Posted to commits@spamassassin.apache.org by kh...@apache.org on 2010/04/24 21:14:52 UTC

svn commit: r937676 - /spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf

Author: khopesh
Date: Sat Apr 24 19:14:51 2010
New Revision: 937676

URL: http://svn.apache.org/viewvc?rev=937676&view=rev
Log:
legit freemail should all be not_spoofed, test adding one hex digit to __rdns_hex

Modified:
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf?rev=937676&r1=937675&r2=937676&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Sat Apr 24 19:14:51 2010
@@ -67,6 +67,11 @@ meta	 KHOP_BOTNET_7	!(__FROM_FREEMAIL ||
 describe KHOP_BOTNET_7	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_7	nopublish
 
+meta	 KHOP_BOTNET_UNCLEAN	__LAST_EXTERNAL_RELAY_NO_AUTH && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2)
+describe KHOP_BOTNET_UNCLEAN	Relay looks like a dynamic address
+tflags	 KHOP_BOTNET_UNCLEAN	nopublish
+
+
 
 
 # I intend to remove s25r_4 and s25r_6 from publish
@@ -78,14 +83,12 @@ describe KHOP_DYNAMIC	Relay looks like a
 tflags	 KHOP_DYNAMIC	nopublish
 
 # cleansing added to make safe
-meta	 KHOP_DYNAMIC2	!(__NOT_SPOOFED||__GREYLISTING||__FROM_FREEMAIL) && (__S25R_1 + __S25R_2 + __S25R_3 + __S25R_5 + __IP_IN_RELAY > 3)
+meta	 KHOP_DYNAMIC2	!(__NOT_SPOOFED||__GREYLISTING) && (__S25R_1 + __S25R_2 + 2*__S25R_3 + 2*__S25R_5 + __IP_IN_RELAY > 2)
 describe KHOP_DYNAMIC2	Relay looks like a dynamic address
 tflags	 KHOP_DYNAMIC2	nopublish
 
-meta	 KHOP_BOTNET_UNCLEAN	__LAST_EXTERNAL_RELAY_NO_AUTH && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2)
-describe KHOP_BOTNET_UNCLEAN	Relay looks like a dynamic address
-tflags	 KHOP_BOTNET_UNCLEAN	nopublish
-
+# Sanity check:  how much freemail lacks spf or dkim?
+meta	 SPOOFED_FREEMAIL	!__NOT_SPOOFED && FREEMAIL_FROM
 
 
 # S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
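Review bot: The new `SPOOFED_FREEMAIL` meta has neither a `describe` nor a `tflags ... nopublish` line, unlike every other rule visible in this hunk, so it does not carry the same explicit do-not-publish marker as its neighbours. I would add `describe SPOOFED_FREEMAIL	Freemail sender without SPF/DKIM confirmation` and `tflags	 SPOOFED_FREEMAIL	nopublish`. It also keys on `FREEMAIL_FROM`, while the exemption removed from `KHOP_DYNAMIC2` used `__FROM_FREEMAIL`. If those two do not match the same set of senders, the sanity check measures a different population than the one that just lost its exemption, so the same subrule should be used in both places, or the difference explained in a comment. Separately, the comment `# cleansing added to make safe` above `KHOP_DYNAMIC2` now covers a rule whose threshold dropped from `> 3` to `> 2` with doubled weights on `__S25R_3` and `__S25R_5`, so a note on the new weighting would help the next reader.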
@@ -94,3 +97,6 @@ tflags	 KHOP_BOTNET_UNCLEAN	nopublish
 header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/
 # 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214  awesome score-map; avg is LOW!
 # 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420  37% of spam hits are under 6 pts
+
+# see if we can further reduce the FPs w/out impacting the spam hits too hard
+header __RDNS_HEX9 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{8}/
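Review bot: `__RDNS_HEX9` is a full copy of the `__RDNS_HEX` pattern with only the final quantifier changed from `{7}` to `{8}`, and the added comment does not say so, so the one-character difference is easy to miss and the two regexes can drift apart on later edits. I would extend the comment to something like `# same as __RDNS_HEX but needs 8 hex chars after the digit (9-char run); keep both patterns in sync`. Nothing in the visible hunks references `__RDNS_HEX9` (`KHOP_BOTNET_UNCLEAN` still uses `__RDNS_HEX`), so it would help to state in the comment that it exists only for comparison. Once results are in, a spam/ham stats line like the ones recorded for `__RDNS_HEX` would make that comparison visible in the file.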