Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/12/14 01:09:33 UTC
svn commit: r1848908 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Fri Dec 14 01:09:32 2018
New Revision: 1848908
URL: http://svn.apache.org/viewvc?rev=1848908&view=rev
Log:
New Bitcoin extortion scam, now 50% more 'splodey!
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1848908&r1=1848907&r2=1848908&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Fri Dec 14 01:09:32 2018
@@ -1951,7 +1951,7 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
replace_rules __MY_VICTIM
body __MY_MALWARE /\s(?:<I>\s<P><U><T>\s<A>\s|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s)?)(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>)/i
replace_rules __MY_MALWARE
- body __PAY_ME /\s<P><A><Y>\s<M><E>\s/i
+ body __PAY_ME /\s(?:<P><A><Y>\s<M><E>|<S><E><N><D>\s<M><E>\s[\d,'.]+\s(?:<U><S><D>|<E><U><R>))\s/i
replace_rules __PAY_ME
body __YOUR_PASSWORD /\s<Y><O><U><R>\s<P><A><S><S><W><O><R><D>/i
replace_rules __YOUR_PASSWORD
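Review bot: The new amount class `[\d,'.]+` on the added __PAY_ME line accepts a run of separators with no digit at all (e.g. `send me ,, usd`), so the new alternative can fire on malformed or unrelated text rather than a stated sum; requiring a leading digit keeps the intent without losing any real amount, e.g. `<S><E><N><D>\s<M><E>\s\d[\d,'.]*\s(?:<U><S><D>|<E><U><R>)`. The same class appears on the plain-regex counterpart in the next hunk (`send\sme\s[\d,'.]+\s(?:usd|eur)`), which would take the same `\d[\d,'.]*` change. Whether masscheck data show this difference mattering is not visible here.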
@@ -1961,19 +1961,22 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
replace_rules __YOUR_ONAN
body __YOUR_PERSONAL /\s<Y><O><U><R>\s<P><E><R><S><O><N><A><L>\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>\s)/i
replace_rules __YOUR_PERSONAL
- body __HOURS_DEADLINE /\s(?:<G><I><V><E>\s<Y><O><U>|<Y><O><U>\s<H><A><V><E>)\s\d+\s<H><O><U><R><S>/i
+ body __HOURS_DEADLINE /\s(?:(?:<G><I><V><E>\s<Y><O><U>|<Y><O><U>\s<H><A><V><E>)\s\d+\s<H><O><U><R><S>|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>)/i
replace_rules __HOURS_DEADLINE
+ body __EXPLOSIVE_DEVICE /\s(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
+ replace_rules __EXPLOSIVE_DEVICE
else
body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
body __MY_MALWARE /\b(?:I\sput\sa\s|my\s(?:personal\s)?)(?:malware|virus)\b/i
- body __PAY_ME /\bpay\sme\b/i
+ body __PAY_ME /\b(?:pay\sme|send\sme\s[\d,'.]+\s(?:usd|eur))\b/i
body __YOUR_PASSWORD /\byour\spassword\b/i
body __YOUR_WEBCAM /\b(?:from|your)\swebcam\b/i
body __YOUR_ONAN /\byour?\s(?:masturbati(?:on|ng)|onanism|solitary\ssex)\b/i
body __YOUR_PERSONAL /\byour\spersonal\s(?:info(?:rmation)?|data)\b/i
- body __HOURS_DEADLINE /\b(?:give\syou|you\shave)\s\d+\shours\b/i
+ body __HOURS_DEADLINE /\b(?:(?:give\syou|you\shave)\s\d+\shours|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day)\b/i
+ body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
endif
-meta BITCOIN_EXTORT_01 __BITCOIN_ID && __MY_MALWARE && ( __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME ) > 2
+meta BITCOIN_EXTORT_01 __BITCOIN_ID && (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __EXPLOSIVE_DEVICE) > 2
describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
score BITCOIN_EXTORT_01 5.000 # limit
tflags BITCOIN_EXTORT_01 publish
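Review bot: The rewritten BITCOIN_EXTORT_01 meta on the `+meta` line keeps the `> 2` threshold while moving __MY_MALWARE from a required conjunct into the summed list and adding __EXPLOSIVE_DEVICE, so the rule now fires on __BITCOIN_ID plus any three of eleven weak indicators with no malware mention at all, a loosening the log message does not call out. __HOURS_DEADLINE in the same hunk also gained `by/to/until/before the end of the (work(ing)) day`, an ordinary business phrase, which makes that three-hit combination easier to reach in legitimate mail that happens to match __BITCOIN_ID. A one-line comment above the meta would record the intent: `# __MY_MALWARE is a summed indicator, not a precondition: __BITCOIN_ID plus any 3 of the 11 hits fires this rule`. Since the rule sits in a sandbox with a `# limit` score, masscheck results should show whether the wider net costs false positives before it is promoted.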
@@ -1988,6 +1991,11 @@ describe BITCOIN_MALWARE Bi
score BITCOIN_MALWARE 3.000 # limit
tflags BITCOIN_MALWARE publish
+meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
+describe BITCOIN_BOMB BitCoin + bomb threat
+score BITCOIN_BOMB 3.000 # limit
+tflags BITCOIN_BOMB publish
+
#body NUM_FREE /\b\d+free/i
#describe NUM_FREE Number + free