Posted to commits@spamassassin.apache.org by pd...@apache.org on 2020/01/05 19:10:23 UTC
svn commit: r1872359 - in /spamassassin/trunk/rulesrc/sandbox/pds:
10_menaces.cf 20_helo.cf 20_ntld.cf 20_php.cf 20_urlshort.cf
Author: pds
Date: Sun Jan 5 19:10:23 2020
New Revision: 1872359
URL: http://svn.apache.org/viewvc?rev=1872359&view=rev
Log:
Remove some reuse and short email metas
Modified:
spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_helo.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_php.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_urlshort.cf
Modified: spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf?rev=1872359&r1=1872358&r2=1872359&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf Sun Jan 5 19:10:23 2020
@@ -1,5 +1,9 @@
header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism
+meta PDS_SHORT_BOGUS_MSM_HDRS __PDS_HTML_LENGTH_1024 && __BOGUS_MSM_HDRS
+score PDS_SHORT_BOGUS_MSM_HDRS 2.0
+describe PDS_SHORT_BOGUS_MSM_HDRS Short HTML email with bogus MSM headers
+
meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
score PDS_FROM_NAME_TO_DOMAIN 1.0
describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
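Review bot: The new `PDS_SHORT_BOGUS_MSM_HDRS` meta is assembled from `__PDS_HTML_LENGTH_1024` and `__BOGUS_MSM_HDRS`, neither of which is defined in this file, and its describe line does not say what a "bogus MSM header" is, so the rule is opaque to anyone who does not already know the sub-rules. A one-line comment above the meta would fix that, e.g. `# short HTML body (__PDS_HTML_LENGTH_1024) with inconsistent MS-mail-style headers (__BOGUS_MSM_HDRS); both sub-rules live in <file>`. I am inferring the meaning of "MSM" from the name; confirm it against the sub-rule's definition before wording the comment.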
Modified: spamassassin/trunk/rulesrc/sandbox/pds/20_helo.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_helo.cf?rev=1872359&r1=1872358&r2=1872359&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_helo.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_helo.cf Sun Jan 5 19:10:23 2020
@@ -1,12 +1,10 @@
-header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|xxx)\.[\w]+\b/i
+header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
score PDS_HELO_SPF_FAIL 2.0
tflags PDS_HELO_SPF_FAIL net
-reuse PDS_HELO_SPF_FAIL
meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE
describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS
score PDS_HP_HELO_NORDNS 1.0
-reuse PDS_HP_HELO_NORDNS
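Review bot: The modified `__HELO_HIGHPROFILE` line matches the brand names as substrings of the HELO name, since `\S*` precedes the alternation and only a `\b` follows the label after the dot, so adding `paypal` also hits HELOs such as `mypaypal.example` or `paypal.com.something.example`; that is plausibly the intent for a spam signature, but nothing in the file says so. A comment above the header line would record it, e.g. `# substring match: any HELO containing one of these brand names followed by a dot`. Minor style point on the same line: `[\w]+` is simply `\w+`.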
Modified: spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf?rev=1872359&r1=1872358&r2=1872359&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf Sun Jan 5 19:10:23 2020
@@ -44,19 +44,16 @@ meta FROM_SUSPICIOUS_NTLD_FP __FROM_
tflags FROM_SUSPICIOUS_NTLD_FP publish
describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
-reuse FROM_SUSPICIOUS_NTLD_FP
meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
tflags FROM_NTLD_REPLY_FREEMAIL publish
describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
-reuse FROM_NTLD_REPLY_FREEMAIL
meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
tflags FROM_NTLD_LINKBAIT publish
describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
score FROM_NTLD_LINKBAIT 2.0 # limit
-reuse FROM_NTLD_LINKBAIT
meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
@@ -65,39 +62,31 @@ score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0
reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
-reuse __PDS_SEO1
body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
-reuse __PDS_SEO2
meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
score SEO_SUSP_NTLD 1.2 # limit
-reuse SEO_SUSP_NTLD
-body __PDS_THIS_IS_ADV /This is an advertisement\./
-reuse __PDS_THIS_IS_ADV
+body __PDS_THIS_IS_ADV /This is an advert(?:isement)?/i
meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __PDS_THIS_IS_ADV
tflags THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
-reuse THIS_IS_ADV_SUSP_NTLD
meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
score BULK_RE_SUSP_NTLD 1.0 # limit
-reuse BULK_RE_SUSP_NTLD
meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
score SHORT_IMG_SUSP_NTLD 1.5 # limit
-reuse SHORT_IMG_SUSP_NTLD
header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
-reuse __VPSNUMBERONLY_TLD
meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
tflags VPS_NO_NTLD publish
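Review bot: The rewritten `__PDS_THIS_IS_ADV` pattern has no trailing anchor, so with the `isement` group optional it also matches "This is an advertising …" or any other continuation of "advert", and the new `/i` flag lets it fire on the phrase in quoted or lower-case text; the old version required the literal sentence ending in `.`. If the target is the disclaimer sentence, a word boundary keeps that precision while still accepting the short form: `body __PDS_THIS_IS_ADV /\bThis is an advert(?:isement)?\b/i`. The sub-rule only feeds THIS_IS_ADV_SUSP_NTLD together with __FROM_ADDRLIST_SUSPNTLD, so the exposure is limited, but the boundary costs nothing.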
@@ -110,26 +99,22 @@ body __PDS_OFFER_ONLY_AMERICA /This
meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
score OFFER_ONLY_AMERICA 2.0 # limit
-reuse OFFER_ONLY_AMERICA
body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
meta SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
describe SENT_TO_EMAIL_ADDR Email was sent to email address
score SENT_TO_EMAIL_ADDR 2.0 # limit
-reuse SENT_TO_EMAIL_ADDR
body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
meta SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
score SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
-reuse SUSPNTLD_EXPIRATION_EXTORT
meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe PDS_BTC_NTLD Bitcoin suspect NTLD
score PDS_BTC_NTLD 2.0 # limit
-reuse PDS_BTC_NTLD
endif
endif
Modified: spamassassin/trunk/rulesrc/sandbox/pds/20_php.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_php.cf?rev=1872359&r1=1872358&r2=1872359&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_php.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_php.cf Sun Jan 5 19:10:23 2020
@@ -4,12 +4,10 @@ header __PDS_PHP_EVAL2 X-PHP-Originati
meta PDS_PHP_EVAL __PDS_PHP_EVAL1
describe PDS_PHP_EVAL PHP header shows eval'd code
score PDS_PHP_EVAL 1.5
-reuse PDS_PHP_EVAL
meta PDS_PHP_RUNTIME_FUNC __PDS_PHP_EVAL2 && !__PDS_PHP_EVAL1
describe PDS_PHP_RUNTIME_FUNC PHP header shows runtime-created function
score PDS_PHP_RUNTIME_FUNC 1.5
-reuse PDS_PHP_RUNTIME_FUNC
header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i
header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i
@@ -19,26 +17,21 @@ header __PDS_X_PHP_WPJS X-PHP-Sc
meta PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS)
describe PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one
score PDS_X_PHP_WP_EXP 1.5
-reuse PDS_X_PHP_WP_EXP
header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/;
meta PDS_X_PHP_WELLKNOWN __PDS_X_PHP_WELLKNOWN
describe PDS_X_PHP_WELLKNOWN X-PHP-Script shows sent from a PHP script in the /.well-known/ dir
score PDS_X_PHP_WELLKNOWN 1.0
-reuse PDS_X_PHP_WELLKNOWN
meta PDS_PHPE_SHORT_URL __PDS_SHORT_URL && (__PDS_PHP_EVAL1 || __PDS_PHP_EVAL2)
describe PDS_PHPE_SHORT_URL Short URL that isn't a shortener and sent by PHP exploit
score PDS_PHPE_SHORT_URL 2.0 # limit
-reuse PDS_PHPE_SHORT_URL
meta PDS_PHPE_URISHORTENER (__PDS_PHP_EVAL1 || __PDS_PHP_EVAL2) && (__URL_SHORTENER || __PDS_URISHORTENER)
describe PDS_PHPE_URISHORTENER URI Shortener with PHP eval
score PDS_PHPE_URISHORTENER 2.0 # limit
-reuse PDS_PHPE_URISHORTENER
meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1)
describe PDS_PHPEXP_BOT PHP exploit bot sender
score PDS_PHPEXP_BOT 1.5
-reuse PDS_PHPEXP_BOT
Modified: spamassassin/trunk/rulesrc/sandbox/pds/20_urlshort.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_urlshort.cf?rev=1872359&r1=1872358&r2=1872359&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_urlshort.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_urlshort.cf Sun Jan 5 19:10:23 2020
@@ -791,29 +791,24 @@ meta __PDS_SHORT_URL __SHORT_URL &&
meta DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && (__PDS_URISHORTENER || __URL_SHORTENER) && DRUGS_ERECTILE
describe DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with URL_SHORTENER
score DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
-reuse DRUGS_ERECTILE_SHORT_SHORTNER
meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER
describe XPRIO_URL_SHORTNER X-Priority header and short URL
score XPRIO_URL_SHORTNER 1.0 # limit
-reuse XPRIO_URL_SHORTNER
meta SHORT_SHORTNER __HTML_LENGTH_512 && (__PDS_URISHORTENER || __URL_SHORTENER) && !DRUGS_ERECTILE
describe SHORT_SHORTNER Short body with little more than a link to a shortener
score SHORT_SHORTNER 2.0 # limit
-reuse SHORT_SHORTNER
meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_HTML_LENGTH_1024
describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
score PDS_TINYSUBJ_URISHRT 1.5 # limit
-reuse PDS_TINYSUBJ_URISHRT
meta PDS_EMPTYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJECT_EMPTY && __PDS_HTML_LENGTH_1024
describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
score PDS_EMPTYSUBJ_URISHRT 1.5 # limit
-reuse PDS_EMPTYSUBJ_URISHRT
-meta PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __URI_MAILTO) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
+meta PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
describe PDS_SHORTFWD_URISHRT Threaded email with URI shortener
score PDS_SHORTFWD_URISHRT 1.5 # limit
reuse PDS_SHORTFWD_URISHRT
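Review bot: `reuse PDS_SHORTFWD_URISHRT` on the line after the edited meta is kept while the meta's definition gains three new sub-rules, so if `reuse` lets mass-check take cached hits for this rule, those hits would reflect the old definition rather than the new one; given that this commit removes `reuse` from every other meta in the file, this looks like an oversight. Either drop the line, `reuse PDS_SHORTFWD_URISHRT`, or add a comment saying why it stays. `__HAS_IN_REPLY_TO`, `__HAS_THREAD_INDEX` and `__REPTO_QUOTE` are not defined in this file, so I assume they come from the core rule set; worth confirming they exist in the ruleset this sandbox is checked against.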
@@ -821,17 +816,14 @@ reuse PDS_SHORTFWD_URISHRT
meta PDS_FREEMAIL_REPLYTO_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
describe PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
score PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
-reuse PDS_FREEMAIL_REPLYTO_URISHRT
meta TONOM_EQ_TOLOC_SHRT_SHRTNER __PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_HTML_LENGTH_1024
describe TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
score TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
-reuse TONOM_EQ_TOLOC_SHRT_SHRTNER
meta TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
describe TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
score TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
-reuse TONOM_EQ_TOLOC_SHRT_PSHRTNER
endif
endif