Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/10/07 20:14:27 UTC
svn commit: r1843083 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Sun Oct 7 20:14:27 2018
New Revision: 1843083
URL: http://svn.apache.org/viewvc?rev=1843083&view=rev
Log:
More bitcoin rule tuning
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1843083&r1=1843082&r2=1843083&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Oct 7 20:14:27 2018
@@ -1865,23 +1865,47 @@ endif
body __BITCOIN_ID /\b(?<!=)[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
-meta BTC_ORG __BITCOIN_ID && __HAS_ORGANIZATION
+ifplugin Mail::SpamAssassin::Plugin::DKIM
+ meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
+else
+ meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
+endif
describe BTC_ORG Bitcoin wallet ID + unusual header
+score BTC_ORG 2.500 # limit
# bitcoin obfuscation - tip o' the hat to Steve Zinski on the users list, with a little cleanup
-# __BTC_OBFU_4 may duplicate (to a degree) FUZZY_BITCOIN, clean up if this performs well
body __BTC_OBFU_2 /\b\W{0,10}b(?!itcoin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
-body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
-meta OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 ) )
-describe OBFU_BITCOIN Obfuscated BitCoin references
-score OBFU_BITCOIN 2.000 # limit
+# __BTC_OBFU_4 duplicates (to a degree) FUZZY_BITCOIN
+# Use FUZZY_BITCOIN (more hits) if possible
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
- # for masscheck comparison
- meta T_OBFU_BITCOIN_FUZZY ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN ) )
+ meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN ) )
+else
+ body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
+ meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 ) )
endif
+meta OBFU_BITCOIN __OBFU_BITCOIN
+describe OBFU_BITCOIN Obfuscated BitCoin references
+score OBFU_BITCOIN 3.000 # limit
+tflags OBFU_BITCOIN publish
+
+meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
+describe BITCOIN_SPAM_01 BitCoin spam pattern 01
+score BITCOIN_SPAM_01 2.500 # limit
+
+meta BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
+describe BITCOIN_SPAM_02 BitCoin spam pattern 02
+score BITCOIN_SPAM_02 1.500 # limit
+
+meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
+describe BITCOIN_SPAM_03 BitCoin spam pattern 03
+score BITCOIN_SPAM_03 1.500 # limit
+
+meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
+describe BITCOIN_SPAM_04 BitCoin spam pattern 04
+score BITCOIN_SPAM_04 1.500 # limit
#body NUM_FREE /\b\d+free/i
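Review bot: In both branches of the new BTC_ORG meta, `__DOS_HAS_MAILING_LIST` is required rather than excluded, unlike the neighbouring `!ALL_TRUSTED` and `!DKIM_SIGNED` terms, so as written the rule can only hit wallet IDs in mail that carries mailing-list headers. If the intent was to spare list traffic from false positives, the term should read `&& !__DOS_HAS_MAILING_LIST`. If the positive match is deliberate, a one-line comment saying why would help, since `describe BTC_ORG` still reads only "Bitcoin wallet ID + unusual header". Separately, BITCOIN_SPAM_04 depends on `__freemail_hdr_replyto`, which as far as I know is only defined when the FreeMail plugin is loaded, yet it is not guarded the way the DKIM and ReplaceTags dependencies are in this same hunk. Wrapping its three lines in `ifplugin Mail::SpamAssassin::Plugin::FreeMail` … `endif` would keep the meta from referencing an undefined subrule on installs without that plugin.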