Posted to commits@spamassassin.apache.org by jh...@apache.org on 2016/02/12 02:47:25 UTC
svn commit: r1729933 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Fri Feb 12 01:47:25 2016
New Revision: 1729933
URL: http://svn.apache.org/viewvc?rev=1729933&view=rev
Log:
add exploratory subrules
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1729933&r1=1729932&r2=1729933&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Fri Feb 12 01:47:25 2016
@@ -117,6 +117,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
meta DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT)
describe DOC_ATTACH_NO_EXT Document attachment with suspicious name
+ mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/zip\b,i
else
meta __HTML_ATTACH_01 0
meta __HTML_ATTACH_02 0
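Review bot: The new `__ZIP_ATTACH_MT` subrule on the `mimeheader` line matches only the literal `application/zip` media type, so zip parts labelled with the widespread legacy variants (`application/x-zip`, `application/x-zip-compressed`) or the catch-all `application/octet-stream` will not fire it, and those are exactly the labels malware droppers tend to arrive under. If the intent is "any part declared as a zip", `mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:x-)?zip\b,i` would cover the `x-` forms with no other change; `octet-stream` is better left to the filename-based subrules this file already has (see `__ZIP_ATTACH_NOFN` in the `else` branch), since matching it by type alone would be far too broad. A one-line comment such as `# zip declared by Content-Type, regardless of filename` would also help distinguish this from the existing zip subrules. The enclosing `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` block begins before this hunk.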
@@ -124,6 +125,7 @@ else
meta __ZIP_ATTACH_NOFN 0
meta __PDF_ATTACH 0
meta __ATTACH_NAME_NO_EXT 0
+ meta __ZIP_ATTACH_MT 0
endif
# general case of spample observation
@@ -1483,7 +1485,6 @@ score URI_WP_HACKED_2 2.000 #
tflags URI_WP_HACKED_2 publish
-
# subrules migrated from 00_FVGT_File001.cf
header __SUBJ_LOWER ALL =~ /subject:\s\S{5}/
@@ -2170,6 +2171,7 @@ header __HAS_XM_RECPTID e
header __HAS_XM_SID exists:X-Mailer-SID
header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
+header __HAS_PHP_SCRIPT exists:X-PHP-Script
header __FROM_WORDY From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
#header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/
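Review bot: `__HAS_PHP_SCRIPT` tests only for the presence of `X-PHP-Script`, and nothing in the hunk records what that header means, which matters because the same existence check will fire for legitimate web-form mail as readily as for a compromised site's PHP mailer. Since the header is, as far as I can tell, inserted by some hosting providers' patched PHP `mail()` wrappers (hedged: not visible here), a short comment would keep the next reader from treating it as a spam signal on its own: `# X-PHP-Script: added by some hosts' PHP mail() wrappers; marks script-originated mail, legit or not`. The surrounding `header __HAS_*` list continues outside this hunk.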
@@ -2183,4 +2185,11 @@ meta FROM_WORDY_SHORT (
describe FROM_WORDY_SHORT From address looks like a sentence + short message
tflags FROM_WORDY_SHORT publish
+# test some spam-only combos
+meta __PHP_SCRIPT_SENDER __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
+meta __PHP_SCRIPT_MIMENEEDED __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME
+
+header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass)\b/
+
+meta __PHP_MALWARE_ATTACH __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT
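Review bot: The `__FROM_AUTHORITY_COMPANY` regex has no `/i` flag, so it matches only lowercase `court`, `fedex`, `dhl` and `e-zpass` in the From display name, whereas brand impersonation in the wild is almost always written `FedEx`, `DHL`, `E-ZPass` or `Court`; the other regexes in this file (e.g. the `mimeheader` rule earlier in this commit) are case-insensitive, which suggests this is an oversight rather than intent. The one-line fix is `header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass)\b/i`. Note also that `__PHP_MALWARE_ATTACH` only establishes "PHP-originated mail + authority-sounding sender + zip-typed part", so the name promises more than the check delivers; a comment like `# heuristic combo: PHP mailer + impersonated authority name + zip part; no content inspection` would set expectations before anyone scores it. `__PHP_NOVER_MUA` and `__FROM_NEEDS_MIME` are defined outside this hunk, so I could not confirm what they match.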