Posted to commits@spamassassin.apache.org by jh...@apache.org on 2016/02/12 02:47:25 UTC

svn commit: r1729933 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Fri Feb 12 01:47:25 2016
New Revision: 1729933

URL: http://svn.apache.org/viewvc?rev=1729933&view=rev
Log:
add exploratory subrules

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1729933&r1=1729932&r2=1729933&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Fri Feb 12 01:47:25 2016
@@ -117,6 +117,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
   meta         DOC_ATTACH_NO_EXT   __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT)
   describe     DOC_ATTACH_NO_EXT   Document attachment with suspicious name
 
+  mimeheader   __ZIP_ATTACH_MT     Content-Type =~ m,\bapplication/zip\b,i
 else
   meta         __HTML_ATTACH_01    0
   meta         __HTML_ATTACH_02    0
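Review bot: The new `__ZIP_ATTACH_MT` pattern matches only the literal `application/zip` type, so archives declared as `application/x-zip-compressed` or `application/x-zip` (both common in the wild, though nothing in this file confirms how often they show up in the corpus) will not fire it, and any meta built on top of it inherits that gap. Unless the narrow match is intentional, `mimeheader   __ZIP_ATTACH_MT     Content-Type =~ m,\bapplication/(?:x-)?zip(?:-compressed)?\b,i` covers the usual variants at no extra cost. A one-line comment such as `# zip by declared MIME type only; does not look at the filename` would also make clear to the next reader that this is a metadata-only check. The matching `meta __ZIP_ATTACH_MT 0` in the `else` branch is handled in the following hunk.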
@@ -124,6 +125,7 @@ else
   meta         __ZIP_ATTACH_NOFN   0
   meta         __PDF_ATTACH        0
   meta         __ATTACH_NAME_NO_EXT 0
+  meta         __ZIP_ATTACH_MT     0
 endif
 
 # general case of spample observation
@@ -1483,7 +1485,6 @@ score       URI_WP_HACKED_2    2.000   #
 tflags      URI_WP_HACKED_2    publish
 
 
-
 # subrules migrated from 00_FVGT_File001.cf
 
 header      __SUBJ_LOWER       ALL =~ /subject:\s\S{5}/
@@ -2170,6 +2171,7 @@ header     __HAS_XM_RECPTID            e
 header     __HAS_XM_SID                exists:X-Mailer-SID
 header     __HAS_XM_SENTBY             exists:X-Mailer-Sent-By
 header     __HAS_DOMAINKEY_SIG         exists:DomainKey-Signature
+header     __HAS_PHP_SCRIPT            exists:X-PHP-Script
 
 header     __FROM_WORDY                From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
 #header     __FROM_WORDY_3              From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/
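Review bot: `exists:X-PHP-Script` will not match the `X-PHP-Originating-Script` header that stock PHP emits when `mail.add_x_header` is enabled; as far as I recall, `X-PHP-Script` is the name used by Suhosin-patched builds, so a sizeable share of PHP `mail()` traffic would miss this subrule. If both are wanted, add `header     __HAS_PHP_ORIG_SCRIPT       exists:X-PHP-Originating-Script` and fold it in with `meta       __HAS_PHP_SCRIPT            __HAS_PHP_SCRIPT_HDR || __HAS_PHP_ORIG_SCRIPT` (renaming the existing header rule to `__HAS_PHP_SCRIPT_HDR`) so later metas referencing `__HAS_PHP_SCRIPT` keep working. Either header is trivially forged or stripped by the sender, so a short comment such as `# sender-controlled header; only meaningful in combination with other subrules` would make the subrule-only intent explicit.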
@@ -2183,4 +2185,11 @@ meta       FROM_WORDY_SHORT            (
 describe   FROM_WORDY_SHORT            From address looks like a sentence + short message
 tflags     FROM_WORDY_SHORT            publish
 
+# test some spam-only combos
+meta       __PHP_SCRIPT_SENDER         __HAS_PHP_SCRIPT && __PHP_NOVER_MUA 
+meta       __PHP_SCRIPT_MIMENEEDED     __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME 
+
+header     __FROM_AUTHORITY_COMPANY    From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass)\b/
+
+meta       __PHP_MALWARE_ATTACH        __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT