Posted to commits@spamassassin.apache.org by sm...@apache.org on 2013/03/24 16:55:46 UTC
svn commit: r1460409 - /spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf
Author: smf
Date: Sun Mar 24 15:55:46 2013
New Revision: 1460409
URL: http://svn.apache.org/r1460409
Log:
Sandbox updates
Modified:
spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf
Modified: spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf?rev=1460409&r1=1460408&r2=1460409&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf Sun Mar 24 15:55:46 2013
@@ -76,10 +76,6 @@ header FSL_ABUSED_WEB_3 exists:X
score FSL_ABUSED_WEB_3 0.01
describe FSL_ABUSED_WEB_3 Has X-PHP-Originating-Script header
-body FSL_MY_NAME_IS /\bmy name is\b/i
-describe FSL_MY_NAME_IS My name is ...
-score FSL_MY_NAME_IS 1.0
-
body FSL_SUPPLY /\b(?:i|we|company)\s*(?:can|is|am|are)?\s*(?:sell(?:ing)?|offer(?:ing)?|provid(?:es?|ing|supply(?:ing)))\b/i
describe FSL_SUPPLY Something can be supplied
score FSL_SUPPLY 1.0
@@ -108,11 +104,6 @@ meta FSL_UNDISCLOSED_BULK (FSL_UNDI
describe FSL_UNDISCLOSED_BULK Undisclosed recipients and bulk signature
score FSL_UNDISCLOSED_BULK 3.0
-header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
-meta FSL_BULK_SIG ((DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB)
-describe FSL_BULK_SIG Bulk signature with no Unsubscribe
-score FSL_BULK_SIG 1.0
-
header __FSL_TO_COMMON_ROLE To:addr =~ /^((?:post|web|domain)master|info|sales|(?:tech)?support|(?:sys)?admin(?:istrator)?|abuse|noc|root|security|compliance|registrar)@/i
meta FSL_TO_ROLE_BULK (__FSL_TO_COMMON_ROLE && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
describe FSL_TO_ROLE_BULK Bulk signature and to a role account
@@ -129,3 +120,14 @@ score FSL_YAHOO_AUTH_SIG 5.0
header FSL_PHP_EXPLOIT_41 X-PHP-Script =~ / 41\.\d+\.\d+\.\d+\b/
describe FSL_PHP_EXPLOIT_41 PHP Script being run by someone in Africa
score FSL_PHP_EXPLOIT_41 3.0
+
+uri FSL_UNSUB_RATWARE /unsubscribe\.php\?M=[0-9]+&C=[^& ]+&L=[0-9]+&N=[0-9]+/
+describe FSL_UNSUB_RATWARE Unsubscribe ratware signature
+score FSL_UNSUB_RATWARE 3.0
+
+# Based on John Hardin's MONEY_FROM_41
+header __FSL_IPV4_41 ALL =~ / \[?41\.(?:[0-9]{1,3}\.){2}[0-9]{1,3}\]?/
+body __FSL_URGENT_ASSIST /your urgent assist/i
+body __FSL_MAIL_HAS /your mail has/i
+meta FSL_FRAUD_FROM_41 (__FSL_IPV4_41 && (LOTS_OF_MONEY || FSL_MY_NAME_IS || __FSL_URGENT_ASSIST || __FSL_MAIL_HAS))
+score FSL_FRAUD_FROM_41 1.0
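Review bot: The new meta `FSL_FRAUD_FROM_41` lists `FSL_MY_NAME_IS` as a term, but the first hunk of this same commit removes that rule's `body`, `describe` and `score` lines. Unless the rule is defined in another file, the term becomes an undefined dependency that can never fire, and `spamassassin --lint` would be expected to flag it. Either keep the pattern as a non-scoring subrule, `body __FSL_MY_NAME_IS /\bmy name is\b/i`, and reference that name in the meta, or drop the term. The meta also has no `describe` line; something like `describe FSL_FRAUD_FROM_41 Fraud phrasing with a 41.x.x.x address in headers` would match the neighbouring rules. Separately, `__FSL_IPV4_41` matches against `ALL` with no trailing `\b`, so a 41.x.x.x-looking string in any header satisfies it, not only a relay address; a comment saying whether that breadth is intended would help whoever tunes false positives later.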