Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/10/20 18:59:01 UTC

svn commit: r1844432 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Sat Oct 20 18:59:01 2018
New Revision: 1844432

URL: http://svn.apache.org/viewvc?rev=1844432&view=rev
Log:
Tuning __PHOTO_RETOUCHING to respond to spammer changes; Add a bitcoin extortion rule and tweak an existing bitcoin score limit; Tweak a FUZZY rule - \b doesn't work well with them

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1844432&r1=1844431&r2=1844432&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Oct 20 18:59:01 2018
@@ -605,7 +605,7 @@ tflags         MANY_APPARENTLY_TO
 
 # obfuscation of "opt out"
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-  body           FUZZY_OPTOUT             /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i
+  body           FUZZY_OPTOUT             /\s(?!opt.?out)<O><P><T>.?<O><U><T>/i
   replace_rules  FUZZY_OPTOUT
   describe       FUZZY_OPTOUT             Obfuscated opt-out text
 endif
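Review bot: The new leading `\s` in FUZZY_OPTOUT requires a whitespace character before the obfuscated text, so an obfuscated "opt out" that opens a body paragraph no longer matches, which the old `\b` allowed. If that case matters, an explicit alternative keeps the intent without relying on `\b`: `/(?:^|\s)(?!opt.?out)<O><P><T>.?<O><U><T>/i`. Dropping the trailing `\b` also lets the pattern match as the prefix of a longer token, so it is worth checking for new ham hits before the rule leaves the sandbox.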
@@ -1906,7 +1906,7 @@ score          BITCOIN_SPAM_01  2.500	#
 
 meta           BITCOIN_SPAM_02  __BITCOIN_ID && __BOTH_INR_AND_REF 
 describe       BITCOIN_SPAM_02  BitCoin spam pattern 02
-score          BITCOIN_SPAM_02  1.500	# limit
+score          BITCOIN_SPAM_02  2.500	# limit
 
 meta           BITCOIN_SPAM_03  __BITCOIN_ID && __SINGLE_WORD_SUBJ
 describe       BITCOIN_SPAM_03  BitCoin spam pattern 03
@@ -1916,6 +1916,34 @@ meta           BITCOIN_SPAM_04  __BITCOI
 describe       BITCOIN_SPAM_04  BitCoin spam pattern 04
 score          BITCOIN_SPAM_04  1.500	# limit
 
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+  body           __MY_VICTIM            /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s<V><I><C><T><I><M>/i
+  replace_rules  __MY_VICTIM
+  body           __MY_MALWARE           /\s<M><Y>\s(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>)\s/i
+  replace_rules  __MY_MALWARE
+  body           __PAY_ME               /\s<P><A><Y>\s<M><E>\s/i
+  replace_rules  __PAY_ME
+  body           __YOUR_WEBCAM          /\s<Y><O><U><R>\s<W><E><B><C><A><M>\s/i
+  replace_rules  __YOUR_WEBCAM
+  body           __YOUR_ONAN            /\s<Y><O><U><R>\s(?:<M><A><S><T><U><R><B><A><T><I><O><N>|<O><N><A><N><I><S><M>)/i
+  replace_rules  __YOUR_ONAN
+  body           __YOUR_PERSONAL        /\s<Y><O><U><R>\s<P><E><R><S><O><N><A><L>\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>)\s/i
+  replace_rules  __YOUR_PERSONAL
+  body           __HOURS_DEADLINE       /\s<G><I><V><E>\s<Y><O><U>\s\d+\s<H><O><U><R><S>\s/i
+  replace_rules  __HOURS_DEADLINE
+else
+  body           __MY_VICTIM            /\b(?:hi|hello),/(?:\smy)?\svictim\b/i
+  body           __MY_MALWARE           /\bmy\s(?:malware|virus)\b/i
+  body           __PAY_ME               /\bpay\sme\b/i
+  body           __YOUR_WEBCAM          /\byour\swebcam\b/i
+  body           __YOUR_ONAN            /\byour\s(?:masturbation|onanism)\b/i
+  body           __YOUR_PERSONAL        /\byour\spersonal\s(?:info(?:rmation)?|data)\b/i
+  body           __HOURS_DEADLINE       /\bgive\syou\s\d+\shours\b/i
+endif
+meta           BITCOIN_EXTORT_01      __BITCOIN_ID && __MY_VICTIM && __MY_MALWARE && __PAY_ME && ( __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE) > 2
+describe       BITCOIN_EXTORT_01      Extortion spam, pay via bitcoin
+score          BITCOIN_EXTORT_01      4.750	# limit
+
 
 #body          NUM_FREE         /\b\d+free/i
 #describe      NUM_FREE         Number + free
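Review bot: The non-ReplaceTags fallback for `__MY_VICTIM` contains a stray `/` after the comma (`/\b(?:hi|hello),/(?:\smy)?\svictim\b/i`), which ends the pattern early and leaves the rest as invalid trailing text, so the rule will most likely fail lint whenever the ReplaceTags plugin is not loaded. It should mirror the optional comma of the ReplaceTags version: `body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\svictim\b/i`. Separately, the ReplaceTags variants of `__MY_MALWARE`, `__PAY_ME`, `__YOUR_WEBCAM`, `__YOUR_PERSONAL` and `__HOURS_DEADLINE` require a literal `\s` on both sides, so a phrase followed by punctuation or sitting at the start or end of a paragraph is missed, although the `\b` fallbacks would match it. Using `(?:^|\s)` in front and a lookahead such as `(?=\s|[.,!?]|$)` behind would narrow that gap between the two branches. A short comment above the `meta` line explaining why the threshold is `> 2` of the four optional indicators would also help later tuning.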
@@ -2322,7 +2350,7 @@ rawbody    __SPAMTOOL_GOOF_01
 
 
 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-  body       __PHOTO_RETOUCHING         /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|produc
 ts?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\bphotos\s\d+$)/i
+  body       __PHOTO_RETOUCHING         /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|produc
 ts?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:image|photo)s\s\d+$)/i
   tflags     __PHOTO_RETOUCHING         multiple maxhits=5
   meta       PHOTO_EDITING_FREEM        __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
   describe   PHOTO_EDITING_FREEM        Image editing service, freemail or CHN replyto
@@ -2520,3 +2548,5 @@ endif
 
 
 
+
+