You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2011/02/13 22:55:15 UTC

svn commit: r1070308 - in /spamassassin/trunk/rulesrc/sandbox/jhardin: 20_misc_testing.cf 20_uri_obfu_ws.cf

Author: jhardin
Date: Sun Feb 13 21:55:14 2011
New Revision: 1070308

URL: http://svn.apache.org/viewvc?rev=1070308&view=rev
Log:
Add some new URI obfuscation and med spam rules, add some rules from NSL for evaluation.

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1070308&r1=1070307&r2=1070308&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Feb 13 21:55:14 2011
@@ -545,4 +545,29 @@ header      ART_NAMES_ORG          Recei
 score       ART_NAMES_ORG          4.0
 describe    ART_NAMES_ORG          Arthur Simmons - registrar spammer extraordinaire
 
+body        __PILL_PRICE_1         m;\$?[\d\s.]{3,8}(?:/|per|each)\s?(?:pill|tablet|cap(?:sule|let));i
+body        __PILL_PRICE_2         /(?:pill|tablet|cap(?:sule|let))s\s\$?[\d\s.]{3,8}/i
+body        __PILL_PRICE_3         /free\s(?:pill|tablet|cap(?:sule|let))s/i
+tflags      __PILL_PRICE_1         multiple
+tflags      __PILL_PRICE_2         multiple
+tflags      __PILL_PRICE_3         multiple
+meta        MANY_PILL_PRICE        (__PILL_PRICE_1 + __PILL_PRICE_2 + __PILL_PRICE_3) > 2
+describe    MANY_PILL_PRICE        Prices for pills
+
+# More from Ned Slider
+meta        NSL_FREEMAIL_SUBJ      (FREEMAIL_FROM && MISSING_SUBJECT)
+describe    NSL_FREEMAIL_SUBJ      From freemail with missing subject
+score       NSL_FREEMAIL_SUBJ      0.1
+tflags      NSL_FREEMAIL_SUBJ      nopublish
+
+meta        NSL_FREEMAIL_M1        (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS))
+describe    NSL_FREEMAIL_M1        From freemail, missing subject and uri or many recips
+score       NSL_FREEMAIL_M1        0.1
+tflags      NSL_FREEMAIL_M1        nopublish
+
+meta        NSL_FREEMAIL_M2        (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
+describe    NSL_FREEMAIL_M2        From freemail with uri and many recips
+score       NSL_FREEMAIL_M2        0.1
+tflags      NSL_FREEMAIL_M2        nopublish
+
 

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf?rev=1070308&r1=1070307&r2=1070308&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf Sun Feb 13 21:55:14 2011
@@ -16,3 +16,14 @@ replace_rules URI_OBFU_WWW
 
 endif
 
+# First started appearing 02/2011
+body          URI_OBFU_PROTO    m,h\st\st\sp\s?:\s?/\s?/,i
+describe      URI_OBFU_PROTO    URI http protocol with space obfuscation
+
+body          URI_OBFU_TLD      /\.\s(?:c\so\sm|n\se\st|o\sr\sg|b\si\sz|i\sn\sf\so)/i
+describe      URI_OBFU_TLD      URI top-level domain with space obfuscation
+
+body          URI_DEOBFU_INSTR  /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
+describe      URI_DEOBFU_INSTR  How to deobfuscate this URI
+tflags        URI_DEOBFU_INSTR  nopublish
+