You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2011/02/13 22:55:15 UTC
svn commit: r1070308 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_misc_testing.cf 20_uri_obfu_ws.cf
Author: jhardin
Date: Sun Feb 13 21:55:14 2011
New Revision: 1070308
URL: http://svn.apache.org/viewvc?rev=1070308&view=rev
Log:
Add some new URI obfuscation and med spam rules, add some rules from NSL for evaluation.
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1070308&r1=1070307&r2=1070308&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Feb 13 21:55:14 2011
@@ -545,4 +545,29 @@ header ART_NAMES_ORG Recei
score ART_NAMES_ORG 4.0
describe ART_NAMES_ORG Arthur Simmons - registrar spammer extraordinaire
+body __PILL_PRICE_1 m;\$?[\d\s.]{3,8}(?:/|per|each)\s?(?:pill|tablet|cap(?:sule|let));i
+body __PILL_PRICE_2 /(?:pill|tablet|cap(?:sule|let))s\s\$?[\d\s.]{3,8}/i
+body __PILL_PRICE_3 /free\s(?:pill|tablet|cap(?:sule|let))s/i
+tflags __PILL_PRICE_1 multiple
+tflags __PILL_PRICE_2 multiple
+tflags __PILL_PRICE_3 multiple
+meta MANY_PILL_PRICE (__PILL_PRICE_1 + __PILL_PRICE_2 + __PILL_PRICE_3) > 2
+describe MANY_PILL_PRICE Prices for pills
+
+# More from Ned Slider
+meta NSL_FREEMAIL_SUBJ (FREEMAIL_FROM && MISSING_SUBJECT)
+describe NSL_FREEMAIL_SUBJ From freemail with missing subject
+score NSL_FREEMAIL_SUBJ 0.1
+tflags NSL_FREEMAIL_SUBJ nopublish
+
+meta NSL_FREEMAIL_M1 (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS))
+describe NSL_FREEMAIL_M1 From freemail, missing subject and uri or many recips
+score NSL_FREEMAIL_M1 0.1
+tflags NSL_FREEMAIL_M1 nopublish
+
+meta NSL_FREEMAIL_M2 (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
+describe NSL_FREEMAIL_M2 From freemail with uri and many recips
+score NSL_FREEMAIL_M2 0.1
+tflags NSL_FREEMAIL_M2 nopublish
+
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf?rev=1070308&r1=1070307&r2=1070308&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf Sun Feb 13 21:55:14 2011
@@ -16,3 +16,14 @@ replace_rules URI_OBFU_WWW
endif
+# First started appearing 02/2011
+body URI_OBFU_PROTO m,h\st\st\sp\s?:\s?/\s?/,i
+describe URI_OBFU_PROTO URI http protocol with space obfuscation
+
+body URI_OBFU_TLD /\.\s(?:c\so\sm|n\se\st|o\sr\sg|b\si\sz|i\sn\sf\so)/i
+describe URI_OBFU_TLD URI top-level domain with space obfuscation
+
+body URI_DEOBFU_INSTR /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
+describe URI_DEOBFU_INSTR How to deobfuscate this URI
+tflags URI_DEOBFU_INSTR nopublish
+