Posted to commits@spamassassin.apache.org by jm...@apache.org on 2006/10/25 11:07:24 UTC
svn commit: r467584 - /spamassassin/rules/trunk/sandbox/jm/20_basic.cf
Author: jm
Date: Wed Oct 25 02:07:23 2006
New Revision: 467584
URL: http://svn.apache.org/viewvc?view=rev&rev=467584
Log:
add another test mimeheader rule to match stock-spam Content-Type MIME-part headers
Modified:
spamassassin/rules/trunk/sandbox/jm/20_basic.cf
Modified: spamassassin/rules/trunk/sandbox/jm/20_basic.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?view=diff&rev=467584&r1=467583&r2=467584
==============================================================================
--- spamassassin/rules/trunk/sandbox/jm/20_basic.cf (original)
+++ spamassassin/rules/trunk/sandbox/jm/20_basic.cf Wed Oct 25 02:07:23 2006
@@ -51,12 +51,9 @@
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
-# ---------------------------------------------------------------------------
-# Testing bit
-
-# Suresh: 'Finding "mail.com", "post.com" etc in a received header is ALWAYS bogus'
-# oops, /\b/ matches ".", hence FPs :( try again:
-header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
+# informational rules don't have to hit spam
+tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
+score CORRUPT_FROM_LINE_IN_HDRS 0.001
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
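Review bot: The added `tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish` line sets `userconf` on a meta rule that, from the visible definition, needs no user configuration, and the comment above it ("informational rules don't have to hit spam") does not explain the choice. If the flag is there only to exempt the rule from hit-rate criteria during promotion, the comment should say so, for example `# userconf: only to exempt this informational rule from hit-rate checks; no user configuration is required`. It would also help to note that the 0.001 score is deliberate, since it keeps the rule enabled while adding next to nothing to a message's total.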
@@ -74,17 +71,29 @@
meta PART_CID_STOCK_LESS (__PART_STOCK_IMG&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
-
mimeheader CTYPE_1SPACE_GIF Content-Type:raw =~ /image\/gif;\n name=\".+?\"\s*$/s
+describe CTYPE_1SPACE_GIF Stock spam image part 'Content-Type' found
endif # Mail::SpamAssassin::Plugin::MIMEHeader
header RCVD_FORGED_WROTE Received =~ /from \d\S+\d \(HELO [a-z]\S+\) by \S+ with esmtp \([A-Z0-9]/s
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
+# ---------------------------------------------------------------------------
+# Testing bit
+
+# Suresh: 'Finding "mail.com", "post.com" etc in a received header is ALWAYS bogus'
+# oops, /\b/ matches ".", hence FPs :( try again:
+header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
+
header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
header __TI36 Thread-Index =~ /^.{36}$/
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510 && __TI36)
meta DRUGS_STOCK_MIMEOLE2 (__MIMEOLE_1106 && __MAILER_OL_5510)
+
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
+describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
+endif
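Review bot: In the added CTYPE_8SPACE_GIF pattern, `.+?` under the `/s` modifier can run past the closing quote and across line breaks. The rule therefore also fires on a Content-Type with further parameters or folded lines after `name=`, provided the value ends in a double quote, which widens it beyond the stock-spam layout the description names. If the intent is a header that is only `image/gif;` followed by one folded `name="..."` line, a negated class pins that down: `mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name="[^"\n]+"$/`. This assumes the raw value is presented with bare `\n` line ends, so it is worth confirming against a sample. As a style point, the new block closes with a bare `endif`, while the earlier block uses `endif # Mail::SpamAssassin::Plugin::MIMEHeader`.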