Posted to commits@spamassassin.apache.org by sm...@apache.org on 2013/03/12 22:59:52 UTC
svn commit: r1455728 - /spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf
Author: smf
Date: Tue Mar 12 21:59:52 2013
New Revision: 1455728
URL: http://svn.apache.org/r1455728
Log:
Updated sandbox rules
Modified:
spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf
Modified: spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf?rev=1455728&r1=1455727&r2=1455728&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/smf/20_smf.cf Tue Mar 12 21:59:52 2013
@@ -1,52 +1,86 @@
#testrules
-header SMF_BRACKETS_TO To:raw =~ /<<[^<>]+>>/
-describe SMF_BRACKETS_TO Double-brackets around To header address
-score SMF_BRACKETS_TO 0.01
-
-header SMF_EXTRA_BRKTS_TO To:raw =~ /(?:<<|>>)/
-describe SMF_EXTRA_BRKTS_TO Double-brackets in To header
-score SMF_EXTRA_BRKTS_TO 0.01
-
-header SMF_EXTRA_BRKTS_CC Cc:raw =~ /(?:<<|>>)/
-describe SMF_EXTRA_BRKTS_CC Double-brackets in Cc header
-score SMF_EXTRA_BRKTS_CC 0.01
-
-header SMF_EXTRA_BRKTS_FROM From:raw =~ /(?:<<|>>)/
-describe SMF_EXTRA_BRKTS_FROM Doube-brackets in From header
-score SMF_EXTRA_BRKTS_FROM 0.01
-
-rawbody SMF_HIDDEN_TEXT /<font color="(?:white|\#FFFFF[0-F])">[^<]{50,}<\/font>/i
-describe SMF_HIDDEN_TEXT Text hidden inside <font> tag
-score SMF_HIDDEN_TEXT 0.01
-
-rawbody SMF_SPAMSIG_1 /<br><center><a href="http:\/\/\S+\/(\S+)\.htm"><img src="http:\/\/\S+\/images\/(\1)\.gif" border="0"><\/a><\/center>/i
-describe SMF_SPAMSIG_1 Signature seen in mainsleze spam
-score SMF_SPAMSIG_1 0.01
-
-body SMF_SPAMSIG_2 /delete spaces before visiting/i
-describe SMF_SPAMSIG_2 Signature seen in trap hits
-score SMF_SPAMSIG_2 0.01
-
-body SMF_SPAMSIG_3 /our server will reject all response traffic/i
-describe SMF_SPAMSIG_3 Signature seen in trap hits
-score SMF_SPAMSIG_3 0.01
-
-# URIBL meta
-meta __SMF_ANY_URIBL (URIBL_AB_SURBL || URIBL_JP_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_DBL_SPAM || URIBL_RHS_DOB || URIBL_BLACK)
-
-# Google groups test rules
-header SMF_TO_GGRPS To:addr =~ /\@googlegroups\.com$/
-describe SMF_TO_GGRPS Message to a Google Group
-score SMF_TO_GGRPS 0.01
-
-meta SMF_GGRPS_URIBL (__SMF_ANY_URIBL && SMF_TO_GGRPS)
-describe SMF_GGRPS_URIBL Message to a Google Group contains blacklisted URI(s)
-score SMF_GGRPS_URIBL 0.01
-
-header SMF_FROM_GMAIL From:addr =~ /\@gmail\.com$/
-describe SMF_FROM_GMAIL Message is from a Gmail address
-score SMF_FROM_GMAIL 0.01
-
-meta SMF_GGRPS_FROM_GMAIL (SMF_TO_GGRPS && SMF_FROM_GMAIL)
-describe SMF_GGRPS_FROM_GMAIL Message is from a Gmail user to a Google Group
-score SMF_GGRPS_FROM_GMAIL 0.01
+header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /\brdns=[^ ]+\.google\.com\b/i
+header __FSL_ENVFROM_GOOGLE X-Spam-Relays-External =~ /\benvfrom=[^\@ ]+\@g(?:mail|oogle)\.com\b/i
+meta FSL_NOT_FROM_GOOGLE __FSL_ENVFROM_GOOGLE && !__FSL_RELAY_GOOGLE
+score FSL_NOT_FROM_GOOGLE 2.0
+describe FSL_NOT_FROM_GOOGLE Envelope-From GMail or Google but not originated from Google systems
+
+header __FSL_RELAY_YAHOO X-Spam-Relays-External =~ /\brdns=[^ ]+\.yahoo(?:dns)?\.co(?:m|\.jp)\b/i
+header __FSL_ENVFROM_YAHOO X-Spam-Relays-External =~ /\benvfrom=[^\@ ]+\@yahoo(?:groups)?\./i
+meta FSL_NOT_FROM_YAHOO __FSL_ENVFROM_YAHOO && !__FSL_RELAY_YAHOO
+score FSL_NOT_FROM_YAHOO 2.0
+describe FSL_NOT_FROM_YAHOO Envelope-From Yahoo or Yahoo Groups but not originated from Yahoo systems
+
+header __FSL_RELAY_HOTMAIL X-Spam-Relays-External =~ /\brdns=[^ ]+\.hotmail\.com\b/i
+header __FSL_ENVFROM_HOTMAIL X-Spam-Relays-External =~ /\benvfrom=[^\@ ]+\@hotmail\./i
+header __FSL_ENVFROM_LIVE X-Spam-Relays-External =~ /\benvfrom=[^\@ ]+\@live\./i
+meta FSL_NOT_FROM_HOTMAIL (__FSL_ENVFROM_HOTMAIL || __FSL_ENVFROM_LIVE) && !__FSL_RELAY_HOTMAIL
+score FSL_NOT_FROM_HOTMAIL 2.0
+describe FSL_NOT_FROM_HOTMAIL Envelope-From Hotmail/Live but not originated from Hotmail systems
+
+header __FSL_RELAY_AOL X-Spam-Relays-External =~ /\brdns=[^ ]+\.aol\.com\b/i
+header __FSL_ENVFROM_AOL X-Spam-Relays-External =~ /\benvfrom=[^\@ ]+\@aol\./i
+meta FSL_NOT_FROM_AOL __FSL_ENVFROM_AOL && !__FSL_RELAY_AOL
+score FSL_NOT_FROM_AOL 2.0
+describe FSL_NOT_FROM_AOL Envelope-From AOL but not originated from AOL systems
+
+body FSL_DONT_REPLY /do not reply/i
+score FSL_DONT_REPLY 1.0
+describe FSL_DONT_REPLY Contains the phrase 'do not reply'
+
+rawbody FSL_IMAGE_SHORT /<img src="?http:\/\/(?:bitly\.com|bit\.ly|j\.mp|amzn\.to)\//i
+score FSL_IMAGE_SHORT 1.0
+describe FSL_IMAGE_SHORT Contains an image pointing to a URL shortener
+
+meta FSL_IMAGE_SHORT_FM (FREEMAIL_FROM && FSL_IMAGE_SHORT)
+score FSL_IMAGE_SHORT_FM 2.0
+describe FSL_IMAGE_SHORT_FM Contains an image pointing to a URL shortener and is from a freemail address
+
+rawbody FSL_LINK_AWS_S3_WEB /(?:href|src)="?http:\/\/[^. ]+\.s3-website-[^. ]+\.amazonaws\.com/i
+score FSL_LINK_AWS_S3_WEB 1.0
+describe FSL_LINK_AWS_S3_WEB Contains a link to Amazon S3 website
+
+meta FSL_LINK_AWS_S3_WEB_FM (FREEMAIL_FROM && FSL_LINK_AWS_S3_WEB)
+score FSL_LINK_AWS_S3_WEB_FM 10.0
+describe FSL_LINK_AWS_S3_WEB_FM Contains a link to Amazon S3 website and from a freemail address
+
+header FSL_REPLYTO_NOREPLY Reply-To:addr =~ /^noreply\@/i
+score FSL_REPLYTO_NOREPLY 1.0
+describe FSL_REPLYTO_NOREPLY Can't reply to the message
+
+header FSL_FROM_INFO From:addr =~ /^info\@/i
+score FSL_FROM_INFO 1.0
+describe FSL_FROM_INFO From info@domain.com address
+
+header FSL_FROM_NEWS From:addr =~ /^news\@/i
+score FSL_FROM_NEWS 1.0
+describe FSL_FROM_NEWS From news@domain.com address
+
+header FSL_AOL_SPAM X-AOL-Global-Disposition =~ /^S/
+score FSL_AOL_SPAM 2.0
+describe FSL_AOL_SPAM AOL thinks the message is spam
+
+header FSL_PRECEDENCE_JUNK Precedence =~ /junk/i
+score FSL_PRECEDENCE_JUNK 1.0
+describe FSL_PRECEDENCE_JUNK Sender set the precedence header to 'junk'
+
+header FSL_UNDISCLOSED_RCPTS To =~ /Undisclosed[- ]recipients/i
+score FSL_UNDISCLOSED_RCPTS 2.0
+describe FSL_UNDISCLOSED_RCPTS To undisclosed recipients
+
+meta FSL_SCAM_1 (FREEMAIL_FROM && LOTS_OF_MONEY)
+score FSL_SCAM_1 2.0
+describe FSL_SCAM_1 Freemail account discussing lots of money
+
+header FSL_FROM_INFO_DOM From:addr =~ /\.info$/
+score FSL_FROM_INFO_DOM 1.0
+describe FSL_FROM_INFO_DOM From address is in .info
+
+body FSL_ADV /This is an advertisement/i
+score FSL_ADV 1.0
+describe FSL_ADV This is an advertisement
+
+body FSL_OPEN_ATTACH /OPEN THE ATTACHMENT/
+score FSL_OPEN_ATTACH 2.0
+describe FSL_OPEN_ATTACH Demands that you open the attachment
+
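Review bot: The `\b` after `\.google\.com` in `__FSL_RELAY_GOOGLE` does not end the hostname, because a word boundary also sits between the `m` and a following dot, so an rDNS value that merely contains `.google.com` as an inner label satisfies the relay test and suppresses `FSL_NOT_FROM_GOOGLE`. The same loose ending is in `__FSL_RELAY_YAHOO`, `__FSL_RELAY_HOTMAIL` and `__FSL_RELAY_AOL`. The fields in `X-Spam-Relays-External` appear to be space-delimited, so ending the pattern on whitespace would pin the suffix, e.g. `/\brdns=\S+\.google\.com\s/i`. The envfrom patterns ending in `\@yahoo(?:groups)?\.`, `\@hotmail\.`, `\@live\.` and `\@aol\.` accept any domain that starts with that label, so they probably want an explicit TLD list and a terminator as well. Separately, `score FSL_LINK_AWS_S3_WEB_FM 10.0` lets one meta rule exceed the default 5.0 threshold by itself, which looks high for a rule still in a sandbox file.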