You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2020/11/23 18:18:21 UTC
svn commit: r1883759 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Mon Nov 23 18:18:21 2020
New Revision: 1883759
URL: http://svn.apache.org/viewvc?rev=1883759&view=rev
Log:
Rule tuning, new rules for eval
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1883759&r1=1883758&r2=1883759&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Mon Nov 23 18:18:21 2020
@@ -3319,10 +3319,18 @@ header __MSMAIL_PRI_HIGH X
header __MSMAIL_PRI_LOW X-MSMail-Priority =~ /^(?:low|non-urgent)$/i
meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
-meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER
+# This is counterintuitive - exclude __MSMAIL_PRI_HIGH ?
+# It seems that 99% of the spam using X-MSMail-Priority other than "normal" is using *invalid values*
+# score "high" separately if justified
+meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
describe MSMAIL_PRI_ABNORMAL Email priority often abused
score MSMAIL_PRI_ABNORMAL 1.500 # limit
+meta MSMAIL_PRI_HIGH __MSMAIL_PRI_HIGH && !ALL_TRUSTED && !__FROM_LOWER && !__RDNS_SHORT
+describe MSMAIL_PRI_HIGH Email priority often abused
+score MSMAIL_PRI_HIGH 1.500 # limit
+
+
# Phishing? 11/2020
full __TO_ADDR_BODY_DOC /^To:\s+(?:"[^"\n]{0,80}"\s*)?<?([^@\s]{1,40})@([^\s>]{1,40})>?\s(?=.{1,2048}\b\1(?:@\2)?\s+(?:sharepoint|document))/ism
@@ -3332,4 +3340,10 @@ body __BODY_HAS_ISBN /
header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
+body __ORDER_TODAY /\border (?:it|one|yours) (?:today|now)\b/i
+tflags __ORDER_TODAY multiple maxhits=4
+
+
+
+