Posted to commits@spamassassin.apache.org by jh...@apache.org on 2019/01/22 20:15:59 UTC

svn commit: r1851861 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Tue Jan 22 20:15:59 2019
New Revision: 1851861

URL: http://svn.apache.org/viewvc?rev=1851861&view=rev
Log:
re-enable fuzzy bitcoin extortion rules, obfuscated spams still being sent.

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1851861&r1=1851860&r2=1851861&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Tue Jan 22 20:15:59 2019
@@ -1947,28 +1947,28 @@ describe       BITCOIN_SPAM_09  BitCoin
 score          BITCOIN_SPAM_09  1.500	# limit
 tflags         BITCOIN_SPAM_09  publish
 
-# ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-#   body           __MY_VICTIM            /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
-#   replace_rules  __MY_VICTIM
-#   body           __MY_MALWARE           /\s(?:(?:<I>\s<P><U><T>\s<A>\s|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s)?)(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>)|<A><P><P><L><I><C><A><T><I><O><N>[a-z\s]{1,30}<E><N><A><B><L><E><D>\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>))\s/i
-#   replace_rules  __MY_MALWARE
-#   body           __PAY_ME               /\s(?:<P><A><Y>\s<M><E>|(?:<S><E><N><D>\s<M><E>|<T><R><A><N><S><F><E><R>\s<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>)\s[\d,'.]+\s?(?:<U><S><D>|<E><U><R>))\s/i
-#   replace_rules  __PAY_ME
-#   body           __YOUR_PASSWORD        /\s<Y><O><U><R>\s<P><A><S><S><W><O><R><D>/i
-#   replace_rules  __YOUR_PASSWORD
-#   body           __YOUR_WEBCAM          /\s(?:<F><R><O><M>|<Y><O><U><R>)\s<W><E><B><C><A><M>/i
-#   replace_rules  __YOUR_WEBCAM
-#   body           __YOUR_ONAN            /\s<Y><O><U><R>?\s(?:<M><A><S><T>(?:<U>|<R>){2}<B><A><T><I>(?:<O><N>|<N><G>)|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>)/i
-#   replace_rules  __YOUR_ONAN
-#   body           __YOUR_PERSONAL        /\s<Y><O><U><R>\s<P><E><R><S><O><N><A><L>\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>\s)/i
-#   replace_rules  __YOUR_PERSONAL
-#   body           __HOURS_DEADLINE       /\s(?:(?:<G><I><V><E>\s<Y><O><U>|<Y><O><U>\s<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?)\s\d+\s<H><O><U><R><S>|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>)/i
-#   replace_rules  __HOURS_DEADLINE
-#   body           __EXPLOSIVE_DEVICE     /\s(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
-#   replace_rules  __EXPLOSIVE_DEVICE
-# else
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+  body           __MY_VICTIM            /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
+  replace_rules  __MY_VICTIM
+  body           __MY_MALWARE           /\s(?:(?:<I>\s<P><U><T>\s<A>\s|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s)?)(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>)|<A><P><P><L><I><C><A><T><I><O><N>[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>)\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann)[\s\.,]/i
+  replace_rules  __MY_MALWARE
+  body           __PAY_ME               /\s(?:<P><A><Y>\s<M><E>|(?:<S><E><N><D>\s<M><E>|<T><R><A><N><S><F><E><R>\s<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>)\s(?:[\d,'.]+\s?(?:<U><S><D>|<E><U><R>)|<B><I><T><C><O><I><N>))\s/i
+  replace_rules  __PAY_ME
+  body           __YOUR_PASSWORD        /\s<Y><O><U><R>\s<P><A><S><S><W><O><R><D>/i
+  replace_rules  __YOUR_PASSWORD
+  body           __YOUR_WEBCAM          /\s(?:<F><R><O><M>|<Y><O><U><R>)\s<W><E><B><C><A><M>/i
+  replace_rules  __YOUR_WEBCAM
+  body           __YOUR_ONAN            /\s<Y><O><U><R>?\s(?:<M><A><S><T>(?:<U>|<R>){2}<B><A><T><I>(?:<O><N>|<N><G>)|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>)/i
+  replace_rules  __YOUR_ONAN
+  body           __YOUR_PERSONAL        /\s<Y><O><U><R>\s<P><E><R><S><O><N><A><L>\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>\s)/i
+  replace_rules  __YOUR_PERSONAL
+  body           __HOURS_DEADLINE       /\s(?:(?:<G><I><V><E>\s<Y><O><U>|<Y><O><U>\s<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?)(?:\s<T><H><E>\s<L><A><S><T>)?\s\d+\s<H><O><U><R><S>|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden)/i
+  replace_rules  __HOURS_DEADLINE
+  body           __EXPLOSIVE_DEVICE     /\s(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
+  replace_rules  __EXPLOSIVE_DEVICE
+else
   body           __MY_VICTIM            /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
-  body           __MY_MALWARE           /\b(?:(?:I\sput\sa\s|my\s(?:personal\s)?)(?:malware|virus|spy\s?ware)|application[a-z\s]{1,30}(?:enabled|allows)\sme\sto\s(?:access|control)|Anwendung\s[^\.]{1,40}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann)\b/i
+  body           __MY_MALWARE           /\b(?:(?:I\sput\sa\s|my\s(?:personal\s)?)(?:malware|virus|spy\s?ware)|application[^\.]{1,30}(?:enable[sd]|allows)\sme\sto\s(?:access|control)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann)\b/i
   body           __PAY_ME               /\b(?:pay\sme|(?:send\sme|transfer\sthe\samount\sof|den\sbetrag\svon)\s(?:[\d,'.]+\s?(?:usd|eur)|bitcoin))\b/i
   body           __YOUR_PASSWORD        /\byour\spassword\b/i
   body           __YOUR_WEBCAM          /\b(?:from|your)\swebcam\b/i
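Review bot: The re-enabled ReplaceTags form of `__MY_MALWARE` (the `body __MY_MALWARE` line inside `ifplugin`) and its plain fallback in the `else` branch no longer describe the same phrase: the tagged alternation has `<A><L><L><O><W>\s<M><E>`, which only matches "allow me", while the fallback has `allows\sme`, which only matches "allows me", so whether a given extortion wording contributes to `BITCOIN_EXTORT_01` now depends on whether the plugin is loaded. Aligning the tagged branch to `(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W><S>?)` would cover both forms in the obfuscation-aware path; the `<S>?` spelling mirrors the `<R>?` already used in `__YOUR_ONAN`, assuming ReplaceTags treats an optional tag that way. The German literals kept verbatim in the tagged branch (`Anwendung\s…` in `__MY_MALWARE`, `Ich\sgebe\sIhnen\s\d+\sStunden` in `__HOURS_DEADLINE`) are not tag-encoded, so character-substituted German variants still escape even with the plugin active; if that is deliberate, a one-line comment such as `# German phrases are literal: not yet seen obfuscated` above the block would save the next editor from "fixing" it.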
@@ -1976,7 +1976,7 @@ tflags         BITCOIN_SPAM_09  publish
   body           __YOUR_PERSONAL        /\byour\spersonal\s(?:info(?:rmation)?|data)\b/i
   body           __HOURS_DEADLINE       /\b(?:(?:give\syou|you\shave(?:\sonly|\sjust)?)(?:\sthe\slast)?\s\d+\shours|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden)\b/i
   body           __EXPLOSIVE_DEVICE     /\b(?:explosive\sdevice|bomb)\b/i
-# endif
+endif
 meta           BITCOIN_EXTORT_01      __BITCOIN_ID && (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE) > 2
 describe       BITCOIN_EXTORT_01      Extortion spam, pay via BitCoin
 score          BITCOIN_EXTORT_01      5.000	# limit