Posted to commits@spamassassin.apache.org by jh...@apache.org on 2012/11/30 22:50:23 UTC
svn commit: r1415861 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_MIME_no_text.cf 20_misc_testing.cf
Author: jhardin
Date: Fri Nov 30 21:50:22 2012
New Revision: 1415861
URL: http://svn.apache.org/viewvc?rev=1415861&view=rev
Log:
More FP avoidance in FROM_MISSP* rules
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_MIME_no_text.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_MIME_no_text.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_MIME_no_text.cf?rev=1415861&r1=1415860&r2=1415861&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_MIME_no_text.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_MIME_no_text.cf Fri Nov 30 21:50:22 2012
@@ -5,7 +5,9 @@
# These should be generally useful to other rules as well
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
-header __XM_PHP X-Mailer =~ /^PHP\s?v?\/?\d\./
+header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
+header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
+meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
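Review bot: `__PHP_MUA` is defined here without any comment on its intended use, and this commit uses it in opposite directions. It is a spam indicator in `MIME_PHP_NO_TEXT` and an exclusion in the FROM_MISSP* metas in 20_misc_testing.cf. X-Mailer is supplied by the sender, so the exclusion use only holds while spam does not carry the same value. I would add a comment above the definition, e.g. `# sender-supplied header; also used as an FP exclusion by FROM_MISSP* in 20_misc_testing.cf - recheck S/O before promoting`.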
@@ -14,7 +16,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
score MIME_NO_TEXT 2.00 # limit
describe MIME_NO_TEXT No text body parts
- meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __XM_PHP)
+ meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
#score MIME_PHP_NO_TEXT 2.00
describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1415861&r1=1415860&r2=1415861&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Fri Nov 30 21:50:22 2012
@@ -80,6 +80,9 @@ describe DEAR_EMAIL_USER
uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains
+# various MUAs
+header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
+header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
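Review bot: `__PHP_NOVER_MUA` and `__PHPMAILER_MUA` are added here, but no meta in the visible hunks references them. The `__PHP_MUA` meta in 20_MIME_no_text.cf also does not cover the bare `PHP` value that `__PHP_NOVER_MUA` matches. If they are meant as FROM_MISSP* exclusions, they still need to be added to those metas. If they are only collecting hit rates, a comment such as `# not referenced by any meta yet; tracking hits only` under `# various MUAs` would make that clear.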
@@ -87,9 +90,13 @@ header __FROM_MISSPACED Fro
# legit mailers known to misspace from
header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
+header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
+header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
+header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
+
# meta with some stuff to reduce FPs
-meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA
+meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSPACED From: missing whitespace
score FROM_MISSPACED 2.00
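Review bot: The same four exclusions (`!__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA`) are appended by hand to `FROM_MISSPACED` here and again to `FROM_MISSP_EH_MATCH`, `FROM_MISSP_URI` and `FROM_MISSP_DKIM` in the later hunks, so the lists can drift apart on the next addition. One sub-rule would keep them in step: `meta __FROM_MISSP_OK_MUA __MTLANDROID_MUA || __XEROXWORKCTR_MUA || __PHP_MUA || __AMADEUSMS_MUA || __FLASHMAIL_MUA`, with each meta ending in `&& !__FROM_MISSP_OK_MUA`. That also gives a single place to note that every entry matches a sender-supplied X-Mailer value, so a message claiming one of these mailers skips all four 2.00-point rules.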
@@ -109,12 +116,12 @@ ifplugin Mail::SpamAssassin::Plugin::SPF
endif
meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __ENV_AND_HDR_FROM_MATCH
-meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA
+meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
score FROM_MISSP_EH_MATCH 2.00 # max
meta __FROM_MISSP_URI __FROM_RUNON_UNCODED && __HAS_ANY_URI
-meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA
+meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_URI From misspaced, has URI
score FROM_MISSP_URI 2.00 # max
@@ -127,9 +134,9 @@ describe FROM_MISSP_NO_TO Fro
meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
-meta __FROM_MISSP_DKIM (__FROM_RUNON && __DKIM_DEPENDABLE)
+meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
tflags __FROM_MISSP_DKIM net
-meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA
+meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_DKIM From misspaced, DKIM dependable
meta __FROM_MISSP_REPLYTO __FROM_RUNON && __REPLYTO_EXISTS
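Review bot: The base of `__FROM_MISSP_DKIM` changes from `__FROM_RUNON` to `__FROM_RUNON_UNCODED`, which narrows the rule independently of the new MUA exclusions. `FROM_MISSP_TO_UNDISC` and `__FROM_MISSP_REPLYTO` in the same hunk still use `__FROM_RUNON`. Neither sub-rule's definition is visible here, so whether the difference is deliberate cannot be confirmed from the diff. A comment above the meta would record the intent, e.g. `# deliberately uses __FROM_RUNON_UNCODED; the TO_UNDISC and REPLYTO variants still use __FROM_RUNON`.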
@@ -854,9 +861,10 @@ score SUBJ_OBFU_PUNCT_MANY 1.750
# Hewlett-Packard Officejet Location: machine location not set
# Xerox WorkCentre
# See http://isc.sans.edu/diary.html?storyid=11848#comment
-body __SCANNED_HP /(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: a)? (?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)/i
-meta SCANNED_EXTERNAL __SCANNED_HP && !ALL_TRUSTED
+body __SCANNED /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i
+meta SCANNED_EXTERNAL __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA
describe SCANNED_EXTERNAL "Scanned Document" email from external source - malware?
+score SCANNED_EXTERNAL 3.00 # limit
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# real estate / stock scam spams 11/2011
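Review bot: In the new `__SCANNED` pattern, `|Xerox\b` sits at the top level of the outer group, so the bare word "Xerox" anywhere in a body from an untrusted source now hits `SCANNED_EXTERNAL` at the newly added 3.00 score. The same regrouping moves the `Hewlet+-Packard Officejet Location: machine location not set` alternative behind the "scanned … using / Scan from" prefix, so that string no longer matches on its own as it did in `__SCANNED_HP`. If the intent was "using a(n) HP Officejet or Xerox", the grouping would be `/\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Xerox\b)|Hewlet+-Packard Officejet Location: machine location not set)/i`. Separately, `!__XEROXWORKCTR_MUA` is keyed on a sender-supplied X-Mailer, so a lure that sets that header is exempted from the rule. Some corroboration beyond `!ALL_TRUSTED` would be worth considering before the rule is promoted.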