You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@spamassassin.apache.org by qu...@apache.org on 2005/05/09 06:50:39 UTC

svn commit: r169234 - in /spamassassin/trunk/rules: 20_html_tests.cf 20_uri_tests.cf 50_scores.cf 70_testing.cf

Author: quinlan
Date: Sun May  8 21:50:39 2005
New Revision: 169234

URL: http://svn.apache.org/viewcvs?rev=169234&view=rev
Log:
various rule promotions and deletions

Modified:
    spamassassin/trunk/rules/20_html_tests.cf
    spamassassin/trunk/rules/20_uri_tests.cf
    spamassassin/trunk/rules/50_scores.cf
    spamassassin/trunk/rules/70_testing.cf

Modified: spamassassin/trunk/rules/20_html_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_html_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_html_tests.cf (original)
+++ spamassassin/trunk/rules/20_html_tests.cf Sun May  8 21:50:39 2005
@@ -344,3 +344,6 @@
 rawbody   HTML_EHTML2         m'</html></html>'i
 describe  HTML_EHTML2         HTML has doubled end HTML tag
 
+# bug 3070
+rawbody HTML_TINY_FONT	/\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i
+describe HTML_TINY_FONT	body contains 1 or 0-point font

Modified: spamassassin/trunk/rules/20_uri_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_uri_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_uri_tests.cf (original)
+++ spamassassin/trunk/rules/20_uri_tests.cf Sun May  8 21:50:39 2005
@@ -165,3 +165,7 @@
 # bug 678
 uri DOMAIN_4U2			/[\@\.]\S{0,20}(?:[^0-9][42](?:yo)?u|for-*you)(?:[.-]\S{1,20})?\.(?:net|com|org|info)\b/
 describe DOMAIN_4U2		Domain name containing a "4u" variant
+
+# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
+# not expecting any hits on this (yet)
+uri HIGH_CODEPAGE_URI	/^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i

Modified: spamassassin/trunk/rules/50_scores.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/50_scores.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/50_scores.cf (original)
+++ spamassassin/trunk/rules/50_scores.cf Sun May  8 21:50:39 2005
@@ -560,8 +560,9 @@
 score GTUBE 1000.000
 
 # we dare you
-score HEAD_LONG 2.5
 score FRAGMENTED_MESSAGE 2.5
+score HEAD_LONG 2.5
+score HIGH_CODEPAGE_URI 2.5
 score MISSING_HB_SEP 2.5
 
 # HTML control test

Modified: spamassassin/trunk/rules/70_testing.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/70_testing.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/70_testing.cf (original)
+++ spamassassin/trunk/rules/70_testing.cf Sun May  8 21:50:39 2005
@@ -36,19 +36,9 @@
 
 ##########################################################################
 
-# 1.972   2.4562   0.2249    0.916   0.64    0.01  T_NORMAL_HTTP_TO_IP
-body T_NORMAL_HTTP_TO_IP	eval:check_numeric_http()
-
 # this doesn't hit a lot, but it's a definite obfuscation technique
 uri T_HTTP_BAD_HOST_CHAR	m@^https?://[^/]*[\000-\037\200-\377]@i
 
-# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
-# not expecting any hits on this (yet)
-uri T_HIGH_CODEPAGE_URI         /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
-
-header T_OBSOLETE_WS_FOLDING	eval:check_msg_parse_flags('obsolete_folding_whitespace')
-describe T_OBSOLETE_WS_FOLDING	Header uses obsolete whitespace folding method
-
 ########################################################################
 
 # TVD: these should just get turned into obfu/int rules ala above
@@ -299,26 +289,6 @@
 header T_HELO_DYNAMIC_HOME_NL  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i
 
 ########################################################################
-
-# bug 3661
-body T_HTML_INVIS_SPAN	eval:html_test('span_invisible')
-body T_HTML_INVIS_TEXT	eval:html_test('invisible_text')
-
-# another
-body T_HTML_DISPLAY_NONE	eval:html_test('display_none')
-describe T_HTML_DISPLAY_NONE	CSS style contains "display:none"
-
-body T_HTML_IMG_DISPLAY_NONE	eval:html_test('img_display_none')
-describe T_HTML_IMG_DISPLAY_NONE	image CSS style contains "display:none"
-
-# bug 3070
-# this might have high overlap with other rules, double-check
-# before promoting
-rawbody T_TINY_FONT_1	/\<.*font\-size\:[ \"]*1[^0-9]+.*\>/i
-describe T_TINY_FONT_1	body contains 1-point font
-
-rawbody T_TINY_FONT_0	/\<.*font\-size\:[ \"]*0[^0-9]+.*\>/i
-describe T_TINY_FONT_0	body contains 0-point font
 
 uri T_HEX_ENCODED_HTTP_1	/(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i
 rawbody T_HEX_ENCODED_HTTP_2	/(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i

Re: svn commit: r169234 - in /spamassassin/trunk/rules: 20_html_tests.cf 20_uri_tests.cf 50_scores.cf 70_testing.cf

Posted by Daniel Quinlan <qu...@pathname.com>.

Theo Van Dinter <fe...@kluge.net> writes:

> Shouldn't we just do this in the HTML parser?  It'd be more efficient than
> parsing everything, then running a rawbody rule to go over the same bits.

Yes, we should, but we don't -- our CSS support is very lame and
incomplete.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/

Re: svn commit: r169234 - in /spamassassin/trunk/rules: 20_html_tests.cf 20_uri_tests.cf 50_scores.cf 70_testing.cf

Posted by Theo Van Dinter <fe...@kluge.net>.

On Mon, May 09, 2005 at 04:50:39AM -0000, quinlan@apache.org wrote:
> +# bug 3070
> +rawbody HTML_TINY_FONT	/\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i
> +describe HTML_TINY_FONT	body contains 1 or 0-point font

Shouldn't we just do this in the HTML parser?  It'd be more efficient than
parsing everything, then running a rawbody rule to go over the same bits.

-- 
Randomly Generated Tagline:
 Leela: Oh, Adelai, I've had a wonderful time today. No one's stared 
  at me, or avoided staring at me, or tried to burn me. You make me 
  feel so not weird.

Re: check_msg_parse_flags

Posted by Theo Van Dinter <fe...@kluge.net>.

On Sun, May 08, 2005 at 09:53:38PM -0700, Dan Quinlan wrote:
> > -header T_OBSOLETE_WS_FOLDING	eval:check_msg_parse_flags('obsolete_folding_whitespace')
> > -describe T_OBSOLETE_WS_FOLDING	Header uses obsolete whitespace folding method
> 
> Theo - FYI, I nuked the rule (poor results), not sure if you want to
> remove the flag code.
> 
>   0.002   0.0011   0.0049    0.181   0.41    0.01  T_HIGH_CODEPAGE_URI

Thanks.  I commented out the code piece. :)

-- 
Randomly Generated Tagline:
I guess Bart's not to blame.  He's lucky, too, because it's spanking
 season, and I got a hankering for some spankering!
 
 		-- Homer Simpson
 		   Two Dozen and One Greyhounds

check_msg_parse_flags

Posted by Daniel Quinlan <qu...@pathname.com>.

quinlan@apache.org writes:

> -header T_OBSOLETE_WS_FOLDING	eval:check_msg_parse_flags('obsolete_folding_whitespace')
> -describe T_OBSOLETE_WS_FOLDING	Header uses obsolete whitespace folding method

Theo - FYI, I nuked the rule (poor results), not sure if you want to
remove the flag code.

  0.002   0.0011   0.0049    0.181   0.41    0.01  T_HIGH_CODEPAGE_URI

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/