You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by qu...@apache.org on 2005/05/09 06:50:39 UTC
svn commit: r169234 - in /spamassassin/trunk/rules: 20_html_tests.cf
20_uri_tests.cf 50_scores.cf 70_testing.cf
Author: quinlan
Date: Sun May 8 21:50:39 2005
New Revision: 169234
URL: http://svn.apache.org/viewcvs?rev=169234&view=rev
Log:
various rule promotions and deletions
Modified:
spamassassin/trunk/rules/20_html_tests.cf
spamassassin/trunk/rules/20_uri_tests.cf
spamassassin/trunk/rules/50_scores.cf
spamassassin/trunk/rules/70_testing.cf
Modified: spamassassin/trunk/rules/20_html_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_html_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_html_tests.cf (original)
+++ spamassassin/trunk/rules/20_html_tests.cf Sun May 8 21:50:39 2005
@@ -344,3 +344,6 @@
rawbody HTML_EHTML2 m'</html></html>'i
describe HTML_EHTML2 HTML has doubled end HTML tag
+# bug 3070
+rawbody HTML_TINY_FONT /\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i
+describe HTML_TINY_FONT body contains 1 or 0-point font
Modified: spamassassin/trunk/rules/20_uri_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_uri_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_uri_tests.cf (original)
+++ spamassassin/trunk/rules/20_uri_tests.cf Sun May 8 21:50:39 2005
@@ -165,3 +165,7 @@
# bug 678
uri DOMAIN_4U2 /[\@\.]\S{0,20}(?:[^0-9][42](?:yo)?u|for-*you)(?:[.-]\S{1,20})?\.(?:net|com|org|info)\b/
describe DOMAIN_4U2 Domain name containing a "4u" variant
+
+# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
+# not expecting any hits on this (yet)
+uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
Modified: spamassassin/trunk/rules/50_scores.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/50_scores.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/50_scores.cf (original)
+++ spamassassin/trunk/rules/50_scores.cf Sun May 8 21:50:39 2005
@@ -560,8 +560,9 @@
score GTUBE 1000.000
# we dare you
-score HEAD_LONG 2.5
score FRAGMENTED_MESSAGE 2.5
+score HEAD_LONG 2.5
+score HIGH_CODEPAGE_URI 2.5
score MISSING_HB_SEP 2.5
# HTML control test
Modified: spamassassin/trunk/rules/70_testing.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/70_testing.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/70_testing.cf (original)
+++ spamassassin/trunk/rules/70_testing.cf Sun May 8 21:50:39 2005
@@ -36,19 +36,9 @@
##########################################################################
-# 1.972 2.4562 0.2249 0.916 0.64 0.01 T_NORMAL_HTTP_TO_IP
-body T_NORMAL_HTTP_TO_IP eval:check_numeric_http()
-
# this doesn't hit a lot, but it's a definite obfuscation technique
uri T_HTTP_BAD_HOST_CHAR m@^https?://[^/]*[\000-\037\200-\377]@i
-# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
-# not expecting any hits on this (yet)
-uri T_HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
-
-header T_OBSOLETE_WS_FOLDING eval:check_msg_parse_flags('obsolete_folding_whitespace')
-describe T_OBSOLETE_WS_FOLDING Header uses obsolete whitespace folding method
-
########################################################################
# TVD: these should just get turned into obfu/int rules ala above
@@ -299,26 +289,6 @@
header T_HELO_DYNAMIC_HOME_NL X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i
########################################################################
-
-# bug 3661
-body T_HTML_INVIS_SPAN eval:html_test('span_invisible')
-body T_HTML_INVIS_TEXT eval:html_test('invisible_text')
-
-# another
-body T_HTML_DISPLAY_NONE eval:html_test('display_none')
-describe T_HTML_DISPLAY_NONE CSS style contains "display:none"
-
-body T_HTML_IMG_DISPLAY_NONE eval:html_test('img_display_none')
-describe T_HTML_IMG_DISPLAY_NONE image CSS style contains "display:none"
-
-# bug 3070
-# this might have high overlap with other rules, double-check
-# before promoting
-rawbody T_TINY_FONT_1 /\<.*font\-size\:[ \"]*1[^0-9]+.*\>/i
-describe T_TINY_FONT_1 body contains 1-point font
-
-rawbody T_TINY_FONT_0 /\<.*font\-size\:[ \"]*0[^0-9]+.*\>/i
-describe T_TINY_FONT_0 body contains 0-point font
uri T_HEX_ENCODED_HTTP_1 /(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i
rawbody T_HEX_ENCODED_HTTP_2 /(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i
Re: svn commit: r169234 - in /spamassassin/trunk/rules: 20_html_tests.cf 20_uri_tests.cf 50_scores.cf 70_testing.cf
Posted by Daniel Quinlan <qu...@pathname.com>.
Theo Van Dinter <fe...@kluge.net> writes:
> Shouldn't we just do this in the HTML parser? It'd be more efficient than
> parsing everything, then running a rawbody rule to go over the same bits.
Yes, we should, but we don't -- our CSS support is very lame and
incomplete.
Daniel
--
Daniel Quinlan
http://www.pathname.com/~quinlan/
Re: svn commit: r169234 - in /spamassassin/trunk/rules: 20_html_tests.cf 20_uri_tests.cf 50_scores.cf 70_testing.cf
Posted by Theo Van Dinter <fe...@kluge.net>.
On Mon, May 09, 2005 at 04:50:39AM -0000, quinlan@apache.org wrote:
> +# bug 3070
> +rawbody HTML_TINY_FONT /\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i
> +describe HTML_TINY_FONT body contains 1 or 0-point font
Shouldn't we just do this in the HTML parser? It'd be more efficient than
parsing everything, then running a rawbody rule to go over the same bits.
--
Randomly Generated Tagline:
Leela: Oh, Adelai, I've had a wonderful time today. No one's stared
at me, or avoided staring at me, or tried to burn me. You make me
feel so not weird.
Re: check_msg_parse_flags
Posted by Theo Van Dinter <fe...@kluge.net>.
On Sun, May 08, 2005 at 09:53:38PM -0700, Dan Quinlan wrote:
> > -header T_OBSOLETE_WS_FOLDING eval:check_msg_parse_flags('obsolete_folding_whitespace')
> > -describe T_OBSOLETE_WS_FOLDING Header uses obsolete whitespace folding method
>
> Theo - FYI, I nuked the rule (poor results), not sure if you want to
> remove the flag code.
>
> 0.002 0.0011 0.0049 0.181 0.41 0.01 T_HIGH_CODEPAGE_URI
Thanks. I commented out the code piece. :)
--
Randomly Generated Tagline:
I guess Bart's not to blame. He's lucky, too, because it's spanking
season, and I got a hankering for some spankering!
-- Homer Simpson
Two Dozen and One Greyhounds
check_msg_parse_flags
Posted by Daniel Quinlan <qu...@pathname.com>.
quinlan@apache.org writes:
> -header T_OBSOLETE_WS_FOLDING eval:check_msg_parse_flags('obsolete_folding_whitespace')
> -describe T_OBSOLETE_WS_FOLDING Header uses obsolete whitespace folding method
Theo - FYI, I nuked the rule (poor results), not sure if you want to
remove the flag code.
0.002 0.0011 0.0049 0.181 0.41 0.01 T_HIGH_CODEPAGE_URI
--
Daniel Quinlan
http://www.pathname.com/~quinlan/