Posted to commits@spamassassin.apache.org by jh...@apache.org on 2009/09/16 15:40:26 UTC
svn commit: r815775 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_fillform.cf 20_lotsa_money.cf 20_misc_testing.cf
Author: jhardin
Date: Wed Sep 16 13:40:25 2009
New Revision: 815775
URL: http://svn.apache.org/viewvc?rev=815775&view=rev
Log:
Tweak fillform, add new stuff to lotsa_money and misc
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf?rev=815775&r1=815774&r2=815775&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf Wed Sep 16 13:40:25 2009
@@ -16,7 +16,7 @@
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Repetitive syntactic bits
- replace_tag FF_LNNO (?:(?:\d+[)}\]:.,]|\W?\(\d+\)|\W?\{\d+\}|\[\d+\]|\*{1,5}|\#{1,5})\s?)
+ replace_tag FF_LNNO (?:(?:\d+[)}\]:.,]|\W?\(\d+\)|\W?\{\d+\}|\[\d+\]|\*{1,5}|\#{1,5}|[A-K][)}\]:.,])\s?)
replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:your[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full\s?|complete\s|direct\s|private\s|valid\s|personal\s){0,3}
replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand\s)
replace_tag NUMBER (?:num(?:ber)?s?|nos?\.|no\b|\#s?|nbrs?\.?)
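Review bot: The new `[A-K][)}\]:.,]` alternative in `FF_LNNO` has no leading boundary, so it can match the last letter of an ordinary word followed by punctuation, not only a standalone list marker like `A)` or `B.`. If the rules that expand `<FF_LNNO>` are case-insensitive (they are outside this hunk, so this is unconfirmed), the `d.` in `and.` or the `e,` in `name,` would qualify as a line number. Writing it as `\b[A-K][)}\]:.,]` limits it to a single-letter token. A short comment above the tag giving example markers it should accept would also help later tuning.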
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=815775&r1=815774&r2=815775&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Wed Sep 16 13:40:25 2009
@@ -40,7 +40,7 @@
# The existing LOTTO rules should be updated if this works out
-body LOTTO_WINNINGS /(?:claim|transfer(?:\s\w+)?)\s(?:your|of)\s(?:win+ings?|money|(?:cash\s)?prize)/i
+body LOTTO_WINNINGS /(?:claim|transfer(?:\s\w+)?)\s(?:your|of|the)\s(?:win+ings?|money|(?:cash\s)?prize|award)/i
describe LOTTO_WINNINGS Claim your winnings
score LOTTO_WINNINGS 0.25
@@ -53,10 +53,10 @@
score LOTTO_YOU_WON_03 0.50
describe LOTTO_YOU_WON_04 You won!
-body __YOU_WON_04A /\byou\s(?:\w+\s)?w[io]n/i
-body __YOU_WON_04B /\bw[io]n\s(?:\w+\s)?you/i
+body __YOU_WON_04A /\byour?\s(?:\w+\s)?w[io]n\b/i
+body __YOU_WON_04B /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
meta LOTTO_YOU_WON_04 __YOU_WON_04A || __YOU_WON_04B
-score LOTTO_YOU_WON_04 0.20
+score LOTTO_YOU_WON_04 0.10
body LOTTO_AGENT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiduciary|fiducial|reimbursement|prize\stransfer|international\sremittance)\s?(?:agent|manager|officer)/i
describe LOTTO_AGENT Claims Agent
@@ -74,7 +74,7 @@
describe LOTTO_AGENT_RPLY Claims Agent
score LOTTO_AGENT_RPLY 0.50
-body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?mil+ions?|Canada|Microsoft|MSN|internet|mega|this)(?:\s\w+)?\s(?:lot(?:to|tery|erie)|sweepstake)/i
+body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?mil+ions?|Canada|Microsoft|MSN|internet|mega|jackpot|this)(?:\s\w+)?\s(?:lot(?:to|tery|erie)|sweepstake)/i
body __LOTTO_ADMITS_2 /\b(?:lot(?:to|tery|erie)|sweepstakes)\s(?:inter)?na[tz]ional/i
uri __LOTTO_ADMITS_3 /lottery/i
meta LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3
@@ -88,31 +88,38 @@
meta MONEY_LOTTERY LOTS_OF_MONEY && (LOTTO_WINNINGS + LOTTO_WIN_01 + LOTTO_YOU_WON_03 + LOTTO_YOU_WON_04 + LOTTO_AGENT + LOTTO_DEPT + LOTTO_AGENT_FM + LOTTO_AGENT_RPLY + LOTTO_ADMITS + LOTTO_RELATED + DEAR_WINNER > 1)
describe MONEY_LOTTERY Lots of money from a lottery
-body __DEAL /\b(?:business|financial|this|the|mutual)\s(?:deal|transaction|proposal)/i
+body __DEAL /\b(?:business|financial|this|the|mutual)\s(?:deal|transaction|proposal|offer)/i
body __HUSH_HUSH /\b(?:confidential(?:ity)?|private|secre(?:t|cy)|sensitive)\b/i
+body __IS_LEGAL /\bthis\s(?:deal|offer|transaction|proposal|exchange|arrangement)?\sis\s(?:(?:guaranteed|completely|absolutely|perfectly|100%)\s)?legal\b/i
+body __NOT_SCAM /\bnot\sa\sscam\b/i
+body __BACK_SCRATCH /\bmutual+y?\sbenefi(?:t|cial)\b/i
+body __LUCRATIVE /\blucrative\b/i
body __PCT_FOR_YOU_1 /\b(?:\d+|ten|[a-z]+teen|(?:twen|thir|fou?r)ty(?:-?[a-z]+)?)\s?(?:%|percent)[\s)]+(?:for|to|as)\syour?/i
body __PCT_FOR_YOU_2 /\b(?:give|offer)\syou\s(?:\d+|en|[a-z]+teen|(?:twen|thir|fou?r)ty(?:-?[a-z]+)?)\s?(?:%|percent)/i
meta PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2
describe PCT_FOR_YOU X% for you
-meta MONEY_DEAL LOTS_OF_MONEY && (__DEAL + __HUSH_HUSH + PCT_FOR_YOU + __FRAUD_IOU + __FRAUD_JYG > 2)
+meta MONEY_DEAL LOTS_OF_MONEY && (__DEAL + __HUSH_HUSH + PCT_FOR_YOU + __FRAUD_IOU + __FRAUD_JYG + __IS_LEGAL + __NOT_SCAM + __BACK_SCRATCH + __LUCRATIVE > 3)
describe MONEY_DEAL Lots of money in a suspicious deal
body __ATM_CARD /\b(?:your|the)\satm\scard/i
meta MONEY_ATM LOTS_OF_MONEY && __ATM_CARD
describe MONEY_ATM Lots of money on an ATM card
-score MONEY_ATM 0.1
+score MONEY_ATM 0.5
body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inheritance\b/i
body __I_INHERIT /\bI\s[a-z\s]{0,30}inherited\b/i
+body __THEY_INHERIT /\binherit\sth(?:e|is)\smoney\b/i
body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}\s(?:fortune|money)\s)?to\syou\b/i
body __NEXT_OF_KIN /\bnext\sof\skin\b/i
body __DECEASED /\bdeceased\s(?:client|customer)/i
body __DORMANT_ACCT /\bdormant\saccount/i
-meta MONEY_INHERIT LOTS_OF_MONEY && (__YOU_INHERIT || __I_INHERIT || __I_WILL_YOU || __NEXT_OF_KIN || __DECEASED || __DORMANT_ACCT)
+body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor)\b/i
+body __EARLY_DEMISE /\buntimely\sdeath\b/i
+meta MONEY_INHERIT LOTS_OF_MONEY && (__YOU_INHERIT || __I_INHERIT || __THEY_INHERIT || __I_WILL_YOU || __NEXT_OF_KIN || __DECEASED || __DORMANT_ACCT || __WILL_LEGAL || __EARLY_DEMISE)
describe MONEY_INHERIT Lots of money from a dead guy
-score MONEY_INHERIT 0.1
+score MONEY_INHERIT 0.2
body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?)\stransfer/i
body __CASHIERS_CHK /\bcashier'?s?\sche(?:ck|que)/i
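Review bot: In the added `__IS_LEGAL` rule the noun group is optional but the `\s` after it is not, so when the noun is absent the pattern needs two whitespace characters between `this` and `is`, and the plain phrase `this is legal` never matches. Moving the space inside the optional group fixes that: `/\bthis\s(?:(?:deal|offer|transaction|proposal|exchange|arrangement)\s)?is\s(?:(?:guaranteed|completely|absolutely|perfectly|100%)\s)?legal\b/i`. If the noun was meant to be required, drop the `?` after the group instead. Separately, the unchanged `__PCT_FOR_YOU_2` line has `en` where `__PCT_FOR_YOU_1` has `ten`, which looks like a typo that stops "give you ten percent" from matching.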
@@ -126,3 +133,19 @@
describe MONEY_INTL_BK Lots of money from an International Bank
score MONEY_INTL_BK 0.1
+body __BARRISTER /\bbarrister\b/i
+meta MONEY_BARRISTER LOTS_OF_MONEY && __BARRISTER
+describe MONEY_BARRISTER Lots of money from a British lawyer
+score MONEY_BARRISTER 0.2
+
+body __SCAM /\bscam\b/i
+body __UN /\bunited\snations?\b/i
+body __AFR_UNION /\bafrican\sunion\b/i
+body __COMPENSATION /\bcompensation\b/i
+body __FRAUD /\bfraud/i
+meta MONEY_FRAUD_COMP LOTS_OF_MONEY && __BARRISTER && (__SCAM || __FRAUD) && (__UN || __AFR_UNION) && __COMPENSATION
+describe MONEY_FRAUD_COMP Lots of money from a fraud compensation
+score MONEY_FRAUD_COMP 1.0
+
+
+
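Review bot: The new subrules `__SCAM`, `__UN`, `__FRAUD` and `__COMPENSATION` have very generic names, and SpamAssassin rule names share one namespace across every loaded `.cf` file. A same-named subrule defined in another sandbox or ruleset would silently replace one of these, or be replaced by it, changing what `MONEY_FRAUD_COMP` fires on. Prefixing them by purpose, for example `__FRAUD_COMP_UN` and `__FRAUD_COMP_SCAM`, avoids the collision. `MONEY_FRAUD_COMP` also requires `__BARRISTER`, which its description does not mention; a one-line comment such as `# barrister + UN/AU + scam/fraud compensation pitch` would record that the narrow conjunction is intentional.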
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=815775&r1=815774&r2=815775&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Sep 16 13:40:25 2009
@@ -27,7 +27,7 @@
#header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe MUA_ONE_WORD Single word X-Mailer: not CamelCase
-body DEAR_BENEFICIARY /^\s?(?:Dear\s|Attention:\s?)Beneficiary\b/i
+body DEAR_BENEFICIARY /^\s?(?:Dear\s|At+(?:ention|n):\s?)Beneficiary\b/i
describe DEAR_BENEFICIARY Dear Beneficiary:
body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:\s?)(?:E|Web)-?mail\sUser\b/i
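Review bot: `DEAR_EMAIL_USER` on the last context line still accepts only the literal `Attention:`, so the `Attn:` and doubled-`t` variants that `DEAR_BENEFICIARY` now covers are missed there. If the two salutation rules are meant to stay parallel, the same prefix applies: `/^\s?(?:Dear\s|At+(?:ention|n):\s?)(?:E|Web)-?mail\sUser\b/i`. Note that `At+(?:ention|n)` also accepts `Atn:` and `Atention:`; if that is deliberate for misspellings, a comment saying so would save a later reader from "fixing" it.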
@@ -57,16 +57,37 @@
# observed in spam 8/2009
-header MUA_EQ_ORG ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1/sm
-describe MUA_EQ_ORG X-Mailer: same as Organization:
+header __MUA_EQ_ORG_1 ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
+header __MUA_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
+meta MAILER_EQ_ORG __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
+describe MAILER_EQ_ORG X-Mailer: same as Organization:
+
+# observed in UCE 9/2009
+header __HDRS_LCASE ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to):/sm
+tflags __HDRS_LCASE multiple
+meta HDRS_LCASE __HDRS_LCASE > 2
+describe HDRS_LCASE Odd capitalization of multiple message headers
+
+# observed in spam 9/2009
+header HDRS_MISSP ALL =~ /\n(?:Subject|From):\S/ism
+describe HDRS_MISSP Misspaced headers
+
+header SPAMMY_MIME_BDRY_01 Content-Type =~ /boundary="\@\@BOUNDARY"/
+describe SPAMMY_MIME_BDRY_01 Spammy MIME boundary string
+score SPAMMY_MIME_BDRY_01 0.10
# testing
header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
-meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
-describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
+meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
+describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
# seen in a few HTML fraud spams
rawbody RUNON_SHY /(?:\­){3}/i
describe RUNON_SHY Repeating soft hyphens
score RUNON_SHY 0.1
+# Seen all too often
+header LAZY_LISTWASHING To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
+describe LAZY_LISTWASHING Lazy spammer, painfully obvious bogus addresses
+score LAZY_LISTWASHING 0.25
+
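Review bot: In `__MUA_EQ_ORG_1` and `__MUA_EQ_ORG_2` the second header name is not anchored to a line start, because `.*` under `/s` can stop anywhere in the header block. As a result `Organization: \1` also matches the tail of any longer header name ending in `Organization:`. Anchoring it keeps the comparison to the real header, e.g. `/\nX-Mailer: ([^\n]+)\n(?:.*\n)?Organization: \1\n/ism`, and likewise for `_2`. In `LAZY_LISTWASHING` the trailing `\b` is satisfied before a dot, so a recipient at a longer domain that merely starts with one of the listed names (the `example.com.au` shape) would hit. Replacing `\b` with `(?![\w.-])` ends the match at the end of the domain.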