You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@spamassassin.apache.org by jh...@apache.org on 2016/09/05 16:22:26 UTC

svn commit: r1759330 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Mon Sep  5 16:22:26 2016
New Revision: 1759330

URL: http://svn.apache.org/viewvc?rev=1759330&view=rev
Log:
FROM_FULLN_URL doesn't pan out; tweak URI_DATA

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1759330&r1=1759329&r2=1759330&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Mon Sep  5 16:22:26 2016
@@ -1169,8 +1169,8 @@ score       URI_MALWARE_BH     1.0	# lim
 # suggested by https://isc.sans.edu/diary.html?storyid=13996
 uri         __URI_DATA         /^data:[a-z]/i
 meta        URI_DATA           __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH 
-describe    URI_DATA           "data:" URI : possible malware or phish
-score       URI_DATA           2.500	# limit
+describe    URI_DATA           "data:" URI - possible malware or phish
+score       URI_DATA           3.250	# limit
 tflags      URI_DATA           publish
 
 
@@ -2202,10 +2202,11 @@ score      MIMEOLE_DIRECT_TO_MX        2
 
 # suggested 9/2016 by ChipM in personal email
 # would be a LOT nicer if rules could use other rules' captures
-full       __FROM_FULLN_URL            m;^From:\s+"?([a-z]+)\s([a-z]+)\b.*?https?://[^/]+/\1[_.]\2\b;ism
-meta       FROM_FULLN_URL              __FROM_FULLN_URL && !__THREADED 
-describe   FROM_FULLN_URL              From address full name is in body URL - possible phishing
-score      FROM_FULLN_URL              2.000	# limit
+# terrible S/O
+#full       __FROM_FULLN_URL            m;^From:\s+"?([a-z]+)\s([a-z]+)\b.*?https?://[^/]+/\1[_.]\2\b;ism
+#meta       FROM_FULLN_URL              __FROM_FULLN_URL && !__THREADED 
+#describe   FROM_FULLN_URL              From address full name is in body URL - possible phishing
+#score      FROM_FULLN_URL              2.000	# limit