Posted to commits@spamassassin.apache.org by jh...@apache.org on 2013/01/13 23:03:45 UTC
svn commit: r1432750 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_lotsa_money.cf 20_misc_testing.cf
Author: jhardin
Date: Sun Jan 13 22:03:44 2013
New Revision: 1432750
URL: http://svn.apache.org/viewvc?rev=1432750&view=rev
Log:
Tune LOTSA_MONEY and email phishing, more FP avoidance
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=1432750&r1=1432749&r2=1432750&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Sun Jan 13 22:03:44 2013
@@ -193,7 +193,7 @@ describe DECEASED_NO_ML Dead not via m
body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
body __BANK_DRAFT /\bbank\sdraft/i
-body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|t)?|release|repatriate|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[ea]|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:sums?\sof\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|argent)\b/i
+body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriate|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:sums?\sof\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
body __TO_YOUR_ACCT /\b(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)\s(?:to|para|en)\s(?:your|sua|votre)\s(?:account|conta|pos+es+ion)/i
body __PAY_YOU /\bpay\syou\b/
body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1432750&r1=1432749&r2=1432750&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Jan 13 22:03:44 2013
@@ -362,7 +362,7 @@ meta TO_IN_SUBJ __SU
describe TO_IN_SUBJ To address is in Subject
meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
-meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH
+meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER
describe TO_EQ_FM_HTML_ONLY To == From and HTML only
#tflags TO_EQ_FM_HTML_ONLY publish
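Review bot: The `!__FROM_LOWER` term added to the TO_EQ_FM_HTML_ONLY meta is an exclusion with no recorded rationale. Judging only by its name (its definition is outside this hunk), it tests a From-header property that the sender chooses. Every negated term of that kind is also a way for spam to drop out of the rule, so the trade-off deserves a comment above the meta, for example `# !__FROM_LOWER: FP avoidance from masscheck; re-check S/O if the hit rate drops`. The same applies to the `!__FROM_LOWER` and `!__NOT_A_PERSON` terms added to TO_EQ_FM_DOM_HTML_ONLY in the next hunk.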
@@ -395,7 +395,7 @@ meta __TO_EQ_FROM_DOM (__T
describe __TO_EQ_FROM_DOM To: domain same as From: domain
meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
-meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !ALL_TRUSTED && !__MIME_QP && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__RCD_RDNS_MAIL_MESSY && !__FM_TO_ALL_NUMS
+meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !ALL_TRUSTED && !__MIME_QP && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__RCD_RDNS_MAIL_MESSY && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON
describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
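Review bot: The three subrules appended to TO_EQ_FM_DOM_HTML_ONLY (`__FROM_LOWER`, `__LOCAL_PP_NONPPURL`, `__NOT_A_PERSON`) are referenced unconditionally, and none of them is defined in the visible lines. If any of them is defined inside an `ifplugin` block elsewhere, this meta would carry an undefined dependency on installs without that plugin. The later EMAIL_URI_PHISH hunk guards against exactly that for `__REMOTE_IMAGE` with its own `ifplugin`/`else`. It is worth confirming with `spamassassin --lint` on a configuration that has the relevant plugins disabled, and adding the same guard here if a warning appears.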
@@ -992,10 +992,10 @@ score FROM_MISSP_PHISH 4.75 #
uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i
body __WEBMAIL_ACCT /\byour web ?mail account/i
-body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit|quota))|over your mail\s?box (?:size )?(?:limit|quota)|sua conta de (?:e-?|web ?)mail excedeu sua limite)\b/i
+body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit|quota))|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua conta de (?:e-?|web ?)mail excedeu sua limite)\b/i
body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here)\b/i
body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:validate|confirm)(?:\S?(?:increase|raise))? your (?:mail\s?box|(?:e-?)?mail quota)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej)\b/i
-body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualize sua caixa de correio|click (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below) to (?:complete|finish|increase) (?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit)))\b/i
+body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualize sua caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit)))\b/i
body __LOCK_MAILBOX /\b(?:(?:deactivate|lock|lose access to) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|conta de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) desativado|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de correio|tw(?:=F3|[\xf3])j konto zostalo ograniczone)\b/i
body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade) team|message from administrator|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
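Review bot: In the new `__UPGR_MAILBOX`, making the verb group optional (`(?:(?:complete|finish|increase) )?`) lets the last alternative match a bare "click here to update" or "click below link to upgrade" with no mail or mailbox term after it, because `up(?:date|grade)` is followed only by `\b`. That wording is common in ordinary account and newsletter mail, so the subrule probably fires more widely than before. How much that matters depends on the metas that consume it, which are outside this hunk. Consider keeping the verb optional only on the `mail(?:\s?box)? (?:size|quota|limit)` branch, or requiring a mail/mailbox noun after `up(?:date|grade)`. A short comment above each of these body rules listing the phrasings it is meant to catch would also make later tuning of the long alternations safer.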
@@ -1020,7 +1020,11 @@ describe URI_GOOGLE_DOCS URI for
score URI_GOOGLE_DOCS 1.00 # limit
meta __EMAIL_URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && __EMAIL_PHISH
-meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE
+else
+ meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
+endif
score EMAIL_URI_PHISH 3.00 # limit
describe EMAIL_URI_PHISH Email account phishing using web form
tflags EMAIL_URI_PHISH publish # Force publication - very good S/O, hits mainly <= 3 points
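Review bot: The `ifplugin`/`else` block repeats the whole fourteen-term EMAIL_URI_PHISH expression in both branches, differing only in the trailing `!__REMOTE_IMAGE`. The next FP exclusion added to one copy and not the other will silently make the rule behave differently depending on whether MIMEHeader is loaded. Putting the shared terms in one sub-meta and keeping only the plugin-dependent term inside the conditional removes that drift risk. The name `__EMAIL_URI_PHISH_COMMON` below is a proposed new subrule, not one that exists in the file.

```conf
meta __EMAIL_URI_PHISH_COMMON __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
 meta EMAIL_URI_PHISH __EMAIL_URI_PHISH_COMMON && !__REMOTE_IMAGE
else
 meta EMAIL_URI_PHISH __EMAIL_URI_PHISH_COMMON
endif
# … unchanged: score / describe / tflags lines for EMAIL_URI_PHISH …
```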