Posted to commits@spamassassin.apache.org by jh...@apache.org on 2021/01/24 17:37:53 UTC

svn commit: r1885884 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Sun Jan 24 17:37:53 2021
New Revision: 1885884

URL: http://svn.apache.org/viewvc?rev=1885884&view=rev
Log:
Various rule tweaks

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1885884&r1=1885883&r2=1885884&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Jan 24 17:37:53 2021
@@ -125,6 +125,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
   mimeheader   __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|pdf)\.(?:ace|zip|7z|rar)[";$]/i
   meta         MALW_ATTACH         __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
   describe     MALW_ATTACH         Attachment filename suspicious, probable malware exploit
+  tflags       MALW_ATTACH         publish
 
   mimeheader   __ISO_ATTACH        Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
   mimeheader   __ISO_ATTACH_MT     Content-Type =~ m,\bapplication/x-iso9660-image\b,i
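Review bot: Publishing `MALW_ATTACH` ships its sub-rule patterns as they stand, and the terminator `[";$]` on the `__MALW_ATTACH_02_02` context line does not anchor at the end of the value, because `$` inside a character class is a literal dollar sign. An unquoted `name=` parameter that ends the header value would therefore not match, unless the value is presented with one of those three characters after it, which should be confirmed. If end-of-value was intended, `(?:[";]|$)` expresses it. The same class appears in `__ISO_ATTACH` in this hunk and in `__PHISH_ATTACH_01_02` in the next hunk, where `PHISH_ATTACH` is published as well.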
@@ -136,6 +137,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
   mimeheader   __PHISH_ATTACH_01_02  Content-Type =~ /\bname="?[^"]*(?:\.pdf)\.(?:html)[";$]/i
   meta         PHISH_ATTACH          __PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02
   describe     PHISH_ATTACH          Attachment filename suspicious, probable phishing
+  tflags       PHISH_ATTACH          publish
 
 else
   meta         __HTML_ATTACH_01    0
@@ -1376,9 +1378,9 @@ tflags      GOOGLE_DOC_SUSP      publish
 
 meta        __URI_PHISH    __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR 
+  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT 
 else
-  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR 
+  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT 
 endif
 describe    URI_PHISH            Phishing using web form
 score       URI_PHISH            4.00   # limit
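Review bot: The `!__RCVD_DOTGOV_EXT` exclusion had to be added to both `meta URI_PHISH` lines because the two branches repeat the same long expression and differ only in `!__REMOTE_IMAGE`, so the copies can drift apart whenever a term is added to one and not the other. The shared terms could live in one sub-rule defined before the `ifplugin`, for example `meta __URI_PHISH_COMMON __URI_PHISH && !ALL_TRUSTED && … && !__RCVD_DOTGOV_EXT` (the name is only a suggestion), leaving `meta URI_PHISH __URI_PHISH_COMMON && !__REMOTE_IMAGE` in the plugin branch and `meta URI_PHISH __URI_PHISH_COMMON` in the `else`. The definition of `__RCVD_DOTGOV_EXT` is not visible in this hunk. Since it now switches a phishing rule off, a short comment should state what it matches and confirm that it relies only on Received data added by trusted relays rather than on headers the sender controls.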
@@ -3530,6 +3532,10 @@ score      URI_FIREBASEAPP             3
 tflags     URI_FIREBASEAPP             publish
 
 uri        __URI_AZURE_CLOUDAPP        m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
+meta       URI_AZURE_CLOUDAPP          __URI_AZURE_CLOUDAPP && !__HDR_RCVD_GOOGLE && !__CTYPE_CHARSET_QUOTED 
+describe   URI_AZURE_CLOUDAPP          Link to hosted azure web application, possible phishing
+score      URI_AZURE_CLOUDAPP          3.000	# limit
+tflags     URI_AZURE_CLOUDAPP          publish
 
 
 # seen in a few spams
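Review bot: `URI_AZURE_CLOUDAPP` fires on the hosting domain alone, with a score limit of 3.000 and `publish`. Its meta carries no phishing indicator of the kind `__URI_PHISH` requires (`__EMAIL_PHISH || __ACCT_PHISH`), although the description says "possible phishing". Legitimate mail linking to an application hosted under cloudapp.azure.com will hit unless one of the two exclusions applies, and nothing here says why `!__HDR_RCVD_GOOGLE` and `!__CTYPE_CHARSET_QUOTED` were chosen. A comment above the meta should record that, for example `# exclusions taken from masscheck FP review` if that is where they come from. Separately, the `__URI_AZURE_CLOUDAPP` pattern on the context line requires a `/` straight after the hostname, so a link carrying a port or no path would be missed unless URIs are normalised before matching, which should be confirmed.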
@@ -3540,14 +3546,17 @@ meta       __PHISH_FBASE_01            (
 meta       PHISH_FBASEAPP              __PHISH_FBASE_01
 describe   PHISH_FBASEAPP              Probable phishing via hosted web app
 score      PHISH_FBASEAPP              3.000	# limit
+tflags     PHISH_FBASEAPP              publish
 
 meta       __UNDISC_MONEY              __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
-meta       UNDISC_MONEY                __UNDISC_MONEY && !__VIA_ML
+meta       UNDISC_MONEY                __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
 describe   UNDISC_MONEY                Undisclosed recipients + money/fraud signs
+tflags     UNDISC_MONEY                publish
 
 meta       __UNDISC_FREEM              __TO_UNDISCLOSED && __freemail_replyto 
 meta       UNDISC_FREEM                __UNDISC_FREEM
 describe   UNDISC_FREEM                Undisclosed recipients + freemail reply-to
+tflags     UNDISC_FREEM                publish
 
-header     __REPTO_LONG                Reply-To:addr =~ /[^@]{20,}@/
+header     __REPTO_LONG                Reply-To:addr =~ /[a-z]{20,}\d*@/