You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by fe...@apache.org on 2006/04/14 05:59:34 UTC
svn commit: r394012 -
/spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf
Author: felicity
Date: Thu Apr 13 20:59:32 2006
New Revision: 394012
URL: http://svn.apache.org/viewcvs?rev=394012&view=rev
Log:
more phishing work
Modified:
spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf
Modified: spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf
URL: http://svn.apache.org/viewcvs/spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf?rev=394012&r1=394011&r2=394012&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf (original)
+++ spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf Thu Apr 13 20:59:32 2006
@@ -115,11 +115,11 @@
# 0.102 0.1226 0.0000 1.000 0.79 0.01 T_TVD_PH_SUBJ_SEC_MEASURES
# 0.095 0.1144 0.0000 1.000 0.71 0.01 T_TVD_PH_SUBJ_UPDATE
# 0.180 0.2165 0.0000 1.000 0.86 0.01 T_TVD_PH_SUBJ_URGENT
-header TVD_PH_SUBJ_ACCOUNTS_PRE Subject =~ /\baccounts? (?:[a-z_,-]+ )*(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|security|updated?|verifications?)\b/i
-header TVD_PH_SUBJ_SEC_MEASURES Subject =~ /\bsecurity (?:[a-z_,-]+ )*measures?\b/i
-header TVD_PH_SUBJ_UPDATE Subject =~ /\bupdate (?:[a-z_,-]+ )*(?:access|credit|records?|info(?:rmation)?)\b/i
+header TVD_PH_SUBJ_ACCOUNTS_PRE Subject =~ /\baccounts? (?:[a-z_,-]+ )*?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|security|updated?|verifications?|confirm[a-z]+)\b/i
+header TVD_PH_SUBJ_SEC_MEASURES Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i
+header TVD_PH_SUBJ_UPDATE Subject =~ /\bupdate (?:[a-z_,-]+ )*?(?:access|credit|records?|info(?:rmation)?)\b/i
header TVD_PH_SUBJ_URGENT Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
-header TVD_PH_SUBJ_ACCOUNTS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*accounts?\b/i
+header TVD_PH_SUBJ_ACCOUNTS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
meta TVD_PH_SUBJ_META_ALL TVD_PH_SUBJ_META || TVD_PH_SUBJ_ACCOUNTS_PRE || TVD_PH_SUBJ_SEC_MEASURES || TVD_PH_SUBJ_UPDATE || TVD_PH_SUBJ_URGENT || TVD_PH_SUBJ_ACCOUNTS_POST
@@ -128,23 +128,18 @@
# Look for lesser matched REs and meta them together
# 0.251 0.3023 0.0000 1.000 1.00 0.01 T_TVD_PH_SUBJ_META
-meta TVD_PH_SUBJ_META __TVD_PH_BODY_01 || __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_01 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
+meta TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
-body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
-# avoid FP by requiring at least one word between the words, makes it not able
-# to be part of TVD_PH_SUBJ_UPDATE which doesn't require a word in between
-header __TVD_PH_SUBJ_01 Subject =~ /\bupdate (?:[a-z_,-]+ )+accounts?\b/i
-
header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
-header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*to(?:morrow|day)\b/i
+header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
-header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*changes\b/i
-header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*bank\b/i
+header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
+header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
-header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*verification\b/i
+header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
@@ -154,5 +149,21 @@
header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
-header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*member\b/i
-header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*access\b/i
+header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
+header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
+
+########################################################################
+
+meta TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
+meta TVD_PH_BODY_META_ALL TVD_PH_BODY_META || TVD_PH_BODY_ACCOUNTS_PRE || TVD_PH_BODY_ACCOUNTS_POST
+body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
+body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
+body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
+body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
+body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
+body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
+body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
+body __TVD_PH_BODY_08 /\bmultiple password failures/i
+
+body TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
+body TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:re-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i