Posted to commits@spamassassin.apache.org by jh...@apache.org on 2020/09/12 18:51:35 UTC

svn commit: r1881667 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Sat Sep 12 18:51:35 2020
New Revision: 1881667

URL: http://svn.apache.org/viewvc?rev=1881667&view=rev
Log:
Add rules for eval: long invisible text, work-from-home; FP avoidance tuning

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1881667&r1=1881666&r2=1881667&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Sep 12 18:51:35 2020
@@ -2265,7 +2265,7 @@ meta      GOOG_REDIR_HTML_ONLY
 describe  GOOG_REDIR_HTML_ONLY          Google redirect to obscure spamvertised website + HTML only
 score     GOOG_REDIR_HTML_ONLY          2.000	# limit
 
-
+rawbody   __LONG_INVIS_DIV              /<div\s+style\s*=\s*"(?:visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
 
 # low S/O, apparently lots of invisible ham...
 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
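Review bot: The new `__LONG_INVIS_DIV` rawbody rule on the `+` line only fires when `style` is the first attribute after `<div`, the quoted value is a single declaration with no trailing `;` (the `\s*">` tail), and the hidden content is 1400 characters containing no whitespace at all, so `<div class="x" style="display:none;">` followed by ordinary hidden prose is never matched. If that narrowness is deliberate (e.g. only encoded blobs), a comment above the rule should say so; otherwise the attribute-tolerant shape already used by the commented-out `__SPAN_INVIS` in the next hunk would be `rawbody   __LONG_INVIS_DIV              /<div\s[^>]{0,200}style\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden|display\s*:\s*none)\s*;?[^">]{0,80}">[^<]{1400}/i`. Dropping `\s` from the final character class widens the match to prose and should be re-checked for FPs in mass-check before the score is trusted. Also, if rawbody is evaluated one chunk at a time in this version, a 1400-character run split across chunks would not match — worth confirming against the rawbody chunking behaviour.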
@@ -2278,10 +2278,19 @@ if can(Mail::SpamAssassin::Conf::feature
   describe  HTML_TEXT_INVISIBLE_STYLE     HTML hidden text + other spam signs
   score     HTML_TEXT_INVISIBLE_STYLE     3.500   # limit
   tflags    HTML_TEXT_INVISIBLE_STYLE     publish
+
+  meta      __LONG_STY_INVIS              __STY_INVIS && __LONGLINE
+  meta      LONG_INVISIBLE_TEXT           __LONG_INVIS_DIV || __LONG_STY_INVIS
+else
+  meta      LONG_INVISIBLE_TEXT           __LONG_INVIS_DIV
 endif
 # try it on span tags only...
 # rawbody   __SPAN_INVIS                  /<span\s[^>]{0,200}style\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)[^>]{1,200}>\w/i
 
+describe  LONG_INVISIBLE_TEXT           Long block of hidden text - spam scan evasion?
+score     LONG_INVISIBLE_TEXT           3.000	# limit
+
+
 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
   # Lots of ham uses invisible fonts - WHY?
   rawbody   __FONT_INVIS                  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax|%))(?:\s[a-z]|\s*[;'])|color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
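Review bot: The `__LONG_STY_INVIS` and `LONG_INVISIBLE_TEXT` metas added inside the `if can(...feature_bug6558_free)` block carry no comment on why the `__STY_INVIS && __LONGLINE` form is gated while the div-only form in the `else` branch is not; the only nearby comment ("low S/O, apparently lots of invisible ham") refers to HTML_TEXT_INVISIBLE_STYLE. Suggest above the first added `meta`: `# LONG_INVISIBLE_TEXT: hidden-div rule always; add the __STY_INVIS && __LONGLINE form only where feature_bug6558_free is available (same gate as HTML_TEXT_INVISIBLE_STYLE above)`. `__STY_INVIS` and `__LONGLINE` are defined outside this hunk, so whether they are themselves gated on the same feature could not be checked here. The `describe`/`score` lines placed after `endif` correctly cover both branches.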
@@ -3083,18 +3092,41 @@ score      RCVD_DOTEDU_SUSP            2
 
 
 # bitcoin work-at-home spams 04/2020
-body       PERFECT_BINARY              /\bperfect binary option\b/i
-body       WE_PAID                     /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+ (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
-body       MAKE_XTRA_DOLLAR            /\bmake an extra dollar\b/i
-body       BONUS_LAST_DAY              /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
+body       __PERFECT_BINARY            /\bperfect binary option\b/i
+body       __WE_PAID                   /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
+body       __MAKE_XTRA_DOLLAR          /\bmake an extra dollar\b/i
+body       __BONUS_LAST_DAY            /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
+body       __PASSIVE_INCOME            /\bpassive income\b/i
+body       __WITHOUT_EFFORT            /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great)? effort\b/i
+body       __TRANSFORM_LIFE            /\b(transform|radically change) your (?:daily )?life\b/i
+body       __STAY_HOME                 /\b(?:going out of|leaving) your (?:home|house|residence)\b/i
+body       __RECEIVE_BONUS             /\byou(?:'ll )?(?:also |will )*(?:rec[ei]*ve|get|earn|be awarded) a (?:gift|bonus): \$[\d,]+/i
+
+meta       __WFH_01                    ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
+
+meta       __BITCOIN_WFH_01            __BITCOIN && __WFH_01
+meta       BITCOIN_WFH_01              __BITCOIN_WFH_01
+describe   BITCOIN_WFH_01              Work-from-Home + bitcoin
+
+meta       __TO_TOO_MANY_WFH_01        __TO_WAY_TOO_MANY && __WFH_01
+meta       TO_TOO_MANY_WFH_01          __TO_TOO_MANY_WFH_01
+describe   TO_TOO_MANY_WFH_01          Work-from-Home + many recipients
+
+meta       __FREEMAIL_WFH_01           (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
+meta       FREEMAIL_WFH_01             __FREEMAIL_WFH_01
+describe   FREEMAIL_WFH_01             Work-from-Home + freemail
+
 
 body       __4BYTE_UTF8_WORD           /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
 tflags     __4BYTE_UTF8_WORD           multiple maxhits=10
-meta       SUSP_UTF8_WORD_MANY         __4BYTE_UTF8_WORD > 9
+meta       __4BYTE_UTF8_WORD_3         __4BYTE_UTF8_WORD > 3
+meta       __4BYTE_UTF8_WORD_5         __4BYTE_UTF8_WORD > 5
+meta       __4BYTE_UTF8_WORD_9         __4BYTE_UTF8_WORD > 9
+meta       SUSP_UTF8_WORD_MANY         __4BYTE_UTF8_WORD_9
 describe   SUSP_UTF8_WORD_MANY         Many words using only suspicious UTF-8 characters
 score      SUSP_UTF8_WORD_MANY         3.000	# limit
 
-meta       SUSP_UTF8_WORD_COMBO        __4BYTE_UTF8_WORD && ( __JM_REACTOR_DATE || __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_2 ||  __TO___LOWER || __MSGID_OK_DIGITS )
+meta       SUSP_UTF8_WORD_COMBO        __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 ||  __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
 describe   SUSP_UTF8_WORD_COMBO        Words using only suspicious UTF-8 characters + other signs
 score      SUSP_UTF8_WORD_COMBO        3.000	# limit