Posted to commits@spamassassin.apache.org by jh...@apache.org on 2020/08/25 19:43:12 UTC
svn commit: r1881194 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Tue Aug 25 19:43:12 2020
New Revision: 1881194
URL: http://svn.apache.org/viewvc?rev=1881194&view=rev
Log:
More invisible-font rule tweaks and FP avoidance tuning
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1881194&r1=1881193&r2=1881194&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Tue Aug 25 19:43:12 2020
@@ -2285,7 +2285,8 @@ if can(Mail::SpamAssassin::Conf::feature
tflags __WORD_INVIS multiple maxhits=6
meta __WORD_INVIS_5 __WORD_INVIS > 5
- meta FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
+ meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
+ meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__RDNS_LONG
describe FONT_INVIS_LONG_LINE Invisible text + long lines
score FONT_INVIS_LONG_LINE 3.000 # limit
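Review bot: The new `!__RDNS_LONG` exclusion on `FONT_INVIS_LONG_LINE` carries no comment recording which ham it was added for, so a later maintainer cannot judge when it is safe to tighten or drop. The same applies to the exclusion lists added to `FONT_INVIS_MSGID`, `FONT_INVIS_DIRECT`, `FONT_INVIS_DOTGOV`, `HTML_SINGLET_MANY` and `AC_POST_EXTRAS` in the following hunks. I would put a one-line comment above each scored meta, for example `# FP avoidance: <ham source or masscheck reference>`, with the placeholder filled in by the author. The enclosing `if can(...)` block starts outside this hunk.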
@@ -2293,21 +2294,38 @@ if can(Mail::SpamAssassin::Conf::feature
describe FONT_INVIS_NORDNS Invisible text + no rDNS
score FONT_INVIS_NORDNS 2.500 # limit
- meta __FONT_INVIS_POSTEXTRAS __FONT_INVIS && __AC_POST_EXTRAS
+ meta FONT_INVIS_POSTEXTRAS __FONT_INVIS && __AC_POST_EXTRAS
+ describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
+ score FONT_INVIS_POSTEXTRAS 3.500 # limit
+
meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
+ meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO
+ describe FONT_INVIS_MSGID Invisible text + suspicious message ID
+ score FONT_INVIS_MSGID 2.500 # limit
+
+
meta __FONT_INVIS_NAKED_TO __FONT_INVIS && __NAKED_TO
- meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
+
+ meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
+ meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY
+ describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
+ score FONT_INVIS_DIRECT 3.500 # limit
+
meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
+ meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO
+ describe FONT_INVIS_DOTGOV Invisible text + .gov URI
+ score FONT_INVIS_DOTGOV 3.500 # limit
endif
-# Adapted from SARE rules __SARE_HTML_SINGLET*
+# Adapted from SARE rules __SARE_HTML_SINGLET
rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags __HTML_SINGLET multiple maxhits=21
+meta __HTML_SINGLET_10 __HTML_SINGLET > 10
meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
-meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__STY_INVIS_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !__FEES && !ALL_TRUSTED
+meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
describe HTML_SINGLET_MANY Many single-letter HTML format blocks
score HTML_SINGLET_MANY 2.500 # limit
tflags HTML_SINGLET_MANY publish
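Review bot: `FONT_INVIS_POSTEXTRAS` is the only promoted rule in this hunk that replaces its `__` subrule instead of keeping it, so any meta elsewhere that still references `__FONT_INVIS_POSTEXTRAS` would now depend on an undefined name (not visible from here; worth a `spamassassin --lint` run). It is also built on the raw `__AC_POST_EXTRAS` with no FP exclusions, while the last hunk adds `!__URI_MAILTO && !__HAS_LIST_ID` to `AC_POST_EXTRAS`, and a message can hit both scored rules on the same URI evidence. Following the pattern used for the other rules would give `meta __FONT_INVIS_POSTEXTRAS __FONT_INVIS && __AC_POST_EXTRAS` and `meta FONT_INVIS_POSTEXTRAS __FONT_INVIS_POSTEXTRAS && !__URI_MAILTO && !__HAS_LIST_ID`. Separately, `__HTML_SINGLET_10` is defined but not used in the visible lines.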
@@ -2827,7 +2845,7 @@ uri __AC_POSTHTMLEXTRAS /
uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
-meta AC_POST_EXTRAS __AC_POST_EXTRAS
+meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
describe AC_POST_EXTRAS Suspicious URL
score AC_POST_EXTRAS 2.500 # limit
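Review bot: Both exclusions added to `AC_POST_EXTRAS`, `!__URI_MAILTO` and `!__HAS_LIST_ID`, appear from their names to key on message body and header content that the sender chooses, so they disable the rule for any message carrying those features, not only for the ham that prompted the change. If the false positives come from genuine mailing-list traffic, the exemption would be more robust paired with a signal derived from the receiving side's own relay or authentication checks (no such subrule is visible in this hunk, so that is left to the author). At minimum I would record the trade-off next to the rule, e.g. `# NOTE: exclusions are sender-controlled; recheck hit rates after masscheck`.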