Posted to commits@spamassassin.apache.org by jh...@apache.org on 2020/08/29 00:34:25 UTC
svn commit: r1881285 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Sat Aug 29 00:34:25 2020
New Revision: 1881285
URL: http://svn.apache.org/viewvc?rev=1881285&view=rev
Log:
Add scored rules, FP avoidance tuning
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1881285&r1=1881284&r2=1881285&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Aug 29 00:34:25 2020
@@ -2268,7 +2268,7 @@ if can(Mail::SpamAssassin::Conf::feature
meta __STY_INVIS_2 __STY_INVIS > 1
meta __STY_INVIS_3 __STY_INVIS > 2
meta __STY_INVIS_MANY __STY_INVIS > 5
- meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__RCD_RDNS_MTA
+ meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP
describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
tflags HTML_TEXT_INVISIBLE_STYLE publish
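Review bot: The new HTML_TEXT_INVISIBLE_STYLE expression drops the `!__RCD_RDNS_MTA` exclusion in the same edit that adds `!__FROM_ENCODED_QP`, so the rule now fires on mail it used to skip, and the log message ("FP avoidance tuning") does not say why. Because the rule is tagged `publish` with a 3.500 cap, a one-line comment above the meta would help the next person tuning it, for example `# __RCD_RDNS_MTA exclusion dropped: <reason / masscheck reference>`. If the removal was unintentional, keeping both terms (`&& !__RCD_RDNS_MTA && !__FROM_ENCODED_QP`) preserves the earlier false-positive protection.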
@@ -2284,7 +2284,7 @@ if can(Mail::SpamAssassin::Conf::feature
meta __FONT_INVIS_5 __FONT_INVIS > 5
meta __FONT_INVIS_10 __FONT_INVIS > 10
meta __FONT_INVIS_MANY __FONT_INVIS_5
- meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__L_CTE_7BIT && !__LYRIS_EZLM_REMAILER
+ meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__L_CTE_7BIT && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED
describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
score HTML_TEXT_INVISIBLE_FONT 3.000 # limit
tflags HTML_TEXT_INVISIBLE_FONT publish
@@ -2310,11 +2310,15 @@ if can(Mail::SpamAssassin::Conf::feature
tflags FONT_INVIS_POSTEXTRAS publish
meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
- meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL
+ meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON
describe FONT_INVIS_MSGID Invisible text + suspicious message ID
score FONT_INVIS_MSGID 2.500 # limit
- meta __FONT_INVIS_NAKED_TO __FONT_INVIS && __NAKED_TO
+ meta __FONT_INVIS_NAKED_TO __FONT_INVIS && __NAKED_TO
+ meta FONT_INVIS_NAKED_TO __FONT_INVIS_NAKED_TO && !__ML3 && !__HAS_ERRORS_TO
+ describe FONT_INVIS_NAKED_TO Invisible text + suspicious To
+ score FONT_INVIS_NAKED_TO 2.500 # limit
+
meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
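Review bot: The `!__HDR_RCVD_AMAZON` term added to FONT_INVIS_MSGID exempts mail by sending infrastructure rather than by a property of the message. The subrule's definition is outside this hunk, but if it matches any Received header naming Amazon hosts, then hidden-text mail relayed through that provider is never scored by this rule. Shared sending platforms carry both legitimate and abusive traffic, so a narrower exclusion (the specific sender or list pattern that produced the false positives) would keep more of the rule's coverage. Failing that, add a comment recording the trade-off, such as `# excluded: FPs on <source> via Amazon relays; revisit if spam volume from there rises`.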
@@ -2873,6 +2877,7 @@ score URI_BUFFLY 2
meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
score SHORTENER_SHORT_IMG 2.500 # limit
+tflags SHORTENER_SHORT_IMG publish
header __DATA_ENTRY_SERVICE Subject =~ /\bdata entry services?\b/i
meta FREEM_DATA_ENTRY __DATA_ENTRY_SERVICE && __freemail_hdr_replyto
@@ -3032,6 +3037,11 @@ meta __DOTGOV_IMAGE _
meta __DOTGOV_NXDKIM __URI_DOTGOV && DKIM_ADSP_NXDOMAIN
tflags __DOTGOV_NXDKIM net
+meta URI_DOTEDU __URI_DOTEDU && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !TRUSTED
+describe URI_DOTEDU Has .edu URI
+score URI_DOTEDU 2.000 # limit
+
+
# bitcoin work-at-home spams 04/2020
body PERFECT_BINARY /\bperfect binary option\b/i
body WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+ (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
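Review bot: In the new URI_DOTEDU meta, `!TRUSTED` is the only dependency without the `__` subrule prefix, and no rule named `TRUSTED` is defined in the visible lines. If none exists elsewhere in the ruleset, the undefined name should evaluate as false, making `!TRUSTED` always true, so the term would exclude nothing. If the intent was to skip mail that only passed through trusted relays, the stock rule is `ALL_TRUSTED`, i.e. `&& !ALL_TRUSTED`. Separately, `describe URI_DOTEDU Has .edu URI` understates what the rule tests; something like `Has .edu URI, not list mail, no X-Mailer` would make a 2.000 hit easier to interpret in a report.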
@@ -3068,6 +3078,15 @@ score HTML_EMPTY_CELLS_MANY 1
uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
+meta SENDGRID_REDIR __SENDGRID_REDIR
+describe SENDGRID_REDIR Redirect URI via Sendgrid
+score SENDGRID_REDIR 3.500 # limit
+
meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && PDS_FROM_NAME_TO_DOMAIN
+meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
+describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
+score SENDGRID_REDIR_PHISH 3.500 # limit
+
+
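Review bot: SENDGRID_REDIR scores up to 3.500 on `__SENDGRID_REDIR` alone, which, per the `uri` pattern above it, matches any SendGrid click-tracking link. That link format appears in ordinary mail sent through the service, so the rule penalises the provider's link wrapper rather than a spam or phishing trait. SENDGRID_REDIR_PHISH is a strict subset of the same condition with the same cap, so a phishing-pattern message can collect both scores, up to 7.000 from one URI observation. Consider scoring only the combined rule, or making the two mutually exclusive with `meta SENDGRID_REDIR __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH`, and giving the bare redirect rule a much lower cap until masscheck results justify more.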