Posted to commits@spamassassin.apache.org by jh...@apache.org on 2021/01/28 18:52:11 UTC

svn commit: r1885991 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Thu Jan 28 18:52:11 2021
New Revision: 1885991

URL: http://svn.apache.org/viewvc?rev=1885991&view=rev
Log:
More phishing/malware rule tweaks, add rules for evaluation

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1885991&r1=1885990&r2=1885991&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Thu Jan 28 18:52:11 2021
@@ -121,8 +121,8 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
   mimeheader   __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^"]+\.SettingContent-ms\b/i
   mimeheader   __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
   # others
-  mimeheader   __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename="?[^"]*(?:invoice|pdf)\.(?:ace|zip|7z|rar)[";$]/i
-  mimeheader   __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|pdf)\.(?:ace|zip|7z|rar)[";$]/i
+  mimeheader   __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename="?[^"]*(?:invoice|pdf|\.img)\.(?:ace|zip|7z|rar)[";$]/i
+  mimeheader   __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|pdf|\.img)\.(?:ace|zip|7z|rar)[";$]/i
   meta         MALW_ATTACH         __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
   describe     MALW_ATTACH         Attachment filename suspicious, probable malware exploit
   tflags       MALW_ATTACH         publish
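Review bot: In the new `__MALW_ATTACH_02_01` and `__MALW_ATTACH_02_02` patterns the trailing `[";$]` treats `$` as a literal dollar sign, because an anchor has no special meaning inside a bracketed class. An unquoted filename that ends the header value, with no closing quote or `;` after the extension, therefore appears not to match. If end-of-value was intended, the terminator would be `(?:[";]|$)`. The same terminator is carried over in `__PHISH_ATTACH_01_01` and `__PHISH_ATTACH_01_02` in the next hunk. A short comment above the rule, e.g. `# also: disk image name wrapped in an archive (name.img.zip)`, would record why `\.img` was added; the enclosing `ifplugin` block starts and ends outside the hunk.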
@@ -133,8 +133,8 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
   describe     ISO_ATTACH          ISO attachment - possible malware delivery
   score        ISO_ATTACH          3.000	# limit
 
-  mimeheader   __PHISH_ATTACH_01_01  Content-Disposition =~ /\bfilename="?[^"]*(?:\.pdf)\.(?:html?)[";$]/i
-  mimeheader   __PHISH_ATTACH_01_02  Content-Type =~ /\bname="?[^"]*(?:\.pdf)\.(?:html?)[";$]/i
+  mimeheader   __PHISH_ATTACH_01_01  Content-Disposition =~ /\bfilename="?[^"]*(?:\.pdf)\.html?[";$]/i
+  mimeheader   __PHISH_ATTACH_01_02  Content-Type =~ /\bname="?[^"]*(?:\.pdf)\.html?[";$]/i
   meta         PHISH_ATTACH          __PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02
   describe     PHISH_ATTACH          Attachment filename suspicious, probable phishing
   tflags       PHISH_ATTACH          publish
@@ -3598,4 +3598,6 @@ endif
 
 rawbody    __CONTENT_AFTER_HTML        /<\/html>\s*\S/i
 
+uri        __GOOG_REDIR_DOCUSIGN       m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
+uri        __URI_ADOBESPARK            m;https?://branchlink\.adobespark\.com/;i
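Review bot: In `__GOOG_REDIR_DOCUSIGN` the `.*q=` is not tied to a parameter boundary, so it also matches a parameter whose name merely ends in `q`, or a `q=` inside another parameter's value. Writing `\?(?:[^#]*&)?q=` in place of `\?.*q=` would pin it to the actual `q` parameter. The pattern only matches a literal `https://` or `http://` target; whether a percent-encoded `q=https%3A%2F%2F...` reaches a `uri` rule in decoded form depends on SpamAssassin's URI canonicalisation and is worth confirming against a sample message. Neither new sub-rule has a comment or a meta that uses it in this hunk, so a line such as `# evaluation only: Google redirector to DocuSign, Adobe Spark branch links` would record the intent.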