Posted to commits@spamassassin.apache.org by jh...@apache.org on 2010/02/08 00:32:30 UTC

svn commit: r907514 - in /spamassassin/trunk/rulesrc/sandbox/jhardin: 20_lotsa_money.cf 20_misc_testing.cf

Author: jhardin
Date: Sun Feb  7 23:32:30 2010
New Revision: 907514

URL: http://svn.apache.org/viewvc?rev=907514&view=rev
Log:
Tweak 419 subrules, add some stock-spam-related rules

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=907514&r1=907513&r2=907514&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Sun Feb  7 23:32:30 2010
@@ -66,7 +66,7 @@
 describe LOTTO_AGENT      Claims Agent
 score    LOTTO_AGENT      0.50
 
-body     LOTTO_DEPT       /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign)\sremittance|payment|award)\s?(?:department|dept|unit|group|committee|bureau)/i
+body     LOTTO_DEPT       /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign)\s(?:remittance|settlement)|payment|award)\s?(?:department|dept|unit|group|committee|bureau)/i
 describe LOTTO_DEPT       Claims Department
 score    LOTTO_DEPT       0.50
 
@@ -134,7 +134,7 @@
 #describe MONEY_DEAL       Lots of money in a suspicious deal
 #score    MONEY_DEAL       1.5
 
-body     __ATM_CARD       /\b(?:your|the|this)\s(?:atm|debit)(?:\smaster)?\scard/i
+body     __ATM_CARD       /\b(?:your|the|this)\s(?:atm|debit)(?:\smaster|swift)?\scard/i
 #meta     MONEY_ATM        LOTS_OF_MONEY && __ATM_CARD
 #describe MONEY_ATM        Lots of money on an ATM card
 #score    MONEY_ATM        1.5
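Review bot: In `__ATM_CARD` the new alternation `(?:\smaster|swift)?` carries the `\s` only on the `master` branch, so `swift` must follow `atm`/`debit` with no space ("atmswift card") and "ATM swift card" still does not match. If the intent is an optional "master" or "swift" word before "card", group the alternatives under a single whitespace: `(?:\s(?:master|swift))?`. A sample line for each variant in the mass-check corpus would confirm which form the spam actually uses.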
@@ -162,7 +162,7 @@
 #score    MONEY_INHERIT    1.5
 #tflags   MONEY_INHERIT    nopublish
 
-body     __WIRE_XFR       /\b(?:wire|telegraph(?:ic)?|bank)\stransfer/i
+body     __WIRE_XFR       /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
 body     __TRUSTED_CHECK  /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
 body     __BANK_DRAFT     /\bbank\sdraft/i
 meta     __XFER_MONEY     (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT)
@@ -184,13 +184,13 @@
 body     __SCAM           /\bscam(?:me[dr])?s?\b/i
 body     __UN             /\bunited\snations?\b/i
 body     __AFR_UNION      /\bafrican\sunion\b/i
-body     __COMPENSATION   /\bcompensation\b/i
+body     __COMPENSATION   /\bcompensat(?:e|ion)\b/i
 body     __FRAUD          /\b(?:de)?fraud/i
 #meta     MONEY_FRAUD_COMP  LOTS_OF_MONEY && __BARRISTER && (__SCAM || __FRAUD) && (__UN || __AFR_UNION) && __COMPENSATION
 #describe MONEY_FRAUD_COMP  Lots of money from a fraud compensation
 #score    MONEY_FRAUD_COMP  1.0
  
-body     __TRUNK_BOX      /\b(?:trunk|metallic|proof|security)\sbox(?:es)?\b/i
+body     __TRUNK_BOX      /\b(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?\b/i
 body     __COURIER        /\bcourier\s(?:company|service)\b/i
 #meta     MONEY_FRAUD_BOX  LOTS_OF_MONEY && __TRUNK_BOX && __COURIER
 #describe MONEY_FRAUD_BOX  Lots of money in a box, lots of money from a fox
@@ -204,7 +204,7 @@
 body     __DIPLOMATIC     /\bdiplomatic\b/i
 body     __FEES           /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer)[\s\w]{1,15}\s(?:fee|charge)s?\b/i 
 body     __LUCKY_WINNER   /\blucky\swin+ers?\b/i
-body     __YOUR_FUND      /\byour\sfund\b/i
+body     __YOUR_FUND      /\byour\s(?:unpaid\s)fund\b/i
 body     __NIGERIA        /\bnigeria\b/i
 body     __IVORY_COAST    /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast)\b/i
 body     __BURKINA_FASO   /\bburkina\s?faso\b/i
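Review bot: The `(?:unpaid\s)` group added to `__YOUR_FUND` has no quantifier, so the rule now fires only on "your unpaid fund" and no longer on plain "your fund", which the previous pattern matched. If the change was meant to widen coverage, the group should be optional: `/\byour\s(?:unpaid\s)?fund\b/i`. Any meta rule that depends on `__YOUR_FUND` (none is visible in this hunk) would otherwise lose hits without any error.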

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=907514&r1=907513&r2=907514&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Feb  7 23:32:30 2010
@@ -1,19 +1,19 @@
 #
-#header		REPLYTO_MANY_AT	Reply-To =~ /\@.+\@/
-#describe	REPLYTO_MANY_AT	More than one @ in Reply-To:
+#header         REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
+#describe       REPLYTO_MANY_AT More than one @ in Reply-To:
 #
-#header		SENDER_MANY_AT	Sender =~ /\@.+\@/
-#describe	SENDER_MANY_AT	More than one @ in Sender:
+#header         SENDER_MANY_AT  Sender =~ /\@.+\@/
+#describe       SENDER_MANY_AT  More than one @ in Sender:
 #
-#header		FROM_MANY_AT	From =~ /\@.+\@/
-#describe	FROM_MANY_AT	More than one @ in From:
+#header         FROM_MANY_AT    From =~ /\@.+\@/
+#describe       FROM_MANY_AT    More than one @ in From:
 #
 
 header         RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
 describe       RDNS_LOCALHOST  Sender's public rDNS is "localhost"
 
-#body		EU_SPAM_LAW	m,Directive 2000/31/EC of the European Parliament,i
-#describe	EU_SPAM_LAW	Quoting "European Parliament" spam law
+#body           EU_SPAM_LAW     m,Directive 2000/31/EC of the European Parliament,i
+#describe       EU_SPAM_LAW     Quoting "European Parliament" spam law
 
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
   mimeheader   HTML_ATTACH    Content-Type =~ m,text/html;.+\.html?\b,i
@@ -38,13 +38,13 @@
 #header         MUA_ONE_WORD       X-Mailer =~ /^[A-Za-z][a-z]*$/
 #describe       MUA_ONE_WORD       Single word X-Mailer: not CamelCase
 
-body           DEAR_BENEFICIARY		/^\s?(?:Dear\s|At+(?:ention|n):?\s?)Beneficiary\b/i
-describe       DEAR_BENEFICIARY		Dear Beneficiary:
-score          DEAR_BENEFICIARY		2.0
-
-body           DEAR_EMAIL_USER		/^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
-describe       DEAR_EMAIL_USER		Dear Email User:
-score          DEAR_EMAIL_USER		3.0
+body           DEAR_BENEFICIARY         /^\s?(?:Dear\s|At+(?:ention|n):?\s?)Beneficiary\b/i
+describe       DEAR_BENEFICIARY         Dear Beneficiary:
+score          DEAR_BENEFICIARY         2.0
+
+body           DEAR_EMAIL_USER          /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
+describe       DEAR_EMAIL_USER          Dear Email User:
+score          DEAR_EMAIL_USER          3.0
 
 
 # from users list spamples 8/2009
@@ -238,3 +238,49 @@
 # simplistic URI format for now
 header         FROM_URI       From =~ /[^<].*www\.[^\s"<]+\.(?:com|net|info|biz|org|\w\w)\b.*["<]/i
 
+# observed in spam feb 2010
+# Apparently-To per RFC2821 SHOULD NOT be used
+header         __APPARENTLY_TO            Apparently-To =~ /<.*>/
+tflags         __APPARENTLY_TO            multiple nopublish
+meta           HAS_APPARENTLY_TO          __APPARENTLY_TO > 0
+describe       HAS_APPARENTLY_TO          Has deprecated Apparently-To header
+score          HAS_APPARENTLY_TO          0.50
+tflags         HAS_APPARENTLY_TO          nopublish
+meta           MANY_APPARENTLY_TO         __APPARENTLY_TO > 20
+describe       MANY_APPARENTLY_TO         Has many Apparently-To headers
+score          MANY_APPARENTLY_TO         2.00
+tflags         MANY_APPARENTLY_TO         nopublish
+
+# obfuscation of "opt out"
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+  body           FUZZY_OPTOUT             /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i
+  replace_rules  FUZZY_OPTOUT
+  describe       FUZZY_OPTOUT             Obfuscated opt-out text
+endif
+
+# stock spam disclaimer obfuscation
+body           GAPPY_TRADING              /\b(?!trading)t[^a-z]?r[^a-z]?a[^a-z]?d[^a-z]?i[^a-z]?n[^a-z]?g/i
+body           GAPPY_SECURITIES           /\b(?!securities)s[^a-z]?e[^a-z]?c[^a-z]?u[^a-z]?r[^a-z]?i[^a-z]?t[^a-z]?i[^a-z]?e[^a-z]?s/i
+body           GAPPY_RISK                 /\b(?!risky?)r[^a-z]?i[^a-z]?s[^a-z]?k(?:[^a-z]?y)?/i
+body           GAPPY_SELLING              /\b(?!selling)s[^a-z]?e[^a-z]?l[^a-z]?l[^a-z]?i[^a-z]?n[^a-z]?g/i
+body           GAPPY_HUNDRED              /\b(?!hundred)h[^a-z]?u[^a-z]?n[^a-z]?d[^a-z]?r[^a-z]?e[^a-z]?d/i
+body           GAPPY_THOUSAND             /\b(?!thousand)t[^a-z]?h[^a-z]?o[^a-z]?u[^a-z]?s[^a-z]?a[^a-z]?n[^a-z]?d/i
+body           GAPPY_EXPENSES             /\b(?!expenses)e[^a-z]?x[^a-z]?p[^a-z]?e[^a-z]?n[^a-z]?s[^a-z]?e[^a-z]?s/i
+body           GAPPY_DOLLARS              /\b(?!dollars)d[^a-z]?o[^a-z]?l[^a-z]?l[^a-z]?a[^a-z]?r[^a-z]?s/i
+
+describe       GAPPY_TRADING              Possible obfuscated stock disclaimer
+describe       GAPPY_SECURITIES           Possible obfuscated stock disclaimer
+describe       GAPPY_RISK                 Possible obfuscated stock disclaimer
+describe       GAPPY_SELLING              Possible obfuscated stock disclaimer
+describe       GAPPY_HUNDRED              Possible obfuscated stock disclaimer
+describe       GAPPY_THOUSAND             Possible obfuscated stock disclaimer
+describe       GAPPY_EXPENSES             Possible obfuscated stock disclaimer
+describe       GAPPY_DOLLARS              Possible obfuscated stock disclaimer
+
+# talking about a stock symbol
+body           __DISCUSS_STOCK            /(?:[a-z]{2,}\s|^)[A-Z]{4}(?:\s[a-z]{2,}|[,.!])/
+tflags         __DISCUSS_STOCK            multiple
+meta           MANY_DISCUSS_STOCK         __DISCUSS_STOCK > 5
+describe       MANY_DISCUSS_STOCK         Talks about apparent stock symbols a lot
+
+
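Review bot: The `GAPPY_*` body rules exclude only the exact contiguous spelling through the negative lookahead, so ordinary text with a single non-letter inside the word still matches: `GAPPY_DOLLARS` hits "dollar's" and `GAPPY_SELLING` hits a hyphenated "sell-ing". None of the eight has a `score` or `tflags ... nopublish` line, unlike the `Apparently-To` rules above them, so each stands as a scoring rule on one such hit, presumably at the default score. Consider making them `__GAPPY_*` subrules combined by one meta that needs two or more distinct hits, which keeps the obfuscation signal while tolerating a single possessive or hyphenation. A comment above the block such as `# lookahead skips the plain word; any one non-letter between letters counts as a gap` would record the intent for whoever tunes these after mass-check.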