Posted to commits@spamassassin.apache.org by kh...@apache.org on 2011/09/30 06:20:59 UTC
svn commit: r1177502 - in /spamassassin/trunk/rules: 20_fake_helo_tests.cf
20_uri_tests.cf
Author: khopesh
Date: Fri Sep 30 04:20:59 2011
New Revision: 1177502
URL: http://svn.apache.org/viewvc?rev=1177502&view=rev
Log:
FP redux for SPOOF_COM2OTH SPOOF_COM2COM SPOOF_NET2COM and HELO_DYNAMIC_IPADDR2
Modified:
spamassassin/trunk/rules/20_fake_helo_tests.cf
spamassassin/trunk/rules/20_uri_tests.cf
Modified: spamassassin/trunk/rules/20_fake_helo_tests.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_fake_helo_tests.cf?rev=1177502&r1=1177501&r2=1177502&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_fake_helo_tests.cf (original)
+++ spamassassin/trunk/rules/20_fake_helo_tests.cf Fri Sep 30 04:20:59 2011
@@ -121,7 +121,13 @@ describe HELO_DYNAMIC_SPLIT_IP Relay HEL
# YahooBB219173000034.bbtec.net [219.173.0.34]
-header HELO_DYNAMIC_IPADDR2 X-Spam-Relays-External =~ /^[^\]]+ helo=\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ auth= /i
+# 10-35-124-91.pool.ukrtel.net [91.124.35.10]
+# 89-215-186-91.2073241113.ddns-lan.rakovski.ekk.bg [217.18.240.147]
+# 200.109.193-29.dyn.dsl.cantv.net [200.109.193.29]
+# 113x35x70x11.ap113.ftth.ucom.ne.jp [113.35.70.11]
+# 98x9x3p5siouq.kvknv3sv1quk.3ejp4xzv.com [213.250.20.156]
+# 1.0/24.137.95.202.in-addr.arpa [202.95.137.1]
+header HELO_DYNAMIC_IPADDR2 X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= /i
describe HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
# h234n2fls32o895.telia.com [217.208.73.234]
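Review bot: The separator class `[\Wx_]` in the new HELO_DYNAMIC_IPADDR2 pattern also accepts whitespace, which the old `[^\d\s]` excluded, so the four digit groups are no longer strictly confined to the `helo=` token of the relay entry. In practice the next field would probably have to start with a digit for this to matter, but a tighter separator such as `(?:[^\w\s]|[x_])` keeps the match inside the HELO string. Separately, the six added sample hostnames are not labelled as intended hits or intended misses. Reading the pattern, `98x9x3p5siouq.kvknv3sv1quk.3ejp4xzv.com` no longer matches (its third separator is `p`) while the others appear to still match, so a short tag such as `# FP, must not hit:` above that sample would make the intent checkable.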
Modified: spamassassin/trunk/rules/20_uri_tests.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_uri_tests.cf?rev=1177502&r1=1177501&r2=1177502&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_uri_tests.cf (original)
+++ spamassassin/trunk/rules/20_uri_tests.cf Fri Sep 30 04:20:59 2011
@@ -85,15 +85,15 @@ uri HTTP_77 /http:\/\/.{0,2}\%77/
describe HTTP_77 Contains an URL-encoded hostname (HTTP77)
# a.com.b.c
-uri SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?!s3\.amazonaws\.com)(?:\w+\.){2}}i
+uri SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.){2}}i
describe SPOOF_COM2OTH URI contains ".com" in middle
# a.com.b.com
-uri SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?!s3\.amazonaws\.com)(?:\w+\.)+?com\b}i
+uri SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.)+?com\b}i
describe SPOOF_COM2COM URI contains ".com" in middle and end
# a.net.b.com
-uri SPOOF_NET2COM m{^https?://(?:\w+\.)+?(?:net|org)\.(?!s3\.amazonaws\.com)(?:\w+\.)+?com\b}i
+uri SPOOF_NET2COM m{^https?://(?:\w+\.)+?(?:net|org)\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.)+?com\b}i
describe SPOOF_NET2COM URI contains ".net" or ".org", then ".com"
uri URI_HEX m%^https?://[^/?]*\b[0-9a-f]{6,}\b%i
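Review bot: The S3 exemption in SPOOF_COM2OTH, SPOOF_COM2COM and SPOOF_NET2COM is a prefix-only lookahead, so it is not tied to the end of the hostname. Any host that merely continues with further labels after `s3.amazonaws.com` is exempted as well, which suppresses the rule on exactly the ".com in the middle" shape it is meant to flag. Anchoring the exemption to a host terminator would close this gap, for example `(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com(?:[:/?#]|$))` in all three rules. A one-line comment saying what the optional `[a-z]{2}\.` label is meant to cover would also help, since the hunk does not show which false positive prompted it.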