You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by fe...@apache.org on 2005/11/28 20:22:54 UTC

svn commit: r349462 - /spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf

Author: felicity
Date: Mon Nov 28 11:22:49 2005
New Revision: 349462

URL: http://svn.apache.org/viewcvs?rev=349462&view=rev
Log:
try out some new phishing rules

Modified:
    spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf

Modified: spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf
URL: http://svn.apache.org/viewcvs/spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf?rev=349462&r1=349461&r2=349462&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf (original)
+++ spamassassin/rules/trunk/sandbox/felicity/70_phishing.cf Mon Nov 28 11:22:49 2005
@@ -19,6 +19,8 @@
 ########################################################################
 
 # These phrases seem to occur a lot in phishing...
+#  0.163   0.1882   0.0000    1.000   0.61    0.01  T_PH_REC
+#  0.115   0.1308   0.0091    0.935   0.57    0.01  T_PH_SEC
 body T_PH_SEC		/\byour .{0,40}account .{0,40}security/i
 describe T_PH_SEC	Message has a phrase standard for phishing mails
 body T_PH_REC		/\byour .{0,40}account .{0,40}record/i
@@ -32,7 +34,6 @@
 meta T_PP_PHISH	__FROM_PAYPAL && NORMAL_HTTP_TO_IP
 meta T_EB_PHISH	__FROM_EBAY && NORMAL_HTTP_TO_IP
 
-# tvd:
 #  1.575   1.8696   0.0000    1.000   1.00    0.01  T_SUBJ_ACC_NUM3
 #  1.532   1.8192   0.0000    1.000   0.67    0.01  T_SUBJ_ACC_NUM
 #  1.532   1.8192   0.0000    1.000   0.67    0.01  T_SUBJ_ACC_NUM2
@@ -42,3 +43,29 @@
 describe T_SUBJ_ACC_NUM		Subject has spammy looking monetary reference
 describe T_SUBJ_ACC_NUM2	Subject has spammy looking monetary reference
 describe T_SUBJ_ACC_NUM3	Subject has spammy looking monetary reference
+
+# not bad
+#  0.221   0.2514   0.0000    1.000   1.00    0.01  T_PH_TVD_7
+#  0.207   0.2352   0.0000    1.000   0.89    0.01  T_PH_TVD_11
+#  0.157   0.1784   0.0000    1.000   0.78    0.01  T_PH_TVD_2
+header T_PH_TVD_2	Subject =~ /^(?:please )?(?:re-?activate|restore|update) .{0,40}account/i
+header T_PH_TVD_11	Subject =~ /\b(?:re-?activate|restore|update) .{0,40}account/i
+body T_PH_TVD_7	/\baccount .{0,20}suspen/i
+
+# doesn't hit a lot, but let's see...
+#  0.057   0.0649   0.0000    1.000   0.67    0.01  T_PH_TVD_3
+#  0.057   0.0649   0.0000    1.000   0.67    0.01  T_PH_TVD_8
+#  0.057   0.0649   0.0000    1.000   0.67    0.01  T_PH_TVD_6
+#  0.054   0.0608   0.0000    1.000   0.56    0.01  T_PH_TVD_5
+#  0.039   0.0446   0.0000    1.000   0.44    0.01  T_PH_TVD_1
+#  0.011   0.0122   0.0000    1.000   0.33    0.01  T_PH_TVD_9
+body T_PH_TVD_1	/\bplease update .{0,40}account/i
+body T_PH_TVD_5	/\baccount .{0,20}placed? [io]n restricted status/i
+header T_PH_TVD_9	Subject =~ /\bonline bank/i
+header T_PH_TVD_3	Subject =~ /^update .{0,40}account/i
+header T_PH_TVD_6	Subject =~ /^security update notification/i
+header T_PH_TVD_8	Subject =~ /\baccount .{0,20}suspen/i
+
+#  0.200   0.2271   0.0000    1.000   1.00    0.01  T_PH_TVD_FR5
+header T__PH_TVD_FROM2	From:addr =~ /\@.*ebay/i
+meta T_PH_TVD_FR5 !__ENV_AND_HDR_FROM_MATCH && T__PH_TVD_FROM2