You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2010/06/24 08:03:16 UTC
svn commit: r957426 - in /spamassassin/trunk/rulesrc/sandbox/jhardin: 20_fillform.cf 20_lotsa_money.cf

Author: jhardin
Date: Thu Jun 24 06:03:16 2010
New Revision: 957426

URL: http://svn.apache.org/viewvc?rev=957426&view=rev
Log:
tweak lotsa_money

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf?rev=957426&r1=957425&r2=957426&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf Thu Jun 24 06:03:16 2010
@@ -16,44 +16,47 @@
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   # Repetitive syntactic bits
-  replace_tag FF_LNNO   (?:(?:\d+[)}\]:.,]+|\W?\([\div]+\)|\W?\{\d+\}|\[\d+\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
+  replace_tag FF_LNNO   (?:(?:\d{1,3}[)}\]:.,]{1,80}|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
   replace_tag FF_YOUR   (?:a?\s?copy\sof\s)?(?:your[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full\s?|complete\s|direct\s|private\s|valid\s|personal\s){0,3}
   replace_tag ANDOR     (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
   replace_tag NUMBER    (?:num(?:ber)?s?|nos?\.|no\b|\#s?|nbrs?\.?)
   replace_tag FF_SUFFIX (?:\sin\s(?:full|words))?:?(?:\s?[({][^)}]{1,30}[)}])?
-  replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s]|&\#\d+;){3,100}))
-  replace_tag FF_BLANK2 (?:[\s\W]{0,3}(?:[-=_.,:;*\s]|&\#\d+;){1,100})
+  replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s]|&\#\d{1,3};){3,100}))
+  replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s]|&\#\d{1,3};){1,100})
 
   # Address variations
-  replace_tag FF_A1 (?:(?:ad+res+e?|countr?y|st?ates?|city|province|ter+itory|(?:zip|postal)(?:\s?code)?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
-  replace_tag FF_A2 (?:(?:contact|e-?mail|full|house|home|resident[ia]+l|busines+|mailing|work|of+ice|delivery|ship+ing|post(?:al)?)<ANDOR>?){0,3}\s?(?:ad+res+(?:es)?|location)(?:\sline)?(?:\s[0-9])?
+  replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|postal)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
+  replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail)<ANDOR>?){0,3}\s?(?:ad+res+(?:es)?|location)(?:\sline)?(?:\s[0-9])?
 
   # Name variations
   replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|vollstaendigen)?\s?name[sn]?(?:<ANDOR>ad+res+)?
 
   # Telephone variations
-  replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|cel+(?:ular)?|house|home|mobile?|of+ice|tel+e?(?:\s?(?:ph|f)one)?|(?:ph|f)one)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s<NUMBER>)?<ANDOR>?){1,3}
+  replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one)?|(?:ph|f)one)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s<NUMBER>)?<ANDOR>?){1,3}
 
   # Misc personal data
   replace_tag FF_M1 (?:(?:age|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\sof\s)?birth|religion|nationality|email|next\sof\skin|alter|staatsangehoerigkeit)<ANDOR>?){1,3}
 
   # Loan application details
-  replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|oc+up[ae]tion(?:\/position)?|(?:monthly|an+ual)?\s?income|an+ual\sturn\s?over|purpose\sof\sl(?:oa|ao)n|l(?:oa|ao)n\sduration|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf)
+  replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf)
 
   # Financial/ID details (scams and phishing)
-  replace_tag FF_F1 (?:(?:bank|beneficiary|billing|acc(?:oun)?t|a\/c|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|<NUMBER>)<ANDOR>?){1,3}
-  replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(:?en[sc]e)?|pas+\s?port|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?|id\scard)<ANDOR>?){1,3}(?:\s<NUMBER>)?
-  replace_tag FF_F3 (?:picture|(?:e-?mail\s)?pas+word|e-?mai?l\sid|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
+  replace_tag FF_F1 (?:(?:bank|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|a\/c|<NUMBER>)<ANDOR>?){1,3}
+  replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(:?en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
+  replace_tag FF_F3 (?:picture|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
   replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
-  replace_tag FF_F5 (?:reference|batch|win+ing)\s?<NUMBER>
+  replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing)\s?<NUMBER>
 
   # All variations together
-  replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_L1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)
+  replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
 
   # 5+ fields (high reliability)
   # Leave this exposed, it's a fairly good spam sign by itself
-  body     FILL_THIS_FORM_LONG /(?:<FF_LNNO>?<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
-  replace_rules   FILL_THIS_FORM_LONG
+  body     __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
+  body     __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
+  replace_rules   __FILL_THIS_FORM_LONG1
+  replace_rules   __FILL_THIS_FORM_LONG2
+  meta     FILL_THIS_FORM_LONG    __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
   describe FILL_THIS_FORM_LONG    Fill in a form with personal information
   score    FILL_THIS_FORM_LONG    1.00
 
@@ -72,9 +75,11 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
   score    FILL_THIS_FORM    1.00
 
   # 3 or 4 fields (low reliability, but still useful in metas
-  body     __FILL_THIS_FORM_SHORT /(?:<FF_LNNO>?<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
-  replace_rules   __FILL_THIS_FORM_SHORT
-  meta     FILL_THIS_FORM_SHORT !FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
+  body     __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
+  body     __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
+  replace_rules   __FILL_THIS_FORM_SHORT1
+  replace_rules   __FILL_THIS_FORM_SHORT2
+  meta     FILL_THIS_FORM_SHORT !FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
   describe FILL_THIS_FORM_SHORT Fill in a short form with personal information
   score    FILL_THIS_FORM_SHORT 0.25
 

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=957426&r1=957425&r2=957426&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Thu Jun 24 06:03:16 2010
@@ -190,7 +190,7 @@ body     __BENEFICIARY    /\bb(?:[e\xe9]
 body     __DIPLOMATIC     /\bdiplomatic\b/i
 body     __FEES           /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer)[\s\w]{0,15}\s(?:fee|charge)s?\b/i 
 body     __LUCKY_WINNER   /\b(?:lucky|gl.cklich(?:en)?)\s(?:ge)?win+ers?\b/i
-body     __YOUR_FUND      /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|nicht\sausbezahlten\s)?(?:fund|geld)\b/i
+body     __YOUR_FUND      /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|nicht\sausbezahlten\s)?(?:fund|payment|geld)\b/i
 body     __NIGERIA        /\bnigeria\b/i
 body     __IVORY_COAST    /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast)\b/i
 body     __BURKINA_FASO   /\bburkina\s?faso\b/i