You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2011/11/29 15:27:44 UTC
svn commit: r1207886 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Tue Nov 29 14:27:43 2011
New Revision: 1207886
URL: http://svn.apache.org/viewvc?rev=1207886&view=rev
Log:
tune ACH_CANCELLED
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1207886&r1=1207885&r2=1207886&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Tue Nov 29 14:27:43 2011
@@ -787,9 +787,15 @@ if can(Mail::SpamAssassin::Conf::feature
endif
# phish/malware 11/2011
-body __ACH_CANCELLED_01 /\b(?-i:ACH) (?:payment|transfer|transaction) (?:rejected|cancel+ed)/i
-body __ACH_CANCELLED_02 /(?:rejected|cancel+ed) (?-i:ACH) (?:payment|transfer|transaction)/i
-meta ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02) && __HAS_ANY_URI
+body __ACH_CANCELLED_01 /\b(?-i:ACH) (?:payment|transfer|transaction) (?:rejected|cancel+ed|declined)/i
+body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your) (?-i:ACH) (?:payment|transfer|transaction)/i
+body __ACH_CANCELLED_03 /(?:rejected|cancel+ed|declined) direct[-_ ]deposit[-_ ](?:payment|transfer|transaction)/i
describe ACH_CANCELLED "ACH cancelled" probable malware
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
+ meta ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03) && (__HAS_ANY_URI || __EXE_ATTACH)
+else
+ meta ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03) && __HAS_ANY_URI
+endif