Posted to commits@spamassassin.apache.org by jh...@apache.org on 2009/08/29 17:39:24 UTC
svn commit: r809148 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_lotsa_money.cf 20_misc_testing.cf 20_tbird_image_spam.cf
Author: jhardin
Date: Sat Aug 29 15:39:23 2009
New Revision: 809148
URL: http://svn.apache.org/viewvc?rev=809148&view=rev
Log:
Add metas to improve S/O
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=809148&r1=809147&r2=809148&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Sat Aug 29 15:39:23 2009
@@ -14,8 +14,12 @@
# now combine with other stuff in metas to weed out FPs
meta MONEY_FREEMAIL LOTS_OF_MONEY && FREEMAIL_FROM
- describe MONEY_FREEMAIL Lots of money from a free email service?
+ describe MONEY_FREEMAIL Lots of money from someone using free email?
+ meta MONEY_FROM_MISSP LOTS_OF_MONEY && FROM_MISSPACED
+ describe MONEY_FROM_MISSP Lots of money and misspaced From
+
+ # The ADVANCE_FEE rules should probably be updated with LOTS_OF_MONEY
meta MONEY_FEE LOTS_OF_MONEY && (ADVANCE_FEE_2 || ADVANCE_FEE_3 || ADVANCE_FEE_4)
describe MONEY_FEE Lots of money if you first pay a fee
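Review bot: The new `MONEY_FROM_MISSP` meta depends on `FROM_MISSPACED`, but the 20_misc_testing.cf hunk of this same commit renames that rule to `__FROM_MISSPACED`. Unless another file still defines the old name, the dependency is undefined and the meta can never fire, so it adds nothing to detection. The line should read `meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED`. A debug lint run (`spamassassin --lint -D`) should surface undefined meta dependencies like this one before commit.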
@@ -33,17 +37,17 @@
describe LOTTO_DEPT Claims Department
score LOTTO_DEPT 0.2
- describe LOTTO_AGENT_FM Claims Agent
header LOTTO_AGENT_FM From =~ /(?:claims?|fiduciary|dispatch)[\s_]?(?:agent|manager|officer)/i
+ describe LOTTO_AGENT_FM Claims Agent
- describe LOTTO_AGENT_RPLY Claims Agent
header LOTTO_AGENT_RPLY Reply-To =~ /(?:claims?|fiduciary|dispatch)[\s_]?(?:agent|manager|officer)/i
+ describe LOTTO_AGENT_RPLY Claims Agent
- describe LOTTO_ADMITS Admits to being a lottery
body LOTTO_ADMITS /\b(?:online|ballot|(?:inter)?national|internet)\slottery/i
+ describe LOTTO_ADMITS Admits to being a lottery
meta MONEY_LOTTERY LOTS_OF_MONEY && (LOTTO_WINNINGS || LOTTO_WIN_01 || LOTTO_AGENT || LOTTO_DEPT || LOTTO_AGENT_FM || LOTTO_AGENT_RPLY || LOTTO_ADMITS)
- describe MONEY_LOTTERY Lots of money in the lottery
+ describe MONEY_LOTTERY Lots of money from a lottery
endif
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=809148&r1=809147&r2=809148&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Aug 29 15:39:23 2009
@@ -32,8 +32,22 @@
uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains
-header FROM_MISSPACED From =~ /^\s*"[^"]*"</
-describe FROM_MISSPACED From: missing whitespace
+
+# From should have whitespace between the comment and the address
+header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
+describe __FROM_MISSPACED From: missing whitespace
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ meta FROM_MISSP_FREEMAIL __FROM_MISSPACED && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
+ describe FROM_MISSP_FREEMAIL From misspaced + from freemail
+endif
+
+meta FROM_MISSP_MSFT __FROM_MISSPACED && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
+describe FROM_MISSP_MSFT Microsoft tools don't botch the From header
+
+meta FROM_MISSP_DYNIP __FROM_MISSPACED && RDNS_DYNAMIC
+describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
+
# observed in spam 8/2009
header MUA_EQ_ORG ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1/sm
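Review bot: `describe __FROM_MISSPACED From: missing whitespace` is dead text after the rename. Double-underscore rules are sub-rules that are neither scored nor listed in reports, so the description is never shown. I would drop it and let the comment above the header rule carry the explanation. That comment would be more precise as `# From should have whitespace between the quoted display name and the <address>`, since the regex matches a quoted phrase rather than an RFC comment. The `FROM_MISSP_MSFT` description states a rationale rather than what matched; something like `describe FROM_MISSP_MSFT From misspaced + claims a Microsoft MUA` would match its siblings and read better in a report.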
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf?rev=809148&r1=809147&r2=809148&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf Sat Aug 29 15:39:23 2009
@@ -25,6 +25,16 @@
describe FORGED_TBIRD_IMG_ARROW Likely forged Thunderbird image spam
score FORGED_TBIRD_IMG_ARROW 0.8
+# try it against other stuff, too
+meta TO_NO_BRKTS_HTML __TO_NO_ARROWS_R && HTML_MESSAGE
+
+meta TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && MIME_HTML_ONLY
+
+meta TO_NO_BRKTS_DYNIP __TO_NO_ARROWS_R && RDNS_DYNAMIC
+
+meta TO_NO_BRKTS_NORDNS __TO_NO_ARROWS_R && RDNS_NONE
+
+
# The boundary *does* FP on legit mail. However, all of KB's recent samples
# have another thing in common -- direct MUA to MX spam! Most unlikely with