You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2009/08/29 17:39:24 UTC

svn commit: r809148 - in /spamassassin/trunk/rulesrc/sandbox/jhardin: 20_lotsa_money.cf 20_misc_testing.cf 20_tbird_image_spam.cf

Author: jhardin
Date: Sat Aug 29 15:39:23 2009
New Revision: 809148

URL: http://svn.apache.org/viewvc?rev=809148&view=rev
Log:
Add metas to improve S/O

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=809148&r1=809147&r2=809148&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Sat Aug 29 15:39:23 2009
@@ -14,8 +14,12 @@
 
   # now combine with other stuff in metas to weed out FPs
   meta     MONEY_FREEMAIL   LOTS_OF_MONEY && FREEMAIL_FROM
-  describe MONEY_FREEMAIL   Lots of money from a free email service?
+  describe MONEY_FREEMAIL   Lots of money from someone using free email?
 
+  meta     MONEY_FROM_MISSP LOTS_OF_MONEY && FROM_MISSPACED
+  describe MONEY_FROM_MISSP Lots of money and misspaced From
+
+  # The ADVANCE_FEE rules should probably be updated with LOTS_OF_MONEY
   meta     MONEY_FEE        LOTS_OF_MONEY && (ADVANCE_FEE_2 || ADVANCE_FEE_3 || ADVANCE_FEE_4)
   describe MONEY_FEE        Lots of money if you first pay a fee
 
@@ -33,17 +37,17 @@
   describe LOTTO_DEPT       Claims Department
   score    LOTTO_DEPT       0.2
 
-  describe LOTTO_AGENT_FM   Claims Agent
   header   LOTTO_AGENT_FM   From =~ /(?:claims?|fiduciary|dispatch)[\s_]?(?:agent|manager|officer)/i
+  describe LOTTO_AGENT_FM   Claims Agent
 
-  describe LOTTO_AGENT_RPLY Claims Agent
   header   LOTTO_AGENT_RPLY Reply-To =~ /(?:claims?|fiduciary|dispatch)[\s_]?(?:agent|manager|officer)/i
+  describe LOTTO_AGENT_RPLY Claims Agent
 
-  describe LOTTO_ADMITS     Admits to being a lottery
   body     LOTTO_ADMITS     /\b(?:online|ballot|(?:inter)?national|internet)\slottery/i
+  describe LOTTO_ADMITS     Admits to being a lottery
 
   meta     MONEY_LOTTERY    LOTS_OF_MONEY && (LOTTO_WINNINGS || LOTTO_WIN_01 || LOTTO_AGENT || LOTTO_DEPT || LOTTO_AGENT_FM || LOTTO_AGENT_RPLY || LOTTO_ADMITS)
-  describe MONEY_LOTTERY    Lots of money in the lottery
+  describe MONEY_LOTTERY    Lots of money from a lottery
 
 endif
 

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=809148&r1=809147&r2=809148&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Aug 29 15:39:23 2009
@@ -32,8 +32,22 @@
 uri            URI_NUMERIC_CCTLD     m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
 describe       URI_NUMERIC_CCTLD     CCTLD URI with multiple numeric subdomains
 
-header         FROM_MISSPACED        From =~ /^\s*"[^"]*"</
-describe       FROM_MISSPACED        From: missing whitespace
+
+# From should have whitespace between the comment and the address
+header         __FROM_MISSPACED      From =~ /^\s*"[^"]*"</
+describe       __FROM_MISSPACED      From: missing whitespace
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+  meta         FROM_MISSP_FREEMAIL   __FROM_MISSPACED && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
+  describe     FROM_MISSP_FREEMAIL   From misspaced + from freemail
+endif
+
+meta           FROM_MISSP_MSFT       __FROM_MISSPACED && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
+describe       FROM_MISSP_MSFT       Microsoft tools don't botch the From header
+
+meta           FROM_MISSP_DYNIP      __FROM_MISSPACED && RDNS_DYNAMIC
+describe       FROM_MISSP_DYNIP      From misspaced + dynamic rDNS
+
 
 # observed in spam 8/2009
 header         MUA_EQ_ORG         ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1/sm

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf?rev=809148&r1=809147&r2=809148&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf Sat Aug 29 15:39:23 2009
@@ -25,6 +25,16 @@
 describe   FORGED_TBIRD_IMG_ARROW  Likely forged Thunderbird image spam
 score      FORGED_TBIRD_IMG_ARROW  0.8
 
+# try it against other stuff, too
+meta       TO_NO_BRKTS_HTML        __TO_NO_ARROWS_R && HTML_MESSAGE
+
+meta       TO_NO_BRKTS_HTML_ONLY   __TO_NO_ARROWS_R && MIME_HTML_ONLY
+
+meta       TO_NO_BRKTS_DYNIP       __TO_NO_ARROWS_R && RDNS_DYNAMIC
+
+meta       TO_NO_BRKTS_NORDNS      __TO_NO_ARROWS_R && RDNS_NONE
+
+
 
 # The boundary *does* FP on legit mail.  However, all of KB's recent samples
 # have another thing in common -- direct MUA to MX spam!  Most unlikely with