Posted to commits@spamassassin.apache.org by jh...@apache.org on 2020/12/30 18:36:52 UTC
svn commit: r1884952 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Wed Dec 30 18:36:51 2020
New Revision: 1884952
URL: http://svn.apache.org/viewvc?rev=1884952&view=rev
Log:
FP Avoidance tuning, expose some rules for scoring
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1884952&r1=1884951&r2=1884952&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Dec 30 18:36:51 2020
@@ -1053,7 +1053,7 @@ meta GAPPY_HTML __GAP
describe GAPPY_HTML HTML body with much useless whitespace
# Try to improve S/O per bug 6119
-meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY
+meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
#tflags TVD_SPACE_RATIO_MINFP nopublish
score TVD_SPACE_RATIO_MINFP 2.500 # limit
describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
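Review bot: The new `!__XM_APPLEMAIL` term on the `TVD_SPACE_RATIO_MINFP` meta is added without a comment recording which false positives motivated it, so a later reader cannot tell when the exemption may be dropped. The subrule's definition is outside this hunk; if, as the name suggests, it matches the X-Mailer header, that value is supplied by the sender, so the exemption covers any message carrying that header and not only genuine Apple Mail traffic. I would add a line above the meta such as `# __XM_APPLEMAIL: Apple Mail FPs; header is sender-supplied, re-check S/O after masscheck`, and consider pairing the exemption with a signal the sender cannot set if the masscheck numbers degrade.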
@@ -3390,7 +3390,7 @@ full __TO_ADDR_BODY_DOC /
body __BODY_HAS_ISBN /(?:^|[^-\d])97[89]-\d(?:(?!--)[-\d]){10,14}(?:$|[^-\d])/
header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
-meta __REPLYTO_NOREPLY_SUSP __REPLYTO_NOREPLY && (__HAS_DOMAINKEY_SIG || FORGED_RELAY_MUA_TO_MX || __MSGID_NOFQDN2 || __URI_DBL_SUBDOM)
+#meta __REPLYTO_NOREPLY_SUSP __REPLYTO_NOREPLY && (__HAS_DOMAINKEY_SIG || FORGED_RELAY_MUA_TO_MX || __MSGID_NOFQDN2 || __URI_DBL_SUBDOM)
# S/O good but bulk already scoring >6 points
body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i
@@ -3435,8 +3435,21 @@ uri URI_FREELOGO m
describe URI_FREELOGO Free logo image, possible phishing
# observed in tons of spam 12/2020
-rawbody __MIXEDCASE_FONT /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
-rawbody __TWO_IMAGE_PATTERN m;<img src="(https?://[^"]{1,80}/)C([^/.]{1,30}\.jpg)">.{0,200}<img src="\1U\2";ism
+rawbody JH_SPAMMY_PATTERN01 m;<img src="(https?://[^"]{1,80}/)C([^/.]{1,30}\.jpg)">.{0,200}<img src="\1U\2";ism
+describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign
+score JH_SPAMMY_PATTERN01 3.000 # limit
+tflags JH_SPAMMY_PATTERN01 publish
+
+# observed in tons of spam 12/2020
+rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
+meta MIXED_FONT_CASE __MIXED_FONT_CASE
+describe MIXED_FONT_CASE Has font tag with mixed case
+score MIXED_FONT_CASE 2.500 # limit
+tflags MIXED_FONT_CASE publish
+
+# crosscheck BC's similar rules that use more-indirect logic
+rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
+rawbody __MIXED_HREF_CASE_JH /<(?!HREF|href)[Hh][Rr][Ee][Ff]\s/
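Review bot: `__MIXED_HREF_CASE_JH` on the last added line requires `<` immediately before the name and `\s` after it, but `href` is an attribute rather than a tag, so it normally appears after whitespace inside a tag and is followed by `=`. As written, the subrule will almost never hit and the intended crosscheck against the similar rules has nothing to compare. A form that looks inside an anchor tag would be `rawbody __MIXED_HREF_CASE_JH /<[Aa]\s[^>]{0,200}?\b(?!HREF|href)[Hh][Rr][Ee][Ff]\s*=/`, which keeps the case-sensitive lookahead and a bounded scan (untested; it needs a masscheck run). Separately, `__MIXED_FONT_CASE` also matches the capitalised `<Font `, which some older HTML editors may emit, so it is worth checking ham hits before `MIXED_FONT_CASE` is published at 2.500.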