svn commit: r1054351 - in /spamassassin/trunk: lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm rulesrc/sandbox/wtogami/20_uri_skipped.cf

[wt...@apache.org]

Author: wtogami
Date: Sun Jan  2 05:25:13 2011
New Revision: 1054351

URL: http://svn.apache.org/viewvc?rev=1054351&view=rev
Log:
URI_SKIPPED_* detects attempts of known good URI flooding, which seems to be targeted at defeating URIBL filtering of some other filter software.
This is fairly common in my own corpus, but I don't know how widespread it is.  Masschecks should tell us if this is worthwhile to keep.

Added:
    spamassassin/trunk/rulesrc/sandbox/wtogami/20_uri_skipped.cf
Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm?rev=1054351&r1=1054350&r2=1054351&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm Sun Jan  2 05:25:13 2011
@@ -306,7 +306,9 @@ sub new {
   $self->{finished} = { };
 
   $self->register_eval_rule ("check_uridnsbl");
+  $self->register_eval_rule ("domains_skipped");
   $self->set_config($samain->{conf});
+  $self->{skipped} = 0;
 
   return $self;
 }
@@ -389,6 +391,9 @@ sub parsed_metadata {
   # Generate the full list of html-parsed domains.
   my $uris = $scanner->get_uri_detail_list();
 
+  # Reset the skipped counter
+  $self->{skipped} = 0;
+
   # go from uri => info to uri_ordered
   # 0: a
   # 1: form
@@ -430,6 +435,7 @@ sub parsed_metadata {
     while (my($host,$domain) = each( %{$info->{hosts}} )) {
       if ($skip_domains->{$domain}) {
         dbg("uridnsbl: domain $domain in skip list");
+        $self->{skipped}++;
       } else {
         # use hostname as a key, and drag along the stipped domain name part
         $uri_ordered[$entry]->{$host} = $domain;
@@ -1151,6 +1157,23 @@ sub res_bgsend {
 
 # ---------------------------------------------------------------------------
 
+sub domains_skipped {
+  my ($self, $pms) = @_;
+  my $skipped = defined $self->{skipped} ? $self->{skipped} : 0;
+  if ($skipped >= 20) {
+    $pms->got_hit('URI_SKIPPED_20');
+  } elsif ($skipped >= 15) {
+    $pms->got_hit('URI_SKIPPED_15');
+  } elsif ($skipped >= 10) {
+    $pms->got_hit('URI_SKIPPED_10');
+  } elsif ($skipped >= 5) {
+    $pms->got_hit('URI_SKIPPED_5');
+  }
+  return 0;
+}
+
+# ---------------------------------------------------------------------------
+
 # capability checks for "if can()":
 #
 sub has_tflags_domains_only { 1 }

Added: spamassassin/trunk/rulesrc/sandbox/wtogami/20_uri_skipped.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/wtogami/20_uri_skipped.cf?rev=1054351&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/wtogami/20_uri_skipped.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/wtogami/20_uri_skipped.cf Sun Jan  2 05:25:13 2011
@@ -0,0 +1,19 @@
+body     URI_SKIPPED_20 eval:domains_skipped()
+describe URI_SKIPPED_20 Whitelisted URI's skipped: 20+
+score    URI_SKIPPED_20 0.01
+tflags   net nopublish
+
+body     URI_SKIPPED_15 eval:domains_skipped()
+describe URI_SKIPPED_15 Whitelisted URI's skipped: 15-19
+score    URI_SKIPPED_15 0.01
+tflags   net nopublish
+
+body     URI_SKIPPED_10 eval:domains_skipped()
+describe URI_SKIPPED_10 Whitelisted URI's skipped: 10-14
+score    URI_SKIPPED_10 0.01
+tflags   net nopublish
+
+body     URI_SKIPPED_5 eval:domains_skipped()
+describe URI_SKIPPED_5 Whitelisted URI's skipped: 5-9
+score    URI_SKIPPED_5 0.01
+tflags   net nopublish