You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2013/02/09 06:19:32 UTC
svn commit: r1444329 - in /spamassassin/trunk/rulesrc/sandbox/jhardin: 20_fillform.cf 20_misc_testing.cf

Author: jhardin
Date: Sat Feb  9 05:19:32 2013
New Revision: 1444329

URL: http://svn.apache.org/r1444329
Log:
Tune phishing rules; ensure __RP_MATCHES_RCVD always exists

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf?rev=1444329&r1=1444328&r2=1444329&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf Sat Feb  9 05:19:32 2013
@@ -29,13 +29,13 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
   replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
 
   # Name variations
-  replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
+  replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
 
   # Telephone variations
   replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
 
   # Misc personal data
-  replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
+  replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
 
   # Loan application details
   replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
@@ -98,8 +98,8 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
   # Add to score if fraud/phishing question is present
   body     __FILL_THIS_FORM_FRAUD_PHISH1   /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
   replace_rules   __FILL_THIS_FORM_FRAUD_PHISH1
-  meta     __FILL_THIS_FORM_FRAUD_PHISH   (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && __FILL_THIS_FORM_FRAUD_PHISH1
-  meta     FILL_THIS_FORM_FRAUD_PHISH     __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML
+  meta     __FILL_THIS_FORM_FRAUD_PHISH   (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH)
+  meta     FILL_THIS_FORM_FRAUD_PHISH     __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED 
   describe FILL_THIS_FORM_FRAUD_PHISH     Answer suspicious question(s)
   #score    FILL_THIS_FORM_FRAUD_PHISH     1.50
 

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1444329&r1=1444328&r2=1444329&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Feb  9 05:19:32 2013
@@ -88,7 +88,7 @@ header  __PHPMAILER_MUA       X-Mailer =
 ifplugin Mail::SpamAssassin::Plugin::DKIM
   meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD
 else
-  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50&& !__RP_MATCHES_RCVD
+  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD
 endif
 score     PHP_NOVER_MUA       3.50	# limit
 describe  PHP_NOVER_MUA       Mail from PHP with no version number
@@ -772,7 +772,11 @@ uri         __UPPERCASE_URI        /^[^:
 if version >= 3.003000
 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
   header      __RP_MATCHES_RCVD      eval:check_mailfrom_matches_rcvd()
+else
+  meta        __RP_MATCHES_RCVD      0
 endif
+else
+  meta        __RP_MATCHES_RCVD      0
 endif
 
 # for sale newsletters
@@ -1007,7 +1011,7 @@ body        __CLEAN_MAILBOX      /\b(?:(
 body        __VALIDATE_MAILBOX   /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta)\b/i
 body        __UPGR_MAILBOX       /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualize sua caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta)\b/i
 body        __LOCK_MAILBOX       /\b(?:(?:deactivate|lock|lose access to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|conta de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) desativado|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de correio|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona)/i
-body        __SYSADMIN           /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) team|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
+body        __SYSADMIN           /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
 body        __ATTN_MAIL_USER     /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
 body        __MAIL_ACCT_ACCESS1  /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
 body        __MAIL_ACCT_ACCESS2  /\blo+se ac+es+ to your (?:web|e-?)?mail (?:account|log-?in|box|address)\b/i