Posted to commits@spamassassin.apache.org by jh...@apache.org on 2020/11/18 19:18:13 UTC
svn commit: r1883619 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_misc_testing.cf 20_shared_subrules.cf
Author: jhardin
Date: Wed Nov 18 19:18:13 2020
New Revision: 1883619
URL: http://svn.apache.org/viewvc?rev=1883619&view=rev
Log:
Disable FROM_WORDY scored family, S/O very low and FP-ing; add some rules for eval; add exception for t-online.de MTAs in SPOOFED_FREEMAIL as they do not provide SPF or DKIM;
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1883619&r1=1883618&r2=1883619&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Nov 18 19:18:13 2020
@@ -2568,16 +2568,22 @@ header __FROM_WORDY F
#header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+(?<!Customer\.S(?:ervice|upport))\@/
header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/
-meta __FROM_WORDY_SONLY __FROM_WORDY && (__XPRIO_MINFP || __TO_NO_BRKTS_MSFT || __FILL_THIS_FORM_SHORT || __HAS_MSMAIL_PRI || DEAR_FRIEND || __TO_NO_BRKTS_FROM_MSSP || FREEMAIL_REPLYTO )
-meta FROM_WORDY ((__FROM_WORDY_SONLY && !__DKIM_EXISTS) || __FROM_WORDY_3) && !__HAS_TNEF && !__USING_VERP1 && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__RCD_RDNS_MTA && !__RCD_RDNS_MX
-describe FROM_WORDY From address looks like a sentence
-score FROM_WORDY 2.500 # limit
-tflags FROM_WORDY publish
-
-meta FROM_WORDY_SHORT ((__FROM_WORDY_SONLY || __FROM_WORDY_3) && __HTML_LENGTH_0000_1024) && !__HAS_TNEF && !__USING_VERP1
-describe FROM_WORDY_SHORT From address looks like a sentence + short message
-score FROM_WORDY_SHORT 2.500 # limit
-tflags FROM_WORDY_SHORT publish
+# __FROM_WORDY S/O now very poor (ham sign? :) ), don't score even with FP avoidance
+#meta __FROM_WORDY_SONLY __FROM_WORDY && (__XPRIO_MINFP || __TO_NO_BRKTS_MSFT || __FILL_THIS_FORM_SHORT || __HAS_MSMAIL_PRI || DEAR_FRIEND || __TO_NO_BRKTS_FROM_MSSP || FREEMAIL_REPLYTO )
+#meta FROM_WORDY ((__FROM_WORDY_SONLY && !__DKIM_EXISTS) || __FROM_WORDY_3) && !__HAS_TNEF && !__USING_VERP1 && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__RCD_RDNS_MTA && !__RCD_RDNS_MX
+#describe FROM_WORDY From address looks like a sentence
+#score FROM_WORDY 2.500 # limit
+#tflags FROM_WORDY publish
+#
+#meta FROM_WORDY_SHORT ((__FROM_WORDY_SONLY || __FROM_WORDY_3) && __HTML_LENGTH_0000_1024) && !__HAS_TNEF && !__USING_VERP1
+#describe FROM_WORDY_SHORT From address looks like a sentence + short message
+#score FROM_WORDY_SHORT 2.500 # limit
+#tflags FROM_WORDY_SHORT publish
+
+meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64
+describe PHP_SCRIPT Sent by PHP script
+score PHP_SCRIPT 2.500 # limit
+tflags PHP_SCRIPT publish
meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
describe PHP_SCRIPT_MUA Sent by PHP script, no version number
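Review bot: With `__FROM_WORDY_SONLY`, `FROM_WORDY` and `FROM_WORDY_SHORT` commented out, the `__FROM_WORDY_3` header subrule just above them (and `__FROM_WORDY`, whose definition starts outside this hunk) stays active with no consumer visible here, so its regex still runs on every message. If nothing else in the sandbox uses these subrules, comment them out together. Any meta elsewhere that still references `__FROM_WORDY_SONLY` would now point at an undefined subrule, so it is worth grepping the sandbox for remaining references. The new comment would also age better with a date and the measured figure, e.g. `# disabled 2020-11-18: S/O <masscheck value>, FPs even with exclusions`.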
@@ -2594,9 +2600,12 @@ tflags PHP_ORIG_SCRIPT p
# noted 5/26/2016 on list by RW
header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
+meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
+describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
+score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
-#header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/
+#header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/i
#meta __PHP_MALWARE_ATTACH __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT
meta __XMSID __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED
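Review bot: `PHP_ORIG_SCRIPT_EVAL` scores 3.000 on a single header match with no exclusions, whereas the `PHP_SCRIPT` meta added earlier in this commit is guarded with `!ALL_TRUSTED`. Mail generated by PHP applications inside the trusted network could presumably carry this header as well, so consider `meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL && !ALL_TRUSTED`. The description could name what was matched, e.g. `describe PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script shows eval()'d code`, so that a report line explains the hit. The rule also has no `tflags` line; if that is deliberate while it is under evaluation, a one-line comment saying so would help.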
@@ -3298,3 +3307,8 @@ header __LW_TEST_03 F
header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
+header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
+meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
+header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
+
+
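Review bot: `__MSMAIL_PRI_ABNORMAL` is defined as "header present and not exactly `normal`", so it also fires on `high` and `urgent` (overlapping `__MSMAIL_PRI_HIGH`), on `low`, and on any value carrying extra text. If that breadth is intended, a comment should say so, e.g. `# ABNORMAL = any X-MSMail-Priority value other than "normal", including high/urgent`. `__HAS_MSMAIL_PRI` is defined outside this hunk, so whether it matches an empty header value cannot be checked here. The two blank lines appended at the end of the file can be dropped.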
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf?rev=1883619&r1=1883618&r2=1883619&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf Wed Nov 18 19:18:13 2020
@@ -8,10 +8,11 @@ rawbody __BUGGED_IMG m{<img\b[^>]{0,100
# originally from khopesh/20_s25r.cf
# Sanity check: how much freemail lacks spf or dkim?
+# Explicitly exclude freemail providers that do not implement either SPF or DKIM - !__NOT_SPOOFED is not reliable for that
# JHardin: convert to subrule and scored meta
meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
tflags __SPOOFED_FREEMAIL net
-meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__FS_SUBJ_RE && !__freemail_safe && !__DOS_HAS_LIST_ID && !__HAS_X_MAILING_LIST && !__HAS_X_REF && !__HAS_THREAD_INDEX && !__HDRS_LCASE_KNOWN && !__FSL_RELAY_GOOGLE
+meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
score SPOOFED_FREEMAIL 2.000 # limit
tflags SPOOFED_FREEMAIL net
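Review bot: The new `!__HDR_RCVD_TONLINEDE` exemption is broader than the commit message describes, because its subrule (the context line in 20_misc_testing.cf) matches `rdns=…t-online.de` anywhere in `X-Spam-Relays-External`. Only the first entry of that pseudo-header is recorded by a host you trust; later entries are parsed from Received headers the receiving side cannot verify. As written, SPOOFED_FREEMAIL can therefore be switched off by relay data that never came from a t-online.de MTA, and for any freemail From domain rather than only t-online.de. Anchoring the subrule to the first external relay, `X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.t-online\.de\s/`, would narrow the exception to the handing-over MTA. The same question applies to `__HDR_RCVD_GOOGLE`, whose definition is not visible here.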