Posted to commits@spamassassin.apache.org by he...@apache.org on 2011/05/24 11:41:28 UTC

svn commit: r1126954 - /spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf

Author: hege
Date: Tue May 24 09:41:28 2011
New Revision: 1126954

URL: http://svn.apache.org/viewvc?rev=1126954&view=rev
Log:
some updates

Modified:
    spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf

Modified: spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf?rev=1126954&r1=1126953&r2=1126954&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf Tue May 24 09:41:28 2011
@@ -3,33 +3,32 @@
 #### Basic stuff
 ####
 
-# cheers to spam-l
-# lower S/O than NSL_ version in jhardin sandbox
-#header		RCVD_HAS_FROM_USER	Received =~ /\bfrom\sUser\b/im
-header		RCVD_HAS_HELO_USER	Received =~ /\bHELO[\s=]User\b/im
-
 header		HK_RANDOM_ENVFROM	EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{20})[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
 describe	HK_RANDOM_ENVFROM	Envelope sender username looks random
+score		HK_RANDOM_ENVFROM	1
 header		HK_RANDOM_FROM		From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\bcmp-info\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
 describe	HK_RANDOM_FROM		From username looks random
+score		HK_RANDOM_FROM		1
 header		HK_RANDOM_FROM_NAME	From:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
 describe	HK_RANDOM_FROM_NAME	From name looks random
 header		HK_RANDOM_REPLYTO	Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\b(?:cmpgnr|cnn)\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
 describe	HK_RANDOM_REPLYTO	Reply-To username looks random
+score		HK_RANDOM_REPLYTO	1
 header		HK_RANDOM_REPLYTO_NAME	Reply-To:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
 describe	HK_RANDOM_REPLYTO_NAME	Reply-To name looks random
 
 header		HK_NAME_DRUGS		From:name =~ /(viagra|\bcialis|cialis\b)/mi
 describe	HK_NAME_DRUGS		From name contains drugs
+score		HK_NAME_DRUGS		2
 
 header		HK_NAME_FREE		From:name =~ /\b(?:get)?free(?!\.fr)\b/mi
 describe	HK_NAME_FREE		From name mentions free stuff
+score		HK_NAME_FREE		0.5
 
-header		HK_SUBJECT_SPACES	Subject =~ /^(?!.{80}\#).*?\s{10}/
-describe	HK_SUBJECT_SPACES	Lots of spaces in Subject
-
-header		HK_SUBJECT_SPACES_SC	Subject =~ /\s{10}(?:[a-z]|\d{1,4})(?:\s|$)/i
-describe	HK_SUBJECT_SPACES_SC	Lots of spaces in Subject with some obfuscation
+#header		HK_SUBJECT_SPACES	Subject =~ /^(?!.{80}\#).*?\s{10}/
+#describe	HK_SUBJECT_SPACES	Lots of spaces in Subject
+#header		HK_SUBJECT_SPACES_SC	Subject =~ /\s{10}(?:[a-z]|\d{1,4})(?:\s|$)/i
+#describe	HK_SUBJECT_SPACES_SC	Lots of spaces in Subject with some obfuscation
 
 body		__hk_million		/(?:(?:[0-9]{3}[ ,.]?){2,4}|[0-9] ?M\b|mill(?:(?:es?|ons?)(?: de\b)?|ion)).{0,18}(?:\$|[\xa3\xa4]|eur\b|usd\b|gbp\b|cfa\b|euro?s?\b|dollard?s?\b|pounds?\b|francs?\b)/i
 body		__hk_million2		/(?:\$|[\xa3\xa4]|eur|usd?|gbp|cfa|euro?s?|dollard?s?|pounds?|francs?)(?: de\b)? mill(?:(?:es?|ons?)|ion)/
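Review bot: The four `#header`/`#describe` lines for HK_SUBJECT_SPACES and HK_SUBJECT_SPACES_SC are disabled without any comment saying why, and the log message ("some updates") does not say either. A one-line marker above them, such as `# disabled <DATE>: <REASON, e.g. false positives seen in mass-check>`, would tell the next maintainer whether re-enabling them is safe. The hunk at `@@ -145,31 +150,31 @@` does the same to the whole HK_FAKENAME_* block and its `ifplugin`/`endif` guards. There the surviving comment "check spf and dkim for all, false hits per bug 6417" now sits above dead rules and reads as if they were still active, so it needs the same marker.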
@@ -64,7 +63,8 @@ body		__hk_win_l		/\b(?:make|file) (?:fo
 body		__hk_win_m		/\br.clamation de votre prix/i
 body		__hk_win_n		/\bcollect your prize/i
 body		__hk_win_o		/\bclarification and procedure/i
-meta		HK_WIN			__hk_win_1 || __hk_win_2 || __hk_win_3 || __hk_win_4 || __hk_win_5 || __hk_win_6 || __hk_win_7 || __hk_win_8 || __hk_win_9 || __hk_win_0 || __hk_win_a || __hk_win_b || __hk_win_c || __hk_win_d || __hk_win_e || __hk_win_f || __hk_win_g || __hk_win_h || __hk_win_i || __hk_win_j || __hk_win_k || __hk_win_l || __hk_win_m || __hk_win_n || __hk_win_o
+meta		HK_WIN			((__hk_win_1 || __hk_win_2 || __hk_win_3 || __hk_win_4 || __hk_win_5 || __hk_win_6 || __hk_win_7 || __hk_win_8 || __hk_win_9 || __hk_win_0 || __hk_win_a || __hk_win_b || __hk_win_c || __hk_win_d || __hk_win_e || __hk_win_f || __hk_win_g || __hk_win_h || __hk_win_i || __hk_win_j || __hk_win_k || __hk_win_l || __hk_win_m || __hk_win_n || __hk_win_o) > 2)
+score		HK_WIN			1
 
 body		__HK_LOTTO_1		/\b(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department) ?lot(?:eri[ej]|t(?:ery|o))/i
 body		__HK_LOTTO_2		/\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
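Review bot: The new `meta HK_WIN` expression looks unable to ever be true. A hit body rule without `tflags multiple` has value 1, and `||` yields one of its operands, so the parenthesised OR is at most 1 and `> 2` fails. The definitions of most `__hk_win_*` sub-rules are outside this hunk, so this assumes none of them is declared `multiple`. If the intent is to require at least three distinct prize phrases, sum the sub-rules instead: `meta HK_WIN (__hk_win_1 + __hk_win_2 + … + __hk_win_o) > 2`. As committed, `score HK_WIN 1` is attached to a rule that would silently stop firing, which removes this signal for prize-scam mail without any visible error.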
@@ -73,9 +73,12 @@ body		__HK_LOTTO_STAATS	/\bstaatsloteri/
 body		__HK_LOTTO_BALLOT	/\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
 body		__HK_LOTTO_AWARD	/(?:cash prize|prize awards?|you have been awarded|award (?:notification|notice))/i
 meta		HK_LOTTO		__HK_LOTTO_1 || __HK_LOTTO_2 || __HK_LOTTO_JACKPOT || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
+score		HK_LOTTO		1
 
 header		HK_LOTTO_SUBJECT	Subject =~ /\blot(?:eri[ej]|t(?:ery|o))\b/mi
+score		HK_LOTTO_SUBJECT	1
 header		HK_LOTTO_NAME		From =~ /^[^@]*(?:lot(?:eri[ej]|t(?:ery|o))|award|winner)/mi
+score		HK_LOTTO_NAME		1
 
 body		HK_SCAM_N1		/\b(?:widow|son|daughter|husband|wife|brother|sister) of (?:the )?(?:late|sacked|dead|passed)\b/i
 body		HK_SCAM_N2		/\bnext of kin\b/i
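Review bot: HK_LOTTO_SUBJECT and HK_LOTTO_NAME now carry an explicit `score` but have no `describe` line next to them, unlike the HK_RANDOM_* and HK_NAME_* rules earlier in the file. A report would then show only the bare rule name for a scoring hit, which makes it harder to triage a false positive. Suggested additions: `describe HK_LOTTO_SUBJECT Subject mentions a lottery` and `describe HK_LOTTO_NAME From header mentions lottery, award or winner`. The same applies to HK_PNIS and HK_PNISES in the `@@ -103,7 +106,9 @@` hunk, unless their descriptions live elsewhere in the file.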
@@ -103,7 +106,9 @@ body		HK_SCAM_S23		/(?:\b(?:urgent alert
 body		HK_GOLDDUST		/\bgold ?dust\b/i
 
 body		HK_PNIS			/\bpenis\b/i
+score		HK_PNIS			1
 body		HK_PNISES		/\bpenises\b/i
+score		HK_PNISES		1
 
 # From Mike Cappella
 header		TAB_IN_FROM		From:raw =~ /^\t/s
@@ -145,31 +150,31 @@ endif
 #### Some fakename tests which rely in SPF & DKIM
 ####
 
-ifplugin Mail::SpamAssassin::Plugin::SPF
-ifplugin Mail::SpamAssassin::Plugin::DKIM
+#ifplugin Mail::SpamAssassin::Plugin::SPF
+#ifplugin Mail::SpamAssassin::Plugin::DKIM
 
 # check spf and dkim for all, false hits per bug 6417
 
-header		__HK_NAME_MICROSOFT	From:name =~ /(microsoft|\bmsn\b)/i
-header		__HK_HELO_MICROSOFT	X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
-meta		HK_FAKENAME_MICROSOFT	__HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT && !SPF_PASS && !DKIM_VALID_AU
-describe	HK_FAKENAME_MICROSOFT	From name mentions Microsoft, but not relayed from there
-
-header		__HK_NAME_YAHOO		From:name =~ /\byahoo\b/i
-header		__HK_HELO_YAHOO		X-Spam-Relays-External =~ / helo=[^ ]+\.yahoo\.com /
-meta		HK_FAKENAME_YAHOO	__HK_NAME_YAHOO && !__HK_HELO_YAHOO && !SPF_PASS && !DKIM_VALID_AU
-describe	HK_FAKENAME_YAHOO	From name mentions Yahoo, but not relayed from there
-
-header		__HK_NAME_PAYPAL	From:name =~ /\bpaypal\b/i
-header		__HK_HELO_PAYPAL	X-Spam-Relays-External =~ / helo=[^ ]+\.paypal\b/
-meta		HK_FAKENAME_PAYPAL	__HK_NAME_PAYPAL && !__HK_HELO_PAYPAL && !SPF_PASS && !DKIM_VALID_AU
-describe	HK_FAKENAME_PAYPAL	From name mentions PayPal, but not relayed from there
-
-header		__HK_NAME_EBAY		From:name =~ /\bebay\b/i
-header		__HK_HELO_EBAY		X-Spam-Relays-External =~ / helo=[^ ]+\.(?:ebay|emarsys)\b/
-meta		HK_FAKENAME_EBAY	__HK_NAME_EBAY && !__HK_HELO_EBAY && !SPF_PASS && !DKIM_VALID_AU
-describe	HK_FAKENAME_EBAY	From name mentions eBay, but not relayed from there
+#header		__HK_NAME_MICROSOFT	From:name =~ /(microsoft|\bmsn\b)/i
+#header		__HK_HELO_MICROSOFT	X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
+#meta		HK_FAKENAME_MICROSOFT	__HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT && !SPF_PASS && !DKIM_VALID_AU
+#describe	HK_FAKENAME_MICROSOFT	From name mentions Microsoft, but not relayed from there
+
+#header		__HK_NAME_YAHOO		From:name =~ /\byahoo\b/i
+#header		__HK_HELO_YAHOO		X-Spam-Relays-External =~ / helo=[^ ]+\.yahoo\.com /
+#meta		HK_FAKENAME_YAHOO	__HK_NAME_YAHOO && !__HK_HELO_YAHOO && !SPF_PASS && !DKIM_VALID_AU
+#describe	HK_FAKENAME_YAHOO	From name mentions Yahoo, but not relayed from there
+
+#header		__HK_NAME_PAYPAL	From:name =~ /\bpaypal\b/i
+#header		__HK_HELO_PAYPAL	X-Spam-Relays-External =~ / helo=[^ ]+\.paypal\b/
+#meta		HK_FAKENAME_PAYPAL	__HK_NAME_PAYPAL && !__HK_HELO_PAYPAL && !SPF_PASS && !DKIM_VALID_AU
+#describe	HK_FAKENAME_PAYPAL	From name mentions PayPal, but not relayed from there
+
+#header		__HK_NAME_EBAY		From:name =~ /\bebay\b/i
+#header		__HK_HELO_EBAY		X-Spam-Relays-External =~ / helo=[^ ]+\.(?:ebay|emarsys)\b/
+#meta		HK_FAKENAME_EBAY	__HK_NAME_EBAY && !__HK_HELO_EBAY && !SPF_PASS && !DKIM_VALID_AU
+#describe	HK_FAKENAME_EBAY	From name mentions eBay, but not relayed from there
 
-endif
-endif
+#endif
+#endif