You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by he...@apache.org on 2011/05/24 11:41:28 UTC
svn commit: r1126954 - /spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf
Author: hege
Date: Tue May 24 09:41:28 2011
New Revision: 1126954
URL: http://svn.apache.org/viewvc?rev=1126954&view=rev
Log:
some updates
Modified:
spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf
Modified: spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf?rev=1126954&r1=1126953&r2=1126954&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf Tue May 24 09:41:28 2011
@@ -3,33 +3,32 @@
#### Basic stuff
####
-# cheers to spam-l
-# lower S/O than NSL_ version in jhardin sandbox
-#header RCVD_HAS_FROM_USER Received =~ /\bfrom\sUser\b/im
-header RCVD_HAS_HELO_USER Received =~ /\bHELO[\s=]User\b/im
-
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{20})[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
+score HK_RANDOM_ENVFROM 1
header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\bcmp-info\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM From username looks random
+score HK_RANDOM_FROM 1
header HK_RANDOM_FROM_NAME From:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM_NAME From name looks random
header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\b(?:cmpgnr|cnn)\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_REPLYTO Reply-To username looks random
+score HK_RANDOM_REPLYTO 1
header HK_RANDOM_REPLYTO_NAME Reply-To:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_REPLYTO_NAME Reply-To name looks random
header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
+score HK_NAME_DRUGS 2
header HK_NAME_FREE From:name =~ /\b(?:get)?free(?!\.fr)\b/mi
describe HK_NAME_FREE From name mentions free stuff
+score HK_NAME_FREE 0.5
-header HK_SUBJECT_SPACES Subject =~ /^(?!.{80}\#).*?\s{10}/
-describe HK_SUBJECT_SPACES Lots of spaces in Subject
-
-header HK_SUBJECT_SPACES_SC Subject =~ /\s{10}(?:[a-z]|\d{1,4})(?:\s|$)/i
-describe HK_SUBJECT_SPACES_SC Lots of spaces in Subject with some obfuscation
+#header HK_SUBJECT_SPACES Subject =~ /^(?!.{80}\#).*?\s{10}/
+#describe HK_SUBJECT_SPACES Lots of spaces in Subject
+#header HK_SUBJECT_SPACES_SC Subject =~ /\s{10}(?:[a-z]|\d{1,4})(?:\s|$)/i
+#describe HK_SUBJECT_SPACES_SC Lots of spaces in Subject with some obfuscation
body __hk_million /(?:(?:[0-9]{3}[ ,.]?){2,4}|[0-9] ?M\b|mill(?:(?:es?|ons?)(?: de\b)?|ion)).{0,18}(?:\$|[\xa3\xa4]|eur\b|usd\b|gbp\b|cfa\b|euro?s?\b|dollard?s?\b|pounds?\b|francs?\b)/i
body __hk_million2 /(?:\$|[\xa3\xa4]|eur|usd?|gbp|cfa|euro?s?|dollard?s?|pounds?|francs?)(?: de\b)? mill(?:(?:es?|ons?)|ion)/
@@ -64,7 +63,8 @@ body __hk_win_l /\b(?:make|file) (?:fo
body __hk_win_m /\br.clamation de votre prix/i
body __hk_win_n /\bcollect your prize/i
body __hk_win_o /\bclarification and procedure/i
-meta HK_WIN __hk_win_1 || __hk_win_2 || __hk_win_3 || __hk_win_4 || __hk_win_5 || __hk_win_6 || __hk_win_7 || __hk_win_8 || __hk_win_9 || __hk_win_0 || __hk_win_a || __hk_win_b || __hk_win_c || __hk_win_d || __hk_win_e || __hk_win_f || __hk_win_g || __hk_win_h || __hk_win_i || __hk_win_j || __hk_win_k || __hk_win_l || __hk_win_m || __hk_win_n || __hk_win_o
+meta HK_WIN ((__hk_win_1 || __hk_win_2 || __hk_win_3 || __hk_win_4 || __hk_win_5 || __hk_win_6 || __hk_win_7 || __hk_win_8 || __hk_win_9 || __hk_win_0 || __hk_win_a || __hk_win_b || __hk_win_c || __hk_win_d || __hk_win_e || __hk_win_f || __hk_win_g || __hk_win_h || __hk_win_i || __hk_win_j || __hk_win_k || __hk_win_l || __hk_win_m || __hk_win_n || __hk_win_o) > 2)
+score HK_WIN 1
body __HK_LOTTO_1 /\b(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department) ?lot(?:eri[ej]|t(?:ery|o))/i
body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
@@ -73,9 +73,12 @@ body __HK_LOTTO_STAATS /\bstaatsloteri/
body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
body __HK_LOTTO_AWARD /(?:cash prize|prize awards?|you have been awarded|award (?:notification|notice))/i
meta HK_LOTTO __HK_LOTTO_1 || __HK_LOTTO_2 || __HK_LOTTO_JACKPOT || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
+score HK_LOTTO 1
header HK_LOTTO_SUBJECT Subject =~ /\blot(?:eri[ej]|t(?:ery|o))\b/mi
+score HK_LOTTO_SUBJECT 1
header HK_LOTTO_NAME From =~ /^[^@]*(?:lot(?:eri[ej]|t(?:ery|o))|award|winner)/mi
+score HK_LOTTO_NAME 1
body HK_SCAM_N1 /\b(?:widow|son|daughter|husband|wife|brother|sister) of (?:the )?(?:late|sacked|dead|passed)\b/i
body HK_SCAM_N2 /\bnext of kin\b/i
@@ -103,7 +106,9 @@ body HK_SCAM_S23 /(?:\b(?:urgent alert
body HK_GOLDDUST /\bgold ?dust\b/i
body HK_PNIS /\bpenis\b/i
+score HK_PNIS 1
body HK_PNISES /\bpenises\b/i
+score HK_PNISES 1
# From Mike Cappella
header TAB_IN_FROM From:raw =~ /^\t/s
@@ -145,31 +150,31 @@ endif
#### Some fakename tests which rely in SPF & DKIM
####
-ifplugin Mail::SpamAssassin::Plugin::SPF
-ifplugin Mail::SpamAssassin::Plugin::DKIM
+#ifplugin Mail::SpamAssassin::Plugin::SPF
+#ifplugin Mail::SpamAssassin::Plugin::DKIM
# check spf and dkim for all, false hits per bug 6417
-header __HK_NAME_MICROSOFT From:name =~ /(microsoft|\bmsn\b)/i
-header __HK_HELO_MICROSOFT X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
-meta HK_FAKENAME_MICROSOFT __HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT && !SPF_PASS && !DKIM_VALID_AU
-describe HK_FAKENAME_MICROSOFT From name mentions Microsoft, but not relayed from there
-
-header __HK_NAME_YAHOO From:name =~ /\byahoo\b/i
-header __HK_HELO_YAHOO X-Spam-Relays-External =~ / helo=[^ ]+\.yahoo\.com /
-meta HK_FAKENAME_YAHOO __HK_NAME_YAHOO && !__HK_HELO_YAHOO && !SPF_PASS && !DKIM_VALID_AU
-describe HK_FAKENAME_YAHOO From name mentions Yahoo, but not relayed from there
-
-header __HK_NAME_PAYPAL From:name =~ /\bpaypal\b/i
-header __HK_HELO_PAYPAL X-Spam-Relays-External =~ / helo=[^ ]+\.paypal\b/
-meta HK_FAKENAME_PAYPAL __HK_NAME_PAYPAL && !__HK_HELO_PAYPAL && !SPF_PASS && !DKIM_VALID_AU
-describe HK_FAKENAME_PAYPAL From name mentions PayPal, but not relayed from there
-
-header __HK_NAME_EBAY From:name =~ /\bebay\b/i
-header __HK_HELO_EBAY X-Spam-Relays-External =~ / helo=[^ ]+\.(?:ebay|emarsys)\b/
-meta HK_FAKENAME_EBAY __HK_NAME_EBAY && !__HK_HELO_EBAY && !SPF_PASS && !DKIM_VALID_AU
-describe HK_FAKENAME_EBAY From name mentions eBay, but not relayed from there
+#header __HK_NAME_MICROSOFT From:name =~ /(microsoft|\bmsn\b)/i
+#header __HK_HELO_MICROSOFT X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
+#meta HK_FAKENAME_MICROSOFT __HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT && !SPF_PASS && !DKIM_VALID_AU
+#describe HK_FAKENAME_MICROSOFT From name mentions Microsoft, but not relayed from there
+
+#header __HK_NAME_YAHOO From:name =~ /\byahoo\b/i
+#header __HK_HELO_YAHOO X-Spam-Relays-External =~ / helo=[^ ]+\.yahoo\.com /
+#meta HK_FAKENAME_YAHOO __HK_NAME_YAHOO && !__HK_HELO_YAHOO && !SPF_PASS && !DKIM_VALID_AU
+#describe HK_FAKENAME_YAHOO From name mentions Yahoo, but not relayed from there
+
+#header __HK_NAME_PAYPAL From:name =~ /\bpaypal\b/i
+#header __HK_HELO_PAYPAL X-Spam-Relays-External =~ / helo=[^ ]+\.paypal\b/
+#meta HK_FAKENAME_PAYPAL __HK_NAME_PAYPAL && !__HK_HELO_PAYPAL && !SPF_PASS && !DKIM_VALID_AU
+#describe HK_FAKENAME_PAYPAL From name mentions PayPal, but not relayed from there
+
+#header __HK_NAME_EBAY From:name =~ /\bebay\b/i
+#header __HK_HELO_EBAY X-Spam-Relays-External =~ / helo=[^ ]+\.(?:ebay|emarsys)\b/
+#meta HK_FAKENAME_EBAY __HK_NAME_EBAY && !__HK_HELO_EBAY && !SPF_PASS && !DKIM_VALID_AU
+#describe HK_FAKENAME_EBAY From name mentions eBay, but not relayed from there
-endif
-endif
+#endif
+#endif