Posted to commits@spamassassin.apache.org by jh...@apache.org on 2021/04/17 18:40:55 UTC

svn commit: r1888867 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Sat Apr 17 18:40:55 2021
New Revision: 1888867

URL: http://svn.apache.org/viewvc?rev=1888867&view=rev
Log:
Fixes to new phishing rules; Amazon occasionally doesn't have rDNS on an MTA; remove some references to missing rules;

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1888867&r1=1888866&r2=1888867&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Apr 17 18:40:55 2021
@@ -590,10 +590,10 @@ endif
 
 
 # Evaluate Validity (née ReturnPath) and blacklist collisions
-meta           __VALIDITY_SAFE_BRBL             RCVD_IN_VALIDITY_SAFE && RCVD_IN_BRBL_LASTEXT
-meta           __VALIDITY_CERTIFIED_BRBL        RCVD_IN_VALIDITY_CERTIFIED && RCVD_IN_BRBL_LASTEXT
-tflags         __VALIDITY_SAFE_BRBL             net nopublish
-tflags         __VALIDITY_CERTIFIED_BRBL        net nopublish
+#meta           __VALIDITY_SAFE_BRBL             RCVD_IN_VALIDITY_SAFE && RCVD_IN_BRBL_LASTEXT
+#meta           __VALIDITY_CERTIFIED_BRBL        RCVD_IN_VALIDITY_CERTIFIED && RCVD_IN_BRBL_LASTEXT
+#tflags         __VALIDITY_SAFE_BRBL             net nopublish
+#tflags         __VALIDITY_CERTIFIED_BRBL        net nopublish
 meta           __VALIDITY_SAFE_ZEN              RCVD_IN_VALIDITY_SAFE && __RCVD_IN_ZEN
 meta           __VALIDITY_CERTIFIED_ZEN         RCVD_IN_VALIDITY_CERTIFIED && __RCVD_IN_ZEN
 tflags         __VALIDITY_SAFE_ZEN              net nopublish
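Review bot: The four `__VALIDITY_*_BRBL` lines are commented out with no reason given next to them, so a later reader cannot tell whether they are parked or dead. The log message mentions references to missing rules; if `RCVD_IN_BRBL_LASTEXT` is the rule that no longer exists (an inference, the hunk does not show it), either delete the lines and let svn history keep them, or put a comment above them such as `# disabled: RCVD_IN_BRBL_LASTEXT is no longer defined`.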
@@ -2490,7 +2490,7 @@ if can(Mail::SpamAssassin::Conf::feature
   #rawbody   __STY_INVIS_NONIMG            /<(?!img\s)[a-z]+\s[^>]{0,200}\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
 
   # *one* invisible style has better S/O than multiple...
-  meta      __STY_INVIS_1_MINFP           __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID && !__FROM_ADDRLIST_PAYPAL 
+  meta      __STY_INVIS_1_MINFP           __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID
 
   meta      HTML_TEXT_INVISIBLE_STYLE     __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL ||  __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX 
   describe  HTML_TEXT_INVISIBLE_STYLE     HTML hidden text + other spam signs
@@ -3180,13 +3180,14 @@ describe   EBAY_IMG_NOT_RCVD_EBAY      E
 tflags     EBAY_IMG_NOT_RCVD_EBAY      publish
 
 header     __HDR_RCVD_AMAZON           X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
+header     __HDR_RCVD_AMAZON_HELO      X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/
 uri        __URI_IMG_AMAZON            m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i
 header     __FROM_NAME_AMAZONCOM       From:name =~ /\bamazon\.com\b/i
 
 # price alert site that leverages Amazon, avoid FPs
 header     __HDR_RCVD_KEEPA            X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
 
-meta       __AMAZON_IMG_NOT_RCVD_AMZN  __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON
+meta       __AMAZON_IMG_NOT_RCVD_AMZN  __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO
 meta       AMAZON_IMG_NOT_RCVD_AMZN    __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST
 score      AMAZON_IMG_NOT_RCVD_AMZN    2.500	# limit
 describe   AMAZON_IMG_NOT_RCVD_AMZN    Amazon hosted image but message not from Amazon
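Review bot: The new `__HDR_RCVD_AMAZON_HELO` exemption relies on the `helo=` field, which is whatever name the connecting client announced. Any relay without rDNS that announces a name matching the pattern therefore switches off `__AMAZON_IMG_NOT_RCVD_AMZN` here and `POSSIBLE_AMAZON_PHISH_02` in the later hunk. Because both rules exist to catch mail posing as Amazon, the fallback should be tied to a signal the sender cannot choose, for example `meta __AMAZON_HELO_AUTHED __HDR_RCVD_AMAZON_HELO && (SPF_PASS || DKIM_VALID)`, with that meta used in the two negations. It is worth confirming in masscheck that genuine no-rDNS SES mail passes one of those checks. The pattern is also not anchored to the first entry of X-Spam-Relays-External, so it can match a relay further back in the chain than the one that handed the message to the trusted network; the existing `__HDR_RCVD_AMAZON` shares that property.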
@@ -3886,19 +3887,19 @@ tflags     ADULT_DATING_COMPANY        p
 body       CHINA_MANUFACTURER          /\bWe are China located manufacture/i
 score      CHINA_MANUFACTURER          2.500	# limit
 
-meta       POSSIBLE_AMAZON_PHISH_01    (__FROM_NAME_AMAZONCOM && NAME_EMAIL_DIFF)
-meta       POSSIBLE_AMAZON_PHISH_02    (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON)
+meta       POSSIBLE_AMAZON_PHISH_01    (__FROM_NAME_AMAZONCOM && __NAME_EMAIL_DIFF)
+meta       POSSIBLE_AMAZON_PHISH_02    (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO)
 
-meta       POSSIBLE_EBAY_PHISH_01      (__FROM_NAME_EBAYCOM && NAME_EMAIL_DIFF)
+meta       POSSIBLE_EBAY_PHISH_01      (__FROM_NAME_EBAYCOM && __NAME_EMAIL_DIFF)
 meta       POSSIBLE_EBAY_PHISH_02      (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
 
-meta       POSSIBLE_APPLE_PHISH_01     (__FROM_NAME_APPLECOM && NAME_EMAIL_DIFF)
+meta       POSSIBLE_APPLE_PHISH_01     (__FROM_NAME_APPLECOM && __NAME_EMAIL_DIFF)
 meta       POSSIBLE_APPLE_PHISH_02     (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
 
-meta       POSSIBLE_PAYPAL_PHISH_01    (__FROM_NAME_PAYPALCOM && NAME_EMAIL_DIFF)
+meta       POSSIBLE_PAYPAL_PHISH_01    (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
 meta       POSSIBLE_PAYPAL_PHISH_02    (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
 
 header     __FROM_ADDR_GMAIL           From:addr =~ /\@gmail\.com>?$/i
-meta       __POSSIBLE_GMAIL_PHISHER    (__FROM_ADDR_GMAIL && NAME_EMAIL_DIFF)
+meta       __POSSIBLE_GMAIL_PHISHER    (__FROM_ADDR_GMAIL && __NAME_EMAIL_DIFF)