You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jm...@apache.org on 2006/12/27 19:30:39 UTC
svn commit: r490548 - /spamassassin/rules/trunk/sandbox/jm/20_basic.cf
Author: jm
Date: Wed Dec 27 10:30:39 2006
New Revision: 490548
URL: http://svn.apache.org/viewvc?view=rev&rev=490548
Log:
rules: DIV_FONT_ARIAL_2, DIV_FONT_ARIAL_2A, DIV_FONT_ARIAL_3, DIV_CENTER_A_HREF, dealing with HTML template droppings; HELO_LOCALHOST, which I should be rejecting in the MTA anyway; CTYPE_NL_NEXTPART, a Content-Type pattern
Modified:
spamassassin/rules/trunk/sandbox/jm/20_basic.cf
Modified: spamassassin/rules/trunk/sandbox/jm/20_basic.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?view=diff&rev=490548&r1=490547&r2=490548
==============================================================================
--- spamassassin/rules/trunk/sandbox/jm/20_basic.cf (original)
+++ spamassassin/rules/trunk/sandbox/jm/20_basic.cf Wed Dec 27 10:30:39 2006
@@ -205,3 +205,17 @@
# a blast from the past
full TRIAL_COMMUNIGATE /\*This message was transferred with a trial version of CommuniGate\(tm\) Pro\*/s
+# some handy obvious template droppings or obfuscation attempts
+full DIV_FONT_ARIAL_2 /<DIV> <\/DIV>\n<DIV><FONT face=3DArial size=3D2>/
+full DIV_FONT_ARIAL_2A /\n<DIV><FONT face=3DArial size=3D2>/
+full DIV_FONT_ARIAL_3 /\n<DIV><FONT face=3DArial size=3D3>/
+full DIV_CENTER_A_HREF /<DIV align=3Dcenter><A href=3D=$/
+
+# wow, I should really be rejecting this at MTA, but hey
+header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /[^\]]+ helo=localhost /i
+
+# a possible correlation
+header __CTYPE_NL_NEXTPART1 Content-Type:raw =~ /multipart\/alternative;\n\tboundary=\"----=_NextPart_000_/
+header __CTYPE_NL_NEXTPART2 Content-Type:raw =~ /multipart\/alternative;\n {8}boundary=\"----=_NextPart_000_/
+meta CTYPE_NL_NEXTPART (__CTYPE_NL_NEXTPART1||__CTYPE_NL_NEXTPART2) && __XM_OUTLOOK_EXPRESS
+