Posted to commits@spamassassin.apache.org by he...@apache.org on 2023/03/15 17:11:05 UTC
svn commit: r1908419 - in /spamassassin/trunk: rules/20_head_tests.cf rulesrc/sandbox/jhardin/20_misc_testing.cf rulesrc/sandbox/jm/20_basic.cf rulesrc/sandbox/khopesh/20_khop_experimental.cf rulesrc/sandbox/pds/10_menaces.cf
Author: hege
Date: Wed Mar 15 17:11:05 2023
New Revision: 1908419
URL: http://svn.apache.org/viewvc?rev=1908419&view=rev
Log:
Fix header ALL rules (Bug 8121)
Modified:
spamassassin/trunk/rules/20_head_tests.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf
spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf
Modified: spamassassin/trunk/rules/20_head_tests.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_head_tests.cf?rev=1908419&r1=1908418&r2=1908419&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_head_tests.cf (original)
+++ spamassassin/trunk/rules/20_head_tests.cf Wed Mar 15 17:11:05 2023
@@ -411,7 +411,7 @@ describe FROM_LOCAL_DIGITS From: localpa
header __TOCC_EXISTS exists:ToCc
-header X_PRIORITY_CC ALL =~ /^X-Priority:[^\n]{0,80}^Cc:/msi
+header X_PRIORITY_CC ALL =~ /^X-Priority:.*?^Cc:/msi
describe X_PRIORITY_CC Cc: after X-Priority: (bulk email fingerprint)
# catch non-RFC2047 compliant messages
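Review bot: On X_PRIORITY_CC the new `.*?` under `/s` can run across any number of header lines, so the rule now fires whenever a `Cc:` appears anywhere below `X-Priority:`, whereas the other rules in this commit only widen `\n` to `\n+`. The old `[^\n]{0,80}` could not consume the line break in front of `^Cc:`, so some change was needed. If the fingerprint is meant to be Cc: on the line right after X-Priority: (the describe text does not say), a bounded form such as `/^X-Priority:[^\n]{0,80}\n+Cc:/msi` keeps that meaning and avoids an unbounded scan of the header block. If any position is intended, the describe line should say so.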
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1908419&r1=1908418&r2=1908419&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Mar 15 17:11:05 2023
@@ -486,29 +486,29 @@ describe TINY_FLOAT Has sm
# endless requests on the users list...
-header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
-header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
+header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
+header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe __TO_EQ_FROM To: same as From:
#tflags __TO_EQ_FROM publish
# Suggested by Hans-Werner Friedemann on users list 09/30/2010
-header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
+header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
-header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
-header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
-header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
+header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
+header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
+header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe TO_IN_SUBJ To address is in Subject
tflags TO_IN_SUBJ publish
score TO_IN_SUBJ 0.1
-header __SUBJ_HAS_TOUSR_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^@\n\s>,]+)@[^\n\s>;]+>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
-header __SUBJ_HAS_TOUSR_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^@\n\s>;]+)@[^\n\s>;]+>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
+header __SUBJ_HAS_TOUSR_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^@\n\s>,]+)@[^\n\s>;]+>?\n+(?:[^\n]{1,200}\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
+header __SUBJ_HAS_TOUSR_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^@\n\s>;]+)@[^\n\s>;]+>?;(?:[^\n]+\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
meta __TOUSR_IN_SUBJ (__SUBJ_HAS_TOUSR_1 || __SUBJ_HAS_TOUSR_2) && !__TO_IN_SUBJ
header __SUBJ_HAS_ANY_EMAIL Subject =~ /\b[a-z][a-z0-9_.+]+@(?:[a-z][-a-z0-9]+\.)+[a-z]{2,8}\b/i
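Review bot: The intervening-line group `(?:[^\n]{1,100}\n+)*` in __TO_EQ_FROM_1/2 and __SUBJ_HAS_FROM_1, and the `{1,200}` variant in __SUBJ_HAS_TO_1 and __SUBJ_HAS_TOUSR_1, still stops matching at the first header line longer than the cap, while __SUBJ_HAS_TO_2/3 and __SUBJ_HAS_TOUSR_2 in this same hunk use the uncapped `[^\n]+`. Whether a long header between the two fields makes these rules miss depends on how ALL presents long or folded headers, which the hunk does not show. A comment above the block would record the intent, for example `# ALL may hold more than one newline between header lines (Bug 8121), so join lines with \n+`, and it should state whether the length caps are deliberate. The same capped construct appears in the __PDS_TO_EQ_FROM_NAME and __TO_EQ_FROM_DOM hunks below and in the __TO_EQ_FROM_USR rules in khopesh/20_khop_experimental.cf.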
@@ -544,8 +544,8 @@ endif
# Paul Stead on SA list 11/2014
# ++ not liked by perl 5.8.x
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
- header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
- header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
+ header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
+ header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
describe PDS_TO_EQ_FROM_NAME From: name same as To: address
@@ -572,8 +572,8 @@ header __FROM_ALL_NUMS From
header __TO_ALL_NUMS To:addr =~ /^\d+@/
meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
-header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
-header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
+header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+[^\n]+@\1[>,\s\n]/ism
+header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+[^\n]+@\1[>,\s\n]/ism
meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe __TO_EQ_FROM_DOM To: domain same as From: domain
@@ -2415,7 +2415,7 @@ score HAS_X_NO_RELAY
tflags HAS_X_NO_RELAY publish
-header __DUP_SUSP_HDR ALL =~ /\n(X-No-Relay)\s*:[ ][^\n]{1,100}\n\1\s*:[ ]/ism
+header __DUP_SUSP_HDR ALL =~ /\n(X-No-Relay)\s*:[ \t][^\n]{1,100}\n+\1\s*:[ \t]/ism
meta DUP_SUSP_HDR __DUP_SUSP_HDR
describe DUP_SUSP_HDR Duplicate suspicious message headers
score DUP_SUSP_HDR 2.500 # limit
@@ -2664,7 +2664,7 @@ score HACKED_PHP_URI
#meta __PUNCT_ODD_SPACING_MANY __PUNCT_ODD_SPACING > 2
# poor S/O - how is this in ham?
-#header XMAILER_MANY ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism
+#header XMAILER_MANY ALL =~ /\nX-Mailer:(?:[^\n]+\n+)+X-Mailer:/ism
#describe XMAILER_MANY Has multiple X-Mailer: headers
body __RAW_TOKEN_BODY /\#(?:(?:First|Last)Name|Email)\#/i
@@ -3923,7 +3923,7 @@ uri GOOG_REDIR_DOCUSIGN m
describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
tflags GOOG_REDIR_DOCUSIGN publish
-header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n){1,40}^(?:Subject|Date): /ism
+header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism
header __LUNSUB_BRKT_MALF List-Unsubscribe =~ /<[^>]*$/
header REPTO_SPOTTY Reply-To:addr =~ /^(?:[a-z]{1,3}\.){4,}[a-z]+\d+\@/i
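Review bot: __LUNSUB_BEFORE_SUBJDT still requires a literal space after `List-unsubscribe:` and after `Subject:`/`Date:`, although this commit widens the same separator to `[ \t]` in __DUP_SUSP_HDR. Unless ALL normalises the whitespace after the colon, which is not visible here, a header written with a tab would not be matched by this rule. `/^List-unsubscribe:[ \t](?:[^\n]+\n+){1,40}^(?:Subject|Date):[ \t]/ism` would make the two rules consistent.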
Modified: spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf?rev=1908419&r1=1908418&r2=1908419&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf Wed Mar 15 17:11:05 2023
@@ -240,7 +240,7 @@ tflags JM_I_FEEL_LUCKY publish # lo
# some auto-discovered header rules
header JM_0800_GMT Received =~ / \+0800 \(GMT\)$/
-header JM_GMT_RCVD ALL =~ /0 \(GMT\)\nReceived: by 192\.168\./s
+header JM_GMT_RCVD ALL =~ /0 \(GMT\)\n+Received: by 192\.168\./s
header JM_EXIM_462 Received =~ /with smtp \(Exim 4.62 \(FreeBSD\)\)/
@@ -315,7 +315,7 @@ header __MSNBC_THREAD_INDEX ALL =~ /
header __MSNBC_NOT_EXCH X-MimeOLE =~ /^Produced By Microsoft Exchange/
meta MSNBC_THREAD_INDEX (__MSNBC_THREAD_INDEX && !__MSNBC_NOT_EXCH)
-header MSNBC_HDR_ORDER ALL =~ /\nContent-Transfer-Encoding: 7bit\nX-Mailer: Microsoft CDO for Windows 2000\nContent-Class: urn:content-classes:message\nImportance: normal\nPriority: normal\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119\n/s
+header MSNBC_HDR_ORDER ALL =~ /\nContent-Transfer-Encoding: 7bit\n+X-Mailer: Microsoft CDO for Windows 2000\n+Content-Class: urn:content-classes:message\n+Importance: normal\n+Priority: normal\n+X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119\n/s
header MSNBC_MESSAGEGUID exists:messageGUID
body JM_HOODIA /Hoodia has been showned on/
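Review bot: The dots in `V6.00.3790.3119` on the changed MSNBC_HDR_ORDER line are unescaped, and with `/s` each of them matches any character, including a newline. For a rule that fingerprints an exact header sequence this is looser than the literal string suggests. `V6\.00\.3790\.3119` pins the version text.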
Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf?rev=1908419&r1=1908418&r2=1908419&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf Wed Mar 15 17:11:05 2023
@@ -273,13 +273,13 @@ endif # }
# Requested on sa-users list
# See http://old.nabble.com/username-in-from-address-tp31213779p31213779.html
# See also __TO_EQ_FROM_DOM
-header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
-header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
+header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
+header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR To: username same as From: username
-header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
-header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
+header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
+header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums
Modified: spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf?rev=1908419&r1=1908418&r2=1908419&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf Wed Mar 15 17:11:05 2023
@@ -2,7 +2,7 @@ meta PDS_BAD_THREAD_QP_64 __PDS_QP_6
describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
score PDS_BAD_THREAD_QP_64 1.0
-header __PDS_TO_BRAND_SUBJECT ALL =~ /^To:\s+<?[^\@]+\@([^\.]+)\.(?:[^\n]+\n)*^Subject: \"?\1\b/ism
+header __PDS_TO_BRAND_SUBJECT ALL =~ /^To:\s+<?[^\@]+\@([^\.]+)\.(?:[^\n]+\n+)*^Subject: \"?\1\b/ism
meta PDS_BRAND_SUBJ_NAKED_TO __NAKED_TO && __PDS_TO_BRAND_SUBJECT && !MAILING_LIST_MULTI
describe PDS_BRAND_SUBJ_NAKED_TO Subject starts with To: brand and naked To:
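Review bot: In __PDS_TO_BRAND_SUBJECT the negated classes `[^\@]+` and `([^\.]+)` also match newlines, so the To: prefix and the captured brand label can span several header lines and take an `@` or `.` from an unrelated later header. Combined with the `(?:[^\n]+\n+)*` group and the `\1` backreference, this also increases how far the engine may backtrack on a long header block. Restricting both classes to the To: line keeps the capture where the describe text expects it: `/^To:\s+<?[^\@\n]+\@([^\.\n]+)\.(?:[^\n]+\n+)*^Subject: \"?\1\b/ism`.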
@@ -23,7 +23,7 @@ meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMI
score PDS_RDNS_DYNAMIC_FP 0.01
describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
-header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism
+header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism
meta PDS_SHORT_BOGUS_MSM_HDRS __PDS_HTML_LENGTH_1024 && __BOGUS_MSM_HDRS
score PDS_SHORT_BOGUS_MSM_HDRS 2.0
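Review bot: `From:` at the start of __PDS_FROM_NAME_TO_DOMAIN is not anchored, so the match can also begin inside a header whose name ends in `From:` (a Resent-From: line, for instance) or inside a header value. `/m` is already set, so a leading `^` is enough: `/^From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism`. Separately, `\@\1` has nothing after the backreference, so a To: domain that merely begins with the From: display name also matches; whether that is wanted is not clear from the hunk.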