Posted to commits@spamassassin.apache.org by ma...@apache.org on 2009/06/02 01:39:15 UTC
svn commit: r780884 - /spamassassin/rules/trunk/sandbox/maddoc/99_doc_test.cf
Author: maddoc
Date: Mon Jun 1 23:39:15 2009
New Revision: 780884
URL: http://svn.apache.org/viewvc?rev=780884&view=rev
Log:
New Testing Rules
Modified:
spamassassin/rules/trunk/sandbox/maddoc/99_doc_test.cf
Modified: spamassassin/rules/trunk/sandbox/maddoc/99_doc_test.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/maddoc/99_doc_test.cf?rev=780884&r1=780883&r2=780884&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/maddoc/99_doc_test.cf (original)
+++ spamassassin/rules/trunk/sandbox/maddoc/99_doc_test.cf Mon Jun 1 23:39:15 2009
@@ -1,92 +1,113 @@
-#####################
-# FSL Testing rules #
-# Updated: 20090430 #
-#####################
-
-####################
-# Rules from Bayes #
-####################
-#
-# H*m = Message-Id
-# H*r = Received
-# H*u = User-Agent
-# H*f = References
-# H*i = In-Reply-To
-# H*F = From
-# H*R = Reply-To
-# H*p = Return-Path
-# H*rp = Return-path
-# H*x = X-Mailer
-# H*a = X-Authentication-Warning
-# H*o = Organization|Organisation
-# H*c = Content-Type
-# H*RT = X-Spam-Relays-Trusted
-# H*RU = X-Spam-Relays-Untrusted
-# H*MI = In-Reply-To|References|Message-ID
-# H*Ad = From|To|Cc
-# H*UA = X-Mailer|User-Agent
-#
-
-# | 156002 | 153 | 99.9020 | H*UA:6.00.2600.0000 |
-# | 156001 | 153 | 99.9020 | H*x:6.00.2600.0000 |
+# Testing rules
header __FSL_UA_1 User-Agent =~ /6\.00\.2600\.000/
header __FSL_UA_2 X-Mailer =~ /6\.00\.2600\.000/
-meta FSL_UA_1 (__FSL_UA_1 || __FSL_UA_2)
-score FSL_UA_1 1.0
+meta FSL_UA (__FSL_UA_1 || __FSL_UA_2)
+score FSL_UA 3.0
-# | 26237 | 0 | 100.0000 | H*u:2.0.0.12 |
-header FSL_UA_2 User-Agent =~ /2\.0\.0\.12/
-score FSL_UA_2 1.0
-
-# | 26237 | 0 | 100.0000 | H*u:20080213 |
-header FSL_UA_3 User-Agent =~ /20080213/
-score FSL_UA_3 1.0
-
-#| 17011 | 0 | 100.0000 | H*UA:6.00.2800.1081 |
-#| 17011 | 0 | 100.0000 | H*x:6.00.2800.1081 |
-header __FSL_UA_3 User-Agent =~ /6\.00\.2800\.1081/
-header __FSL_UA_4 X-Mailer =~ /6\.00\.2800\.1081/
-meta FSL_UA_4 (__FSL_UA_3 || __FSL_UA_4)
-score FSL_UA_4 1.0
-
-# | 151401 | 15 | 99.9901 | HX-Spam-Relays-External:User
-header FSL_HELO_1 X-Spam-Relays-External =~ /\bUser\b/
-score FSL_HELO_1 1.0
-
-###################
-# Abused services #
-###################
+header FSL_UA2 User-Agent =~ /6\.00\.2800\.1081/
+score FSL_UA2 3.0
-uri FSL_GG_ABUSE /google\.com\/group\/\S+\/web\//
-score FSL_GG_ABUSE 1.0
+uri FSL_GG_ABUSE /\/google\.com\/group\/\S+\/web\//
+score FSL_GG_ABUSE 15.0
-uri FSL_YG_ABUSE /groups\.yahoo\.com\/group\/\S+\/message\/1$/
-score FSL_YG_ABUSE 1.0
+uri FSL_YG_ABUSE /\/groups\.yahoo\.com\/group\/\S+\/message\/1$/
+score FSL_YG_ABUSE 15.0
-uri FSL_INTERIA_ABUSE /\S+\.(?:w|eu|fm)\.interia\.pl/
-score FSL_INTERIA_ABUSE 1.0
+uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
+score FSL_INTERIA_ABUSE 15.0
uri FSL_GEO_ABUSE /\/geocities\.com\/\S+$/
-score FSL_GEO_ABUSE 1.0
+score FSL_GEO_ABUSE 3.0
# http://pipes.yahoo.com/pipes/pipe.info?_id=qFf6E18w3hGt3lxD0j6skA
-uri FSL_YPIPES_ABUSE /pipes\.yahoo\.com\/pipes\/pipe\.info\?_id=\S+$/
-score FSL_YPIPES_ABUSE 1.0
+uri FSL_YPIPES_ABUSE /\/pipes\.yahoo\.com\/pipes\/pipe\.info\?_id=\S+$/
+score FSL_YPIPES_ABUSE 15.0
# http://cid-e4cf8343be6940bb.spaces.live.com/
uri FSL_LSPACES_ABUSE /cid\-\S+\.spaces\.live\.com/
-score FSL_LSPACES_ABUSE 1.0
+score FSL_LSPACES_ABUSE 15.0
-uri FSL_FBOOK_PHISH /http:\/\/\S+\..+\/facebook\.com/
-score FSL_FBOOK_PHISH 1.0
+uri FSL_FBOOK_PHISH /\/\S+\..+\/facebook\.com/
+score FSL_FBOOK_PHISH 15.0
# http://moorevuvuz28.blogspot.com
-uri FSL_BLOGSPOT_ABUSE /http:\/\/\S+\.blogspot\.com/
-score FSL_BLOGSPOT_ABUSE 1.0
+uri FSL_BLOGSPOT_ABUSE /\/\S+\.blogspot\.com/
+score FSL_BLOGSPOT_ABUSE 5.0
-uri FSL_GD_ABUSE1 /\S+\.docs\.google\.com/
-score FSL_GD_ABUSE1 1.0
+uri FSL_GD1_URI /\/\S+\.docs\.google\.com/
+score FSL_GD1_URI 0.01
# http://docs.google.com/Doc?id=dczfbnj9_8fvfs5wc7
-uri FSL_GD_ABUSE2 /http:\/\/docs\.google\.com\/Doc\?id=\S+/
-score FSL_GD2_ABUSE2 1.0
+uri FSL_GD2_URI /\/docs\.google\.com\/Doc\?id=\S+/
+score FSL_GD2_URI 0.01
+
+# http://sites.google.com/site/1133445/
+uri FSL_GS_ABUSE /\/sites\.google\.com\/site\//
+score FSL_GS_ABUSE 3.0
+
+# http://blogs.360.yahoo.com/woodbegusug71
+uri FSL_Y360_ABUSE /\.360\.yahoo\.com\//
+score FSL_Y360_ABUSE 3.0
+
+# https://createpdf.adobe.com/cgi-pickup.pl/
+uri FSL_CREATEPDF_ABUSE /http(?:s)?:\/\/createpdf\.adobe\.com\/cgi-pickup.pl\//
+score FSL_CREATEPDF_ABUSE 3.0
+
+# http://tinyurl.com
+uri FSL_HAS_TINYURL /tinyurl\.com\//
+score FSL_HAS_TINYURL 0.01
+
+# Multipart mail with no text parts
+header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
+mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
+eta FSL_MIME_NO_TEXT (__CTYPE_MULTIPART_MIXED && !__ANY_TEXT_ATTACH)
+score FSL_MIME_NO_TEXT 1.50
+
+# Test rule from SA list
+rawbody __TWO_WORD_LINES /^\S+\s+\S+$/
+tflags __TWO_WORD_LINES multiple
+meta FSL_STACKED_TEXT (__TWO_WORD_LINES > 10)
+score FSL_STACKED_TEXT 0.001
+
+uri __ANY_HTTP_URI /^http(?:s)?:\/\//
+tflags __ANY_HTTP_URI multiple
+meta FSL_SINGLE_URI (__ANY_HTTP_URI == 1)
+score FSL_SINGLE_URI 0.001
+
+header __HAS_REPLY_TO exists:Reply-To
+header __FROM_FREEMAIL From =~ /\@(?:googlemail|gmail|yahoo|hotmail|msn|aol|aim)\./
+header __REPLY_FREEMAIL Reply-To =~ /\@(?:googlemail|gmail|yahoo|hotmail|msn|aol|aim)\./
+meta FSL_FREEMAIL_1 (__HAS_REPLY_TO && __REPLY_FREEMAIL)
+score FSL_FREEMAIL_1 0.001
+meta FSL_FREEMAIL_2 (__HAS_REPLY_TO && __REPLY_FREEMAIL && __FROM_FREEMAIL)
+score FSL_FREEMAIL_2 0.001
+
+header FSL_HELO_BARE_IP_1 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
+score FSL_HELO_BARE_IP_1 0.001
+
+header FSL_HELO_BARE_IP_2 X-Spam-Relays-Trusted =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
+score FSL_HELO_BARE_IP_2 0.001
+
+header FSL_HELO_BARE_IP_3 X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
+score FSL_HELO_BARE_IP_3 0.001
+
+header FSL_HELO_NON_FQDN_1 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
+score FSL_HELO_NON_FQDN_1 0.001
+
+header FSL_HELO_NON_FQDN_2 X-Spam-Relays-Trusted =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
+score FSL_HELO_NON_FQDN_2 0.001
+
+header FSL_HELO_NON_FQDN_3 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
+score FSL_HELO_NON_FQDN_3 0.001
+
+header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
+score FSL_FAKE_HOTMAIL_RCVD 0.001
+
+header FSL_FAKE_YAHOO_RCVD X-Spam-Relays-External =~ /mx\.mail\.yahoo.com/
+score FSL_FAKE_YAHOO_RCVD 0.001
+
+uri FSL_SPAMWARE_STRING_1 /{\S+}/
+score FSL_SPAMWARE_STRING_1 5.0
+
+header FSL_RCVD_USER Received =~ /\bUser\b/i
+score FSL_RCVD_USER 0.001
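Review bot: The new Hotmail rule is defined as `FSL_FAKE_HOTMAIL_RVCD` but scored as `FSL_FAKE_HOTMAIL_RCVD`, so the 0.001 test score attaches to a name no rule defines and the header rule would fall back to the default score. Rename the definition to `header FSL_FAKE_HOTMAIL_RCVD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/`. The `FSL_MIME_NO_TEXT` line reads `eta` rather than `meta` as shown on this page (possibly an archive artifact), which would leave that rule undefined while its 1.50 score line remains. Separately, 15.0 on single `uri` rules for legitimate hosting services (`FSL_GG_ABUSE`, `FSL_YG_ABUSE`, `FSL_LSPACES_ABUSE` and the others) is three times the default 5.0 threshold, so one matching link marks a message as spam regardless of any other evidence. Keeping these at a test-level score such as `score FSL_GG_ABUSE 0.01`, as the commit already does for `FSL_GD1_URI`, until corpus results justify more would limit false positives.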