Posted to commits@spamassassin.apache.org by jh...@apache.org on 2021/01/29 19:49:40 UTC

svn commit: r1886032 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Fri Jan 29 19:49:40 2021
New Revision: 1886032

URL: http://svn.apache.org/viewvc?rev=1886032&view=rev
Log:
Add rules for eval; expose rules for scoring; rule tweaks

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1886032&r1=1886031&r2=1886032&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Fri Jan 29 19:49:40 2021
@@ -2277,13 +2277,26 @@ describe    RCVD_DBL_DQ                M
 tflags      RCVD_DBL_DQ                publish
 
 # reported on users list 09/2014 George Johnson <ge...@talaya.net>
-header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
+header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
 tflags    __RAND_HEADER                multiple maxhits=4
-meta      RAND_HEADER_MANY             __RAND_HEADER > 3
+meta      __RAND_HEADER_2              __RAND_HEADER > 1
+meta      __RAND_HEADER_3              __RAND_HEADER > 2
+meta      __RAND_HEADER_4              __RAND_HEADER > 3
+
+#meta      RAND_HEADER                  __RAND_HEADER && !RAND_HEADER_MANY && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__HAS_TNEF && !__HAS_IN_REPLY_TO 
+#describe  RAND_HEADER                  Random gibberish message header(s)
+#score     RAND_HEADER                  3.000   # limit
+#tflags    RAND_HEADER                  publish
+
+meta      RAND_HEADER_MANY             __RAND_HEADER_4
 describe  RAND_HEADER_MANY             Many random gibberish message headers
 score     RAND_HEADER_MANY             3.000   # limit
 tflags    RAND_HEADER_MANY             publish
 
+header    __RAND_MKTG_HEADER           ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:(?:Tracking|Subscriber|Delivery|EBS|Customer|Campaign)-[DSU]?id):/ism
+
+header    __HEADER_START_NUM           ALL =~ /^\d[-a-z0-9]*:/ism
+
 
 #body      FR_SPAM_LAW                  /article 34 de la loi 78-17\b/i
 #describe  FR_SPAM_LAW                  References French privacy law
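Review bot: The graded subrules `__RAND_HEADER_2` and `__RAND_HEADER_3` added at L30–L31 have no consumer in this hunk: the only meta that would use them, `RAND_HEADER` at L34, stays commented out and still references `RAND_HEADER_MANY` rather than the new thresholds, so they are dead until that line is revived. A short comment above them would record the intent, e.g. `# graded gibberish-header counts, kept for meta evaluation; RAND_HEADER below is the intended consumer`. The new `Tracking-Code` entry in the negative lookahead at L27 is presumably there so a Tracking-Code value is not counted as a random header now that `__HAS_TRACKING_CODE` scores it separately later in this commit; that relationship is worth a one-line comment too, since the two rules live ~1300 lines apart. Likewise `__RAND_MKTG_HEADER` (L44) and `__HEADER_START_NUM` (L46) are introduced with no comment or meta; if they are for masscheck only, say so, e.g. `# eval subrules: vendor tracking-id headers / header names starting with a digit`.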
@@ -3543,6 +3556,11 @@ describe   URI_AZURE_CLOUDAPP          L
 score      URI_AZURE_CLOUDAPP          3.000	# limit
 tflags     URI_AZURE_CLOUDAPP          publish
 
+uri        __URI_ADOBESPARK            m,https?://branchlink\.adobespark\.com/,i
+meta       URI_ADOBESPARK              __URI_ADOBESPARK
+score      URI_ADOBESPARK              3.500	# limit
+tflags     URI_ADOBESPARK              publish
+
 
 # seen in a few spams
 body       __BTC_MLM                   /Block[-\s]?chain network marketing/i
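Review bot: `URI_ADOBESPARK` (L56–L58) is given a score and `publish` but no `describe` line, while the sibling `URI_AZURE_CLOUDAPP` directly above has one; published rules are expected to carry a description so the hit reads as a human-readable reason in reports. Proposed line: `describe   URI_ADOBESPARK              Link to Adobe Spark short-link host, seen in spam`. The `__URI_ADOBESPARK` pattern is not anchored to the start of the URI, so it also fires when the host appears inside another URI's query string; that matches the style of neighbouring `uri` rules and is presumably intentional, but a 3.5 "limit" score on a legitimate hosting service makes the false-positive surface worth a comment.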
@@ -3590,10 +3608,18 @@ meta       OBFU_UNSUB_UL               _
 describe   OBFU_UNSUB_UL               Obfuscated unsubscribe text
 tflags     OBFU_UNSUB_UL               publish
 
+header     __HAS_GOOGLE_DKIM_SIG       exists:X-Google-DKIM-Signature
+header     __HAS_X_SENDER              exists:X-Sender
+header     __HAS_XM_SENT_BY            exists:X-Mailer-Sent-By
+
 header     __HAS_COMPLAINT_TO          exists:Complaint-To
-header     __HAS_TRACKING_CODE         exists:tracking-code
+header     __HAS_TRACKING_CODE         exists:Tracking-Code
 header     __HAS_LOGID                 exists:logid
 
+meta       JH_SPAMMY_HEADERS           __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID
+describe   JH_SPAMMY_HEADERS           Has unusual message header(s) seen primarily in spam
+score      JH_SPAMMY_HEADERS           3.500	# limit
+
 # observed in some phish/419 spams
 header     __HAS_MAIL_REPLY_TO         exists:Mail-Reply-To
 
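Review bot: `JH_SPAMMY_HEADERS` at L76–L78 has a `describe` and a score but no `tflags` line, unlike every other scored rule in these hunks; if it is deliberately evaluate-only, add `# eval only, not yet published` above it, otherwise `tflags     JH_SPAMMY_HEADERS           publish`. The three `__HAS_*` subrules at L67–L69 are added without any meta referencing them in this hunk, and `X-Google-DKIM-Signature` in particular is present on ordinary Google-relayed mail, so a comment recording that they are context/exclusion subrules rather than spam indicators would keep someone from folding them into `JH_SPAMMY_HEADERS` later. The `exists:tracking-code` → `exists:Tracking-Code` change at L73 looks cosmetic, as header-name lookups are case-insensitive as far as I know; if it was meant to fix a non-firing rule, the real cause is probably elsewhere — worth confirming against masscheck before relying on it.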
@@ -3606,11 +3632,13 @@ ifplugin Mail::SpamAssassin::Plugin::Fre
   tflags     ODD_FREEM_REPTO             publish
 endif
 
-rawbody    __CONTENT_AFTER_HTML        /<\/html>\s*\S/i
-meta       CONTENT_AFTER_HTML          __CONTENT_AFTER_HTML && !MIME_QP_LONG_LINE 
-describe   CONTENT_AFTER_HTML          More content after HTML close tag
-score      CONTENT_AFTER_HTML          2.500	# limit
-
-uri        __GOOG_REDIR_DOCUSIGN       m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
-uri        __URI_ADOBESPARK            m;https?://branchlink\.adobespark\.com/;i
+rawbody    __CONTENT_AFTER_HTML        /<\/html>\s*[a-z0-9]/i
+#meta       CONTENT_AFTER_HTML          __CONTENT_AFTER_HTML
+#describe   CONTENT_AFTER_HTML          More content after HTML close tag
+#score      CONTENT_AFTER_HTML          2.500	# limit
+
+# High S/O but rare - ahead of the curve?
+uri        GOOG_REDIR_DOCUSIGN         m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
+describe   GOOG_REDIR_DOCUSIGN         Indirect docusign link, probable phishing
+tflags     GOOG_REDIR_DOCUSIGN         publish