Posted to commits@spamassassin.apache.org by fe...@apache.org on 2004/11/17 02:34:43 UTC
svn commit: rev 76085 - spamassassin/trunk/rules
Author: felicity
Date: Tue Nov 16 17:34:42 2004
New Revision: 76085
Modified:
spamassassin/trunk/rules/70_testing.cf
Log:
bug 3570: added anti-phishing/forging rules
Modified: spamassassin/trunk/rules/70_testing.cf
==============================================================================
--- spamassassin/trunk/rules/70_testing.cf (original)
+++ spamassassin/trunk/rules/70_testing.cf Tue Nov 16 17:34:42 2004
@@ -310,6 +310,7 @@
header T_TRACKING ALL =~ /-tracking/i
describe T_TRACKING There is a tracking header in the email
+
##########################################################################
# bug 2554
@@ -390,3 +391,86 @@
uri T_RATWARE_STORM_URI m{^http://\S{1,100}/sp/t\.pl\?id=\d+:\d+}i
uri T_USERPASS m{^https?://[^/\s]*?(?::[^/\s]+?)?\@}
+##########################################################################
+
+# bug 3570
+# anti-phishing rules, will probably have a low hit-rate
+header __RCVD_USBANK Received =~ /\busbank\.com\b/i
+header __FROM_USBANK From =~ /\busbank\.com\b/i
+uri __URI_USBANK m{^https?://.{0,32}\busbank\.com\b}i
+meta T_FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
+
+header __RCVD_PAYPAL Received =~ /\.paypal\.com\b/i
+header __FROM_PAYPAL From =~ /[\@\.]paypal\.com\b/i
+uri __URI_PAYPAL m{^https?://.{0,32}\bpaypal\.com\b}i
+meta T_FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
+describe T_FORGED_PAYPAL Message appears to be forged, (paypal.com)
+meta T_FORGED_PAYPAL_C (__FROM_PAYPAL && !__RCVD_PAYPAL)
+describe T_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
+
+header __RCVD_EBAY Received =~ /(?:email)?[^\s@]ebay\.com\b/i
+header __FROM_EBAY From =~ /\@(?:email)?ebay\.com\b/i
+uri __URI_EBAY m{^https?://.{0,32}\bebay\.com\b}i
+meta T_FORGED_EBAY (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
+describe T_FORGED_EBAY Message appears to be forged, (ebay.com)
+
+header __RCVD_CITIBNK Received =~ /\b(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com\b/i
+header __FROM_CITIBNK From =~ /\bciti(?:bank)?\.com\b/i
+uri __URI_CITIBNK m{^https?://.{0,32}\bciti(?:bank)?\.com\b}i
+meta T_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
+describe T_FORGED_CITI Message appears to be forged, (citibank.com)
+
+header __RCVD_SUNTRUST Received =~ /\.suntrust\.com\b/i
+header __FROM_SUNTRUST From =~ /[\@\.]suntrust\.com\b/i
+uri __URI_SUNTRUST m{^https?://.{0,32}\bsuntrust\.com\b}i
+meta T_FORGED_SUNTRUST (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
+describe T_FORGED_SUNTRUST Message appears to be forged, (suntrust.com)
+
+header __RCVD_ABOUT_COM Received =~ /\babout\.com\b/i
+header __FROM_ABOUT_COM From =~ /\babout\.com\b/i
+uri __URI_ABOUT_COM m{^https?://.{0,32}\babout\.com\b}i
+meta T_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
+describe T_FORGED_ABOUT Message appears to be forged, (about.com)
+
+header __AT_YAHOO_MSGID MESSAGEID =~ /\@yahoo\.com\b/i
+header __FROM_YAHOO_COM From =~ /\@yahoo\.com\b/i
+meta T_FORGED_MSGID_YAHOO (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
+describe T_FORGED_MSGID_YAHOO Message-ID is forged, (yahoo.com)
+
+header __AT_MSN_MSGID MESSAGEID =~ /\@msn\.com\b/i
+header __FROM_MSN_COM From =~ /\@msn\.com\b/i
+meta T_FORGED_MSGID_MSN (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
+describe T_FORGED_MSGID_MSN Message-ID is forged, (msn.com)
+
+header __AT_HOTMAIL_MSGID MESSAGEID =~ /\@hotmail\.com\b/i
+header __FROM_HOTMAIL_COM From =~ /\@hotmail\.com\b/i
+meta T_FORGED_MSGID_HOTMAIL (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
+describe T_FORGED_MSGID_HOTMAIL Message-ID is forged, (hotmail.com)
+
+header __AT_AOL_MSGID MESSAGEID =~ /\@aol\.com\b/i
+header __FROM_AOL_COM From =~ /\@aol\.com\b/i
+meta T_FORGED_MSGID_AOL (__AT_AOL_MSGID && !__FROM_AOL_COM)
+describe T_FORGED_MSGID_AOL Message-ID is forged, (aol.com)
+
+header __AT_EXCITE_MSGID MESSAGEID =~ /\@excite\.com\b/i
+header __MY_RCVD_EXCITE Received =~ /\.excite\.com\b/i
+meta T_FORGED_MSGID_EXCITE (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
+describe T_FORGED_MSGID_EXCITE Message-ID is forged, (excite.com)
+
+header __AT_CBS_MSGID MESSAGEID =~ /\@cbs\.com\b/i
+header __FROM_CBS_COM From =~ /\@cbs\.com\b/i
+header __MY_RCVD_CBS Received =~ /\.cbs\.com\b/i
+meta T_FORGED_MSGID_CBS (__AT_CBS_MSGID && !__FROM_CBS_COM && !__MY_RCVD_CBS)
+describe T_FORGED_MSGID_CBS Message-ID is forged, (cbs.com)
+
+uri T_SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
+describe T_SPOOF_COM2OTH a.com.b.c
+
+uri T_SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
+describe T_SPOOF_COM2COM a.com.b.com
+
+# CDNs (Akamai (edgesuite), Speedera, and NYUD, so far) do this, so skip them.
+uri T_SPOOF_OURI m{^https?:/{0,2}(?:[^@/]+@)*?(?:[a-z0-9_-]+?\.){2,}(?:com|net|org|biz|info|edu|www)(?!\.(?:\w+\.)?(?:edgesuite|nyud|speedera)\.net)(?:\.[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
+describe T_SPOOF_OURI URL has items in odd places
+
+##########################################################################
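Review bot: The `__RCVD_EBAY` pattern on the `header __RCVD_EBAY Received =~ /(?:email)?[^\s@]ebay\.com\b/i` line accepts any single non-space, non-@ character in front of `ebay.com`, so a Received line mentioning an unrelated host such as `notebay.com` (constructed example) satisfies the sub-rule and switches off `T_FORGED_EBAY`; the sibling rules use a separator class, and `header __RCVD_EBAY Received =~ /(?:email)?[\.\@]ebay\.com\b/i` would match the same legitimate `mx.ebay.com` / `email.ebay.com` shapes without that hole. More generally, every `!__RCVD_*` term here negates a match over all Received headers, and the ones below the trusted-relay boundary are supplied by the sender, so these tests only carry weight where the match is restricted to trusted relays; a short comment stating that limitation (and that `\b` after `.com` does not anchor to the end of the hostname, so `paypal.com.example` also matches `\.paypal\.com\b`) would save the next maintainer from over-trusting the score. `T_FORGED_ABOUT` on the `meta T_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)` line inverts the `__URI_*` term relative to the five rules above it; if that is intentional, a one-line comment such as `# about.com forgeries carry no about.com link, hence !__URI_ABOUT_COM` would make the asymmetry deliberate rather than a suspected copy error.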