Posted to commits@spamassassin.apache.org by fe...@apache.org on 2004/11/17 02:34:43 UTC

svn commit: rev 76085 - spamassassin/trunk/rules

Author: felicity
Date: Tue Nov 16 17:34:42 2004
New Revision: 76085

Modified:
   spamassassin/trunk/rules/70_testing.cf
Log:
bug 3570: added anti-phishing/forging rules

Modified: spamassassin/trunk/rules/70_testing.cf
==============================================================================
--- spamassassin/trunk/rules/70_testing.cf	(original)
+++ spamassassin/trunk/rules/70_testing.cf	Tue Nov 16 17:34:42 2004
@@ -310,6 +310,7 @@
 
 header   T_TRACKING           ALL =~ /-tracking/i
 describe T_TRACKING           There is a tracking header in the email
+
 ##########################################################################
 
 # bug 2554
@@ -390,3 +391,86 @@
 uri T_RATWARE_STORM_URI	m{^http://\S{1,100}/sp/t\.pl\?id=\d+:\d+}i
 uri T_USERPASS                    m{^https?://[^/\s]*?(?::[^/\s]+?)?\@}
 
+##########################################################################
+
+# bug 3570
+# anti-phishing rules, will probably have a low hit-rate
+header   __RCVD_USBANK		Received =~ /\busbank\.com\b/i
+header   __FROM_USBANK		From =~ /\busbank\.com\b/i
+uri      __URI_USBANK		m{^https?://.{0,32}\busbank\.com\b}i
+meta     T_FORGED_USBANK	(__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
+
+header   __RCVD_PAYPAL		Received =~ /\.paypal\.com\b/i
+header   __FROM_PAYPAL		From =~ /[\@\.]paypal\.com\b/i
+uri      __URI_PAYPAL		m{^https?://.{0,32}\bpaypal\.com\b}i
+meta     T_FORGED_PAYPAL	(__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
+describe T_FORGED_PAYPAL	Message appears to be forged, (paypal.com)
+meta     T_FORGED_PAYPAL_C	(__FROM_PAYPAL && !__RCVD_PAYPAL)
+describe T_FORGED_PAYPAL_C	Has Paypal from, no Paypal received header.
+
+header   __RCVD_EBAY		Received =~ /(?:email)?[^\s@]ebay\.com\b/i
+header   __FROM_EBAY		From =~ /\@(?:email)?ebay\.com\b/i
+uri      __URI_EBAY		m{^https?://.{0,32}\bebay\.com\b}i
+meta     T_FORGED_EBAY		(__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
+describe T_FORGED_EBAY		Message appears to be forged, (ebay.com)
+
+header   __RCVD_CITIBNK		Received =~ /\b(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com\b/i
+header   __FROM_CITIBNK		From =~ /\bciti(?:bank)?\.com\b/i
+uri      __URI_CITIBNK		m{^https?://.{0,32}\bciti(?:bank)?\.com\b}i
+meta     T_FORGED_CITI		(__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
+describe T_FORGED_CITI		Message appears to be forged, (citibank.com)
+
+header   __RCVD_SUNTRUST	Received =~ /\.suntrust\.com\b/i
+header   __FROM_SUNTRUST	From =~ /[\@\.]suntrust\.com\b/i
+uri      __URI_SUNTRUST		m{^https?://.{0,32}\bsuntrust\.com\b}i
+meta     T_FORGED_SUNTRUST	(__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
+describe T_FORGED_SUNTRUST	Message appears to be forged, (suntrust.com)
+
+header   __RCVD_ABOUT_COM	Received =~ /\babout\.com\b/i
+header   __FROM_ABOUT_COM	From =~ /\babout\.com\b/i
+uri      __URI_ABOUT_COM	m{^https?://.{0,32}\babout\.com\b}i
+meta     T_FORGED_ABOUT		(!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
+describe T_FORGED_ABOUT		Message appears to be forged, (about.com)
+
+header   __AT_YAHOO_MSGID	MESSAGEID =~ /\@yahoo\.com\b/i
+header   __FROM_YAHOO_COM	From =~ /\@yahoo\.com\b/i
+meta     T_FORGED_MSGID_YAHOO	(__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
+describe T_FORGED_MSGID_YAHOO	Message-ID is forged, (yahoo.com)
+
+header   __AT_MSN_MSGID		MESSAGEID =~ /\@msn\.com\b/i
+header   __FROM_MSN_COM		From =~ /\@msn\.com\b/i
+meta     T_FORGED_MSGID_MSN	(__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
+describe T_FORGED_MSGID_MSN	Message-ID is forged, (msn.com)
+
+header   __AT_HOTMAIL_MSGID	MESSAGEID =~ /\@hotmail\.com\b/i
+header   __FROM_HOTMAIL_COM	From =~ /\@hotmail\.com\b/i
+meta     T_FORGED_MSGID_HOTMAIL	(__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
+describe T_FORGED_MSGID_HOTMAIL	Message-ID is forged, (hotmail.com)
+
+header   __AT_AOL_MSGID		MESSAGEID =~ /\@aol\.com\b/i
+header   __FROM_AOL_COM		From =~ /\@aol\.com\b/i
+meta     T_FORGED_MSGID_AOL	(__AT_AOL_MSGID && !__FROM_AOL_COM)
+describe T_FORGED_MSGID_AOL	Message-ID is forged, (aol.com)
+
+header   __AT_EXCITE_MSGID	MESSAGEID =~ /\@excite\.com\b/i
+header   __MY_RCVD_EXCITE	Received =~ /\.excite\.com\b/i
+meta     T_FORGED_MSGID_EXCITE	(__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
+describe T_FORGED_MSGID_EXCITE	Message-ID is forged, (excite.com)
+
+header   __AT_CBS_MSGID		MESSAGEID =~ /\@cbs\.com\b/i
+header   __FROM_CBS_COM		From =~ /\@cbs\.com\b/i
+header   __MY_RCVD_CBS		Received =~ /\.cbs\.com\b/i
+meta     T_FORGED_MSGID_CBS	(__AT_CBS_MSGID && !__FROM_CBS_COM && !__MY_RCVD_CBS)
+describe T_FORGED_MSGID_CBS	Message-ID is forged, (cbs.com)
+
+uri      T_SPOOF_COM2OTH 	m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
+describe T_SPOOF_COM2OTH	 a.com.b.c
+
+uri      T_SPOOF_COM2COM	 m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
+describe T_SPOOF_COM2COM 	a.com.b.com
+
+# CDNs (Akamai (edgesuite), Speedera, and NYUD, so far) do this, so skip them.
+uri      T_SPOOF_OURI		m{^https?:/{0,2}(?:[^@/]+@)*?(?:[a-z0-9_-]+?\.){2,}(?:com|net|org|biz|info|edu|www)(?!\.(?:\w+\.)?(?:edgesuite|nyud|speedera)\.net)(?:\.[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
+describe T_SPOOF_OURI	 	URL has items in odd places
+
+##########################################################################
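Review bot: The `!__RCVD_*` terms in the `T_FORGED_USBANK`, `T_FORGED_PAYPAL`, `T_FORGED_EBAY`, `T_FORGED_CITI` and `T_FORGED_SUNTRUST` metas can be satisfied by the sender, because every Received line below the site's trusted relays is sender-supplied and a pattern like `/\.paypal\.com\b/i` also matches a hostname such as `mx.paypal.com.example` (the `\b` after `com` is satisfied by the following dot), so a brand-named HELO or a prepended Received header clears the negation and the rule never fires. At minimum anchor the end of the host, e.g. `header __RCVD_PAYPAL Received =~ /\.paypal\.com(?![\w.-])/i` (likewise for the other `__RCVD_*` patterns), and consider matching only the trusted-relay pseudo-header if this SpamAssassin version exposes one, so that only relays the site vouches for can satisfy the term. `__RCVD_EBAY`'s `/(?:email)?[^\s@]ebay\.com\b/i` is looser still, since `[^\s@]` accepts almost any character and `notebay.com` therefore counts as an eBay relay while `__FROM_EBAY` insists on `@`; `/[.@](?:email)?ebay\.com(?![\w.-])/i` would match the From-side intent. `T_FORGED_ABOUT` negates `__URI_ABOUT_COM` where the five sibling metas require their `__URI_*` term, so either it is inverted or it deserves a one-line comment saying why this brand is scored differently. `T_FORGED_USBANK` is the only `T_FORGED_*` meta without a `describe` line; `describe T_FORGED_USBANK Message appears to be forged, (usbank.com)` keeps the set consistent.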