Posted to commits@spamassassin.apache.org by jh...@apache.org on 2021/01/21 16:27:26 UTC
svn commit: r1885764 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Thu Jan 21 16:27:26 2021
New Revision: 1885764
URL: http://svn.apache.org/viewvc?rev=1885764&view=rev
Log:
More phishing and malware tweaks; add subrules for evaluation
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1885764&r1=1885763&r2=1885764&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Thu Jan 21 16:27:26 2021
@@ -121,9 +121,9 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^"]+\.SettingContent-ms\b/i
mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
# others
- mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename="?[^"]+pdf\.(?:ace|zip|7z|rar)[";$]/i
- mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]+pdf\.(?:ace|zip|7z|rar)[";$]/i
- meta MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02
+ mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename="?[^"]*(?:invoice|pdf)\.(?:ace|zip|7z|rar)[";$]/i
+ mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|pdf)\.(?:ace|zip|7z|rar)[";$]/i
+ meta MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
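Review bot: In the rewritten `__MALW_ATTACH_02_01` and `__MALW_ATTACH_02_02` patterns the trailing `[";$]` is a character class, so `$` is a literal dollar sign rather than an end-of-value anchor; an unquoted `filename=invoice.zip` that ends the header value appears not to match. If end-of-value is the intent, `(?:[";]|$)` expresses it (the `__ISO_ATTACH` pattern on the last context line uses the same construct). Relaxing `[^"]+` to `[^"]*` also lets a bare `invoice.zip` or `pdf.zip` name count toward MALW_ATTACH, whose describe promises a "probable malware exploit"; that is a much weaker signal than a `.SettingContent-ms` attachment, so the false-positive rate of the new subrules deserves a look before the rule leaves the sandbox, or they could carry their own score. The enclosing `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` block closes outside the hunk.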
@@ -1371,9 +1371,9 @@ tflags GOOGLE_DOC_SUSP publish
meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY
+ meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR
else
- meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY
+ meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR
endif
describe URI_PHISH Phishing using web form
score URI_PHISH 4.00 # limit
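Review bot: The two `URI_PHISH` definitions repeat the same seventeen negated subrules and had to be extended in lockstep with `!__BUGGED_IMG && !__FB_TOUR`; the only real difference between the branches is `!__REMOTE_IMAGE` in the MIMEHeader branch, presumably because that subrule needs the plugin. Factoring the shared list into one meta keeps the two branches from drifting: `meta __URI_PHISH_EXCL ALL_TRUSTED || __UNSUB_LINK || __TAG_EXISTS_CENTER || … || __RCD_RDNS_SMTP_MESSY || __BUGGED_IMG || __FB_TOUR` before the `ifplugin`, then `meta URI_PHISH __URI_PHISH && !__URI_PHISH_EXCL && !__REMOTE_IMAGE` in the plugin branch and `meta URI_PHISH __URI_PHISH && !__URI_PHISH_EXCL` in the `else` branch. Each negated term also narrows the rule's coverage, so a short comment above the exclusion list recording why the terms were added, e.g. `# each exclusion below is a known false-positive source; re-check before adding more`, would help when the list is re-evaluated.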
@@ -3530,6 +3530,14 @@ body __BTC_MLM /
# phishing
meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
+meta PHISH_FBASEAPP __PHISH_FBASE_01
+describe PHISH_FBASEAPP Probable phishing via hosted web app
+score PHISH_FBASEAPP 3.000 # limit
+
+meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
+
+meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
+