Posted to commits@spamassassin.apache.org by jm...@apache.org on 2009/03/30 00:30:48 UTC
svn commit: r759795 - in /spamassassin/rules/trunk/sandbox: dos/70_other.cf
emailed/00_FVGT_File001.cf jm/20_basic.cf kb/20_header.cf
Author: jm
Date: Sun Mar 29 22:30:47 2009
New Revision: 759795
URL: http://svn.apache.org/viewvc?rev=759795&view=rev
Log:
bug 5856: replace almost all use of 'trusted_networks' in rules with 'internal_networks'; thanks to Henrik Krohns
Modified:
spamassassin/rules/trunk/sandbox/dos/70_other.cf
spamassassin/rules/trunk/sandbox/emailed/00_FVGT_File001.cf
spamassassin/rules/trunk/sandbox/jm/20_basic.cf
spamassassin/rules/trunk/sandbox/kb/20_header.cf
Modified: spamassassin/rules/trunk/sandbox/dos/70_other.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/dos/70_other.cf?rev=759795&r1=759794&r2=759795&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/dos/70_other.cf (original)
+++ spamassassin/rules/trunk/sandbox/dos/70_other.cf Sun Mar 29 22:30:47 2009
@@ -113,7 +113,7 @@
# text messages from my phone to email addresses often end up with a score of 4.9+
-header __BELL_MOBILITY_RELAY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=mail\.txt\.bellmobilite\.ca helo=erwdbmgweb02\.bellmobilite\.ca /
+header __BELL_MOBILITY_RELAY X-Spam-Relays-External =~ /^[^\]]+ rdns=mail\.txt\.bellmobilite\.ca helo=erwdbmgweb02\.bellmobilite\.ca /
meta BELL_MOBILITY_TXT_MSG INVALID_DATE && MISSING_SUBJECT && FROM_STARTS_WITH_NUMS && __BELL_MOBILITY_RELAY
describe BELL_MOBILITY_TXT_MSG Adjustment for poorly formatted text->email messages
tflags BELL_MOBILITY_TXT_MSG nice
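Review bot: `BELL_MOBILITY_TXT_MSG` is a `nice` rule, and the `__BELL_MOBILITY_RELAY` line it depends on identifies the carrier only by the `rdns=` and `helo=` fields of the first external relay. `helo=` is whatever the connecting host announced. `rdns=` is a PTR name set by whoever controls the reverse zone for the connecting address, unless the receiving MTA forward-confirms it, so neither field proves the relay is the carrier's gateway. I would document that dependency above the rule, e.g. `# relies on rdns= as recorded by the first internal relay; confirm the MTA forward-confirms PTR names before scoring this negatively`, and add an `ip=` constraint if the gateway's address range is known.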
Modified: spamassassin/rules/trunk/sandbox/emailed/00_FVGT_File001.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/emailed/00_FVGT_File001.cf?rev=759795&r1=759794&r2=759795&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/emailed/00_FVGT_File001.cf (original)
+++ spamassassin/rules/trunk/sandbox/emailed/00_FVGT_File001.cf Sun Mar 29 22:30:47 2009
@@ -291,7 +291,7 @@
#counts FB_DDDD_BUCKS 34s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HOST_IN_ADDRARPA X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]{0,25}\.in-addr\.arpa /
+header FH_HOST_IN_ADDRARPA X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}\.in-addr\.arpa /
describe FH_HOST_IN_ADDRARPA HOST dns says "in-addr.arpa"
##score FH_HOST_IN_ADDRARPA 3.9 2 2 1
#counts FH_HOST_IN_ADDRARPA 20s/0h of 43891 corpus (34132s/9759h FVGT) 11/30/06
@@ -2005,7 +2005,7 @@
#counts FH_HAS_UID 129s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HELO_ALMOST_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
+header FH_HELO_ALMOST_IP X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
describe FH_HELO_ALMOST_IP Helo is almost an IP addr.
##score FH_HELO_ALMOST_IP 5.417
#counts FH_HELO_ALMOST_IP 82s/0h of 32547 corpus (23290s/9257h FVGT) 11/14/06
@@ -2021,7 +2021,7 @@
#counts FH_HELO_GMAILSMTP 1s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HELO_ENDS_DOT X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+\. by=/
+header FH_HELO_ENDS_DOT X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+\. by=/
describe FH_HELO_ENDS_DOT Helo ends with a dot.
##score FH_HELO_ENDS_DOT 10.993
#counts FH_HELO_ENDS_DOT 211s/0h of 293382 corpus (226480s/66902h ML) 11/03/06
@@ -2030,7 +2030,7 @@
#counts FH_HELO_ENDS_DOT 57s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HELO_EQ_610HEX X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
+header FH_HELO_EQ_610HEX X-Spam-Relays-External =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
describe FH_HELO_EQ_610HEX Helo is 6-10 hex chr's.
##score FH_HELO_EQ_610HEX 10.599
#counts FH_HELO_EQ_610HEX 9235s/0h of 222450 corpus (214521s/7929h FVGT) 04/24/06
@@ -2039,7 +2039,7 @@
#counts FH_HELO_EQ_610HEX 520s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HELO_EQ_CHARTER X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
+header FH_HELO_EQ_CHARTER X-Spam-Relays-External =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
describe FH_HELO_EQ_CHARTER Helo is d-d-d-d charter.com
##score FH_HELO_EQ_CHARTER 2.175
#counts FH_HELO_EQ_CHARTER 280s/0h of 41722 corpus (34113s/7609h FVGT) 03/27/06
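Review bot: In `FH_HELO_EQ_CHARTER` the `.{5,20}` after the dashed quad can match spaces, so the match can leave the `helo=` field and finish on a `.charter.com ` that belongs to a later field such as `by=`; `[^ ]{5,20}` keeps it inside the HELO string. `FH_HOST_EQ_VERIZON_P` later in this file has the same shape, `rdns=pool-\d.{5,30}\.verizon\.net` with no trailing space. It can therefore be completed by a sender-supplied `helo=` ending in `.verizon.net`, and it also matches names where `.verizon.net` is followed by further labels; `rdns=pool-\d[^ ]{5,30}\.verizon\.net ` is the bounded form. `__HELO_NO_DOMAIN` in jm/20_basic.cf uses `[^\.]+`, which likewise admits spaces, and `[^ .]+` would confine it to the HELO token.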
@@ -2047,7 +2047,7 @@
#counts FH_HELO_EQ_CHARTER 174s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HELO_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
+header FH_HELO_EQ_D_D_D_D X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
describe FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
##score FH_HELO_EQ_D_D_D_D 1.397
#counts FH_HELO_EQ_D_D_D_D 2911s/1h of 41684 corpus (34086s/7598h FVGT) 03/27/06
@@ -2059,7 +2059,7 @@
# redundant with RDNS_DYNAMIC, causing FPs: bug 5682
-## header FH_HOST_ALMOST_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
+## header FH_HOST_ALMOST_IP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
## describe FH_HOST_ALMOST_IP The host almost looks like an IP addr.
## ##score FH_HOST_ALMOST_IP 1.889
## #counts HOST_ALMOST_IP 117s/2h of 15656 corpus (7711s/7945h FT) 04/20/06
@@ -2073,7 +2073,7 @@
# overlap spam: 90% of RDNS_DYNAMIC hits also hit FH_HOST_EQ_D_D_D_D; 84% of FH_HOST_EQ_D_D_D_D hits also hit RDNS_DYNAMIC
-## header FH_HOST_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
+## header FH_HOST_EQ_D_D_D_D X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
## describe FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
## ##score FH_HOST_EQ_D_D_D_D 0.665
## #counts HOST_EQ_D_D_D_D 10886s/231h of 41745 corpus (34134s/7611h FVGT) 03/29/06
@@ -2083,7 +2083,7 @@
# now hits nothing in http://ruleqa.spamassassin.org/20071029-r589545-n
-## header FH_HOST_EQ_D_D_D_DB X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
+## header FH_HOST_EQ_D_D_D_DB X-Spam-Relays-External =~ /^[^\]]+ rdns=\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
## describe FH_HOST_EQ_D_D_D_DB Host is d-d-d-d
## ##score FH_HOST_EQ_D_D_D_DB 0.688
## #counts HOST_EQ_D_D_D_DB 4324s/71h of 42070 corpus (34144s/7926h FVGT) 04/19/06
@@ -2093,7 +2093,7 @@
## #counts FH_HOST_EQ_D_D_D_DB 4217s/107h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
+header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
describe FH_HOST_EQ_DYNAMICIP Host is dynamicip
##score FH_HOST_EQ_DYNAMICIP 2.177
#counts FH_HOST_EQ_DYNAMICIP 211s/0h of 41665 corpus (34068s/7597h FVGT) 03/25/06
@@ -2102,7 +2102,7 @@
#counts FH_HOST_EQ_DYNAMICIP 832s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HOST_EQ_PACBELL_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
+header FH_HOST_EQ_PACBELL_D X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
describe FH_HOST_EQ_PACBELL_D Host is pacbell.net dsl
##score FH_HOST_EQ_PACBELL_D 3.944
#counts FH_HOST_EQ_PACBELL_D 232s/0h of 41722 corpus (34113s/7609h FVGT) 03/27/06
@@ -2110,7 +2110,7 @@
#counts FH_HOST_EQ_PACBELL_D 53s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HOST_EQ_SPRINT_H X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.dhcp\.sprint-hsd\.net /
+header FH_HOST_EQ_SPRINT_H X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.dhcp\.sprint-hsd\.net /
describe FH_HOST_EQ_SPRINT_H Host is dhcp sprint-hsd.net
##score FH_HOST_EQ_SPRINT_H 2.293
#counts FH_HOST_EQ_SPRINT_H 44s/0h of 41789 corpus (34114s/7675h FVGT) 04/06/06
@@ -2118,7 +2118,7 @@
#counts FH_HOST_EQ_SPRINT_H 1s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header FH_HOST_EQ_VERIZON_P X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
+header FH_HOST_EQ_VERIZON_P X-Spam-Relays-External =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
describe FH_HOST_EQ_VERIZON_P Host is pool-.+verizon.net
##score FH_HOST_EQ_VERIZON_P 2.144
#counts FH_HOST_EQ_VERIZON_P 1393s/0h of 41686 corpus (34078s/7608h FVGT) 03/27/06
@@ -2165,7 +2165,7 @@
# Feb 7 2007 jm: replaced with RDNS_NONE!
-# header FH_RELAY_NODNS X-Spam-Relays-Untrusted =~ /^[^\]]+rdns= helo=/
+# header FH_RELAY_NODNS X-Spam-Relays-External =~ /^[^\]]+rdns= helo=/
# describe FH_RELAY_NODNS We could not determine your Reverse DNS
##score FH_RELAY_NODNS 1.451 #Prone to FPs.
#counts FH_RELAY_NODNS 12654s/99h of 41713 corpus (34082s/7631h FVGT) 04/03/06
@@ -3101,8 +3101,8 @@
#counts FM_DEBT_HELP 7s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header __HOTMAILCOM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=hotmail\.com /i
-header __HOST_HOTMAIL X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /
+header __HOTMAILCOM X-Spam-Relays-External =~ /^[^\]]+ helo=hotmail\.com /i
+header __HOST_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL)
describe FM_FAKE_HELO_HOTMAIL Looks like a fake hotmail.com helo.
##score FM_FAKE_HELO_HOTMAIL 2.353
@@ -3110,8 +3110,8 @@
#counts FM_FAKE_HELO_HOTMAIL 0s/0h of 47019 corpus (37183s/9836h FVGT) 12/23/06
-header __FHELO_VERIZON X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+verizon\.net /i
-header __FHOST_VERIZON X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+verizon\.net /i
+header __FHELO_VERIZON X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+verizon\.net /i
+header __FHOST_VERIZON X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+verizon\.net /i
meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON)
describe FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
##score FM_FAKE_HELO_VERIZON 1.229
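Review bot: `__FHELO_VERIZON` and `__FHOST_VERIZON` use `[^ ]+verizon\.net ` with no dot before `verizon`, so a name under a different registered domain that merely ends in the string `verizon.net` satisfies both. That matters most for `__FHOST_VERIZON`, because a match there switches `FM_FAKE_HELO_VERIZON` off. The Hotmail pair in the preceding hunk already anchors the rDNS side on `\.hotmail\.com`; the same form here would be `rdns=[^ ]+\.verizon\.net ` and `helo=(?:[^ ]+\.)?verizon\.net `.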
Modified: spamassassin/rules/trunk/sandbox/jm/20_basic.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?rev=759795&r1=759794&r2=759795&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/jm/20_basic.cf (original)
+++ spamassassin/rules/trunk/sandbox/jm/20_basic.cf Sun Mar 29 22:30:47 2009
@@ -81,7 +81,7 @@
## score CTYPE_8SPACE_GIF 2.0
endif
-header __HELO_NO_DOMAIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^\.]+ /
+header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
@@ -135,11 +135,11 @@
# HELO as localhost. we should really be rejecting this at MTA, but hey.
# it seems most of us let these slip through our MTA configs; 3% of spam, no FPs
-header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
+header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
-header HELO_OEM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
+header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
-header HELO_FRIEND X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
+header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
@@ -185,8 +185,8 @@
tflags OE_MULTIPART_RELATED nopublish
# more trials of bad HELO strings
-header HELO_LH_LD X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
-header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
+header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
+header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
# requested experiment: PBL hitrates on URIs
@@ -300,10 +300,10 @@
meta REPLYTO_WITHOUT_TO_CC (__REPLYTO_EXISTS && !__TOCC_EXISTS)
# thanks to Suresh for these tips
-header FAKE_OUTBLAZE_RCVD_168 X-Spam-Relays-Untrusted =~ /^[^\]]+168city\./
-header FAKE_OUTBLAZE_RCVD_PURIN X-Spam-Relays-Untrusted =~ /^[^\]]+purinmail\./
-header FAKE_OUTBLAZE_RCVD_168_2 X-Spam-Relays-Untrusted =~ /168city\./
-header FAKE_OUTBLAZE_RCVD_PURIN_2 X-Spam-Relays-Untrusted =~ /purinmail\./
+header FAKE_OUTBLAZE_RCVD_168 X-Spam-Relays-External =~ /^[^\]]+168city\./
+header FAKE_OUTBLAZE_RCVD_PURIN X-Spam-Relays-External =~ /^[^\]]+purinmail\./
+header FAKE_OUTBLAZE_RCVD_168_2 X-Spam-Relays-External =~ /168city\./
+header FAKE_OUTBLAZE_RCVD_PURIN_2 X-Spam-Relays-External =~ /purinmail\./
# some rules from the MSNBC spam run (Rustock trojan)
header __MSNBC_THREAD_INDEX ALL =~ /\nthread-index: /s
Modified: spamassassin/rules/trunk/sandbox/kb/20_header.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/20_header.cf?rev=759795&r1=759794&r2=759795&view=diff
==============================================================================
--- spamassassin/rules/trunk/sandbox/kb/20_header.cf (original)
+++ spamassassin/rules/trunk/sandbox/kb/20_header.cf Sun Mar 29 22:30:47 2009
@@ -10,20 +10,20 @@
# bug 5817 -- Forged Relay, direct MUA to MX
-header FORGED_RELAY_MUA_TO_MX X-Spam-Relays-Untrusted =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
+header FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
# Plus quite a few devel variants and accompanying tests. This mess needs
# cleaning up, probably after re-investigation. See dos/70_bugs.cf for history.
-# header FORGED_RELAY_MUA_TO_MX_A X-Spam-Relays-Untrusted =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!127)| )[^\[]+$/
+# header FORGED_RELAY_MUA_TO_MX_A X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!127)| )[^\[]+$/
-# header __RELAYS_IP_MATCH X-Spam-Relays-Untrusted =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 /
-# header __RELAYS_THREE_PLUS X-Spam-Relays-Untrusted =~ /(\[.+){3}/
-# header __RELAY_MUA_HELO_IP_OR_NONE X-Spam-Relays-Untrusted =~ / helo=(!(?!127)| )[^\[]+$/
+# header __RELAYS_IP_MATCH X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 /
+# header __RELAYS_THREE_PLUS X-Spam-Relays-External =~ /(\[.+){3}/
+# header __RELAY_MUA_HELO_IP_OR_NONE X-Spam-Relays-External =~ / helo=(!(?!127)| )[^\[]+$/
# meta FORGED_RELAY_MUA_TO_MX_B __RELAYS_IP_MATCH && !__RELAYS_THREE_PLUS && __RELAY_MUA_HELO_IP_OR_NONE
-# header __RDNS_EQ_BY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=([^ ]*) [^\]]+][^\]]+ by=\1 /
+# header __RDNS_EQ_BY X-Spam-Relays-External =~ /^[^\]]+ rdns=([^ ]*) [^\]]+][^\]]+ by=\1 /
# meta FORGED_RELAY_MUA_TO_MX_C __RELAYS_IP_MATCH && !__RELAYS_THREE_PLUS && __RELAY_MUA_HELO_IP_OR_NONE && !__RDNS_EQ_BY