
jhardin at apache
Feb 7, 2010, 3:32 PM
svn commit: r907514 - in /spamassassin/trunk/rulesrc/sandbox/jhardin: 20_lotsa_money.cf 20_misc_testing.cf
Author: jhardin Date: Sun Feb 7 23:32:30 2010 New Revision: 907514 URL: http://svn.apache.org/viewvc?rev=907514&view=rev Log: Tweak 419 subrules, add some stock-spam-related rules Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=907514&r1=907513&r2=907514&view=diff ============================================================================== --- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original) +++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Sun Feb 7 23:32:30 2010 @@ -66,7 +66,7 @@ describe LOTTO_AGENT Claims Agent score LOTTO_AGENT 0.50 -body LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign)\sremittance|payment|award)\s?(?:department|dept|unit|group|committee|bureau)/i +body LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign)\s(?:remittance|settlement)|payment|award)\s?(?:department|dept|unit|group|committee|bureau)/i describe LOTTO_DEPT Claims Department score LOTTO_DEPT 0.50 @@ -134,7 +134,7 @@ #describe MONEY_DEAL Lots of money in a suspicious deal #score MONEY_DEAL 1.5 -body __ATM_CARD /\b(?:your|the|this)\s(?:atm|debit)(?:\smaster)?\scard/i +body __ATM_CARD /\b(?:your|the|this)\s(?:atm|debit)(?:\smaster|swift)?\scard/i #meta MONEY_ATM LOTS_OF_MONEY && __ATM_CARD #describe MONEY_ATM Lots of money on an ATM card #score MONEY_ATM 1.5 
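Review bot: In the new `__ATM_CARD` pattern the alternation `(?:\smaster|swift)?` binds the `\s` to `master` only, so the second branch matches `swift` with no leading whitespace. As written, "ATM swift card" is still missed and only a run-together "atmswift card" would hit. If the intent is an optional word between the card type and "card", put both words under one separator: `(?:\s(?:master|swift))?`.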
@@ -162,7 +162,7 @@ #score MONEY_INHERIT 1.5 #tflags MONEY_INHERIT nopublish -body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\stransfer/i +body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i body __BANK_DRAFT /\bbank\sdraft/i meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT) @@ -184,13 +184,13 @@ body __SCAM /\bscam(?:me[dr])?s?\b/i body __UN /\bunited\snations?\b/i body __AFR_UNION /\bafrican\sunion\b/i -body __COMPENSATION /\bcompensation\b/i +body __COMPENSATION /\bcompensat(?:e|ion)\b/i body __FRAUD /\b(?:de)?fraud/i #meta MONEY_FRAUD_COMP LOTS_OF_MONEY && __BARRISTER && (__SCAM || __FRAUD) && (__UN || __AFR_UNION) && __COMPENSATION #describe MONEY_FRAUD_COMP Lots of money from a fraud compensation #score MONEY_FRAUD_COMP 1.0 -body __TRUNK_BOX /\b(?:trunk|metallic|proof|security)\sbox(?:es)?\b/i +body __TRUNK_BOX /\b(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?\b/i body __COURIER /\bcourier\s(?:company|service)\b/i #meta MONEY_FRAUD_BOX LOTS_OF_MONEY && __TRUNK_BOX && __COURIER #describe MONEY_FRAUD_BOX Lots of money in a box, lots of money from a fox 
@@ -204,7 +204,7 @@ body __DIPLOMATIC /\bdiplomatic\b/i body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer)[\s\w]{1,15}\s(?:fee|charge)s?\b/i body __LUCKY_WINNER /\blucky\swin+ers?\b/i -body __YOUR_FUND /\byour\sfund\b/i +body __YOUR_FUND /\byour\s(?:unpaid\s)fund\b/i body __NIGERIA /\bnigeria\b/i body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast)\b/i body __BURKINA_FASO /\bburkina\s?faso\b/i Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=907514&r1=907513&r2=907514&view=diff ============================================================================== --- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original) +++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sun Feb 7 23:32:30 2010 @@ -1,19 +1,19 @@ # -#header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/ -#describe REPLYTO_MANY_AT More than one @ in Reply-To: +#header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/ +#describe REPLYTO_MANY_AT More than one @ in Reply-To: # -#header SENDER_MANY_AT Sender =~ /\@.+\@/ -#describe SENDER_MANY_AT More than one @ in Sender: +#header SENDER_MANY_AT Sender =~ /\@.+\@/ +#describe SENDER_MANY_AT More than one @ in Sender: # -#header FROM_MANY_AT From =~ /\@.+\@/ -#describe FROM_MANY_AT More than one @ in From: +#header FROM_MANY_AT From =~ /\@.+\@/ +#describe FROM_MANY_AT More than one @ in 
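Review bot: The `__YOUR_FUND` change in 20_lotsa_money.cf makes "unpaid" mandatory: `(?:unpaid\s)` has no quantifier, so the rule stops matching plain "your fund", which the old pattern `/\byour\sfund\b/i` caught. Any meta rule that depends on `__YOUR_FUND` will probably lose hits on existing 419 samples, though those metas are not visible in this hunk. To extend the rule rather than replace it, make the group optional: `/\byour\s(?:unpaid\s)?fund\b/i`.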
From: # header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[. ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i describe RDNS_LOCALHOST Sender's public rDNS is "localhost" -#body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i -#describe EU_SPAM_LAW Quoting "European Parliament" spam law +#body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i +#describe EU_SPAM_LAW Quoting "European Parliament" spam law ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader HTML_ATTACH Content-Type =~ m,text/html;.+\.html?\b,i @@ -38,13 +38,13 @@ #header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/ #describe MUA_ONE_WORD Single word X-Mailer: not CamelCase -body DEAR_BENEFICIARY /^\s?(?:Dear\s|At+(?:ention|n):?\s?)Beneficiary\b/i -describe DEAR_BENEFICIARY Dear Beneficiary: -score DEAR_BENEFICIARY 2.0 - -body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i -describe DEAR_EMAIL_USER Dear Email User: -score DEAR_EMAIL_USER 3.0 +body DEAR_BENEFICIARY /^\s?(?:Dear\s|At+(?:ention|n):?\s?)Beneficiary\b/i +describe DEAR_BENEFICIARY Dear Beneficiary: +score DEAR_BENEFICIARY 2.0 + +body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i +describe DEAR_EMAIL_USER Dear Email User: +score DEAR_EMAIL_USER 3.0 # from users list spamples 8/2009 
@@ -238,3 +238,49 @@ # simplistic URI format for now header FROM_URI From =~ /[^<].*www\.[^\s"<]+\.(?:com|net|info|biz|org|\w\w)\b.*["<]/i +# observed in spam feb 2010 +# Apparently-To per RFC2821 SHOULD NOT be used +header __APPARENTLY_TO Apparently-To =~ /<.*>/ +tflags __APPARENTLY_TO multiple nopublish +meta HAS_APPARENTLY_TO __APPARENTLY_TO > 0 +describe HAS_APPARENTLY_TO Has deprecated Apparently-To header +score HAS_APPARENTLY_TO 0.50 +tflags HAS_APPARENTLY_TO nopublish +meta MANY_APPARENTLY_TO __APPARENTLY_TO > 20 +describe MANY_APPARENTLY_TO Has many Apparently-To headers +score MANY_APPARENTLY_TO 2.00 +tflags MANY_APPARENTLY_TO nopublish + +# obfuscation of "opt out" +ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + body FUZZY_OPTOUT /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i + replace_rules FUZZY_OPTOUT + describe FUZZY_OPTOUT Obfuscated opt-out text +endif + +# stock spam disclaimer obfuscation +body GAPPY_TRADING /\b(?!trading)t[^a-z]?r[^a-z]?a[^a-z]?d[^a-z]?i[^a-z]?n[^a-z]?g/i +body GAPPY_SECURITIES /\b(?!securities)s[^a-z]?e[^a-z]?c[^a-z]?u[^a-z]?r[^a-z]?i[^a-z]?t[^a-z]?i[^a-z]?e[^a-z]?s/i +body GAPPY_RISK /\b(?!risky?)r[^a-z]?i[^a-z]?s[^a-z]?k(?:[^a-z]?y)?/i +body GAPPY_SELLING /\b(?!selling)s[^a-z]?e[^a-z]?l[^a-z]?l[^a-z]?i[^a-z]?n[^a-z]?g/i +body GAPPY_HUNDRED /\b(?!hundred)h[^a-z]?u[^a-z]?n[^a-z]?d[^a-z]?r[^a-z]?e[^a-z]?d/i +body GAPPY_THOUSAND /\b(?!thousand)t[^a-z]?h[^a-z]?o[^a-z]?u[^a-z]?s[^a-z]?a[^a-z]?n[^a-z]?d/i +body GAPPY_EXPENSES /\b(?!expenses)e[^a-z]?x[^a-z]?p[^a-z]?e[^a-z]?n[^a-z]?s[^a-z]?e[^a-z]?s/i +body GAPPY_DOLLARS /\b(?!dollars)d[^a-z]?o[^a-z]?l[^a-z]?l[^a-z]?a[^a-z]?r[^a-z]?s/i + +describe GAPPY_TRADING Possible obfuscated stock disclaimer +describe GAPPY_SECURITIES Possible obfuscated stock disclaimer +describe GAPPY_RISK Possible obfuscated stock disclaimer +describe GAPPY_SELLING Possible obfuscated stock disclaimer +describe GAPPY_HUNDRED Possible obfuscated stock disclaimer +describe GAPPY_THOUSAND Possible obfuscated stock 
disclaimer +describe GAPPY_EXPENSES Possible obfuscated stock disclaimer +describe GAPPY_DOLLARS Possible obfuscated stock disclaimer + +# talking about a stock symbol +body __DISCUSS_STOCK /(?:[a-z]{2,}\s|^)[A-Z]{4}(?:\s[a-z]{2,}|[,.!])/ +tflags __DISCUSS_STOCK multiple +meta MANY_DISCUSS_STOCK __DISCUSS_STOCK > 5 +describe MANY_DISCUSS_STOCK Talks about apparent stock symbols a lot + +
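Review bot: `GAPPY_DOLLARS` fires on the ordinary possessive "dollar's", because the lookahead `(?!dollars)` only exempts the unbroken word and the last `[^a-z]?` accepts the apostrophe. Extending the exemption, e.g. `(?!dollar'?s)`, keeps the obfuscation match and drops that ham case; the other `GAPPY_*` rules deserve the same check for hyphenated or possessive forms. Separately, `__DISCUSS_STOCK` counts any four-capital token between lowercase words, so acronyms such as HTML or NASA count toward `MANY_DISCUSS_STOCK`, and that meta, like `FUZZY_OPTOUT` and the `GAPPY_*` rules, carries no `nopublish` tflag while the Apparently-To rules do. Adding `tflags MANY_DISCUSS_STOCK nopublish` until corpus results are in would be consistent with the rest of the hunk.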