From d318c6af4e54587ea05c940216240f3227ea4394 Mon Sep 17 00:00:00 2001 From: Don Armstrong Date: Sat, 22 Sep 2007 04:34:38 +0000 Subject: [PATCH] * Add changes from bts to spam rules git-svn-id: svn+ssh://svn.debian.org/svn/pkg-listmaster/trunk/spamassassin_config@16 0b7a5b0c-1f2c-0410-bd74-c376f8064c91 --- bugs/user_prefs | 7 ++++- common/blacklists | 2 ++ common/bts_scores | 7 +++++ common/common_rbl | 5 ++-- common/drug_spam | 26 ++++++++++++++---- common/money_spam | 14 ++++++++-- common/phrase_spam | 66 +++++++++++++++++++++++++++++++++++++++++++--- common/url_spam | 48 +++++++++++++++++++++++++++++++-- 8 files changed, 159 insertions(+), 16 deletions(-) diff --git a/bugs/user_prefs b/bugs/user_prefs index a22090d..879c985 100644 --- a/bugs/user_prefs +++ b/bugs/user_prefs @@ -68,7 +68,12 @@ trusted_networks 127.0.0.1 128.193.0.0/24 146.82.138.0/24 192.25.206.0/24 140.21 # Disable most DNSBLs -- overhead to high # blarson 2005-01-28 try reducing timeout while adding spamcop back # blarson 2005-10-29 adding some back now we are multi-threaded -rbl_timeout 10 +# blarson 2007-09-14 +rbl_timeout 15 + +# blarson 2007-09-14 +loadplugin Mail::SpamAssassin::Plugin::URIDNSBL +uridnsbl_timeout 5 include common/common_rbl diff --git a/common/blacklists b/common/blacklists index 44b0cb7..7790225 100644 --- a/common/blacklists +++ b/common/blacklists @@ -74,3 +74,5 @@ blacklist_from bornagain@gibnynex.gi # cjwatson, 2004-03-09: virus alert flood blacklist_from support@vds.it +# blarson 2007-09-16 +blacklist_from percy@mx1.eccrm.epaper.com.tw diff --git a/common/bts_scores b/common/bts_scores index 95fc5cb..0920352 100644 --- a/common/bts_scores +++ b/common/bts_scores @@ -118,3 +118,10 @@ score REMOVE_PAGE 2.5 # blarson 2004-11-08 # claiming to be amazon... score USER_IN_DEF_WHITELIST 0.5 + +# blarson 2007-09-13 +# up this one a bit +score INVALID_MSGID 3 + +# blarson 2007-09-15 +score UNPARSEABLE_RELAY 1 
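Review bot: `loadplugin Mail::SpamAssassin::Plugin::URIDNSBL` in bugs/user_prefs is an administrator-level setting, and SpamAssassin ignores it in a user preferences file when mail is scanned through spamc/spamd. If this file is ever read that way, the `uridnsbl` rules this commit adds to common/url_spam would silently never fire. The diff does not show how the BTS invokes SpamAssassin, so confirm that the plugin is loaded in the production scanner, or move the line to a site-wide `.pre` file. The two new `# blarson 2007-09-14` comments give no reason, although the block above says DNSBLs were cut for overhead; a line such as `# raise rbl_timeout to 15s; enable URIDNSBL with its own 5s cap` would record why the timeout went up.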
diff --git a/common/common_rbl b/common/common_rbl index bf23fa8..9fddd02 100644 --- a/common/common_rbl +++ b/common/common_rbl @@ -5,10 +5,11 @@ score RCVD_IN_SBL 0 # blarson 2004-11-20 header RCVD_IN_SBLXBL eval:check_rbl('SBLXBL', 'sbl-xbl.spamhaus.org') describe RCVD_IN_SBLXBL listed in spamhaus.org sbl-xbl +tflags RCVD_IN_SBLXBL net # blarson 2005-01-28 see which return part 2005-02-26 ajust scores -score RCVD_IN_SBLXBL 1 +score RCVD_IN_SBLXBL 2 header RCVD_IN_SBLXBL_SBL eval:check_rbl_sub('SBLXBL', '127.0.0.2') -score RCVD_IN_SBLXBL_SBL 2 +score RCVD_IN_SBLXBL_SBL 1.5 header RCVD_IN_SBLXBL_CBL eval:check_rbl_sub('SBLXBL', '127.0.0.4') score RCVD_IN_SBLXBL_CBL 1 header RCVD_IN_SBLXBL_5 eval:check_rbl_sub('SBLXBL', '127.0.0.5') diff --git a/common/drug_spam b/common/drug_spam index ce13021..24f9741 100644 --- a/common/drug_spam +++ b/common/drug_spam @@ -15,9 +15,10 @@ body DRUGSPAM3 /\b(v.?i.?o.?x|x.?a.?n.?(a|@).?x|p.?h.?e.?n.?t.?r.?e.?m.?i.?n.? describe DRUGSPAM3 yet more drugs score DRUGSPAM3 1.5 -body MURPHY_DRUGS1 /v.?i.?a.?g.?r.?a/i +# blarson 2007-09-13 +body MURPHY_DRUGS1 /\bv.?i.?a.?g.?r.?a\b/i describe MURPHY_DRUGS1 Viagra -score MURPHY_DRUGS1 0.5 +score MURPHY_DRUGS1 1.5 body MURPHY_DRUGS2 /v.?i.?o.?x/i describe MURPHY_DRUGS2 Viox @@ -161,8 +162,8 @@ header MED subject =~ /\b(?:doctor|health|medic(?:al|ine))$/ describe MED medical spam score MED 2 -# blarson 2006-09-25 -body HOODIA /\bh.?oodia/i +# blarson 2006-09-25 2007-09-18 +body HOODIA /\bh.?oo+dia/i describe HOODIA weight loss scam score HOODIA 3 
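Review bot: In common/common_rbl only the parent rule gets `tflags RCVD_IN_SBLXBL net`, while the `check_rbl_sub` rules RCVD_IN_SBLXBL_SBL, RCVD_IN_SBLXBL_CBL and RCVD_IN_SBLXBL_5 depend on the same DNS lookup and would normally carry the flag too, e.g. `tflags RCVD_IN_SBLXBL_SBL net`. As far as the visible rules show, the sub-rules score in addition to the parent, so this change raises a CBL listing from 2 to 3 points and an SBL listing from 3 to 3.5. The existing comment `2005-02-26 ajust scores` was not given a new date or reason for that shift. The score line for RCVD_IN_SBLXBL_5 lies outside the hunk.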
@@ -215,4 +216,19 @@ score PEN1S 3 # blarson 2007-09-12 body PILLS /\bx\s+\d+\s+pills\b/ describe PILLS pills spam -score PILLS 3 +score PILLS 3.5 + +# blarson 2007-09-13 +body PFIZER /\bPfizer\b/i +describe PFIZER Pfizer +score PFIZER 2 + +# blarson 2007-09-19 +body WONDERCUM /\bwondercum\b/i +describe WONDERCUM more drug spam +score WONDERCUM 4 + +# blarson 2007-09-21 +body DRUGSTORE /\bdrug store\b/i +describe DRUGSTORE drug store +score DRUGSTORE 3 diff --git a/common/money_spam b/common/money_spam index 32cc87d..d351514 100644 --- a/common/money_spam +++ b/common/money_spam @@ -203,6 +203,10 @@ full COMPANYSYMBOLPRICE /((company|symbol|price|marke?t|schlusskurs)\:.+){3, describe COMPANYSYMBOLPRICE Stock scam score COMPANYSYMBOLPRICE 3 +full COMPANYSYMBOLPRICE2 /(^(company|symb?o?l?|price|cost|marke?t)\:\s+.+\n){2,}/mi +describe COMPANYSYMBOLPRICE2 Stock scam left column 2 +score COMPANYSYMBOLPRICE2 3 + # blarson 2007-04-09 body PRETTYRUS /\b(pretty|cute) russian (girl|woman)\b/i describe PRETTYRUS pretty russian spam @@ -218,8 +222,8 @@ body ANALLE /\bAN ALLE FINANZINVESTOREN\b/ describe ANALLE stock spam in german score ANALLE 3 -# blarson 2007-06-17 2007-09-10 -body REPWATCH2 /\breplica watch/i +# blarson 2007-06-17 2007-09-21 +body REPWATCH2 /\breplica (?:watch|timepiece)/i describe REPWATCH2 still pushing fake watches score REPWATCH2 3.5 @@ -243,3 +247,9 @@ body REFI /\bRe-Fi\b/i describe REFI mortgage spam score REFI 2 +# don 2007-09-21 +body BIGMONEY /(b|tr|m|z)[i1][l1]+[i1][0o]n\s+(d[o0][l1]+ar|yen|buck|pound|euro)/i +describe BIGMONEY Money money money money! +score BIGMONEY 1.5 + + diff --git a/common/phrase_spam b/common/phrase_spam index de3de0e..05f50a0 100644 --- a/common/phrase_spam +++ b/common/phrase_spam 
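Review bot: COMPANYSYMBOLPRICE2 in common/money_spam is a `full` rule, so it is matched against the raw message, headers included and without MIME decoding. A stock table sent as base64 or quoted-printable will not match, while with `/m` the `^` can anchor on any line of the message. `symb?o?l?` also accepts `sym:`, `symo:` and `syml:`, which looks broader than intended. Unlike its neighbours the rule has no author/date comment; something like `# <author> <date>: left-column variant of COMPANYSYMBOLPRICE` would keep the file's convention.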
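Review bot: BIGMONEY in common/money_spam has no leading `\b`, so `(b|tr|m|z)` can start matching in the middle of a longer word, and both groups capture although nothing uses the captures. The rule also fires on ordinary phrases such as "million dollar" or "billion euro", which the 1.5 score presumably accepts. A tighter form would be `body BIGMONEY /\b(?:b|tr|m|z)[i1][l1]+[i1][0o]n\s+(?:d[o0][l1]+ar|yen|buck|pound|euro)/i`.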
@@ -188,8 +188,13 @@ header MESSAGESUB subject =~ /^\s*\(?message\s*(subject)?\)?$/i describe MESSAGESUB really descriptive subject score MESSAGESUB 3 -# blarson 2006-03-16 2007-09-11 -body DEARDIGIT /^(?:well\s+)?(?:Dear|Hey|H[ea]y?ll?.?o|To|Attention|Hi+|Hey+a?|Bonjorno|Yo|(?:g[o0]+d\s*)?(?:d?ay|morning|evening?|afternoon|night)|what.?i?s\s+up|wa(?:s|z)+up|greetings?|Salutations|(Mail|News)\s+to|how(?:.?s|\s+is)?\s*(?:(?:it)?(?:\s+is)??\s*going|have\s+you\s+been|are you).?\s*(?:there|to\s+you)?)\,?\s+(?:Account\s+\#?|\=?3d|)(?:bro\s+)?\d{3,}/i +# don 2007-09-20 +header SENTMESSAGE subject =~ /(sent you a( personal|) message|would like to chat)/i +describe SENTMESSAGE Sent you a message (like duh?) +score SENTMESSAGE 2 + +# blarson 2006-03-16 2007-09-18 +body DEARDIGIT /^(?:well\s+)?(?:Dear|Hey|H[ea]y?ll?.?o|To|Attention|Hi+|Hey+a?|Bonjorno|(?:Yo\s*)+|(?:g[o0]+d\s*)?(?:d?ay|morning|evening?|afternoon|night)|what.?i?s\s+up|wa(?:s|z)+up|greetings?|Salutations|(Mail|News)\s+to|how(?:.?s|\s+is)?\s*(?:(?:it)?(?:\s+is)??\s*going|have\s+you\s+been|are you).?\s*(?:there|to\s+you)?|compliments|Regards|Adieu)\,?\s+(?:Account\s+\#?|\=?3d|)(?:bro|there|sir|Mr\.?)\s*?\d{3,}/i describe DEARDIGIT Dear number score DEARDIGIT 3.9 
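Review bot: The new DEARDIGIT pattern makes the title word mandatory: the old tail was `(?:bro\s+)?\d{3,}`, while the new one is `(?:bro|there|sir|Mr\.?)\s*?\d{3,}` with no `?` on the group. A plain "Dear 12345" greeting, which is what the description "Dear number" describes, therefore no longer matches. If the intent was only to add more optional titles, the tail should read `(?:(?:bro|there|sir|Mr\.?)\s*)?\d{3,}`. Separately, nearly every subject that matches the new SENTMESSAGE rule also matches HASSENT, which this commit adds further down in the same file, so such a subject scores 2 + 4. One of the two rules should be dropped or their scores split deliberately.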
@@ -342,11 +347,15 @@ header ACRO8PR0 subject =~ /\bAcr[0o]bat\s*[78]\s+(?:PR[0O]\b|\$?\d+\$?)/i describe ACRO8PR0 sales spam score ACRO8PR0 4 -# blarson 2007-09-11 -body WBRS /\b(WBRS|FPMC|ADYN|AFML|MISJ|HXPN|WHKA|CBFE|HSBC|PCAI|MPRG|HPRS|AUNI|TGVI|MHII|TAMG|GDKI|ACEN|CDYV|G7Q\.F|mbwc|CHFR|CDPN|DSDI|UTEV|P-S-U-D|GPSI|SGXI|CAON|SREA|ERMX|VPSN|SZSN|PAYI\.OB|LTDI|C\W\W?Y\W\W?T\W\W?V|E\WX\WM\WT|CYTV|VGPM|V\s?G\s?P\s?M(\.PK)?|wwng|WWNG)\b/ +# blarson 2007-09-15 +body WBRS /\b(WBRS|FPMC|ADYN|AFML|MISJ|HXPN|WHKA|CBFE|HSBC|PCAI|MPRG|HPRS|AUNI|TGVI|MHII|TAMG|GDKI|ACEN|CDYV|G7Q\.F|mbwc|CHFR|CDPN|DSDI|UTEV|P-S-U-D|GPSI|SGXI|CAON|SREA|ERMX|VPSN|SZSN|PAYI\.OB|LTDI|C\W\W?Y\W\W?T\W\W?V|E\WX\WM\WT|CYTV|VGPM|V\s?G\s?P\s?M(\.PK)?|wwng|WWNG|F\WD\WE\WG|FDEG|UTYW|M\s*I\s*H\s*I|O\W?N\W?C\W?O|P\W?P\W?Y\W?H)\b/ describe WBRS stock spam score WBRS 4 +body FOURLA /\b([A-Z]\s?){4}\b/ +describe FOURLA Four letter acronym (stock spam?) +score FOURLA 1 + # blarson 2007-01-26 header ACROBAT8 subject =~ /\badobe acr[o0]bat 8\b/i describe ACROBAT8 more sales spam 
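Review bot: FOURLA in common/phrase_spam matches any four capital letters standing as a word, with optional single spaces between them. On a bug tracker that includes everyday tokens such as HTTP, NULL, BIOS or SCSI, so the rule adds a point to a large share of legitimate reports instead of separating stock spam from them. If the aim is to catch tickers not yet listed in WBRS, it would be safer as an unscored `__FOURLA` sub-rule combined through a `meta` rule with another stock-spam indicator. The rule also lacks the author/date comment used elsewhere in the file. The new WBRS alternatives such as `O\W?N\W?C\W?O` are case-sensitive, so lower-case variants need their own entries, as was done for `wwng|WWNG`.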
@@ -412,3 +421,52 @@ body DELAFT /Please delete your private message after reading/ describe DELAFT more pdf spam score DELAFT 3 +# blarson 2007-09-13 +header OFF1CE subject =~ /\b[O0]ff[1i]ce 2[O0][O0]7\b/i +describe OFF1CE off1ce spam +score OFF1CE 4 + +# blarson 2007-09-13 +header SOFTSALE subject =~ /\bsoftware sales\b/i +describe SOFTSALE software spam +score SOFTSALE 3 + +# blarson 2007-09-18 +body SUPERMACHO /\bBe a supermacho/i +describe SUPERMACHO supermacho +score SUPERMACHO 4 + +# blarson 2007-09-19 +body BIGINTER /\bBig international commercial organization\b/i +describe BIGINTER job spam +score BIGINTER 4 + +# blarson 2007-09-20 +header HASSENT subject =~ /\b(?:sent you a (?:personal|confidential)?\s*(?:message|note)|would like to chat)\b/i +describe HASSENT sent a message +score HASSENT 4 + +# blarson 2007-09-20 +header ORDERNUM subject =~ /\b(?:Order|Recipet)\s*.?\d{3,}/i +describe ORDERNUM order number +score ORDERNUM 3 + +# don 2007-09-20 +header DICTIONARYSEQ subject =~ /\b(\w{3})\w*(?:\s+\1\w*){2}/i +describe DICTIONARYSEQ Ventricular Vents Venting Ventures +score DICTIONARYSEQ 3.5 + +# blarson 2007-09-21 +header NOLET subject =~ /^\W{4,}$/ +describe NOLET swearing subject +score NOLET 2 + +# blarson 2007-09-21 +body SSIST /^ssistant Manager/ +describe SSIST ssistant Manager +score SSIST 4 + +# blarson 2007-09-21 +body GRADUATEUNDER /\bgraduate in under\b/i +describe GRADUATEUNDER graduate in under +score GRADUATEUNDER 3 diff --git a/common/url_spam b/common/url_spam index 961f110..6a9b814 100644 --- a/common/url_spam +++ b/common/url_spam @@ -115,8 +115,8 @@ body BESTLOANS /www.bestmortloans.com/i describe BESTLOANS Best loans url score BESTLOANS 2 -# blarson 2007-07-22 2007-09-11 -body PENPRO /\@(?:penmailpro|OnsetIng|openprotection)\.info\b/i +# blarson 2007-07-22 2007-09-12 +body PENPRO /\@(?:penmailpro|OnsetIng|openprotection|NearOut)\.info\b/i describe PENPRO penmailpro spam score PENPRO 3.5 
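Review bot: DICTIONARYSEQ uses `\w`, which also matches digits, so a subject listing three numbers that share their first three digits (consecutive bug numbers, for instance) satisfies the pattern and collects 3.5 points. Writing it as `/\b([a-z]{3})[a-z]*(?:\s+\1[a-z]*){2}/i` keeps the rule on words, as its description suggests. NOLET's `^\W{4,}$` may likewise hit subjects written entirely in a non-Latin script if the header is matched as bytes; that is worth checking against real BTS mail before labelling it a "swearing subject". In ORDERNUM, `Recipet` is either a deliberate match for a spammer's misspelling or a typo for `Receipt`, and a comment saying which would help the next maintainer.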
@@ -144,3 +144,47 @@ score SIZMATZ 3 body EMAGX /\bhttp\:\/\/emagx\.net\b/i describe EMAGX wondercum spammer score EMAGX 3.5 + +# blarson 2007-09-13 +body FREENFL /\bhttp\:\/\/freeNFLtracker\.com\b/i +describe FREENFL nfl spam +score FREENFL 3 + +# blarson 2007-09-13 +body SPAMARREST /\bhttp\:\/\/www\.spamarrest\.com\b/ +describe SPAMARREST forwards thier spam problem +score SPAMARREST 4 + +# blarson 2007-09-14 +body FROMAD /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe)\.com\b/i +describe FROMAD more penis spam +score FROMAD 4 + +# blarson 2007-09-14 +uridnsbl URIBL_CNKR cn-kr.blackholes.us. A +body URIBL_CNKR eval:check_uridnsbl('URIBL_CNKR') +describe URIBL_CNKR china or korea hosted web site +tflags URIBL_CNKR net +score URIBL_CNKR 2.5 + +# blarson 2007-09-14 +uridnsbl_skip_domain debian.org debian.net + +# blarson 2007-09-14 +uridnsbl URIBL_SBL sbl.spamhaus.org. A +body URIBL_SBL eval:check_uridnsbl('URIBL_SBL') +describe URIBL_SBL Contains an URL listed in the SBL blocklist +tflags URIBL_SBL net +#reuse URIBL_SBL +score URIBL_SBL 3.5 + +# blarson 2007-09-17 +body MYCHEAP /\b(?:my)?cheap(?:oem|soft)(?:now)?\s*\.\s*com\b/i +describe MYCHEAP software spam +score MYCHEAP 4 + +# blarson 2007-09-16 +body WWWRU /\b(?:www\.|https?\:.*)\w+\.ru\b/i +describe WWWRU russian web site +score WWWRU 2 + -- 2.39.2
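Review bot: In WWWRU the `https?\:.*` branch lets `.*` run across the rest of the text, so the rule fires whenever "http:" is followed anywhere later by something ending in `.ru`. That includes a mail address such as `name@example.ru` (constructed example) appearing after an unrelated link. Restricting the gap to host-name characters, `/\b(?:www\.|https?\:\/\/[\w.-]*?)\w+\.ru\b/i`, keeps the match inside one URL; SpamAssassin's `uri` rule type would also fit this and the other URL rules better than `body`. URIBL_CNKR and URIBL_SBL make scoring depend on third-party DNS zones, so a comment next to them should say what is expected if a zone stops answering or starts listing every query.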