On 12/17/24 12:03 AM, fke...@apache.org wrote:
Author: fkento Date: Mon Dec 16 23:03:42 2024 New Revision: 1922544URL: http://svn.apache.org/viewvc?rev=1922544&view=rev Log: Add some rules for testing Added: spamassassin/trunk/rulesrc/sandbox/fkento/ spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf Added: spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf?rev=1922544&view=auto ==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf Mon Dec 16 23:03:42 2024
@@ -0,0 +1,61 @@
+
+uri-detail MXG_EMAIL_FRAG raw =~ /^http.*\#[a-zA-Z0-9](?:[a-zA-Z0-9\+\_\=\.\-]*[a-zA-Z0-9])?@(?:[a-z0-9_](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]/i domain !~ /^typeform\.com$/
+score MXG_EMAIL_FRAG 0.1
+describe MXG_EMAIL_FRAG URI with email in fragment
+
You should use "ifplugin Mail::SpamAssassin::Plugin::URIDetail" before using the plugin. Other than that, according to the man page it's "uri_detail", not "uri-detail". Thanks Giovanni
+uri-detail MXG_BING_REDIR_SUSP raw =~ /^https?:\/\/(www\.)?bing\.com(:443)?\/ck\//i text =~ /\b(cache|documents?|messages?|now|password|preview|refill|refuel|review|update|verify|view)\b/i
+score MXG_BING_REDIR_SUSP 0.1
+describe MXG_BING_REDIR_SUSP Suspicious Bing redirect
+
+header __MXG_SPOOFED_DOCUSIGN01 From:name =~ /docusign/i
+header __MXG_SPOOFED_DOCUSIGN02 Received =~ /\bdocusign\.(com|net)\s/i
+meta MXG_SPOOFED_DOCUSIGN __MXG_SPOOFED_DOCUSIGN01 && !__MXG_SPOOFED_DOCUSIGN02 && !__VIA_ML
+score MXG_SPOOFED_DOCUSIGN 0.1
+describe MXG_SPOOFED_DOCUSIGN Docusign spoofing
+
+uri __MXG_GOOGLE_FOREIGN_REDIR01 /https?:\/\/(www\.)?google\.(com?\.)?\w\w(?<!ca|uk|za|%{MXG_FROM_TLD})\/(url|amp)/i
+meta MXG_GOOGLE_FOREIGN_REDIR __MXG_GOOGLE_FOREIGN_REDIR01 && !__MXG_NOT_ENGLISH
+score MXG_GOOGLE_FOREIGN_REDIR 0.1
+describe MXG_GOOGLE_FOREIGN_REDIR Foreign Google redirect
+
+header __MXG_NOT_ENGLISH X-Languages =~ /^(?!en)\w+/
+score __MXG_NOT_ENGLISH 0.1
+describe __MXG_NOT_ENGLISH Not English
+
+header __MXG_FROM_TLD From:addr =~ /\.(?<MXG_FROM_TLD>(?:\w+|com?\.)?\w{2})$/i
+describe __MXG_FROM_TLD Capture From TLD
+
+header __MXG_PAYPAL_SCAM01 From:addr =~ /^service@paypal\.com(\.mx)?$/
+header __MXG_PAYPAL_SCAM02 Subject =~ /invoice|estimate|request|reminder from|accept/i
+body __MXG_PAYPAL_SCAM03 /888-221-1161/
+meta MXG_PAYPAL_SCAM __MXG_PAYPAL_SCAM01 && __MXG_PAYPAL_SCAM02 && (__MXG_HAS_PHONE || T_MXG_PHONE_OBFU) && !__MXG_PAYPAL_SCAM03
+score MXG_PAYPAL_SCAM 0.1
+describe MXG_PAYPAL_SCAM Paypal scam
+
+body __MXG_HAS_PHONE01 /\b1?\d{3}[^a-zA-Z0-9]+\d{3}[^a-zA-Z0-9]+\d{4}\b/
+body __MXG_HAS_PHONE02 /\b0[\s)]*(?:\d{3} \d{3} \d{4}|\d{4} \d{6}|\d{4} \d{3} \d{3}|\d{2} \d{4} \d{4})\b/
+body __MXG_HAS_PHONE03 /\b0?(?:\d{1}\)? 
\d{4} \d{4}|\d{3} \d{3} \d{3})\b/
+uri __MXG_HAS_PHONE04 /tel:/
+body __MXG_HAS_PHONE05 /\+1([\W_]*[0-9]){10}(?![\W_]*[0-9])/
+meta __MXG_HAS_PHONE __MXG_HAS_PHONE01 || __MXG_HAS_PHONE02 || __MXG_HAS_PHONE03 || __MXG_HAS_PHONE04 || __MXG_HAS_PHONE05
+score __MXG_HAS_PHONE 0.001
+describe __MXG_HAS_PHONE Has a phone number
+
+body __T_MXG_PHONE_OBFU01 /\b[1I]?[\dOIl]{3}[^a-zA-Z0-9]+[\dOIl]{3}[^a-zA-Z0-9]+[\dOIl]{4}\b/
+meta T_MXG_PHONE_OBFU __T_MXG_PHONE_OBFU01 && !__MXG_HAS_PHONE
+score T_MXG_PHONE_OBFU 0.001
+describe T_MXG_PHONE_OBFU Attempt to obfuscate a phone number
+
+meta MXG_LOWER_HDR_SPAM (FREEMAIL_FROM || (__FROM_RUNON && __MXG_UNSUB_LINK)) && __MXG_LOWER_HDR
+score MXG_LOWER_HDR_SPAM 0.001
+describe MXG_LOWER_HDR_SPAM Lower case header spam
+
+uri-detail __MXG_UNSUB_LINK01 text =~ /unsubscribe|opt[\s-]out/i
+uri __MXG_UNSUB_LINK02 /\b(?:unsub|opt(?:ing)?.?out)\b/i
+rawbody __MXG_UNSUB_LINK03 /click here<\/a> to unsubscribe/i
+meta __MXG_UNSUB_LINK __MXG_UNSUB_LINK01 || __MXG_UNSUB_LINK02 || __MXG_UNSUB_LINK03
+describe __MXG_UNSUB_LINK Contains an unsubscribe link
+
+header __MXG_LOWER_HDR ALL:raw =~ /^(from|to|subject):\s/m
+score __MXG_LOWER_HDR 0.001
+describe __MXG_LOWER_HDR lower case header
\ No newline at end of file
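Review bot: `__MXG_SPOOFED_DOCUSIGN02` matches against every `Received` header, including ones written before the message reached a trusted relay, so the `!__MXG_SPOOFED_DOCUSIGN02` exemption in `MXG_SPOOFED_DOCUSIGN` depends on text the sender controls. Tying the exemption to relay data SpamAssassin derives itself would be sturdier, for example `header __MXG_SPOOFED_DOCUSIGN02 X-Spam-Relays-External =~ /\brdns=(?:\S+\.)?docusign\.(?:com|net)\s/i`, or adding an authentication result such as `DKIM_VALID_AU` to the meta. Treat that pattern as a sketch to confirm in mass-check, since it matches any external relay rather than only the first. Separately, the `score` lines on `__MXG_NOT_ENGLISH`, `__MXG_HAS_PHONE` and `__MXG_LOWER_HDR` look unintended, because double-underscore sub-rules normally carry no score.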