On 12/17/24 12:03 AM, [email protected] wrote:
Author: fkento
Date: Mon Dec 16 23:03:42 2024
New Revision: 1922544
URL: http://svn.apache.org/viewvc?rev=1922544&view=rev
Log:
Add some rules for testing
Added:
spamassassin/trunk/rulesrc/sandbox/fkento/
spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf
Added: spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf?rev=1922544&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/fkento/20_misc.cf Mon Dec 16 23:03:42 2024
@@ -0,0 +1,61 @@
+
+uri-detail MXG_EMAIL_FRAG raw =~ /^http.*\#[a-zA-Z0-9](?:[a-zA-Z0-9\+\_\=\.\-]*[a-zA-Z0-9])?@(?:[a-z0-9_](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]/i domain !~ /^typeform\.com$/
+score MXG_EMAIL_FRAG 0.1
+describe MXG_EMAIL_FRAG URI with email in fragment
+
You should wrap these rules in "ifplugin Mail::SpamAssassin::Plugin::URIDetail" before using the plugin. Other than that, according to the man page it's "uri_detail", not "uri-detail". Thanks Giovanni
+uri-detail MXG_BING_REDIR_SUSP raw =~
/^https?:\/\/(www\.)?bing\.com(:443)?\/ck\//i text =~
/\b(cache|documents?|messages?|now|password|preview|refill|refuel|review|update|verify|view)\b/i
+score MXG_BING_REDIR_SUSP 0.1
+describe MXG_BING_REDIR_SUSP Suspicious Bing redirect
+
+header __MXG_SPOOFED_DOCUSIGN01 From:name =~ /docusign/i
+header __MXG_SPOOFED_DOCUSIGN02 Received =~ /\bdocusign\.(com|net)\s/i
+meta MXG_SPOOFED_DOCUSIGN __MXG_SPOOFED_DOCUSIGN01 &&
!__MXG_SPOOFED_DOCUSIGN02 && !__VIA_ML
+score MXG_SPOOFED_DOCUSIGN 0.1
+describe MXG_SPOOFED_DOCUSIGN Docusign spoofing
+
+uri __MXG_GOOGLE_FOREIGN_REDIR01
/https?:\/\/(www\.)?google\.(com?\.)?\w\w(?<!ca|uk|za|%{MXG_FROM_TLD})\/(url|amp)/i
+meta MXG_GOOGLE_FOREIGN_REDIR __MXG_GOOGLE_FOREIGN_REDIR01 &&
!__MXG_NOT_ENGLISH
+score MXG_GOOGLE_FOREIGN_REDIR 0.1
+describe MXG_GOOGLE_FOREIGN_REDIR Foreign Google redirect
+
+header __MXG_NOT_ENGLISH X-Languages =~ /^(?!en)\w+/
+score __MXG_NOT_ENGLISH 0.1
+describe __MXG_NOT_ENGLISH Not English
+
+header __MXG_FROM_TLD From:addr =~
/\.(?<MXG_FROM_TLD>(?:\w+|com?\.)?\w{2})$/i
+describe __MXG_FROM_TLD Capture From TLD
+
+header __MXG_PAYPAL_SCAM01 From:addr =~ /^service@paypal\.com(\.mx)?$/
+header __MXG_PAYPAL_SCAM02 Subject =~
/invoice|estimate|request|reminder from|accept/i
+body __MXG_PAYPAL_SCAM03 /888-221-1161/
+meta MXG_PAYPAL_SCAM __MXG_PAYPAL_SCAM01 && __MXG_PAYPAL_SCAM02 &&
(__MXG_HAS_PHONE || T_MXG_PHONE_OBFU) && !__MXG_PAYPAL_SCAM03
+score MXG_PAYPAL_SCAM 0.1
+describe MXG_PAYPAL_SCAM Paypal scam
+
+body __MXG_HAS_PHONE01
/\b1?\d{3}[^a-zA-Z0-9]+\d{3}[^a-zA-Z0-9]+\d{4}\b/
+body __MXG_HAS_PHONE02 /\b0[\s)]*(?:\d{3} \d{3} \d{4}|\d{4}
\d{6}|\d{4} \d{3} \d{3}|\d{2} \d{4} \d{4})\b/
+body __MXG_HAS_PHONE03 /\b0?(?:\d{1}\)? \d{4} \d{4}|\d{3} \d{3}
\d{3})\b/
+uri __MXG_HAS_PHONE04 /tel:/
+body __MXG_HAS_PHONE05 /\+1([\W_]*[0-9]){10}(?![\W_]*[0-9])/
+meta __MXG_HAS_PHONE __MXG_HAS_PHONE01 || __MXG_HAS_PHONE02 ||
__MXG_HAS_PHONE03 || __MXG_HAS_PHONE04 || __MXG_HAS_PHONE05
+score __MXG_HAS_PHONE 0.001
+describe __MXG_HAS_PHONE Has a phone number
+
+body __T_MXG_PHONE_OBFU01
/\b[1I]?[\dOIl]{3}[^a-zA-Z0-9]+[\dOIl]{3}[^a-zA-Z0-9]+[\dOIl]{4}\b/
+meta T_MXG_PHONE_OBFU __T_MXG_PHONE_OBFU01 && !__MXG_HAS_PHONE
+score T_MXG_PHONE_OBFU 0.001
+describe T_MXG_PHONE_OBFU Attempt to obfuscate a phone number
+
+meta MXG_LOWER_HDR_SPAM (FREEMAIL_FROM || (__FROM_RUNON &&
__MXG_UNSUB_LINK)) && __MXG_LOWER_HDR
+score MXG_LOWER_HDR_SPAM 0.001
+describe MXG_LOWER_HDR_SPAM Lower case header spam
+
+uri-detail __MXG_UNSUB_LINK01 text =~ /unsubscribe|opt[\s-]out/i
+uri __MXG_UNSUB_LINK02 /\b(?:unsub|opt(?:ing)?.?out)\b/i
+rawbody __MXG_UNSUB_LINK03 /click here<\/a> to unsubscribe/i
+meta __MXG_UNSUB_LINK __MXG_UNSUB_LINK01 || __MXG_UNSUB_LINK02 ||
__MXG_UNSUB_LINK03
+describe __MXG_UNSUB_LINK Contains an unsubscribe link
+
+header __MXG_LOWER_HDR ALL:raw =~ /^(from|to|subject):\s/m
+score __MXG_LOWER_HDR 0.001
+describe __MXG_LOWER_HDR lower case header
\ No newline at end of file
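Review bot: The exemption in `__MXG_SPOOFED_DOCUSIGN02` matches any `Received` header, and every Received line below the first trusted relay is written by the sender, so a message carrying a hop that merely mentions `docusign.com` or `docusign.net` is excluded from `MXG_SPOOFED_DOCUSIGN`. Keying the exemption on what the local MTA recorded for the first external relay would be harder to fake, for example `header __MXG_SPOOFED_DOCUSIGN02 X-Spam-Relays-External =~ /^\[ ip=\S+ rdns=(?:\S+\.)?docusign\.(?:com|net) /i` (pattern untested, to be confirmed in mass-check). Separately, the `score` and `describe` lines on `__MXG_NOT_ENGLISH`, `__MXG_HAS_PHONE` and `__MXG_LOWER_HDR` appear to have no effect, since names starting with `__` are documented as unscored sub-rules.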
