Karsten Bräckelmann wrote:
> That said, I seem to recall that at least published SARE rule-sets
> have been mentioned to be added to stock and thus obsoleted.

I suppose this is a point for Daryl (DOS) or whomever "maintains" SARE
(read: runs the DNS), but they are not configured to obsolete nicely:

$ host -t txt 0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net
0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net descriptive text
"200701151000"
$ host -t txt 4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net
4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net descriptive text
"200705210700"

Obsoleted rules should be ... obsoleted.  This means fixing those DNS
wildcard entries well *before* any pre/alpha releases that might
consider their versions 3.3+

> Also, there's no communications channel announcing sa-update rule
> updates in detail.

Ooh, I like the idea of an RSS feed or a bot that posts to this list
(or the dev list), specifically for retractions/removals and security
updates, and hopefully not for any minor score tweak (or perhaps a
~weekly digest of such things).  This might be as simple as a script
monitoring SVN checkins.

> Speaking about rules posted to the list: Those often will be
> changed slightly in the sandbox after the initial post. Let alone
> some rules being posted in various versions on this list -- which
> one do you run?

I'm not sure if you actually want this, but ...  Rules I've pushed to
and taken from this list are attached.  The pushed rules are a small
sub-set of those available through my publicly accessible sa-update
channels, http://khopesh.com/Anti-spam#sa-update_channels

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
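#################################
# this section was pulled from sa-users list but not syndicated in my channels
# due to presence in spamassassin SVN sandbox, plugin req, or controversy

# Outlook identifies itself in X-Mailer; the "888" Message-Id shape is
# <8hex$8hex$8hex@...>.  Both sub-rules must hit for the meta to score.
header __KB_OUTLOOK_MUA         X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/
# Re-joined onto one line: the copy in the mail was wrapped after "=~",
# leaving the regex on a line of its own.
header __KB_MSGID_OUTLOOK_888   Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
meta     KB_RATWARE_MSGID       (__KB_MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA)
describe KB_RATWARE_MSGID       Ratware Message-Id
score    KB_RATWARE_MSGID       3.0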

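# from sandbox/kb/70_misc.cf
# Three variants of one check: the Message-Id carries two 8-hex-digit
# groups separated by "$", and the MIME boundary later in the headers
# repeats the captured group(s) (\1 / \2 back-references).  Each rule is
# re-joined onto one line; the copy in the mail was wrapped after
# "Message-Id: ".  The '  # "' lines are plain comments to the parser and
# apparently only balance the quote for syntax highlighting.
header  KB_RATWARE_OUTLOOK_16   ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
  # "
score KB_RATWARE_OUTLOOK_16     0.9

# As _16, but only the first four hex digits of the second group must
# reappear in the boundary.
header  KB_RATWARE_OUTLOOK_12   ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
  # "
score KB_RATWARE_OUTLOOK_12     0.9

# LuKreme has this called KB_RATWARE_BOUNDARY (see his email 20090430 18:37p)
# Loosest variant: only the first group must reappear.  The three rules
# overlap (a _16 hit is also a _12 and an _08 hit), so the scores stack
# to 0.9 + 0.9 + 1.2 = 3.0 on the strictest match.
header  KB_RATWARE_OUTLOOK_08   ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi
  # "
score KB_RATWARE_OUTLOOK_08     1.2 # LuKreme scores this 2.0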

# http://ruleqa.spamassassin.org/week/KB_FAKED_THE_BAT/detail
# Matches a Date header whose raw (un-normalised) value starts with a tab,
# optionally after a single space; the :raw form is used so the leading
# whitespace is still visible.  __THEBAT_MUA is not defined in this file
# (presumably a stock sub-rule -- confirm).
header   __KB_DATE_CONTAINS_TAB Date:raw =~ /^ ?\t/
meta     KB_FAKED_THE_BAT       (__THEBAT_MUA && __KB_DATE_CONTAINS_TAB)
score    KB_FAKED_THE_BAT       1.0

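# HELO of the form d-d-d-d (dotted-quad written with dashes), taken from the
# first entry of the X-Spam-Relays-External pseudo-header (nothing up to the
# first "]" is skipped).  Re-joined onto one line: the copy in the mail was
# wrapped inside the "[^ ]" character class.
header   FH_HELO_EQ_D_D_D_D     X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
describe FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
score    FH_HELO_EQ_D_D_D_D     0.75    # suggested: 1.397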


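# Requires third-party plugin iXhash, http://wiki.apache.org/spamassassin/iXhash
# Use the union rather than tweaking each one and possibly going overboard.
# Re-joined onto one line: the copy in the mail was wrapped mid-expression.
meta IXHASH_CHECK       GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH
describe IXHASH_CHECK   BODY: MD5 checksum matches known spam
# Four values = one per score set; the zeros keep the rule off in the sets
# where network tests are disabled (the hash lookups need the network).
score IXHASH_CHECK      0 2 0 2  # 20090415, sa-users @20090505 and 20090605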


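# CONTROVERSIAL! Requires configuring trusted_networks + whitelist_bounce_relays
ifplugin Mail::SpamAssassin::Plugin::VBounce # {
  # Exemptions: auto-replies / out-of-office / confirmations by Subject, and
  # Bugzilla notification mail (bug 6008), presumably because it trips the
  # bounce tests.
  header __VACATION Subject =~ /\b(?:vacati|away|out.of.offic|auto.?re|confir)/i
  # bugzilla mail, https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6008
  header   __BUGZILLA_DAEMON    From =~ /bugzilla/i
  # A bounce (BOUNCE_MESSAGE / VBOUNCE_MESSAGE) that neither came through
  # trusted hosts nor carries a verified DKIM signature: our address was
  # used as a forged envelope sender somewhere else.  Re-joined onto one
  # line; the copy in the mail was wrapped mid-expression.
  meta     KHOP_BACKSCATTER     !ALL_TRUSTED && !DKIM_VERIFIED && !__VACATION && !__BUGZILLA_DAEMON && (BOUNCE_MESSAGE||VBOUNCE_MESSAGE)
  describe KHOP_BACKSCATTER     Misdirected bounce to a forged sender address
  score    KHOP_BACKSCATTER     4.9 # sa-users @20090515
endif # } VBounce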



#################################
# khop-general channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

# NOTE, this barfs on foreign characters
# Negative match (!~): hits when the From display name does NOT contain two
# capitalised ASCII words separated by ".", ",", "_" or whitespace.  Names
# with non-ASCII letters may fail the pattern and hit the rule, hence the
# warning above and the deliberately low score.
header   KHOP_NO_FULL_NAME   From:name !~ /[A-Z][a-zA-Z]*[.,\s_]+[A-Z][a-zA-Z]*/
describe KHOP_NO_FULL_NAME   Sender does not have both first and last names
score    KHOP_NO_FULL_NAME   0.259 # keep low! 20090220, sa-users @20090514

# Display name that itself looks like an e-mail address, followed by the
# real address in angle brackets.
# NOTE(review): the "\...@" fragments look like list-archive address
# munging of the original local-part pattern -- confirm against the channel
# source before using this regex as-is.
header   KHOP_NAME_IS_EMAIL     From =~ /\...@\w+\.\w\w+["'`]*\s*<\...@\w+\w\w/
describe KHOP_NAME_IS_EMAIL     Sender NAME is an email address
score    KHOP_NAME_IS_EMAIL     0.125 # keep low! 20090220, sa-users @20090514

# A "/." (dot-directory) occurring at least seven characters into the URI.
uri      URI_HIDDEN     /.{7}\/\../
describe URI_HIDDEN     Contains a hidden directory
score    URI_HIDDEN     0.7 # 20090515 from sa-users list

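ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {

  # Attachment whose filename looks like a digital-camera frame
  # (DSC/DSL + 4-5 digits) but carries a .png extension.
  mimeheader DSCL4_PNG  Content-Type =~ /name\=\"DS[CL]\d{4,5}\.(?:png|PNG)\"/
  describe   DSCL4_PNG  Digital camera filename is PNG
  score      DSCL4_PNG  1.6
  # image_size_exact is an ImageInfo eval, so the two rules that use it are
  # guarded by that plugin (the enclosing block only guarantees MIMEHeader);
  # without the guard an install lacking ImageInfo hits an unknown eval here.
  ifplugin Mail::SpamAssassin::Plugin::ImageInfo
    body       __PNG_240_400      eval:image_size_exact('png',240,400)
    meta       DSCL4DIG_PNG       DSCL4_PNG && __PNG_240_400
    describe   DSCL4DIG_PNG       240x400 PNG with digital camera filename
    score      DSCL4DIG_PNG       2.0 # 20090505 from sa-users list
  endif # ImageInfo

  # multipart/mixed with an image part but no text/* part at all.
  # __ANY_IMAGE_ATTACH is not defined in this file -- presumably elsewhere
  # in the channel; confirm, otherwise this meta can never hit.
  header __CTYPE_MULTIPART_MXD  Content-Type =~ /multipart\/mixed/i
  mimeheader __ANY_TEXT_ATTACH  Content-Type =~ /text\/\w/i
  # Re-joined onto one line: the copy in the mail was wrapped mid-expression.
  meta       MIME_IMAGE_ONLY    (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
  describe   MIME_IMAGE_ONLY    Image body part but no text body parts
  score      MIME_IMAGE_ONLY    2.00 # 20090507 from sa-users list

  # "image/jpg" is not a registered media type; real clients write image/jpeg.
  mimeheader MIME_IMAGE_JPG     Content-Type =~ /image\/jpg/i
  describe MIME_IMAGE_JPG       MIME type image/jpg should be image/jpeg
  score MIME_IMAGE_JPG          2.0 # 20090526 from sa-users list

  ifplugin Mail::SpamAssassin::Plugin::ImageInfo
    # Declared image type (Content-Type) versus what ImageInfo decoded from
    # the part (image_count with a minimum of one); a mismatch means the
    # label does not describe the bytes.
    mimeheader __MIME_GIF    Content-Type =~ /image\/gif/i
    mimeheader __MIME_PNG    Content-Type =~ /image\/png/i
    mimeheader __MIME_JPEG   Content-Type =~ /image\/jpe?g/i
    body __GIF_ATTACH        eval:image_count('gif',1)
    body __PNG_ATTACH        eval:image_count('png',1)
    body __JPEG_ATTACH       eval:image_count('jpeg',1)

    # Re-joined onto one line: the copy in the mail was wrapped mid-expression.
    meta IMAGE_MISMATCH      (__MIME_GIF && !__GIF_ATTACH) || (__MIME_PNG && !__PNG_ATTACH) || (__MIME_JPEG && !__JPEG_ATTACH)
    describe IMAGE_MISMATCH  Contains wrong image format for MIME header
    score IMAGE_MISMATCH     1.0 # 20090610, proposed to sa-users @20090524
  endif # ImageInfo

endif # } MIMEHeader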



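#################################
# khop-blessed channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

# An address local-part, anywhere in ALL headers, naming an automated
# sender: noreply / no-reply, bounce, (un)subscribe, news, nobody.
# NOTE(review): the "\...@" fragment looks like list-archive address
# munging of the original pattern -- confirm against the channel source.
# Re-joined onto one line: the copy in the mail was wrapped after "=~".
header   KHOP_SENDER_BOT        ALL =~ /(?:not?\W?repl[yi]|bounce|subscrib|news|nobody)[^@ >]...@\w/i
describe KHOP_SENDER_BOT        Message sent from a bulk service or bot
score    KHOP_SENDER_BOT        0.125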

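# Google Groups traffic, recognised by the Sender domain plus the
# List-Unsubscribe URL.  Both headers are trivially forgeable, so the meta
# additionally requires a verified DKIM signature when the DKIM plugin is
# loaded; the fallback branch only checks that *a* DKIM-Signature header
# exists, which anyone can add, so the -2 credit is easier to claim there.
# NOTE(review): the "\...@" fragment looks like list-archive address
# munging of the original pattern -- confirm against the channel source.
header   __GOOGLE_UNSUB List-Unsubscribe =~ /^http:..googlegroups.com\//
header   __GOOGLE_GROUPS        Sender =~ /\...@googlegroups\.com$/
# Fixed plugin name: it is Mail::SpamAssassin::Plugin::DKIM.  The previous
# name (Mail::SpamAssassin::DKIM) never matches a loaded plugin, so the
# weaker DKIM_EXISTS branch was being taken unconditionally.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta   GOOGLE_GROUPS  __GOOGLE_GROUPS && __GOOGLE_UNSUB && DKIM_VERIFIED
else
  header DKIM_EXISTS    exists:DKIM-Signature
  # Informational only: a rule without a score line defaults to 1.0, which
  # would add a point to every DKIM-signed message on a DKIM-less install.
  score  DKIM_EXISTS    0.001
  meta   GOOGLE_GROUPS  __GOOGLE_GROUPS && __GOOGLE_UNSUB && DKIM_EXISTS
endif # DKIM
describe GOOGLE_GROUPS  Google Groups list mail (confirmed-opt-in)
score    GOOGLE_GROUPS  -2      # 20090527
# undo KHOP_SENDER_BOT + KHOP_NEWSLETTER + KHOP_UNSUB_LINK (0.1+0.7+0.8=1.65)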

# __X_IP will throw an 'undefined' if missing, but this avoids tripping over
# the fix at https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5920#c2
# Cancels X_IP's points on confirmed Google Groups mail.  The !__X_IP term
# presumably turns the meta into a no-op on installs that carry the bug-5920
# fix (where __X_IP exists); elsewhere __X_IP is undefined, as noted above.
# NOTE(review): neither X_IP nor __X_IP is defined in this file -- confirm
# they come from the stock rule set in use.  A flat -3 over-corrects in the
# score sets where X_IP is below 3 (e.g. 1.943 gives a net -1.057).
meta     KHOP_BUG5920_X_IP      X_IP && GOOGLE_GROUPS && !__X_IP
describe KHOP_BUG5920_X_IP      Undo X_IP for Google Groups
score    KHOP_BUG5920_X_IP      -3 # undoing X_IP's  2.840 1.943 2.744 3.177



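#################################
# from khop-blessed channel, http://khopesh.com/Anti-spam#sa-update_channels
# as referenced in my email to sa-users on 2009/10/05

# Fixed plugin name: it is Mail::SpamAssassin::Plugin::SPF (double colon).
# With the single-colon spelling the ifplugin test never matched, so none of
# the rules in this block were loaded.
ifplugin Mail::SpamAssassin::Plugin::SPF
 #ifplugin Mail::SpamAssassin::Plugin::DKIM # ... not a problem if missing
  # "Not spoofed": the message came only through trusted hosts, or passed
  # SPF, or carries a verified DKIM signature.  DKIM_VERIFIED is undefined
  # when the DKIM plugin is absent; the author accepts that (see above).
  meta     __KHOP_NOSPOOF       ALL_TRUSTED || SPF_PASS || DKIM_VERIFIED

  # __KHOP_DNSWLD is not defined in this file (presumably elsewhere in the
  # channel -- confirm).  A DNS-whitelisted sender whose authenticity cannot
  # be verified is exactly what a forged whitelisted domain looks like.
  meta     KHOP_RCVD_UNTRUST    !__KHOP_NOSPOOF && __KHOP_DNSWLD
  describe KHOP_RCVD_UNTRUST    DNS-whitelisted sender is not verified
  tflags   KHOP_RCVD_UNTRUST    noautolearn
  score    KHOP_RCVD_UNTRUST    1 # 20090501

  # bump for non-spoofed dns-whitelisted items that aren't already pretty low
  # (similar to KHOP_DNSBL_BUMP in khop-bl)
  # The weighted sum approximates the listed whitelist rules' own scores
  # (weights presumably copied from the rule set at the time -- confirm);
  # the -2.5 only applies while that sum is below 7.  Re-joined onto one
  # line: the copy in the mail was wrapped inside the expression.
  meta     KHOP_RCVD_TRUST      __KHOP_NOSPOOF && __KHOP_DNSWLD && (4.3*RCVD_IN_BSP_TRUSTED + 8*RCVD_IN_DNSWL_HI + 1*RCVD_IN_DNSWL_LOW + 4*RCVD_IN_DNSWL_MED + 4*RCVD_IN_IADB_DOPTIN + 6*RCVD_IN_IADB_ML_DOPTIN + 2.2*RCVD_IN_IADB_VOUCHED + 3*RCVD_IN_JMF_W + 3.7*RCVD_IN_SSC_TRUSTED_COI) < 7
  describe KHOP_RCVD_TRUST      DNS-Whitelisted sender is verified
  tflags   KHOP_RCVD_TRUST      nice noautolearn
  score    KHOP_RCVD_TRUST      -2.5 # 20090411

 #endif # DKIM
endif # SPF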



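#################################
# khop-bl channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

# Fight incestuous DNSBLs, posted to sa-users @20090518
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
  # Weighted sum of the DNSBL rule hits (weights presumably mirror each
  # rule's own score at the time -- confirm); when the lists overlap enough
  # to push the sum past 8, give some of it back so one listing replicated
  # across several feeds does not auto-kill the message on its own.
  # Re-joined onto one line: the copy in the mail was wrapped inside the
  # expression.
  meta     KHOP_DNSBL_ADJ       ( 2*RCVD_IN_BL_SPAMCOP_NET + 1.6*RCVD_IN_NJABL_PROXY + 2.7*RCVD_IN_NJABL_RELAY + 2.1*RCVD_IN_NJABL_SPAM + 0.9*RCVD_IN_PBL + 1.6*RCVD_IN_SBL + 3*RCVD_IN_XBL + 0.8*RCVD_IN_SORBS_SOCKS + 1.8*RCVD_IN_PSBL + 1.7*RCVD_IN_JMF_BL + 1.8*RCVD_IN_JMF_BR + 2*RCVD_IN_BRBL_RELAY + 1*RCVD_IN_BRBL_LASTEXT ) > 8
  describe KHOP_DNSBL_ADJ       Undo autokill from DNSBL overlap
  tflags   KHOP_DNSBL_ADJ       nice
  score    KHOP_DNSBL_ADJ       -2.6 # hitting 50% = 10.5 -> 7.9, min=8 -> 5.4
endif # } DNSEval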
