Karsten Bräckelmann wrote:
> That said, I seem to recall that at least published SARE rule-sets
> have been mentioned to be added to stock and thus obsoleted.

I suppose this is a point for Daryl (DOS) or whoever "maintains" SARE
(read: runs the DNS), but they are not configured to obsolete nicely:

$ host -t txt 0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net
0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net descriptive text "200701151000"
$ host -t txt 4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net
4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net descriptive text "200705210700"

Obsoleted rules should be ... obsoleted. This means fixing those DNS
wildcard entries well *before* any pre/alpha releases that might
consider their versions 3.3+.

> Also, there's no communications channel announcing sa-update rule
> updates in detail.

Ooh, I like the idea of an RSS feed or a bot that posts to this list
(or the dev list), specifically for retractions/removals and security
updates, and hopefully not for any minor score tweak (or perhaps a
~weekly digest of such things). This might be as simple as a script
monitoring SVN checkins.

> Speaking about rules posted to the list: Those often will be
> changed slightly in the sandbox after the initial post. Let alone
> some rules being posted in various versions on this list -- which
> one do you run?

I'm not sure if you actually want this, but ... Rules I've pushed to
and taken from this list are attached. The pushed rules are a small
sub-set of those available through my publicly accessible sa-update
channels, http://khopesh.com/Anti-spam#sa-update_channels

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam

#################################
# this section was pulled from sa-users list but not syndicated in my channels
# due to presence in spamassassin SVN sandbox, plugin req, or controversy

header   __KB_OUTLOOK_MUA        X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/
header   __KB_MSGID_OUTLOOK_888  Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
meta     KB_RATWARE_MSGID        (__KB_MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA)
describe KB_RATWARE_MSGID        Ratware Message-Id
score    KB_RATWARE_MSGID        3.0

# from sandbox/kb/70_misc.cf
header   KB_RATWARE_OUTLOOK_16   ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
score    KB_RATWARE_OUTLOOK_16   0.9
header   KB_RATWARE_OUTLOOK_12   ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
score    KB_RATWARE_OUTLOOK_12   0.9
# LuKreme has this called KB_RATWARE_BOUNDARY (see his email 20090430 18:37p)
header   KB_RATWARE_OUTLOOK_08   ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
score    KB_RATWARE_OUTLOOK_08   1.2 # LuKreme scores this 2.0

# http://ruleqa.spamassassin.org/week/KB_FAKED_THE_BAT/detail
header   __KB_DATE_CONTAINS_TAB  Date:raw =~ /^ ?\t/
meta     KB_FAKED_THE_BAT        (__THEBAT_MUA && __KB_DATE_CONTAINS_TAB)
score    KB_FAKED_THE_BAT        1.0

header   FH_HELO_EQ_D_D_D_D      X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
describe FH_HELO_EQ_D_D_D_D      Helo is d-d-d-d
score    FH_HELO_EQ_D_D_D_D      0.75 # suggested: 1.397

# Requires third-party plugin iXhash, http://wiki.apache.org/spamassassin/iXhash
# Use the union rather than tweaking each one and possibly going overboard.
meta     IXHASH_CHECK            GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH
describe IXHASH_CHECK            BODY: MD5 checksum matches known spam
score    IXHASH_CHECK            0 2 0 2 # 20090415, sa-users @20090505 and 20090605

# CONTROVERSIAL! Requires configuring trusted_networks + whitelist_bounce_relays
ifplugin Mail::SpamAssassin::Plugin::VBounce # {
  header   __VACATION            Subject =~ /\b(?:vacati|away|out.of.offic|auto.?re|confir)/i
  # bugzilla mail, https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6008
  header   __BUGZILLA_DAEMON     From =~ /bugzilla/i
  meta     KHOP_BACKSCATTER      !ALL_TRUSTED && !DKIM_VERIFIED && !__VACATION && !__BUGZILLA_DAEMON && (BOUNCE_MESSAGE||VBOUNCE_MESSAGE)
  describe KHOP_BACKSCATTER      Misdirected bounce to a forged sender address
  score    KHOP_BACKSCATTER      4.9 # sa-users @20090515
endif # } VBounce

#################################
# khop-general channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

# NOTE, this barfs on foreign characters
header   KHOP_NO_FULL_NAME       From:name !~ /[A-Z][a-zA-Z]*[.,\s_]+[A-Z][a-zA-Z]*/
describe KHOP_NO_FULL_NAME       Sender does not have both first and last names
score    KHOP_NO_FULL_NAME       0.259 # keep low! 20090220, sa-users @20090514

header   KHOP_NAME_IS_EMAIL      From =~ /\...@\w+\.\w\w+["'`]*\s*<\...@\w+\w\w/
describe KHOP_NAME_IS_EMAIL      Sender NAME is an email address
score    KHOP_NAME_IS_EMAIL      0.125 # keep low! 20090220, sa-users @20090514

uri      URI_HIDDEN              /.{7}\/\../
describe URI_HIDDEN              Contains a hidden directory
score    URI_HIDDEN              0.7 # 20090515 from sa-users list

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
  mimeheader DSCL4_PNG           Content-Type =~ /name\=\"DS[CL]\d{4,5}\.(?:png|PNG)\"/
  describe   DSCL4_PNG           Digital camera filename is PNG
  score      DSCL4_PNG           1.6
  body       __PNG_240_400       eval:image_size_exact('png',240,400)
  meta       DSCL4DIG_PNG        DSCL4_PNG && __PNG_240_400
  describe   DSCL4DIG_PNG        240x400 PNG with digital camera filename
  score      DSCL4DIG_PNG        2.0 # 20090505 from sa-users list

  header     __CTYPE_MULTIPART_MXD  Content-Type =~ /multipart\/mixed/i
  mimeheader __ANY_TEXT_ATTACH   Content-Type =~ /text\/\w/i
  meta       MIME_IMAGE_ONLY     (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
  describe   MIME_IMAGE_ONLY     Image body part but no text body parts
  score      MIME_IMAGE_ONLY     2.00 # 20090507 from sa-users list

  mimeheader MIME_IMAGE_JPG      Content-Type =~ /image\/jpg/i
  describe   MIME_IMAGE_JPG      MIME type image/jpg should be image/jpeg
  score      MIME_IMAGE_JPG      2.0 # 20090526 from sa-users list

  ifplugin Mail::SpamAssassin::Plugin::ImageInfo
    mimeheader __MIME_GIF        Content-Type =~ /image\/gif/i
    mimeheader __MIME_PNG        Content-Type =~ /image\/png/i
    mimeheader __MIME_JPEG       Content-Type =~ /image\/jpe?g/i
    body       __GIF_ATTACH      eval:image_count('gif',1)
    body       __PNG_ATTACH      eval:image_count('png',1)
    body       __JPEG_ATTACH     eval:image_count('jpeg',1)
    meta       IMAGE_MISMATCH    (__MIME_GIF && !__GIF_ATTACH) || (__MIME_PNG && !__PNG_ATTACH) || (__MIME_JPEG && !__JPEG_ATTACH)
    describe   IMAGE_MISMATCH    Contains wrong image format for MIME header
    score      IMAGE_MISMATCH    1.0 # 20090610, proposed to sa-users @20090524
  endif # ImageInfo
endif # } MIMEHeader

#################################
# khop-blessed channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

header   KHOP_SENDER_BOT         ALL =~ /(?:not?\W?repl[yi]|bounce|subscrib|news|nobody)[^@ >]...@\w/i
describe KHOP_SENDER_BOT         Message sent from a bulk service or bot
score    KHOP_SENDER_BOT         0.125

header   __GOOGLE_UNSUB          List-Unsubscribe =~ /^http:..googlegroups.com\//
header   __GOOGLE_GROUPS         Sender =~ /\...@googlegroups\.com$/
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta   GOOGLE_GROUPS           __GOOGLE_GROUPS && __GOOGLE_UNSUB && DKIM_VERIFIED
else
  header DKIM_EXISTS             exists:DKIM-Signature
  meta   GOOGLE_GROUPS           __GOOGLE_GROUPS && __GOOGLE_UNSUB && DKIM_EXISTS
endif # DKIM
describe GOOGLE_GROUPS           Google Groups list mail (confirmed-opt-in)
score    GOOGLE_GROUPS           -2 # 20090527
# undo KHOP_SENDER_BOT + KHOP_NEWSLETTER + KHOP_UNSUB_LINK (0.1+0.7+0.8=1.65)

# __X_IP will throw an 'undefined' if missing, but this avoids tripping over
# the fix at https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5920#c2
meta     KHOP_BUG5920_X_IP       X_IP && GOOGLE_GROUPS && !__X_IP
describe KHOP_BUG5920_X_IP       Undo X_IP for Google Groups
score    KHOP_BUG5920_X_IP       -3 # undoing X_IP's 2.840 1.943 2.744 3.177

#################################
# from khop-blessed channel, http://khopesh.com/Anti-spam#sa-update_channels
# as referenced in my email to sa-users on 2009/10/05

ifplugin Mail::SpamAssassin::Plugin::SPF
#ifplugin Mail::SpamAssassin::Plugin::DKIM # ... not a problem if missing
  meta     __KHOP_NOSPOOF        ALL_TRUSTED || SPF_PASS || DKIM_VERIFIED
  meta     KHOP_RCVD_UNTRUST     !__KHOP_NOSPOOF && __KHOP_DNSWLD
  describe KHOP_RCVD_UNTRUST     DNS-whitelisted sender is not verified
  tflags   KHOP_RCVD_UNTRUST     noautolearn
  score    KHOP_RCVD_UNTRUST     1 # 20090501

  # bump for non-spoofed dns-whitelisted items that aren't already pretty low
  # (similar to KHOP_DNSBL_BUMP in khop-bl)
  meta     KHOP_RCVD_TRUST       __KHOP_NOSPOOF && __KHOP_DNSWLD && (4.3*RCVD_IN_BSP_TRUSTED + 8*RCVD_IN_DNSWL_HI + 1*RCVD_IN_DNSWL_LOW + 4*RCVD_IN_DNSWL_MED + 4*RCVD_IN_IADB_DOPTIN + 6*RCVD_IN_IADB_ML_DOPTIN + 2.2*RCVD_IN_IADB_VOUCHED + 3*RCVD_IN_JMF_W + 3.7*RCVD_IN_SSC_TRUSTED_COI) < 7
  describe KHOP_RCVD_TRUST       DNS-Whitelisted sender is verified
  tflags   KHOP_RCVD_TRUST       nice noautolearn
  score    KHOP_RCVD_TRUST       -2.5 # 20090411
#endif # DKIM
endif # SPF

#################################
# khop-bl channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

# Fight incestuous DNSBLs, posted to sa-users @20090518
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
  meta     KHOP_DNSBL_ADJ        ( 2*RCVD_IN_BL_SPAMCOP_NET + 1.6*RCVD_IN_NJABL_PROXY + 2.7*RCVD_IN_NJABL_RELAY + 2.1*RCVD_IN_NJABL_SPAM + 0.9*RCVD_IN_PBL + 1.6*RCVD_IN_SBL + 3*RCVD_IN_XBL + 0.8*RCVD_IN_SORBS_SOCKS + 1.8*RCVD_IN_PSBL + 1.7*RCVD_IN_JMF_BL + 1.8*RCVD_IN_JMF_BR + 2*RCVD_IN_BRBL_RELAY + 1*RCVD_IN_BRBL_LASTEXT ) > 8
  describe KHOP_DNSBL_ADJ        Undo autokill from DNSBL overlap
  tflags   KHOP_DNSBL_ADJ        nice
  score    KHOP_DNSBL_ADJ        -2.6 # hitting 50% = 10.5 -> 7.9, min=8 -> 5.4
endif # } DNSEval
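
The two Message-Id rules from the attachment above (KB_RATWARE_MSGID and KB_RATWARE_OUTLOOK_08), run over constructed header blocks; this is an added example, not part of the original post or its attachment. It assumes Python's re as a stand-in for SpamAssassin's Perl regex engine and the raw header block as the ALL pseudo-header; the helper names build_headers and rules_hit and all sample values are hypothetical.

```python
import re
from email import message_from_string

# Patterns copied verbatim from the attached rules. Assumption: Python's re
# stands in for SpamAssassin's Perl regex engine.
KB_OUTLOOK_MUA = re.compile(r'^Microsoft (?:Office )?Outlook\b')
KB_MSGID_OUTLOOK_888 = re.compile(r'^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@')
# The rule's /msi flags map to MULTILINE | DOTALL | IGNORECASE.
KB_RATWARE_OUTLOOK_08 = re.compile(
    r'^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}'
    r'boundary="----=_NextPart_000_...._\1\.',
    re.M | re.S | re.I)


def build_headers(msgid_local, boundary_group):
    """Constructed header block (hypothetical helper, not captured mail)."""
    return (
        f"Message-Id: <{msgid_local}@example.test>\n"
        "From: Sender <sender@example.test>\n"
        "To: Recipient <rcpt@example.test>\n"
        "Subject: constructed sample\n"
        "X-Mailer: Microsoft Office Outlook 11\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/alternative;\n"
        f'\tboundary="----=_NextPart_000_0001_{boundary_group}.12345678"\n'
    )


def rules_hit(raw_headers):
    """Return the names of the rules that would fire on this header block."""
    msg = message_from_string(raw_headers)
    hits = set()
    # meta KB_RATWARE_MSGID: both per-header sub-rules must match.
    if (KB_MSGID_OUTLOOK_888.search(msg.get("Message-Id", ""))
            and KB_OUTLOOK_MUA.search(msg.get("X-Mailer", ""))):
        hits.add("KB_RATWARE_MSGID")
    # ALL rule: the backreference \1 requires the 8 hex digits captured from
    # the Message-Id to reappear inside the MIME boundary string.
    if KB_RATWARE_OUTLOOK_08.search(raw_headers):
        hits.add("KB_RATWARE_OUTLOOK_08")
    return hits


if __name__ == "__main__":
    for local, group in [
        ("00001a2b3c4d$0a1b2c3d$0100007f", "1a2b3c4d"),  # group recurs
        ("00001a2b3c4d$0a1b2c3d$0100007f", "5e6f7a8b"),  # group differs
        ("1a2b3c4d$0a1b2c3d$0100007f", "5e6f7a8b"),      # 8$8$8 Message-Id
    ]:
        print(local, group, sorted(rules_hit(build_headers(local, group))))
```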