
svn commit: r1892485 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Sat Aug 21 02:50:31 2021
New Revision: 1892485

URL: http://svn.apache.org/viewvc?rev=1892485&view=rev
Log:
Recognize font tag with negative size as tiny. Lots of low-contrast ham in the masscheck corpora now, retire some poor metas and add some new ones.

Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1892485&r1=1892484&r2=1892485&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Sat Aug 21 02:50:31 2021
@@ -1345,8 +1345,8 @@ body __PASSWORD_EXP_CLUMSY /\bpa
meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)

-meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP
-describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?)
+#meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP
+#describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?)

body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
tflags __ACCESS_SUSPENDED multiple maxhits=2
@@ -1430,9 +1430,11 @@ uri __URI_TLD_MC /\.(?!(
uri __URI_GOOG_MC /(?!(?-i:[Gg]oogle))google/i

rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
-meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE
+rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i
+rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
+meta HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
-score HTML_FONT_TINY_NORDNS 1.500 # limit
+score HTML_FONT_TINY_NORDNS 2.000 # limit

body __BODY_TEXT_LINE /^\s*\S/
tflags __BODY_TEXT_LINE multiple maxhits=3
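Review bot: The __AC_TINY_FONT pattern that this hunk moves here and folds into HTML_FONT_TINY_NORDNS accepts `em` in its unit group, so `font-size: 1em;`, `2em;` or `3em;` — normal or enlarged text — satisfies the "tiny" alternation, and the same alternation is reused by HTML_ENTITY_ASCII_TINY in the later hunk. Dropping em keeps pt/px/% (which really are tiny at 1–3) without that false positive: `rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:p[tx]|%)?(?:\s*!important)?\s*[";]/i`. Separately, __HTML_FONT_TINY_02 only matches size=-2 and below even though the log message says "negative size"; the exclusion of -1 looks deliberate and deserves a comment above the rule, e.g. `# size=-1 deliberately excluded (common in legitimate small print?) — confirm`. The score bump from 1.500 to 2.000 on HTML_FONT_TINY_NORDNS has no note either; a trailing `# widened 2021-08, re-check S/O` would record why.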
@@ -1486,11 +1488,11 @@ body __URI_DBL_PROTO m,\b(?:ht

uri __URI_DOS_FILE /^[A-Z]:\\/i

-meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
-meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
-describe FORM_LOW_CONTRAST Fill in a form with hidden text
-score FORM_LOW_CONTRAST 2.500 # Limit
-tflags FORM_LOW_CONTRAST publish
+#meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
+#meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
+#describe FORM_LOW_CONTRAST Fill in a form with hidden text
+#score FORM_LOW_CONTRAST 2.500 # Limit
+#tflags FORM_LOW_CONTRAST publish


# try to FP-reduce HTML_FONT_LOW_CONTRAST
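Review bot: The commented-out __FORM_LOW_CONTRAST line silently corrects the original's duplicated `__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2` to `SHORT1 || SHORT2`, so the rule as it was actually measured never tested SHORT1, and re-enabling it from this text would bring back a broader, unmeasured rule. A one-line comment above the block would prevent that surprise, e.g. `# retired 2021-08: low-contrast ham in masscheck; NB original had SHORT2 twice, SHORT1 never tested`. The same retirement note is missing from the UPGRADE_MAILBOX, STOCK_LOW_CONTRAST and SINGLETS_LOW_CONTRAST blocks commented out in the other hunks; the log message carries the reason but the file does not.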
@@ -1516,15 +1518,26 @@ meta URI_DOTDOT_LOW_CNTRST HTML_F
describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
score URI_DOTDOT_LOW_CNTRST 2.500 # limit

-meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
-describe STOCK_LOW_CONTRAST Stocks + hidden text
-score STOCK_LOW_CONTRAST 2.500 # limit
-tflags STOCK_LOW_CONTRAST publish
+#meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
+#describe STOCK_LOW_CONTRAST Stocks + hidden text
+#score STOCK_LOW_CONTRAST 2.500 # limit
+#tflags STOCK_LOW_CONTRAST publish

-meta NORDNS_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID
+meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE
+meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID
describe NORDNS_LOW_CONTRAST No rDNS + hidden text
score NORDNS_LOW_CONTRAST 2.500 # limit

+meta __DIRECT_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __DOS_DIRECT_TO_MX_UNTRUSTED
+meta DIRECT_LOW_CONTRAST __DIRECT_LOW_CONTRAST && !ALL_TRUSTED
+describe DIRECT_LOW_CONTRAST Direct-to-MX + hidden text
+score DIRECT_LOW_CONTRAST 2.500 # limit
+
+meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE
+meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED
+describe LONGLN_LOW_CONTRAST Excessively long line + hidden text
+score LONGLN_LOW_CONTRAST 2.500 # limit
+

uri __URI_DOM_DOTDOT m,://[^/]+\.\.,

@@ -2620,9 +2633,9 @@ describe HTML_SINGLET_MANY
score HTML_SINGLET_MANY 2.500 # limit
tflags HTML_SINGLET_MANY publish

-meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
-describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
-tflags SINGLETS_LOW_CONTRAST publish
+#meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
+#describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
+#tflags SINGLETS_LOW_CONTRAST publish

# per users list, 10-11 2014
uri MALWARE_HACKED_URI m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$;
@@ -3121,7 +3134,7 @@ describe HTML_ENTITY_ASCII O
score HTML_ENTITY_ASCII 3.000 # limit
tflags HTML_ENTITY_ASCII publish

-meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01
+meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
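Review bot: HTML_ENTITY_ASCII_TINY is widened on two independent axes in one line — the entity side moves from __HTML_ENTITY_ASCII_MINFP to the broader __HTML_ENTITY_ASCII, and the font side gains __HTML_FONT_TINY_02 and __AC_TINY_FONT — while the rule stays `tflags publish` at score 3.000. Any shift in its masscheck hit rate cannot then be attributed to either change; landing the two separately, or keeping the MINFP variant until the new font patterns have been measured, would make the result readable. At minimum a comment recording the switch would help the next reviewer, e.g. `# 2021-08: uses __HTML_ENTITY_ASCII rather than the _MINFP variant — revisit if FPs appear`.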
@@ -3153,7 +3166,6 @@ describe AC_POST_EXTRAS S
score AC_POST_EXTRAS 2.500 # limit
tflags AC_POST_EXTRAS publish

-rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i