
svn commit: r1914364 - in /spamassassin/trunk: rules/ rulesrc/sandbox/billcole/ rulesrc/sandbox/fanf/ rulesrc/sandbox/gbechis/ rulesrc/sandbox/hege/ rulesrc/sandbox/jhardin/ rulesrc/sandbox/jm/ rulesrc/sandbox/khopesh/ rulesrc/sandbox/kmcgrail/ rulesrc...
Author: hege
Date: Tue Dec 5 14:56:53 2023
New Revision: 1914364

URL: http://svn.apache.org/viewvc?rev=1914364&view=rev
Log:
Fix unnecessary regexp captures from rules

Modified:
spamassassin/trunk/rules/20_head_tests.cf
spamassassin/trunk/rules/20_phrases.cf
spamassassin/trunk/rules/20_ratware.cf
spamassassin/trunk/rules/20_vbounce.cf
spamassassin/trunk/rulesrc/sandbox/billcole/80_test.cf
spamassassin/trunk/rulesrc/sandbox/fanf/30_text.cf
spamassassin/trunk/rulesrc/sandbox/gbechis/20_btc.cf
spamassassin/trunk/rulesrc/sandbox/gbechis/20_misc.cf
spamassassin/trunk/rulesrc/sandbox/gbechis/20_ratware.cf
spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf
spamassassin/trunk/rulesrc/sandbox/jm/20_bug_6000.cf
spamassassin/trunk/rulesrc/sandbox/jm/70_tt_drugs.cf
spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf
spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_ac_rules_test.cf
spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_needed.cf
spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_freshfmb.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf

Modified: spamassassin/trunk/rules/20_head_tests.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_head_tests.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_head_tests.cf (original)
+++ spamassassin/trunk/rules/20_head_tests.cf Tue Dec 5 14:56:53 2023
@@ -69,7 +69,7 @@ describe PLING_QUERY Subject has exclam
header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
describe MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)

-header MSGID_SPAM_LETTERS Message-Id =~ /<[a-z]{5,}\@(\S+\.)+\S+>/
+header MSGID_SPAM_LETTERS Message-Id =~ /<[a-z]{5,}\@(?:\S+\.)+\S+>/
describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)
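Review bot: `(?:\S+\.)+\S+` in MSGID_SPAM_LETTERS still nests a quantifier over a class that itself matches the `.` delimiter, so a long dotted value that ultimately fails to match can be split in many ways before the engine gives up. Message-Id is sender-controlled, so this is worth tightening while the line is being touched; whether Perl's own optimisations already blunt it here is not something the hunk shows. Writing the labels as `(?:[^\s.]+\.)+`, the shape __URI_IMG_FACEBOOK already uses in 20_misc_testing.cf in this commit, removes most of the ambiguity. It would stop matching empty labels such as `a..b`, so it needs a masscheck run rather than being folded into a capture cleanup.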


@@ -421,11 +421,11 @@ header BAD_ENC_HEADER ALL:raw =~ /=\?[.^
describe BAD_ENC_HEADER Message has bad MIME encoding in the header


-header __ML1 Precedence =~ m{\b(list|bulk)\b}i
+header __ML1 Precedence =~ m{\b(?:list|bulk)\b}i
meta __ML2 __HAS_LIST_ID
header __ML3 exists:List-Post
header __ML4 exists:Mailing-List
-header __ML5 Return-Path:addr =~ m{^([^\@]+-(request|bounces|admin|owner)|owner-[^\@]+)(\@|\z)}i
+header __ML5 Return-Path:addr =~ m{^(?:[^\@]+-(?:request|bounces|admin|owner)|owner-[^\@]+)(?:\@|\z)}i
meta __VIA_ML __ML1 || __ML2 || __ML3 || __ML4 || __ML5
describe __VIA_ML Mail from a mailing list


Modified: spamassassin/trunk/rules/20_phrases.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_phrases.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_phrases.cf (original)
+++ spamassassin/trunk/rules/20_phrases.cf Tue Dec 5 14:56:53 2023
@@ -108,7 +108,7 @@ describe MONEY_BACK Money ba
body FREE_QUOTE_INSTANT /free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote/i
describe FREE_QUOTE_INSTANT Free express or no-obligation quote

-body BAD_CREDIT /\b((?:bad|poor|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)|no credit (?:check|histor|need))/i
+body BAD_CREDIT /\b(?:(?:bad|poor|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)|no credit (?:check|histor|need))/i
describe BAD_CREDIT Eliminate Bad Credit



Modified: spamassassin/trunk/rules/20_ratware.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_ratware.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_ratware.cf (original)
+++ spamassassin/trunk/rules/20_ratware.cf Tue Dec 5 14:56:53 2023
@@ -270,7 +270,7 @@ describe X_MESSAGE_INFO Bulk email fing

# case-sensitive rule
# only significant rules with no FPs, hit recently, on 2+ corpuses
-header HEADER_SPAM ALL =~ /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m
+header HEADER_SPAM ALL =~ /^(?:Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m
describe HEADER_SPAM Bulk email fingerprint (header-based) found

header RATWARE_RCVD_PF Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s

Modified: spamassassin/trunk/rules/20_vbounce.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_vbounce.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_vbounce.cf (original)
+++ spamassassin/trunk/rules/20_vbounce.cf Tue Dec 5 14:56:53 2023
@@ -129,7 +129,7 @@ header __BOUNCE_INTERSCAN From =~ /\bI

body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./

-header __BOUNCE_AUTO_REPLY Subject =~ /\b(automatic reply|AutoReply)\b/
+header __BOUNCE_AUTO_REPLY Subject =~ /\b(?:automatic reply|AutoReply)\b/

meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && !OOOBOUNCE_MESSAGE && !__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY)

@@ -246,7 +246,7 @@ body __VBOUNCE_MAILSWEEP /MAILsweeper
header __VBOUNCE_SCREENSAVER Subject =~ /\b(?:Re: ?)Wicked screensaver\b/i
header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/
header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/
-header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i
+header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(?:es)? detected/i
header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i
header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i
header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i
@@ -273,7 +273,7 @@ header __VBOUNCE_RAV Subject =~ /^RAV An
body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|the infected attachment)/
# Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages.

-body __VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i
+body __VBOUNCE_AVREPORT0 /(?:antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i
header __VBOUNCE_SENDER Subject =~ /^Virus to sender/
body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i


Modified: spamassassin/trunk/rulesrc/sandbox/billcole/80_test.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/billcole/80_test.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/billcole/80_test.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/billcole/80_test.cf Tue Dec 5 14:56:53 2023
@@ -9,11 +9,11 @@ rawbody __HAS_HREF /^[^>].*?<a href=/im
tflags __HAS_HREF multiple maxhits=100

describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
-rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m
+rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(?:img src|IMG SRC)=/m
tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100

describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
-rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
+rawbody __HAS_HREF_ONECASE /^[^>].*?<(?:a href|A HREF)=/m
tflags __HAS_HREF_ONECASE multiple maxhits=100

describe __MIXED_IMG_CASE Has img tags with mixed-up cases in non-quoted lines
@@ -46,7 +46,7 @@ header SCC_ODD_MUA X-Mailer =~ /^X-M


describe SCC_SPECIAL_GUID Unique in a similar way
-rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m
+rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m
tflags SCC_SPECIAL_GUID publish multiple maxhits=15

describe __NO_EXTERNALS No external relays
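Review bot: SCC_SPECIAL_GUID is the one rule in this hunk whose capture is load-bearing, and the renumbering from `\3` to `\1` stays correct only as long as nobody adds a group ahead of it. A comment above the rule would record that, for example `# \1 is the 3-hex-digit third field, which must repeat as the fourth`. A relative reference, `\g{-1}`, would also survive later edits, provided the project's minimum Perl version allows it.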
@@ -57,7 +57,7 @@ meta ALL_INTERNAL __NO_EXTERNALS &&
tflags ALL_INTERNAL nice

describe SCC_NEWBIE_HASBEENS Abused gTLDs seen in spam from Google Apps.
-header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(today|online|monster)/
+header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(?:today|online|monster)/

describe __SCC_HTML_OBJOBJ Contains an object
rawbody __SCC_HTML_OBJOBJ /< *object +\w{65,80} *>/
@@ -73,7 +73,7 @@ tflags SCC_ISEMM_LID_1A publish
score SCC_ISEMM_LID_1A 3.5

describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
-header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/
+header SCC_ISEMM_LID_1B X-Mailer-LID =~ /(?:[56][0-9],)+/
tflags SCC_ISEMM_LID_1B publish
score SCC_ISEMM_LID_1B 1.5

@@ -167,7 +167,7 @@ tflags SCC_CTMPP publish
endif

describe __SCC_MIME_BOUNDARY2 Idiosyncratic boundary-like string
-rawbody __SCC_MIME_BOUNDARY2 /^ *(----[[:alnum:]]{8};[[:alnum:]]{6}){2}$/m
+rawbody __SCC_MIME_BOUNDARY2 /^ *(?:----[[:alnum:]]{8};[[:alnum:]]{6}){2}$/m
tflags __SCC_MIME_BOUNDARY2 multiple maxhits=7


@@ -175,7 +175,7 @@ describe SCC_MIME_BOUNDARY2 Fake boundar
meta SCC_MIME_BOUNDARY2 __SCC_MIME_BOUNDARY2 > 5

describe HTML_BADATTR Illegal char in HTML attribute name
-rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/
+rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/
score HTML_BADATTR 1
tflags HTML_BADATTR publish


Modified: spamassassin/trunk/rulesrc/sandbox/fanf/30_text.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/fanf/30_text.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/fanf/30_text.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/fanf/30_text.cf Tue Dec 5 14:56:53 2023
@@ -1,7 +1,7 @@
# bits of text from spam

-body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
-body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
+body SHORT_TERM_PRICE /short\W+term\W+(?:target|projected)(?:\W+price)?/i
+body LONG_TERM_PRICE /long\W+term\W+(?:target|projected)(?:\W+price)?/i
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)

rawbody IMG_ALT_BRACKETS /^<img src="cid:7\.1\.0\.9\.[^"]+\.0" width=\d+ height=\d+ alt="[[][]]">/

Modified: spamassassin/trunk/rulesrc/sandbox/gbechis/20_btc.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/gbechis/20_btc.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/gbechis/20_btc.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/gbechis/20_btc.cf Tue Dec 5 14:56:53 2023
@@ -9,7 +9,7 @@ body __COPY_PASTE_ES /copiarlo
meta __GB_BITCOIN_CP_ES ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_ES )
describe __GB_BITCOIN_CP_ES Spanish Bitcoin scam

-body __COPY_PASTE_FR /le copier (et le|\+) coller/i
+body __COPY_PASTE_FR /le copier (?:et le|\+) coller/i
meta __GB_BITCOIN_CP_FR ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_FR )
describe __GB_BITCOIN_CP_FR French Bitcoin scam

@@ -17,12 +17,12 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
replace_rules __COPY_PASTE_EN
else
- body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
+ body __COPY_PASTE_EN /Copy (?:and|\+|\&) paste/i
endif
meta __GB_BITCOIN_CP_EN ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_EN )
describe __GB_BITCOIN_CP_EN English Bitcoin scam

-body __COPY_PASTE_IT /copia(r?)lo (e|\&) incolla(r?)lo/i
+body __COPY_PASTE_IT /copiar?lo (?:e|\&) incollar?lo/i
meta __GB_BITCOIN_CP_IT ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_IT )
describe __GB_BITCOIN_CP_IT Italian Bitcoin scam

@@ -38,7 +38,7 @@ meta GB_BITCOIN_CP ( __GB_BIT
describe GB_BITCOIN_CP Localized Bitcoin scam
score GB_BITCOIN_CP 3.0 # limit

-body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i
+body __NEVER_HEAR_EN /(?:never hear me again|destroy all your secrets|not bother you again|leave you alone)/i
body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i
meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) )
describe GB_BITCOIN_NH Localized Bitcoin scam

Modified: spamassassin/trunk/rulesrc/sandbox/gbechis/20_misc.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/gbechis/20_misc.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/gbechis/20_misc.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/gbechis/20_misc.cf Tue Dec 5 14:56:53 2023
@@ -2,22 +2,22 @@
# meta GB_MALWARE_DROPBOX_JAR_URI ( __MALWARE_DROPBOX_JAR_URI && (HTML_SHORT_LINK_IMG_1 || HTML_SHORT_LINK_IMG_2 || HTML_SHORT_LINK_IMG_3) )
# describe GB_MALWARE_DROPBOX_JAR_URI Dropbox that forces user to download jar file

-uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
+uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/
describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
score GB_GOOGLE_OBFUR 0.75 # limit
tflags GB_GOOGLE_OBFUR publish

-uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/
+uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.[a-z]{2,3}\/search\?ei=.{1,50}\&gs_l=.{1,20}/
describe GB_GOOGLE_OBFUS Obfuscate url through Google search
score GB_GOOGLE_OBFUS 0.75 # limit
#tflags GB_GOOGLE_OBFUS publish

-uri GB_GOOGLE_OBFUQ /^https:\/\/www\.google\.([a-z]{2,3})\/url\?q=.{1,50}\&sa=D&Xh=Gd&usg=/
+uri GB_GOOGLE_OBFUQ /^https:\/\/www\.google\.[a-z]{2,3}\/url\?q=.{1,50}\&sa=D&Xh=Gd&usg=/
describe GB_GOOGLE_OBFUQ Obfuscate url through Google search
score GB_GOOGLE_OBFUQ 0.75 # limit
#tflags GB_GOOGLE_OBFUQ publish

-uri GB_GOOGLE_TRANSL /^https?:\/\/.{10,64}\-(ipfs|xn\-)\-.{2,20}\.translate\.goog\/.{4}\//
+uri GB_GOOGLE_TRANSL /^https?:\/\/.{10,64}\-(?:ipfs|xn\-)\-.{2,20}\.translate\.goog\/.{4}\//
describe GB_GOOGLE_TRANSL Obfuscate url through Google Translate
score GB_GOOGLE_TRANSL 0.75 # limit
#tflags GB_GOOGLE_TRANSL publish
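Review bot: In GB_GOOGLE_OBFUR the rewrite leaves `cd=(?:[0-9])*`, a group around a single character class, where `cd=[0-9]*` says the same thing. The next hunk does the same with `(?:[a-z]){2}` in __SENDINBLUE_REDIR, which can be `[a-z]{2}`. The trailing `(?:&usg=.{1,50})?` on GB_GOOGLE_OBFUR is optional and comes last in a pattern with no end anchor, so it cannot change whether the rule hits. It could be dropped, or made mandatory if the `usg` parameter is meant to be part of the signature.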
@@ -60,7 +60,7 @@ meta GB_PAYPAL_IMG_NOT_RCVD_PAYP
describe GB_PAYPAL_IMG_NOT_RCVD_PAYP Paypal hosted image but message not from Paypal
score GB_PAYPAL_IMG_NOT_RCVD_PAYP 2.500 # limit

-uri __SENDINBLUE_REDIR m~://.{4,5}\.r\.a[a-z]?\.d\.sendibm[0-9]\.com/mk/([a-z]){2}/~
+uri __SENDINBLUE_REDIR m~://.{4,5}\.r\.a[a-z]?\.d\.sendibm[0-9]\.com/mk/(?:[a-z]){2}/~
meta SENDINBLUE_REDIR __SENDINBLUE_REDIR && !MIME_HTML_MOSTLY && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION
describe SENDINBLUE_REDIR Redirect URI via Sendinblue
score SENDINBLUE_REDIR 2.000 # limit
@@ -72,7 +72,7 @@ describe SENDINBLUE_REDIR_PHISH
score SENDINBLUE_REDIR_PHISH 3.500 # limit
# tflags SENDINBLUE_REDIR_PHISH publish

-header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
+header __GB_FAKE_RF Subject =~ /(?:Fw|Re)\:{1,2}[\W+]/i
meta GB_FAKE_RF ( ! __THREADED && ! MAILING_LIST_MULTI && __GB_FAKE_RF )
describe GB_FAKE_RF Fake reply
score GB_FAKE_RF 1.000 # limit
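Review bot: __GB_FAKE_RF is still unanchored, so under `/i` the `(?:Fw|Re)\:` part also matches the tail of ordinary words before a colon, such as a Subject beginning `Hardware: ` or `Store: `. A leading word boundary, `/\b(?:Fw|Re):{1,2}\W/i`, would keep it to real reply and forward prefixes. `[\W+]` is equivalent to `\W` because `+` is already a non-word character. This changes what the rule hits, so it would need a masscheck run of its own rather than riding along with this cleanup.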

Modified: spamassassin/trunk/rulesrc/sandbox/gbechis/20_ratware.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/gbechis/20_ratware.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/gbechis/20_ratware.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/gbechis/20_ratware.cf Tue Dec 5 14:56:53 2023
@@ -1,4 +1,4 @@
-header GB_FORGED_MUA_TBIRD User-Agent =~ /^User-Agent\: Mozilla\/(.*) Thunderbird/
+header GB_FORGED_MUA_TBIRD User-Agent =~ /^User-Agent\: Mozilla\/.* Thunderbird/
describe GB_FORGED_MUA_TBIRD Forged Thunderbird Mua

header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/
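Review bot: GB_FORGED_MUA_TBIRD tests the User-Agent header, yet its pattern begins with `^User-Agent\: `. A header rule is matched against the header's value, so this can hit only when the value itself repeats the header name. That may well be the forgery signature the rule is after, but nothing on the line says so, and a later cleanup could remove the prefix as an apparent mistake. A comment such as `# value itself starts with a second "User-Agent: " - deliberate` would settle it. If it is not deliberate, the rule never fires on an ordinary Thunderbird header and the prefix should go.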

Modified: spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/hege/20_hk.cf Tue Dec 5 14:56:53 2023
@@ -118,7 +118,7 @@ tflags HK_RANDOM_REPLYTO publish
#header HK_RANDOM_REPLYTO_NAME Reply-To:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
#describe HK_RANDOM_REPLYTO_NAME Reply-To name looks random

-header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
+header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
score HK_NAME_DRUGS 2


Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_lotsa_money.cf Tue Dec 5 14:56:53 2023
@@ -162,7 +162,7 @@ describe MONEY_LOTTERY Lots of money

body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
-body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
+body __IS_LEGAL /\b(?:(?:(?:this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Tue Dec 5 14:56:53 2023
@@ -1342,7 +1342,7 @@ body __WEBMAIL_ACCT /\byour
body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
tflags __CLEAN_MAILBOX multiple maxhits=2
-body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
+body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (?:\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
tflags __VALIDATE_MAILBOX multiple maxhits=2
body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:
be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
@@ -1869,7 +1869,7 @@ body __PUMPDUMP_04 /\bmake yo
body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
-body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i
+body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i
body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
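Review bot: The __PUMPDUMP_08 line is a behaviour change, not a capture removal. The old `\b?(:sto[ck]{2}|sotk)` had a misplaced `?` and so required a literal `:` before the first alternative, while the new `\b(?:sto[ck]{2}|sotk)` matches plain `stock of the year` for the first time. The fix looks right, but the rule feeds __PD_CNT_1 and the log message mentions only capture removal, so the shift in hit rate will be hard to trace later. I would note it in the log or add `# typo'd (?: group fixed in r1914364; expect more hits` above the rule, and check the next masscheck results for __PD_CNT_1.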
@@ -2252,7 +2252,7 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
replace_rules __YOUR_ONAN
body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
replace_rules __YOUR_PERSONAL
- body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
+ body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(?:\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
replace_rules __HOURS_DEADLINE
body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
replace_rules __EXPLOSIVE_DEVICE
@@ -2264,7 +2264,7 @@ else
body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
- body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
+ body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(?:\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
endif
meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3
@@ -3333,7 +3333,7 @@ describe TAGSTAT_IMG_NOT_RCVD_TGST T
tflags TAGSTAT_IMG_NOT_RCVD_TGST publish

header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/
-uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
+uri __URI_IMG_FACEBOOK m;://(?:[^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i

meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK
meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP
@@ -3521,7 +3521,7 @@ body __MAKE_XTRA_DOLLAR /
body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
body __PASSIVE_INCOME /\bpassive income\b/i
body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
-body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
+body __TRANSFORM_LIFE /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i
body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i

@@ -4029,7 +4029,7 @@ tflags URI_LONG_REPEAT p
body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i
score READY_TO_SHIP 1.250 # limit

-body WANT_TO_ORDER /you(?:'d)? (?:(?:would )?like|want|(?:are |(?:would )?be )?interested|need|wish)(?: to| in)? (?:plac(?:e|ing) an order|order(?:ing)? (?:for )?(?:this|it|now|today|our \w+)|(?:(?:tak|receiv)(e|ing)|pick up) (?:one (?:o[rt] two )?(?:\w+ ){0,2}|this (?:item|product) |some )(?:today|now|of our))\b/i
+body WANT_TO_ORDER /you(?:'d)? (?:(?:would )?like|want|(?:are |(?:would )?be )?interested|need|wish)(?: to| in)? (?:plac(?:e|ing) an order|order(?:ing)? (?:for )?(?:this|it|now|today|our \w+)|(?:(?:tak|receiv)(?:e|ing)|pick up) (?:one (?:o[rt] two )?(?:\w+ ){0,2}|this (?:item|product) |some )(?:today|now|of our))\b/i
score WANT_TO_ORDER 2.750 # limit

body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific |exact )?(?:(?:delivery |shipping |mailing |shipment |receiving )?(?:address|location)(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))|(?:provide|give) us (?:with |details of )(?:the |your )?address,? (?:and )?we will contact (?:the )?(?:warehouse|logistics|storage(?: facility))|your (?:mailing|shipping) address to (?:arrange|set ?up) (?:shipment|delivery) (?:(?:for|to) you|of th)/i
@@ -4040,7 +4040,7 @@ meta NEW_PRODUCTS _
score NEW_PRODUCTS 1.250 # limit
tflags NEW_PRODUCTS publish

-body DETAILS_OF_PRODUCT /(?:Please|kindly) (?:see|refer to|check(?: out)?) the (?:details of the product|(?:detailed |complete |specific )?product (?:details|information)) (below|following|that follow|in detail)|the following (?:(?:is the )?(?:detailed )?product information|is a brief introduction to (?:\w+\s){0,5}this product)|\bhere (is|are) some basic information about this|you can (?:\w+ )?understand our product|take a look at this product|interested in learning about (?:this|our product)|grasp our (?:product|goods)|details can be checked below|(?:provide|present) you \w+ the product(?:[-\s]specific)? (?:details|information)/i
+body DETAILS_OF_PRODUCT /(?:Please|kindly) (?:see|refer to|check(?: out)?) the (?:details of the product|(?:detailed |complete |specific )?product (?:details|information)) (?:below|following|that follow|in detail)|the following (?:(?:is the )?(?:detailed )?product information|is a brief introduction to (?:\w+\s){0,5}this product)|\bhere (?:is|are) some basic information about this|you can (?:\w+ )?understand our product|take a look at this product|interested in learning about (?:this|our product)|grasp our (?:product|goods)|details can be checked below|(?:provide|present) you \w+ the product(?:[-\s]specific)? (?:details|information)/i
score DETAILS_OF_PRODUCT 1.250 # limit

# Don't joe-job a SA dev's wife

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_tbird_image_spam.cf Tue Dec 5 14:56:53 2023
@@ -8,7 +8,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIM
mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i
endif

-header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/
+header __MUA_TBIRD User-Agent =~ /^Mozilla\/.* Thunderbird/
header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/

meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D

Modified: spamassassin/trunk/rulesrc/sandbox/jm/20_bug_6000.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jm/20_bug_6000.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jm/20_bug_6000.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jm/20_bug_6000.cf Tue Dec 5 14:56:53 2023
@@ -1,5 +1,5 @@

-body __KAM_LOTTO1_BUG6000 /(e-?mail[- ](address|ID) (have emerged a winner|attached to (ticket|reference)|was one of the ten winners)|random selection in our computerized email selection system|was selected online)/is
+body __KAM_LOTTO1_BUG6000 /(?:e-?mail[- ](?:address|ID) (?:have emerged a winner|attached to (?:ticket|reference)|was one of the ten winners)|random selection in our computerized email selection system|was selected online)/is

-body __KAM_LOTTO5_BUG6000 /(affiliated office of |freelotto (affiliated|group)|Royal Heritage Lottery|UK National (Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|International Lottery)/is
+body __KAM_LOTTO5_BUG6000 /(?:affiliated office of |freelotto (?:affiliated|group)|Royal Heritage Lottery|UK National (?:Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|International Lottery)/is
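Review bot: In `__KAM_LOTTO5_BUG6000` the branch `UK National (?:Online)? Lottery` keeps a literal space on both sides of the optional word, so plain "UK National Lottery" only matches when written with two spaces. `UK National (?:Online )?Lottery` covers both forms. The outer `(?:...)` wrapping each pattern is redundant now that it no longer captures, and the `s` modifier has no effect because neither pattern contains an unescaped `.`. Both could be dropped here and in `__KAM_LOTTO2` in 20_needed.cf.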


Modified: spamassassin/trunk/rulesrc/sandbox/jm/70_tt_drugs.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jm/70_tt_drugs.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jm/70_tt_drugs.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jm/70_tt_drugs.cf Tue Dec 5 14:56:53 2023
@@ -9,19 +9,19 @@
# obscuring punctuation = [:^."%()*\[\\]

header __TT_VIAGRA Subject =~ /VIAGRA/i
-header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
+header __TT_OBSCURED_VIAGRA Subject =~ /(?:v|V|\\\/)(?:i|I|1|\xef|\|)(?:a|A|\(a\)|4|@)(?:g|G)(?:r|R)(?:a|A|\(a\)|4|@)/
header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject

header __TT_XANAX Subject =~ /XANAX/i
-header __TT_OBSCURED_XANAX Subject =~ /(x|X|><)(a|A|\(a\)|4|@)(n|N)(a|A|\(a\)|4|@)(x|X|><)/
+header __TT_OBSCURED_XANAX Subject =~ /(?:x|X|><)(?:a|A|\(a\)|4|@)(?:n|N)(?:a|A|\(a\)|4|@)(?:x|X|><)/
header __TT_BROKEN_XANAX Subject =~ /X[:^."%()*\[\\]?A[:^."%()*\[\\]?N[:^."%()*\[\\]?A[:^."%()*\[\\]?X/i
meta TT_OBSCURED_XANAX ( __TT_BROKEN_XANAX || __TT_OBSCURED_XANAX ) && ! __TT_XANAX
describe TT_OBSCURED_XANAX Scora: obscured "XANAX" in subject

header __TT_VALIUM Subject =~ /VALIUM/i
-header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
+header __TT_OBSCURED_VALIUM Subject =~ /(?:v|V|\\\/)(?:a|A|\(a\)|4|@)(?:l|L|\|)(?:i|I|1|\xef|\|)(?:u|U|\(u\))(?:m|M)/
header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
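Review bot: The single-character alternations in the three `__TT_OBSCURED_*` rules would be more compact and easier to audit as character classes, for example `(?:v|V|\\\/)` as `(?:[vV]|\\\/)`, `(?:g|G)` as `[gG]` and `(?:i|I|1|\xef|\|)` as `[iI1\xef|]`. Separately, `\xef` is a single byte, and whether it still matches an obfuscating "ï" depends on how the Subject header is decoded before header rules run, which this hunk does not show. A comment naming the expected encoding, or a test message, would settle that.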

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf Tue Dec 5 14:56:53 2023
@@ -48,7 +48,7 @@ describe DEAR_NOBODY Message contains De
# 0.0138/0.0084 spam/ham, 0.620 s/o @ 20100424 net. oof, score 1.25->0.001

uri __FORGED_URL_DOM_1 m'https?://[^/?:\#]{0,99}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.\w[^/?:\#\s]{4}'i
-rawbody __FORGED_URL_DOM_2 m'(^|\W)https?://[^/?:\#]{0,99}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.\w[^/?:\#\s]{5}'i
+rawbody __FORGED_URL_DOM_2 m'(?:^|\W)https?://[^/?:\#]{0,99}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.\w[^/?:\#\s]{5}'i
meta FORGED_URL_DOM __FORGED_URL_DOM_1 || __FORGED_URL_DOM_2
describe FORGED_URL_DOM Link domain has a TLD as a subdomain
#score FORGED_URL_DOM 0.1 # 200904
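Review bot: `__FORGED_URL_DOM_2` runs on rawbody, yet its host part `[^/?:\#]{0,99}` does not exclude whitespace, although the trailing class `[^/?:\#\s]{5}` does. As written, the match can start at one URL and run across up to 99 characters of ordinary text to an unrelated `.com.` later on the same line, which would be a false positive for "TLD as a subdomain". Adding `\s` to the first class, `[^/?:\#\s]{0,99}`, keeps the match inside a single token. The sibling `__FORGED_URL_DOM_1` is a uri rule and presumably only sees one extracted URI at a time, so it is less exposed.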

Modified: spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_ac_rules_test.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_ac_rules_test.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_ac_rules_test.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_ac_rules_test.cf Tue Dec 5 14:56:53 2023
@@ -41,7 +41,7 @@ uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9
# http://courtdays.bolorn.net/php/off/97.25/sub/
uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\//
# http://www.shoosecalehhd.us/3345/174/380/1411/2938.11tt1747757AAF11.php
-uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/
+uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/
# http://www.chubbydiet.biz/11VP6856DOBTTT53RYM380F1073AHG1687LCS12K1907471II3470154694.php
uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/
# http://www.losefast.us/1a83066009e4c6a4463ef4bb01/C/
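Review bot: The `__AC_NUMS_URI` line changes what the rule matches, not just what it captures. The old `(:?php|html)` was a capturing group whose first branch accepted an optional literal colon before `php`, and the new `(?:php|html)` no longer does. Judging by the example URL in the comment above the rule, the new form is the intended one. Since the log message mentions only capture removal, a short comment such as `# r1914364: fixed "(:?" typo, ".:php" no longer matches` would record the difference.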

Modified: spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_needed.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_needed.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_needed.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/kmcgrail/20_needed.cf Tue Dec 5 14:56:53 2023
@@ -24,5 +24,5 @@
###########################################################################

#LOTTO CRUD
-body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
+body __KAM_LOTTO2 /(?:(?:ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is


Modified: spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/10_menaces.cf Tue Dec 5 14:56:53 2023
@@ -17,7 +17,7 @@ meta SPOOF_GMAIL_MID SPOOFED_FREEMAI
score SPOOF_GMAIL_MID 1.5
describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...

-header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i
+header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:mta|mail|mx|smtp)\b\S* /i

meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
score PDS_RDNS_DYNAMIC_FP 0.01
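Review bot: In `__PDS_RDNS_MTA` the `\b` directly after `(?:mta|mail|mx|smtp)` rejects numbered relay names such as `mx1.` or `smtp2.`, because a letter followed by a digit is not a word boundary. Any label that merely ends in one of those words still matches. If numbered MTA hostnames should count, `(?:mta|mail|mx|smtp)\d*\b` covers them. The effect on `PDS_RDNS_DYNAMIC_FP` is worth confirming in a mass-check before changing it.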
@@ -79,7 +79,7 @@ describe FROM_2_EMAILS_SHORT Short body
score FROM_2_EMAILS_SHORT 3.0 # limit
reuse FROM_2_EMAILS_SHORT

-body __PDS_BODY_QUOTE / [\w\s,\.]+ - ([A-Z][a-z'\.]+ ?){1,4}/
+body __PDS_BODY_QUOTE / [\w\s,\.]+ - (?:[A-Z][a-z'\.]+ ?){1,4}/
header __PDS_SUBJECT_QUOTE Subject =~ /\bquotes?\b/i

meta SHORT_BODY_QUOTE __PDS_SUBJECT_QUOTE && __PDS_BODY_QUOTE && __KAM_BODY_LENGTH_LT_256

Modified: spamassassin/trunk/rulesrc/sandbox/pds/20_freshfmb.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_freshfmb.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_freshfmb.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_freshfmb.cf Tue Dec 5 14:56:53 2023
@@ -1,6 +1,6 @@
-header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
+header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i

-header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
+header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i

meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY
describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link

Modified: spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf?rev=1914364&r1=1914363&r2=1914364&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf Tue Dec 5 14:56:53 2023
@@ -122,7 +122,7 @@ describe VPS_NO_NTLD vps[0-9] domain at
score VPS_NO_NTLD 1.0 # limit
reuse VPS_NO_NTLD

-body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i
+body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i

meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
@@ -134,7 +134,7 @@ meta SENT_TO_EMAIL_ADDR __FROM_ADDRL
describe SENT_TO_EMAIL_ADDR Email was sent to email address
score SENT_TO_EMAIL_ADDR 2.0 # limit

-body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
+body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i

meta SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money