Author: quinlan
Date: Sun May 8 21:50:39 2005
New Revision: 169234
URL: http://svn.apache.org/viewcvs?rev=169234&view=rev
Log:
various rule promotions and deletions
Modified:
spamassassin/trunk/rules/20_html_tests.cf
spamassassin/trunk/rules/20_uri_tests.cf
spamassassin/trunk/rules/50_scores.cf
spamassassin/trunk/rules/70_testing.cf
Modified: spamassassin/trunk/rules/20_html_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_html_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_html_tests.cf (original)
+++ spamassassin/trunk/rules/20_html_tests.cf Sun May 8 21:50:39 2005
@@ -344,3 +344,6 @@
rawbody HTML_EHTML2 m'</html></html>'i
describe HTML_EHTML2 HTML has doubled end HTML tag
+# bug 3070
+rawbody HTML_TINY_FONT /\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i
+describe HTML_TINY_FONT body contains 1 or 0-point font
Modified: spamassassin/trunk/rules/20_uri_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_uri_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_uri_tests.cf (original)
+++ spamassassin/trunk/rules/20_uri_tests.cf Sun May 8 21:50:39 2005
@@ -165,3 +165,7 @@
# bug 678
uri DOMAIN_4U2 /[\@\.]\S{0,20}(?:[^0-9][42](?:yo)?u|for-*you)(?:[.-]\S{1,20})?\.(?:net|com|org|info)\b/
describe DOMAIN_4U2 Domain name containing a "4u" variant
+
+# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
+# not expecting any hits on this (yet)
+uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
Modified: spamassassin/trunk/rules/50_scores.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/50_scores.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/50_scores.cf (original)
+++ spamassassin/trunk/rules/50_scores.cf Sun May 8 21:50:39 2005
@@ -560,8 +560,9 @@
score GTUBE 1000.000
# we dare you
-score HEAD_LONG 2.5
score FRAGMENTED_MESSAGE 2.5
+score HEAD_LONG 2.5
+score HIGH_CODEPAGE_URI 2.5
score MISSING_HB_SEP 2.5
# HTML control test
Modified: spamassassin/trunk/rules/70_testing.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/70_testing.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/70_testing.cf (original)
+++ spamassassin/trunk/rules/70_testing.cf Sun May 8 21:50:39 2005
@@ -36,19 +36,9 @@
##########################################################################
-# 1.972 2.4562 0.2249 0.916 0.64 0.01 T_NORMAL_HTTP_TO_IP
-body T_NORMAL_HTTP_TO_IP eval:check_numeric_http()
-
# this doesn't hit a lot, but it's a definite obfuscation technique
uri T_HTTP_BAD_HOST_CHAR m@^https?://[^/]*[\000-\037\200-\377]@i
-# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
-# not expecting any hits on this (yet)
-uri T_HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
-
-header T_OBSOLETE_WS_FOLDING eval:check_msg_parse_flags('obsolete_folding_whitespace')
-describe T_OBSOLETE_WS_FOLDING Header uses obsolete whitespace folding method
-
########################################################################
# TVD: these should just get turned into obfu/int rules ala above
@@ -299,26 +289,6 @@
header T_HELO_DYNAMIC_HOME_NL X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i
########################################################################
-
-# bug 3661
-body T_HTML_INVIS_SPAN eval:html_test('span_invisible')
-body T_HTML_INVIS_TEXT eval:html_test('invisible_text')
-
-# another
-body T_HTML_DISPLAY_NONE eval:html_test('display_none')
-describe T_HTML_DISPLAY_NONE CSS style contains "display:none"
-
-body T_HTML_IMG_DISPLAY_NONE eval:html_test('img_display_none')
-describe T_HTML_IMG_DISPLAY_NONE image CSS style contains "display:none"
-
-# bug 3070
-# this might have high overlap with other rules, double-check
-# before promoting
-rawbody T_TINY_FONT_1 /\<.*font\-size\:[ \"]*1[^0-9]+.*\>/i
-describe T_TINY_FONT_1 body contains 1-point font
-
-rawbody T_TINY_FONT_0 /\<.*font\-size\:[ \"]*0[^0-9]+.*\>/i
-describe T_TINY_FONT_0 body contains 0-point font
uri T_HEX_ENCODED_HTTP_1 /(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i
rawbody T_HEX_ENCODED_HTTP_2 /(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i
Date: Sun May 8 21:50:39 2005
New Revision: 169234
URL: http://svn.apache.org/viewcvs?rev=169234&view=rev
Log:
various rule promotions and deletions
Modified:
spamassassin/trunk/rules/20_html_tests.cf
spamassassin/trunk/rules/20_uri_tests.cf
spamassassin/trunk/rules/50_scores.cf
spamassassin/trunk/rules/70_testing.cf
Modified: spamassassin/trunk/rules/20_html_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_html_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_html_tests.cf (original)
+++ spamassassin/trunk/rules/20_html_tests.cf Sun May 8 21:50:39 2005
@@ -344,3 +344,6 @@
rawbody HTML_EHTML2 m'</html></html>'i
describe HTML_EHTML2 HTML has doubled end HTML tag
+# bug 3070
+rawbody HTML_TINY_FONT /\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i
+describe HTML_TINY_FONT body contains 1 or 0-point font
Modified: spamassassin/trunk/rules/20_uri_tests.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/20_uri_tests.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/20_uri_tests.cf (original)
+++ spamassassin/trunk/rules/20_uri_tests.cf Sun May 8 21:50:39 2005
@@ -165,3 +165,7 @@
# bug 678
uri DOMAIN_4U2 /[\@\.]\S{0,20}(?:[^0-9][42](?:yo)?u|for-*you)(?:[.-]\S{1,20})?\.(?:net|com|org|info)\b/
describe DOMAIN_4U2 Domain name containing a "4u" variant
+
+# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
+# not expecting any hits on this (yet)
+uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
Modified: spamassassin/trunk/rules/50_scores.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/50_scores.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/50_scores.cf (original)
+++ spamassassin/trunk/rules/50_scores.cf Sun May 8 21:50:39 2005
@@ -560,8 +560,9 @@
score GTUBE 1000.000
# we dare you
-score HEAD_LONG 2.5
score FRAGMENTED_MESSAGE 2.5
+score HEAD_LONG 2.5
+score HIGH_CODEPAGE_URI 2.5
score MISSING_HB_SEP 2.5
# HTML control test
Modified: spamassassin/trunk/rules/70_testing.cf
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/rules/70_testing.cf?rev=169234&r1=169233&r2=169234&view=diff
==============================================================================
--- spamassassin/trunk/rules/70_testing.cf (original)
+++ spamassassin/trunk/rules/70_testing.cf Sun May 8 21:50:39 2005
@@ -36,19 +36,9 @@
##########################################################################
-# 1.972 2.4562 0.2249 0.916 0.64 0.01 T_NORMAL_HTTP_TO_IP
-body T_NORMAL_HTTP_TO_IP eval:check_numeric_http()
-
# this doesn't hit a lot, but it's a definite obfuscation technique
uri T_HTTP_BAD_HOST_CHAR m@^https?://[^/]*[\000-\037\200-\377]@i
-# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
-# not expecting any hits on this (yet)
-uri T_HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
-
-header T_OBSOLETE_WS_FOLDING eval:check_msg_parse_flags('obsolete_folding_whitespace')
-describe T_OBSOLETE_WS_FOLDING Header uses obsolete whitespace folding method
-
########################################################################
# TVD: these should just get turned into obfu/int rules ala above
@@ -299,26 +289,6 @@
header T_HELO_DYNAMIC_HOME_NL X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i
########################################################################
-
-# bug 3661
-body T_HTML_INVIS_SPAN eval:html_test('span_invisible')
-body T_HTML_INVIS_TEXT eval:html_test('invisible_text')
-
-# another
-body T_HTML_DISPLAY_NONE eval:html_test('display_none')
-describe T_HTML_DISPLAY_NONE CSS style contains "display:none"
-
-body T_HTML_IMG_DISPLAY_NONE eval:html_test('img_display_none')
-describe T_HTML_IMG_DISPLAY_NONE image CSS style contains "display:none"
-
-# bug 3070
-# this might have high overlap with other rules, double-check
-# before promoting
-rawbody T_TINY_FONT_1 /\<.*font\-size\:[ \"]*1[^0-9]+.*\>/i
-describe T_TINY_FONT_1 body contains 1-point font
-
-rawbody T_TINY_FONT_0 /\<.*font\-size\:[ \"]*0[^0-9]+.*\>/i
-describe T_TINY_FONT_0 body contains 0-point font
uri T_HEX_ENCODED_HTTP_1 /(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i
rawbody T_HEX_ENCODED_HTTP_2 /(?!http)(?:\\x68|h)(?:\\x74|t){2}(?:\\x70|p)/i