Author: jm
Date: Tue Jan 2 12:14:29 2007
New Revision: 491924
URL: http://svn.apache.org/viewvc?view=rev&rev=491924
Log:
rules; remove TRIAL_COMMUNIGATE from lack of hits, and the ARIAL_3 one from dangerous FPs; add a few new stupid-HELO-tricks rules
Modified:
spamassassin/rules/trunk/sandbox/jm/20_basic.cf
Modified: spamassassin/rules/trunk/sandbox/jm/20_basic.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?view=diff&rev=491924&r1=491923&r2=491924
==============================================================================
--- spamassassin/rules/trunk/sandbox/jm/20_basic.cf (original)
+++ spamassassin/rules/trunk/sandbox/jm/20_basic.cf Tue Jan 2 12:14:29 2007
@@ -157,6 +157,12 @@
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
+# HELO as localhost. we should really be rejecting this at MTA, but hey.
+# it seems most of us let these slip through our MTA configs; 3% of spam, no FPs
+header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
+
+full DIV_CENTER_A_HREF /<DIV align=3Dcenter><A href=3D=\n/
+
# ---------------------------------------------------------------------------
# Testing bit
@@ -202,13 +208,12 @@
header __MULTIPART_RELATED Content-Type =~ /multipart\/related/
meta OE_MULTIPART_RELATED (__OE_MUA && __MULTIPART_RELATED)
-# a blast from the past
-full TRIAL_COMMUNIGATE /\*This message was transferred with a trial version of CommuniGate\(tm\) Pro\*/s
-
-# some handy obvious template droppings or obfuscation attempts
-full DIV_FONT_ARIAL_3 /\n<DIV><FONT face=3DArial size=3D3>/
-full DIV_CENTER_A_HREF /<DIV align=3Dcenter><A href=3D=\n/
-
-# wow, I should really be rejecting this at MTA, but hey
-header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
+# more trials of bad HELO strings
+header HELO_LH_LD X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
+header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
+header HELO_FRIEND X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
+header HELO_PC X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=pc /i
+header HELO_NODOT X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^.]+ /i
+header HELO_ADMIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=admin\S* /i
+header HELO_OEM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=oem\S* /i
Date: Tue Jan 2 12:14:29 2007
New Revision: 491924
URL: http://svn.apache.org/viewvc?view=rev&rev=491924
Log:
rules; remove TRIAL_COMMUNIGATE from lack of hits, and the ARIAL_3 one from dangerous FPs; add a few new stupid-HELO-tricks rules
Modified:
spamassassin/rules/trunk/sandbox/jm/20_basic.cf
Modified: spamassassin/rules/trunk/sandbox/jm/20_basic.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?view=diff&rev=491924&r1=491923&r2=491924
==============================================================================
--- spamassassin/rules/trunk/sandbox/jm/20_basic.cf (original)
+++ spamassassin/rules/trunk/sandbox/jm/20_basic.cf Tue Jan 2 12:14:29 2007
@@ -157,6 +157,12 @@
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
+# HELO as localhost. we should really be rejecting this at MTA, but hey.
+# it seems most of us let these slip through our MTA configs; 3% of spam, no FPs
+header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
+
+full DIV_CENTER_A_HREF /<DIV align=3Dcenter><A href=3D=\n/
+
# ---------------------------------------------------------------------------
# Testing bit
@@ -202,13 +208,12 @@
header __MULTIPART_RELATED Content-Type =~ /multipart\/related/
meta OE_MULTIPART_RELATED (__OE_MUA && __MULTIPART_RELATED)
-# a blast from the past
-full TRIAL_COMMUNIGATE /\*This message was transferred with a trial version of CommuniGate\(tm\) Pro\*/s
-
-# some handy obvious template droppings or obfuscation attempts
-full DIV_FONT_ARIAL_3 /\n<DIV><FONT face=3DArial size=3D3>/
-full DIV_CENTER_A_HREF /<DIV align=3Dcenter><A href=3D=\n/
-
-# wow, I should really be rejecting this at MTA, but hey
-header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
+# more trials of bad HELO strings
+header HELO_LH_LD X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
+header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
+header HELO_FRIEND X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
+header HELO_PC X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=pc /i
+header HELO_NODOT X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^.]+ /i
+header HELO_ADMIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=admin\S* /i
+header HELO_OEM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=oem\S* /i