authorAndrew Lewis <nerf@judo.za.org>2016-08-31 10:22:52 +0200
committerAndrew Lewis <nerf@judo.za.org>2016-08-31 10:22:52 +0200
commit28866f60631a43caa580686d11731e51587d2e5a (patch)
tree587be224bc643d859a58c50ef71d87bc259d69eb
parentdacfdb076ba21ef1c3be5c9d7bb87723f74d952b (diff)
downloadrspamd-28866f60631a43caa580686d11731e51587d2e5a.tar.gz
rspamd-28866f60631a43caa580686d11731e51587d2e5a.zip
[Minor] Finish reworking rules
-rw-r--r--conf/metrics.conf108
-rw-r--r--rules/html.lua7
-rw-r--r--rules/misc.lua140
-rw-r--r--rules/regexp/drugs.lua42
-rw-r--r--rules/regexp/fraud.lua15
-rw-r--r--rules/regexp/headers.lua7
-rw-r--r--rules/regexp/lotto.lua7
7 files changed, 148 insertions, 178 deletions
diff --git a/conf/metrics.conf b/conf/metrics.conf
index 1294ca2f1..7ece1c542 100644
--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -37,18 +37,6 @@ metric {
weight = 0.30;
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
}
- symbol "MIME_HTML_ONLY" {
- weight = 0.2;
- description = "Messages that have only HTML part";
- }
- symbol "FM_FAKE_HELO_VERIZON" {
- weight = 2.0;
- description = "Fake helo for verizon provider";
- }
- symbol "MISSING_TO" {
- weight = 2.0;
- description = "To header is missing";
- }
symbol "R_MIXED_CHARSET" {
weight = 5.0;
description = "Mixed characters in a message";
@@ -91,15 +79,6 @@ metric {
group "subject" {
max_score = 6.0;
-
- symbol "LONG_SUBJ" {
- weight = 6.0;
- description = "Subject is too long";
- }
- symbol "SUBJ_ALL_CAPS" {
- weight = 3.0;
- description = "No lower case letters in subject";
- }
}
group "mua" {
@@ -109,70 +88,6 @@ metric {
}
}
- group "body" {
- symbol "R_WHITE_ON_WHITE" {
- weight = 4.0;
- description = "White color on white background in HTML messages";
- }
- symbol "HTML_SHORT_LINK_IMG_1" {
- weight = 3.0;
- description = "Short html part with a link to an image";
- }
- symbol "HTML_SHORT_LINK_IMG_2" {
- weight = 1.0;
- description = "Short html part with a link to an image";
- }
- symbol "HTML_SHORT_LINK_IMG_3" {
- weight = 0.5;
- description = "Short html part with a link to an image";
- }
- symbol "R_PARTS_DIFFER" {
- weight = 1.0;
- description = "Text and HTML parts differ";
- }
-
- symbol "R_EMPTY_IMAGE" {
- weight = 2.0;
- description = "Message contains empty parts and image";
- }
- symbol "DRUGS_MANYKINDS" {
- weight = 2.0;
- description = "Drugs patterns inside message";
- }
- symbol "DRUGS_ANXIETY" {
- weight = 2.0;
- description = "";
- }
- symbol "DRUGS_MUSCLE" {
- weight = 2.0;
- description = "";
- }
- symbol "DRUGS_ANXIETY_EREC" {
- weight = 2.0;
- description = "";
- }
- symbol "DRUGS_DIET" {
- weight = 2.0;
- description = "";
- }
- symbol "DRUGS_ERECTILE" {
- weight = 2.0;
- description = "";
- }
- symbol "ADVANCE_FEE_2" {
- weight = 3.300000;
- description = "2 'advance fee' patterns in a message";
- }
- symbol "ADVANCE_FEE_3" {
- weight = 2.120000;
- description = "3 'advance fee' patterns in a message";
- }
- symbol "R_LOTTO" {
- weight = 8.0;
- description = "Lotto signatures";
- }
- }
-
group "rbl" {
symbol "DNSWL_BLOCKED" {
weight = 0.0;
@@ -577,22 +492,6 @@ metric {
}
}
- group "date" {
-
- symbol "DATE_IN_FUTURE" {
- weight = 4.0;
- description = "Message date is in future";
- }
- symbol "DATE_IN_PAST" {
- weight = 1.0;
- description = "Message date is in past";
- }
- symbol "MISSING_DATE" {
- weight = 1.0;
- description = "Message date is missing";
- }
- }
-
group "hfilter" {
symbol "HFILTER_HELO_BAREIP" {
weight = 3.00;
@@ -774,13 +673,6 @@ metric {
one_shot = true;
}
}
- group "url" {
- symbol "R_SUSPICIOUS_URL" {
- weight = 6.0;
- description = "Obfusicated or suspicious URL has been found in a message";
- one_shot = true;
- }
- }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf"
diff --git a/rules/html.lua b/rules/html.lua
index e1fdb6b73..f81fc56ef 100644
--- a/rules/html.lua
+++ b/rules/html.lua
@@ -18,7 +18,12 @@ local rspamd_regexp = require "rspamd_regexp"
local rspamd_logger = require "rspamd_logger"
-- Messages that have only HTML part
-reconf['MIME_HTML_ONLY'] = 'has_only_html_part()'
+reconf['MIME_HTML_ONLY'] = {
+ re = 'has_only_html_part()',
+ score = 0.2,
+ description = 'Messages that have only HTML part',
+ group = 'header'
+}
local function check_html_image(task, min, max)
local tp = task:get_text_parts()
diff --git a/rules/misc.lua b/rules/misc.lua
index c0dc201ab..2a14a1493 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -77,70 +77,87 @@ rspamd_config.LONG_SUBJ = {
}
-- Different text parts
-rspamd_config.R_PARTS_DIFFER = function(task)
- local distance = task:get_mempool():get_variable('parts_distance', 'double')
-
- if distance then
- local nd = tonumber(distance)
- -- ND is relation of different words to total words
- if nd >= 0.5 then
- local tw = task:get_mempool():get_variable('total_words', 'int')
-
- if tw then
- local score
- if tw > 30 then
- -- We are confident about difference
- score = (nd - 0.5) * 2.0
- else
- -- We are not so confident about difference
- score = (nd - 0.5)
+rspamd_config.R_PARTS_DIFFER = {
+ callback = function(task)
+ local distance = task:get_mempool():get_variable('parts_distance', 'double')
+
+ if distance then
+ local nd = tonumber(distance)
+ -- ND is relation of different words to total words
+ if nd >= 0.5 then
+ local tw = task:get_mempool():get_variable('total_words', 'int')
+
+ if tw then
+ local score
+ if tw > 30 then
+ -- We are confident about difference
+ score = (nd - 0.5) * 2.0
+ else
+ -- We are not so confident about difference
+ score = (nd - 0.5)
+ end
+ task:insert_result('R_PARTS_DIFFER', score,
+ string.format('%.1f%%', tostring(100.0 * nd)))
end
- task:insert_result('R_PARTS_DIFFER', score,
- string.format('%.1f%%', tostring(100.0 * nd)))
end
end
- end
-
- return false
-end
+ return false
+ end,
+ score = 1.0,
+ description = 'Text and HTML parts differ',
+ group = 'body'
+}
-- Date issues
-rspamd_config.MISSING_DATE = function(task)
- if rspamd_config:get_api_version() >= 5 then
- local date = task:get_header_raw('Date')
- if date == nil or date == '' then
- return true
- end
- end
-
- return false
-end
-rspamd_config.DATE_IN_FUTURE = function(task)
- if rspamd_config:get_api_version() >= 5 then
- local dm = task:get_date{format = 'message'}
- local dt = task:get_date{format = 'connect'}
- -- An 2 hour
- if dm > 0 and dm - dt > 7200 then
- return true
- end
- end
-
- return false
-end
-rspamd_config.DATE_IN_PAST = function(task)
- if rspamd_config:get_api_version() >= 5 then
- local dm = task:get_date{format = 'message', gmt = true}
- local dt = task:get_date{format = 'connect', gmt = true}
- -- A day
- if dm > 0 and dt - dm > 86400 then
- return true
- end
- end
-
- return false
-end
+rspamd_config.MISSING_DATE = {
+ callback = function(task)
+ if rspamd_config:get_api_version() >= 5 then
+ local date = task:get_header_raw('Date')
+ if date == nil or date == '' then
+ return true
+ end
+ end
+ return false
+ end,
+ score = 1.0,
+ description = 'Message date is missing',
+ group = 'date'
+}
+rspamd_config.DATE_IN_FUTURE = {
+ callback = function(task)
+ if rspamd_config:get_api_version() >= 5 then
+ local dm = task:get_date{format = 'message'}
+ local dt = task:get_date{format = 'connect'}
+ -- 2 hours
+ if dm > 0 and dm - dt > 7200 then
+ return true
+ end
+ end
+ return false
+ end,
+ score = 4.0,
+ description = 'Message date is in future',
+ group = 'date'
+}
+rspamd_config.DATE_IN_PAST = {
+ callback = function(task)
+ if rspamd_config:get_api_version() >= 5 then
+ local dm = task:get_date{format = 'message', gmt = true}
+ local dt = task:get_date{format = 'connect', gmt = true}
+ -- A day
+ if dm > 0 and dt - dm > 86400 then
+ return true
+ end
+ end
+ return false
+ end,
+ score = 1.0,
+ description = 'Message date is in past',
+ group = 'date'
+}
-rspamd_config.R_SUSPICIOUS_URL = function(task)
+rspamd_config.R_SUSPICIOUS_URL = {
+ callback = function(task)
local urls = task:get_urls()
if urls then
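Review bot: DATE_IN_FUTURE calls `task:get_date{format = 'message'}` and `task:get_date{format = 'connect'}` without `gmt = true`, while DATE_IN_PAST directly below passes `gmt = true` to both calls. If the two variants are normalised differently, the 7200-second window would shift with the sender's zone offset, which matters more now that the rule carries `score = 4.0` inline. I would make the two rules agree, e.g. `local dm = task:get_date{format = 'message', gmt = true}` and the same for `'connect'`, or add a comment saying why the future check is meant to differ. Separately, in R_PARTS_DIFFER the result of `tonumber(distance)` is compared with `0.5` without a nil check, and `string.format('%.1f%%', tostring(100.0 * nd))` relies on string-to-number coercion where `100.0 * nd` could be passed directly.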
@@ -151,7 +168,12 @@ rspamd_config.R_SUSPICIOUS_URL = function(task)
end
end
return false
-end
+ end,
+ score = 6.0,
+ one_shot = true,
+ description = 'Obfusicated or suspicious URL has been found in a message',
+ group = 'url'
+}
rspamd_config.BROKEN_HEADERS = {
callback = function(task)
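Review bot: The description moved into the R_SUSPICIOUS_URL table keeps the misspelling `Obfusicated`; since this string is what an operator sees next to the symbol, `description = 'Obfuscated or suspicious URL has been found in a message',` would be the place to fix it. The lines between `callback = function(task)` and `end,` were also left at their old indentation, so the callback body no longer lines up with the other table-form rules in this file. The callback opens in the previous hunk and part of its body lies outside both hunks.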
diff --git a/rules/regexp/drugs.lua b/rules/regexp/drugs.lua
index 774c326a1..8d7b882f6 100644
--- a/rules/regexp/drugs.lua
+++ b/rules/regexp/drugs.lua
@@ -31,7 +31,12 @@ local drugs_diet7 = '/\\b_{0,3}t[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?u[_\\W]?a[_
local drugs_diet8 = '/\\b_{0,3}d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?d[_\\W]?r[_\\W][e3\\xE8-\\xEB[_\\W]?xx?_{0,3}\\b/irP'
local drugs_diet9 = '/\\b_{0,3}a[_\\W]?d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?p[_\\W]?[e3\\xE8-\\xEB][_\\W]?x_{0,3}\\b/irP'
local drugs_diet10 = '/\\b_{0,3}x?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?c[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l_{0,3}\\b/irP'
-reconf['DRUGS_DIET'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10)
+reconf['DRUGS_DIET'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10),
+ score = 2.0,
+ description = 'Drugs pattern in body',
+ group = 'body'
+}
local drugs_erectile1 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}[xyz]?[gj][_\\W]{0,3}r[_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}x?[_\\W]{0,3}(?:\\b|\\s)/irP'
local drugs_erectile2 = '/\\bV(?:agira|igara|iaggra|iaegra)\\b/irP'
local drugs_erectile3 = '/(?:\\A|[\\s\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f])[_\\W]{0,3}C[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}l?[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s[_\\W]{0,3}(?:\\b|\\s)/irP'
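Review bot: `drugs_diet8`, on the unchanged context line just above the new DRUGS_DIET table, has a malformed character class: in `r[_\\W][e3\\xE8-\\xEB[_\\W]?xx?` the `]` after `\\xEB` and the `?` after the first `[_\\W]` are missing. As written, a separator is mandatory after `r` and the vowel class also absorbs `[`, `_` and non-word characters, so this alternative does not match the plain spelling. Going by the sibling `drugs_diet*` patterns, the intended fragment looks like `r[_\\W]?[e3\\xE8-\\xEB][_\\W]?xx?`. The commit does not touch this line, but the expression is embedded in the `re` that now carries `score = 2.0`.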
@@ -41,7 +46,12 @@ local drugs_erectile6 = '/\\b_{0,3}L[_\\W]?[e3\\xE8-\\xEB][_\\W]?(?:\\\\\\/|V)[_
local drugs_erectile8 = '/\\b_{0,3}T[_\\W]?[a4\\xE0-\\xE6@][_\\W]?d[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l[_\\W]?[a4\\xE0-\\xE6@][_\\W]?f[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?l_{0,3}\\b/irP'
local drugs_erectile10 = '/\\b_{0,3}V[_\\W]?(?:i|\\&iuml\\;)[_\\W]?(?:a|\\&agrave|\\&aring)\\;?[_\\W]?g[_\\W]?r[_\\W]?(?:a|\\&agrave|\\&aring)\\b/irP'
local drugs_erectile11 = '/(?:\\b|\\s)_{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}p[_\\W]{0,3}c[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s_{0,3}\\b/irP'
-reconf['DRUGS_ERECTILE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11)
+reconf['DRUGS_ERECTILE'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11),
+ score = 2.0,
+ description = 'Drugs pattern in body',
+ group = 'body'
+}
local drugs_anxiety1 = '/(?:\\b|\\s)[_\\W]{0,3}x?x[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}n[_\\W]{0,3}[ea4\\xE1\\xE2\\xE3@][_\\W]{0,3}xx?_{0,3}\\b/irP'
local drugs_anxiety2 = '/\\bAlprazolam\\b/irP'
local drugs_anxiety3 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l|][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}m\\b/irP'
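Review bot: The description `'Drugs pattern in body'` given to DRUGS_ERECTILE is the same string used for DRUGS_DIET, DRUGS_ANXIETY, DRUGS_ANXIETY_EREC, DRUGS_MUSCLE and DRUGS_MANYKINDS in the other hunks of this file, so the six symbols cannot be told apart by description in a report or UI. A per-rule wording would help whoever triages a hit, e.g. `description = 'Erectile-dysfunction drug names in body',` here and `description = 'Three or more drug categories in body',` for DRUGS_MANYKINDS.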
@@ -51,8 +61,18 @@ local drugs_anxiety6 = '/\\b_{0,3}l[_\\W]?[o0\\xF2-\\xF6][_\\W]?r[_\\W]?[a4\\xE0
local drugs_anxiety7 = '/\\b_{0,3}c[_\\W]?l[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?[a4\\xE0-\\xE6@][_\\W]?z[_\\W]?e[_\\W]?p[_\\W]?[a4\\xE0-\\xE6@][_\\W]?m\\b/irP'
local drugs_anxiety8 = '/\\bklonopin\\b/irP'
local drugs_anxiety9 = '/\\brivotril\\b/irP'
-reconf['DRUGS_ANXIETY'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9)
-reconf['DRUGS_ANXIETY_EREC'] = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE'], reconf['DRUGS_ANXIETY'])
+reconf['DRUGS_ANXIETY'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9),
+ score = 2.0,
+ description = 'Drugs pattern in body',
+ group = 'body'
+}
+reconf['DRUGS_ANXIETY_EREC'] = {
+ re = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_ANXIETY']['re']),
+ score = 2.0,
+ description = 'Drugs pattern in body',
+ group = 'body'
+}
local drugs_pain1 = '/\\b_{0,3}h[_\\W]?y[_\\W]?d[_\\W]?r[_\\W]?[o0\\xF2-\\xF6][_\\W]?c[_\\W]?[o0\\xF2-\\xF6][_\\W]?d[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?e_{0,3}\\b/irP'
local drugs_pain2 = '/\\b_{0,3}c[o0\\xF2-\\xF6]deine_{0,3}\\b/irP'
local drugs_pain3 = '/(?:\\b|\\s)[_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}l[_\\W]{0,3}t[_\\W]{0,3}r[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}m_{0,3}\\b/irP'
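Review bot: DRUGS_ANXIETY_EREC is the conjunction of the DRUGS_ERECTILE and DRUGS_ANXIETY expressions, so whenever it matches the other two match as well; assuming symbol scores are summed, such a message collects 6.0 from three symbols. If that stacking is intended, a comment such as `-- fires in addition to DRUGS_ERECTILE and DRUGS_ANXIETY` above the table would record it; otherwise the composite's `score` probably wants to be only the increment.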
@@ -78,6 +98,16 @@ local drugs_muscle2 = '/\\b_{0,3}cycl[o0\\xF2-\\xF6]b[e3\\xE8-\\xEB]nz[a4\\xE0-\
local drugs_muscle3 = '/\\b_{0,3}f[_\\W]?l[_\\W]?[e3\\xE8-\\xEB][_\\W]?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?r[_\\W]?[i1!|l\\xEC-\\xEF]_{0,3}[_\\W]?l_{0,3}\\b/irP'
local drugs_muscle4 = '/\\b_{0,3}z[_\\W]?a[_\\W]?n[_\\W]?a[_\\W]?f[_\\W]?l[_\\W]?e[_\\W]?x_{0,3}\\b/irP'
local drugs_muscle5 = '/\\bskelaxin\\b/irP'
-reconf['DRUGS_MUSCLE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5)
-reconf['DRUGS_MANYKINDS'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE'], reconf['DRUGS_DIET'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE'], reconf['DRUGS_ANXIETY'])
+reconf['DRUGS_MUSCLE'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5),
+ score = 2.0,
+ description = 'Drugs pattern in body',
+ group = 'body'
+}
+reconf['DRUGS_MANYKINDS'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_DIET']['re'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE']['re'], reconf['DRUGS_ANXIETY']['re']),
+ score = 2.0,
+ description = 'Drugs pattern in body',
+ group = 'body'
+}
diff --git a/rules/regexp/fraud.lua b/rules/regexp/fraud.lua
index 441aca5de..59e6ad03f 100644
--- a/rules/regexp/fraud.lua
+++ b/rules/regexp/fraud.lua
@@ -70,5 +70,16 @@ local fraud_yqv = '/nigerian? (?:national|government)/irP'
local fraud_yja = '/over-invoice/irP'
local fraud_ypo = '/the total sum/irP'
local fraud_uoq = '/vital documents/irP'
-reconf['ADVANCE_FEE_2'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)
-reconf['ADVANCE_FEE_3'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)
+reconf['ADVANCE_FEE_2'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly),
+ score = 3.3,
+ description = "2 'advance fee' patterns in a message",
+ group = 'body'
+}
+reconf['ADVANCE_FEE_3'] = {
+ re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly),
+ score = 2.12,
+ description = "3 'advance fee' patterns in a message",
+ group = 'body'
+}
+
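Review bot: ADVANCE_FEE_2 and ADVANCE_FEE_3 each repeat a format string with one `(%s)` per fraud pattern and the same long list of `fraud_*` arguments, differing only in the `>= 2` / `>= 3` threshold. Lua's `string.format` ignores surplus arguments, so adding a pattern to the argument list without a matching `(%s)` would silently drop it from the rule. Building the sum once from a list and passing the threshold in keeps the two rules in step; the sketch below yields the same expression text. The `fraud_*` locals are declared above the hunk.

```lua
local fraud_terms = {
  -- … unchanged: the fraud_* locals, in the order they are passed to string.format …
}

local function advance_fee_re(threshold)
  local wrapped = {}
  for i, pattern in ipairs(fraud_terms) do
    wrapped[i] = '(' .. pattern .. ')'
  end
  return string.format('((%s) | (%s) | (%s)) & (%s >= %d)',
    reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'],
    reconf['R_NO_SPACE_IN_FROM']['re'],
    table.concat(wrapped, ' + '), threshold)
end

reconf['ADVANCE_FEE_2'] = {
  re = advance_fee_re(2),
  -- … unchanged: score, description, group …
}
reconf['ADVANCE_FEE_3'] = {
  re = advance_fee_re(3),
  -- … unchanged: score, description, group …
}
```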
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index b13274055..4aa89e46e 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -520,7 +520,12 @@ reconf['STOX_REPLY_TYPE'] = {
-- Fake Verizon headers
local fhelo_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^ ]+verizon\\.net /iH'
local fhost_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^ ]+verizon\\.net /iH'
-reconf['FM_FAKE_HELO_VERIZON'] = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon)
+reconf['FM_FAKE_HELO_VERIZON'] = {
+ re = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon),
+ score = 2.0,
+ description = 'Fake helo for verizon provider',
+ group = 'header'
+}
-- Forged yahoo msgid
local at_yahoo_msgid = 'Message-Id=/\\@yahoo\\.com\\b/iH'
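Review bot: FM_FAKE_HELO_VERIZON now carries `score = 2.0` inline, but both of its regexes read `X-Spam-Relays-Untrusted`, and nothing in this hunk shows that header being produced by the scanner itself. If it is taken from the message as received, the text compared for `helo=` and `rdns=` is supplied by the sender and the result is not a reliable signal. A comment above the table stating where the header comes from, e.g. `-- NOTE: X-Spam-Relays-Untrusted must come from a trusted upstream filter (confirm)`, would make that assumption reviewable.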
diff --git a/rules/regexp/lotto.lua b/rules/regexp/lotto.lua
index df0f2577a..03ebdb4ab 100644
--- a/rules/regexp/lotto.lua
+++ b/rules/regexp/lotto.lua
@@ -28,4 +28,9 @@ local kam_lotto3 = '/(won|claim|cash prize|pounds? sterling)/isrP'
local kam_lotto4 = '/(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/isrP'
local kam_lotto5 = '/(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\\.?K\\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/isrP'
local kam_lotto6 = '/(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/isrP'
-reconf['R_LOTTO'] = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6)
+reconf['R_LOTTO'] = {
+ re = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6),
+ score = 8.0,
+ description = 'Lotto signatures',
+ group = 'body'
+}
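Review bot: `kam_lotto5`, on the context line above the new R_LOTTO table, contains `UK National (Online)? Lottery`, which leaves a literal space on both sides of the optional group; when `Online` is absent the alternative needs two consecutive spaces, so the usual single-space form is not matched. `UK National (Online )?Lottery` expresses the optional word. `kam_lotto3` in the same hunk has no word boundaries around `won` and `claim`, so it also matches inside longer words; with R_LOTTO at `score = 8.0` that is worth tightening with `\\b`. Both patterns are unchanged by this commit.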