mirror of
https://git.proxmox.com/git/proxmox-spamassassin
synced 2025-04-28 12:19:37 +00:00
54c714b2bf
after installing the package with version 4.0.1 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
170 lines
7.0 KiB
CFEngine3
170 lines
7.0 KiB
CFEngine3
# SpamAssassin rules file: body tests
|
|
#
|
|
# Please don't modify this file as your changes will be overwritten with
|
|
# the next update. Use /etc/mail/spamassassin/local.cf instead.
|
|
# See 'perldoc Mail::SpamAssassin::Conf' for details.
|
|
#
|
|
# Note: body tests are run with long lines, so be sure to limit the
|
|
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
|
|
# search times.
|
|
#
|
|
# Note: If you are adding a rule which looks for a phrase in the body
|
|
# (as most of them do), please add it to rules/20_phrases.cf instead.
|
|
#
|
|
# <@LICENSE>
|
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
|
# contributor license agreements. See the NOTICE file distributed with
|
|
# this work for additional information regarding copyright ownership.
|
|
# The ASF licenses this file to you under the Apache License, Version 2.0
|
|
# (the "License"); you may not use this file except in compliance with
|
|
# the License. You may obtain a copy of the License at:
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
# </@LICENSE>
|
|
#
|
|
###########################################################################
|
|
|
|
require_version 4.000001
|
|
|
|
###########################################################################
|
|
# GTUBE test - the generic test for UBE.
|
|
body GTUBE /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/
|
|
describe GTUBE Generic Test for Unsolicited Bulk Email
|
|
tflags GTUBE userconf noautolearn
|
|
|
|
###########################################################################
|
|
|
|
# this seems to be the new fashion (as of Jul 5 2002). base64-encoded
|
|
# parts need to be stripped before this match
|
|
body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is
|
|
describe TRACKER_ID Incorporates a tracking ID number
|
|
|
|
body WEIRD_QUOTING /[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/
|
|
describe WEIRD_QUOTING Weird repeated double-quotation marks
|
|
|
|
###########################################################################
|
|
# multipart/alternative has very good accuracy, other multipart types are
|
|
# similar to MIME_HTML_ONLY so they don't need a separate rule
|
|
header __CTYPE_MULTIPART_ALT Content-Type =~ /multipart\/alternative/i
|
|
meta MIME_HTML_ONLY_MULTI (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY)
|
|
describe MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
|
|
|
|
# note: __HIGHBITS is used in rules/20_html_tests.cf, HTML_CHARSET_FARAWAY
|
|
meta MIME_CHARSET_FARAWAY (__MIME_CHARSET_FARAWAY && __HIGHBITS)
|
|
describe MIME_CHARSET_FARAWAY MIME character set indicates foreign language
|
|
tflags MIME_CHARSET_FARAWAY userconf
|
|
|
|
###########################################################################
|
|
|
|
# duncf
|
|
body EMAIL_ROT13 /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/
|
|
describe EMAIL_ROT13 Body contains a ROT13-encoded email address
|
|
test EMAIL_ROT13 ok qhabs^ebtref(pbz
|
|
test EMAIL_ROT13 ok zxrggyre^riv-vap(pbz
|
|
test EMAIL_ROT13 fail duncf-nospam@rogers.com
|
|
|
|
# this could use more work
|
|
body __LONGWORDS_A /\b(?:[a-z]{8,}[\s\.]+){6}/
|
|
body __LONGWORDS_B /\b(?:[a-z]{6,}[\s\.]+){9}/
|
|
body __LONGWORDS_C /\b(?:[a-z]{5,}[\s\.]+){10}/
|
|
meta LONGWORDS (__LONGWORDS_A + __LONGWORDS_B + __LONGWORDS_C > 1)
|
|
describe LONGWORDS Long string of long words
|
|
|
|
|
|
###########################################################################
|
|
|
|
ifplugin Mail::SpamAssassin::Plugin::BodyEval
|
|
|
|
|
|
# This rule uses a simple algorithm to determine if the text and html
|
|
# parts of an multipart/alternative message are different.
|
|
body MPART_ALT_DIFF eval:multipart_alternative_difference('99', '100')
|
|
describe MPART_ALT_DIFF HTML and text parts are different
|
|
|
|
body MPART_ALT_DIFF_COUNT eval:multipart_alternative_difference_count('3', '1')
|
|
describe MPART_ALT_DIFF_COUNT HTML and text parts are different
|
|
|
|
body BLANK_LINES_80_90 eval:check_blank_line_ratio('80','90','4')
|
|
describe BLANK_LINES_80_90 Message body has 80-90% blank lines
|
|
|
|
# it's the ratio of spaces to non-spaces in each paragraph. apparently
|
|
# messages where generally there are lots of spaces mean the message is spam.
|
|
# 8.532 10.6051 0.1897 0.982 0.75 0.01 T_VERTICAL_WORDS_TVD_1
|
|
# bug 6149: avoid common .jp false positives
|
|
header __SUBJECT_UTF8_B_ENCODED Subject:raw =~ /=\?UTF-?8\?B\?/i
|
|
body __TVD_SPACE_RATIO eval:tvd_vertical_words('0','10')
|
|
meta TVD_SPACE_RATIO (__TVD_SPACE_RATIO && !__ISO_2022_JP_DELIM && !__SUBJECT_UTF8_B_ENCODED && !__HIGHBITS)
|
|
|
|
endif
|
|
|
|
###########################################################################
|
|
|
|
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
|
|
|
|
# 0.767 0.9097 0.0000 1.000 0.84 1.00 MULTIPART_ALT_NON_TEXT
|
|
body MULTIPART_ALT_NON_TEXT eval:check_ma_non_text()
|
|
|
|
body CHARSET_FARAWAY eval:check_for_faraway_charset()
|
|
describe CHARSET_FARAWAY Character set indicates a foreign language
|
|
tflags CHARSET_FARAWAY userconf
|
|
|
|
# these tests doesn't actually use rawbody since rawbody isn't raw enough;
|
|
# they must be written very carefully to avoid modifying the original content
|
|
|
|
# MIME Content-Transfer-Encoding control rules
|
|
rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
|
|
describe __MIME_BASE64 Includes a base64 attachment
|
|
|
|
rawbody __MIME_QP eval:check_for_mime('mime_qp_count')
|
|
describe __MIME_QP Includes a quoted-printable attachment
|
|
|
|
# No longer used in MIMEEval
|
|
#rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
|
|
#describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
|
|
|
|
|
|
rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
|
|
describe MIME_BASE64_TEXT Message text disguised using base64 encoding
|
|
|
|
|
|
body MISSING_MIME_HB_SEP eval:check_msg_parse_flags('missing_mime_head_body_separator')
|
|
describe MISSING_MIME_HB_SEP Missing blank line between MIME header and body
|
|
|
|
body MIME_HTML_MOSTLY eval:check_mime_multipart_ratio('0.00','0.01')
|
|
describe MIME_HTML_MOSTLY Multipart message mostly text/html MIME
|
|
|
|
# Steve Linford via Charlie Watts: good test!
|
|
body MIME_HTML_ONLY eval:check_for_mime_html_only()
|
|
describe MIME_HTML_ONLY Message only has text/html MIME parts
|
|
|
|
rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line')
|
|
describe MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
|
|
|
|
rawbody __MIME_CHARSET_FARAWAY eval:check_for_mime('mime_faraway_charset')
|
|
|
|
body MIME_BAD_ISO_CHARSET eval:check_for_mime('mime_bad_iso_charset')
|
|
describe MIME_BAD_ISO_CHARSET MIME character set is an unknown ISO charset
|
|
|
|
body MIMEPART_LIMIT_EXCEEDED eval:check_for_mime('mimepart_limit_exceeded')
|
|
describe MIMEPART_LIMIT_EXCEEDED Message has too many MIME parts
|
|
|
|
endif
|
|
|
|
###########################################################################
|
|
|
|
ifplugin Mail::SpamAssassin::Plugin::URIEval
|
|
|
|
body HTTPS_IP_MISMATCH eval:check_https_ip_mismatch()
|
|
describe HTTPS_IP_MISMATCH IP to HTTPS link found in HTML
|
|
|
|
body URI_TRUNCATED eval:check_uri_truncated()
|
|
describe URI_TRUNCATED Message contained a URI which was truncated
|
|
|
|
endif
|