## khop-blessed.cf v 2010032819 ## ## Spamassassin rules written by Adam Katz ## http://khopesh.com/Anti-spam ## khopesh on irc://irc.freenode.net/#spamassassin ## ## sa-update --gpgkey E8B493D6 --channel khop-blessed.sa.khopesh.com ## ## These rules are Copyright (C) 2001-2009 by Adam Katz ## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0. ## The author is receptive to relicensing requests. # SVN version; minor tweaks, removed scores and redundant sandbox rules. header __BSD_REPORT Subject =~ /.(?:ail|ecurit|eekl|onthl)y run output$/ meta KHOP_BSD_REPORT __BSD_REPORT && ALL_TRUSTED describe KHOP_BSD_REPORT Regular run output from a BSD system tflags KHOP_BSD_REPORT nice noautolearn nopublish #score KHOP_BSD_REPORT -8 # 20050822 header __LOGWATCH_REPORT Subject =~ /^LogWatch for / meta KHOP_LOGWATCH_REPORT __LOGWATCH_REPORT && ALL_TRUSTED describe KHOP_LOGWATCH_REPORT System report from LogWatch tflags KHOP_LOGWATCH_REPORT nice noautolearn nopublish #score KHOP_LOGWATCH_REPORT -8 # 20050822 ### ENCRYPTION header KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ describe KHOP_ENCRYPTED_CONTENT Message is encrypted tflags KHOP_ENCRYPTED_CONTENT nice noautolearn nopublish #score KHOP_ENCRYPTED_CONTENT -7.5 # 20070227 # Note, encrypted pgp/mime data will trigger EMPTY_MESSAGE # 2007/02/27 - Syntax taken from the OpenPGP standard, RFC 2440 section 6.2 if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP) # moved from rawbody to body 20091021 body __KHOP_PGP_I1 /-----BEGIN PGP (?:SIGNATURE|MESSAGE|PUBLIC|PRIVATE)(?:, PART [0-9]{1,4}\/[0-9]{1,4}| KEY BLOCK)?-----/ tflags __KHOP_PGP_I1 nice body __KHOP_PGP_I2 /-----END PGP/ tflags __KHOP_PGP_I2 nice meta __PGP_INLINE ( __KHOP_PGP_I1 && __KHOP_PGP_I2 ) tflags __PGP_INLINE nice noautolearn meta KHOP_PGP_INLINE __PGP_INLINE describe KHOP_PGP_INLINE BODY: Contains PGP data tflags KHOP_PGP_INLINE nice noautolearn nopublish #score KHOP_PGP_INLINE -2 -2 -3 -3 # 2005/12/14 - worthwhile even though we're not verifying the sig header __PGP_SIGNED Content-Type =~ /multipart\/signed;.*\/pgp-signature/s tflags __PGP_SIGNED nice noautolearn meta KHOP_PGP_SIGNED __PGP_SIGNED describe KHOP_PGP_SIGNED Message seems to contain PGP signature tflags KHOP_PGP_SIGNED nice noautolearn nopublish #score KHOP_PGP_SIGNED -2 -2 -3 -3 endif # 2007/02/27 mimic KHOP_PGP_SIGNED for s/mime header __SMIME_SIGNED Content-Type =~ /multipart\/signed;.*\/x-pkcs7-signatu/s meta KHOP_SMIME_SIGNED __SMIME_SIGNED describe KHOP_SMIME_SIGNED Message seems to contain S/MIME signature tflags KHOP_SMIME_SIGNED nice noautolearn nopublish score KHOP_SMIME_SIGNED -2 -2 -3 -3 # MASSCHECK DETAIL from 20091028-r830464-n # SPAM% HAM% S/O RANK NAME # 97.5085 71.0054 0.579 0.49 __MISSING_THREAD # 99.9395 61.6540 0.618 0.49 __MISSING_REF # 99.7691 59.9134 0.625 0.49 __MISSING_REPLY # 4.0280 8.7871 0.314 0.21 __INR_AND_NO_REF # # 20091016 after much testing, has yet to hit a SINGLE spam (hits ~38% of ham) meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) tflags __THREADED nice meta KHOP_THREADED __THREADED # Note that this does NOT verify legitimacy of referenced MSGIDs. describe KHOP_THREADED Message references or replies to another message tflags KHOP_THREADED nice nopublish #score KHOP_THREADED -0.5 -0.5 -1.5 -1.5 # EASILY abused -- keep minimal