Rule tuning, new rules for eval
git-svn-id: https://svn.apache.org/repos/asf/spamassassin/trunk@1883759 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/rulesrc/sandbox/jhardin/20_misc_testing.cf b/rulesrc/sandbox/jhardin/20_misc_testing.cf
index 7ac3458..fe4ede4 100644
--- a/rulesrc/sandbox/jhardin/20_misc_testing.cf
+++ b/rulesrc/sandbox/jhardin/20_misc_testing.cf
@@ -3319,10 +3319,18 @@
header __MSMAIL_PRI_LOW X-MSMail-Priority =~ /^(?:low|non-urgent)$/i
meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
-meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER
+# This is counterintuitive - exclude __MSMAIL_PRI_HIGH ?
+# It seems that 99% of the spam using X-MSMail-Priority other than "normal" is using *invalid values*
+# score "high" separately if justified
+meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
describe MSMAIL_PRI_ABNORMAL Email priority often abused
score MSMAIL_PRI_ABNORMAL 1.500 # limit
+meta MSMAIL_PRI_HIGH __MSMAIL_PRI_HIGH && !ALL_TRUSTED && !__FROM_LOWER && !__RDNS_SHORT
+describe MSMAIL_PRI_HIGH Email priority often abused
+score MSMAIL_PRI_HIGH 1.500 # limit
+
+
# Phishing? 11/2020
full __TO_ADDR_BODY_DOC /^To:\s+(?:"[^"\n]{0,80}"\s*)?<?([^@\s]{1,40})@([^\s>]{1,40})>?\s(?=.{1,2048}\b\1(?:@\2)?\s+(?:sharepoint|document))/ism
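Review bot: The new MSMAIL_PRI_HIGH rule reuses the description `Email priority often abused` verbatim from MSMAIL_PRI_ABNORMAL, so the two hits read identically in a report even though one now fires on values other than normal or high and the other on an explicit "high". A distinct text such as `describe MSMAIL_PRI_HIGH X-MSMail-Priority set to high, often abused` would let whoever triages a message see which condition matched. The comment above the changed meta ends as an open question (`exclude __MSMAIL_PRI_HIGH ?`) although the rule does exclude it; wording it as the decision taken, e.g. `# Counterintuitive, but exclude __MSMAIL_PRI_HIGH here:`, would read more clearly. The definitions of __MSMAIL_PRI_HIGH, __HAS_UA, __FROM_LOWER and __RDNS_SHORT lie outside this hunk, so how the new exclusions interact could not be checked from here.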
@@ -3332,4 +3340,10 @@
header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
+body __ORDER_TODAY /\border (?:it|one|yours) (?:today|now)\b/i
+tflags __ORDER_TODAY multiple maxhits=4
+
+
+
+