[SAtalk] Bigevil 2.10 posted

2004-01-30 Thread Chris Santerre
It's been about 9 days since the last update. Longest ever. This update was
an attempt at having more than one person work on the file. Let's say it was
a learning experience :) Some great tweaking was done and awesome bug
testing by SARE members. Can't thank them enough.

Let me know IMMEDIATELY on any FPs you may encounter. This version runs even
faster and is smaller than all previous versions.

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 


---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


RE: [SAtalk] [RD] spammer reactions to antidrug (humorous)

2004-01-30 Thread Chris Santerre


> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 30, 2004 10:55 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] [RD] spammer reactions to antidrug (humorous)
> 
> 
> Today I got an interesting form of obfuscation, apparently to avoid
> antidrug.cf.
>
> I'm not sure whether to bother with adding rules for this, or be satisfied
> that the obfuscations are so severe that the messages are now barely legible.
>
> Since spammers rely on responses from the mentally-deficient, and most of
> those people won't likely be able to read this mail, I doubt this
> particular spam will produce any customers whatsoever.
>
> I think I'm pleased with this trend. It may not stop the spam, but it
> appears likely to severely restrict the income and thus motivations for
> doing so :)
> --
> 
> Orxder your Vjiagmra and Skupter Vimagera saifely and 
> securfely onlijne.
> 
> Esntper Hekre
> 

aHAHAHAHAHAH
Thyat ixs a dfunmny qone!

:)

--Chris 




RE: [SAtalk] A simple tool to extract URL's from mail folders

2004-01-30 Thread Chris Santerre
Yeah, my bigevil thoughts post was sent ages ago! almost 2 weeks before it
showed up on the list. I posted a bigevil update and haven't seen it yet!
WTF?

--Chris

> -Original Message-
> From: Gary Funck [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 29, 2004 1:08 PM
> To: Spamassassin List
> Subject: RE: [SAtalk] A simple tool to extract URL's from mail folders
> 
> 
> 
> Wow. I sent that e-mail out last *week*, and it is just 
> dribbling in today.
> 
> Received: from intrepid.intrepid.com ([192.195.190.1]
> ident=[1qHbG1J2WyZEN0gY3ydWgHO2WHps6+zg])
>   by sc8-sf-mx1.sourceforge.net with esmtp (TLSv1:AES256-SHA:256)
>   (Exim 4.30) id 1Ak5VT-TZ-H9
>   for [EMAIL PROTECTED]; Fri, 23 Jan 2004
> 09:54:11 -0800
> 
> BTW, I've updated the script to work better/faster, but by now I've
> forgotten whether I posted the updated copy to this list, or not. I plan on
> putting all the various tools over on the exit0.us, or SA Wiki pages at
> some point.
> 
> 
> 
> 


[SAtalk] Bigevil and thoughts....

2004-01-29 Thread Chris Santerre
I received a report of an FP in bigevil. The domain was
playaudiomessage.com. A quick google shows tons of hits in
news.admin.net-abuse.sightings. It had been my hope the bigevil would be
ZERO fp. However I'm not going to let the fact that a domain may be used 90%
by spammers and 10% by legit sway me now. 

Even going to www.playaudiomessage.com should raise eyebrows! Nice reporting
feature they have on the site, huh? 

So I'm going to go the way easynet did. (No not shutdown!) I'm going to
leave them in until they clean up their act. When I see no reports of spam
containing their URL for a certain period of time, then I will remove. I've
started a small list of these to check on in a few weeks.

So if you receive a legit email with this domain hitting bigevil, I'm not
sorry. Do a search under "groups" in google. Take those results and feel
free to report them to playaudiomessage.com. But by the looks from their
website, they don't want to hear from you anyway.

They stay.

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




[SAtalk] [OT] Working with FPs from the other end.

2004-01-28 Thread Chris Santerre
I had recently received an FP from a *new* invoice confirmation notice from
a MAJOR computer equipment supplier. I was bummed at the fact that I would
have to try to work around the FP. Then I looked at what it hit, and some
were just things they shouldn't do. Like HTML only! 

So I wrote a nice email to my Account rep. Listing each major rule that hit,
how many points, and what they might try to fix it. He forwarded it on to
the right people. I talked to him today on a different matter and he
informed me that they were EXTREMELY happy with the info I told them. They
had no idea they were doing things that were considered spammy. They are
working on fixing all the hits they got. 

Surprising for such a large technical corporation. (Like CDW, but not them.)
Anyway, sometimes the best way to fight a bunch of FPs is to educate the
legit senders. I thought I would share that success story :-)

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] bigevil_54 smonitor

2004-01-27 Thread Chris Santerre
Doh! 

*humble apologies*

You are correct sir! Removed in next update. Don't ask what is taking so
long for the next update. You don't want to know :)

--Chris

> -Original Message-
> From: Kelson Vibber [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 27, 2004 12:02 AM
> To: Chris Santerre; '[EMAIL PROTECTED]';
> [EMAIL PROTECTED]
> Subject: Re: [SAtalk] bigevil_54 smonitor
> 
> 
> On Monday 26 January 2004 10:53 am, Chris Santerre wrote:
> > There is a '\b' before that. So it is bound. Should not hit 
> that rule ever.
> > Go ahead. Send yourself an email with that in it. Try it if 
> you don't think
> > so. :)
> 
> That's right - a '\b' followed by a 'c'
> 
> Collapse all the alternatives out and you get  
> /\bc(smonitor)\.(com)\b/ which 
> would indeed match csmonitor.com
> 
> 
> -- 
> Kelson Vibber
> SpeedGate Communications, 
> 
> 
> 
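The "collapse all the alternatives out" step from the reply quoted above can be automated and run against a list of known-legitimate domains before a rule file is published. This is an added example, not part of the thread or of bigevil.cf: `FACTORED_RULE`, the invented spam names in it and the `KNOWN_LEGIT` list are constructed here, and only the collapsed pattern and csmonitor.com come from the messages.

```python
import re

# Collapsed pattern quoted in the thread.
COLLAPSED = r"\bc(smonitor)\.(com)\b"

# Constructed rule in the same prefix-factored style. Every name except
# csmonitor.com is invented for this example.
FACTORED_RULE = (
    r"\b(?:c(?:smonitor|heapmeds-example)|p(?:illz-example))\.(?:com|net)\b"
)

# Constructed allowlist: domains a release must never hit.
KNOWN_LEGIT = ["csmonitor.com", "example.org"]


def expand(pattern):
    """Expand a regex made only of literals, groups and '|' into every
    string it can match. \\b is zero-width and contributes nothing."""
    pos = 0

    def parse_alt():
        nonlocal pos
        results = parse_seq()
        while pos < len(pattern) and pattern[pos] == "|":
            pos += 1
            results = results + parse_seq()
        return results

    def parse_seq():
        nonlocal pos
        results = [""]
        while pos < len(pattern) and pattern[pos] not in "|)":
            ch = pattern[pos]
            if ch == "(":
                pos += 1
                if pattern.startswith("?:", pos):
                    pos += 2
                choices = parse_alt()
                if pos >= len(pattern) or pattern[pos] != ")":
                    raise ValueError("unbalanced group")
                pos += 1
            elif ch == "\\":
                if pos + 1 >= len(pattern):
                    raise ValueError("dangling backslash")
                nxt = pattern[pos + 1]
                pos += 2
                choices = [""] if nxt == "b" else [nxt]
            elif ch in "*+?[]{}.^$":
                # Wildcards and quantifiers cannot be enumerated; refuse them
                # so the audit never silently under-reports.
                raise ValueError(f"unsupported construct {ch!r}")
            else:
                pos += 1
                choices = [ch]
            results = [r + c for r in results for c in choices]
        return results

    expanded = parse_alt()
    if pos != len(pattern):
        raise ValueError("unbalanced ')'")
    return expanded


def audit(pattern, legit_domains):
    """Return the legitimate domains that the rule would match exactly."""
    legit = {d.lower() for d in legit_domains}
    return sorted(d for d in expand(pattern) if d.lower() in legit)


def hits(pattern, text):
    """True when the rule fires on the given URL or body text."""
    return re.search(pattern, text, re.I) is not None


if __name__ == "__main__":
    print("collapsed form expands to:", expand(COLLAPSED))
    print("legit domains hit by the rule:", audit(FACTORED_RULE, KNOWN_LEGIT))
    # The leading \b protects a bare 'smonitor' entry, but not one that sits
    # behind a factored-out 'c' prefix.
    url = "http://www.csmonitor.com/2004/0123/"
    print("bare smonitor entry fires:", hits(r"\bsmonitor\.com\b", url))
    print("factored rule fires:", hits(FACTORED_RULE, url))
```
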


RE: [SAtalk] bigevil_54 smonitor

2004-01-26 Thread Chris Santerre
"Negative Ghostrider, the pattern is full."

:)

There is a '\b' before that. So it is bound. Should not hit that rule ever.
Go ahead. Send yourself an email with that in it. Try it if you don't think
so. :) 

Then again, maybe I should mark them as spammers... Oh, but that is for
another list ;)

--Chris

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 23, 2004 11:50 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] bigevil_54 smonitor
> 
> 
> 
> 
> smonitor in bigevil_54 would include csmonitor.com which
> is the Christian Science Monitor which I presume was
> not meant to be included with nefarious spammers.
> 
> Anthony
> 
> 


RE: [SAtalk] BigEvil PF

2004-01-26 Thread Chris Santerre
I'm sure this is an FP left over from my pull from initial scripts. I don't
remember adding them by hand. They check out as legit. They will be removed
from next update. (Which was meant for last Sat. but something came up.)

--Chris

> -Original Message-
> From: Paul Barbeau [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 23, 2004 3:02 PM
> To: Spamassassin List
> Subject: [SAtalk] BigEvil PF
> 
> 
> I am getting a lot of BigEvilList_72 (http://www.exclaimer.co.uk) FP as one
> of my group clients get mail from lawyer that uses this product. Can someone
> provide some feedback on why this is a rule so instead of just deleting it I
> now have an educated answer to my client
> 
> Thank
> Paul
> 
> 


RE: [SAtalk] Multi-line matching workarounds?

2004-01-22 Thread Chris Santerre


> -Original Message-
> From: sckot [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 3:45 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Multi-line matching workarounds?
> 
> 
>   Some archive searching has revealed that multi-line matching isn't
> available yet. Is there another way to rework this rule that I'm
> missing, using meta rules perhaps? It would single-handedly get a lot of
> spam that I get, which is consistently of the form of three "ambiguous
> product pitch:\nurl\n\n"s. My email address appears in the third URL,
> and the first two are mostly numeric.
> 
> rawbody L_3_Part_Pitch_Spam
> /.*:\nhttp:\/\/[a-z]{2}[0-9]\.\w{1,20}\.com\/([0-9]*\/)*[a-z]{1,20}\.
> htm(l)?\n\n.*:\nhttp:\/\/[a-z]{2}[0-9]\.\w{1,20}\.com\/([0-9]*
> \/)*[a-z]
> {1,20}\.htm(l)?\n\n.*:\nhttp:\/\/[a-z]{2}[0-9]\.\w{1,20}\.com\
> /([EMAIL PROTECTED]
> *\/)*\/.htm(l)?/
> describe L_3_Part_Pitch_Spam Mail has six lines, three are URLS
> 
> Thanks,
> sckot Vokes
> 

I tried similar things, but the \n never worked right. I think rawbody
doesn't see them. The only way to do this is with an EVAL function. Not a
bad idea to look at the overall length of email and see what percentage of
it is html link. SA has a rule like this, but might need some tweaking for
smaller emails?

--Chris (Already having a day from hell.) Santerre




RE: [SAtalk] Surprise mail from myself

2004-01-22 Thread Chris Santerre


> -Original Message-
> From: Brad Hazledine [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 4:44 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Surprise mail from myself
> 
> 
> 
> Has anyone written a rule that catches mail supposedly sent 
> by yourself to
> yourself?
> 
> Example here...
> 
> Received: from WIN-SYEZX91ADBP ([61.50.222.200])
> by fargo.caledoncard.com (8.12.10/8.12.10) with SMTP id
> i0L6pDT5006761
> for <[EMAIL PROTECTED]>; Wed, 21 Jan 
> 2004 01:51:14
> -0500
> Message-ID: <[EMAIL PROTECTED]>
> From: "[EMAIL PROTECTED]" 
> <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> 
> I whitelist everything from our own domain due to the fact 
> that reports
> were constantly getting marked as spam for one reason or another.
> Therefore this triggers the whitelist and the spam gets through.
> It is starting to become more frequent.
> 
> I have tried to write a rule that says "if it is from 
> yourself to yourself
> but not received from your server then clobber it".
> 
> However, the rule seems to pick up the "by 
> fargo.caledoncard.com" in the
> header and thinks that all is well.
> 
> If anyone out there has encountered this and found a way 
> around it then I
> would appreciate some input.
> 
> Thanks.
> 
> Brad
> 

header __CS_FROM_ME  From =~ /[EMAIL PROTECTED]/i
header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i
meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME
describe CS_SPAM_TRICK Spammer forged From + To my domain.
score CS_SPAM_TRICK 114.11 # Silly, isn't it? 

Change to your own email addy. Might want to change the score ;) 

Chris Santerre
System Admin
"You should never, never doubt what nobody is sure about."- Willy Wonka
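The failure described in the question above (a check that finds the local server name in the `by` clause of `Received` and concludes all is well) can be avoided by judging only the connecting IP that the local MTA recorded in the `from` clause. This is an added example, not code from the thread: the domain, host name, trusted network and both sample messages are constructed, and it assumes the topmost `Received` header is the one written by your own server.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"                            # assumption: your mail domain
LOCAL_MX = "mx.example.com"                             # assumption: your MX host name
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: your own relays

# Constructed sample: From and To both claim the local domain, but the
# connecting host is outside the trusted network.
FORGED = (
    "Received: from WIN-HOST ([203.0.113.200])\n"
    "\tby mx.example.com (8.12.10/8.12.10) with SMTP id constructed1\n"
    "\tfor <brad@example.com>; Wed, 21 Jan 2004 01:51:14 -0500\n"
    'From: "brad@example.com" <brad@example.com>\n'
    'To: "brad@example.com" <brad@example.com>\n'
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample: an internal report relayed by a trusted host.
INTERNAL = (
    "Received: from reports.example.com (reports.example.com [192.0.2.25])\n"
    "\tby mx.example.com (8.12.10/8.12.10) with ESMTP id constructed2\n"
    "\tfor <brad@example.com>; Wed, 21 Jan 2004 02:00:00 -0500\n"
    "From: reports@example.com\n"
    "To: brad@example.com\n"
    "Subject: nightly report\n\nbody\n"
)


def naive_says_local(raw):
    """The check that fails: the local host name appears in every message
    the server accepts, because the server writes it in the 'by' clause."""
    msg = message_from_string(raw)
    return any(LOCAL_MX in h for h in (msg.get_all("Received") or []))


def relay_ip(received):
    """IP of the connecting host, taken from the 'from' clause only."""
    flat = " ".join(received.split())           # unfold continuation lines
    from_clause = re.split(r"\sby\s", flat, maxsplit=1)[0]
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", from_clause)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def domain_of(header_value):
    """Lower-cased domain part of the address in a From/To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def is_forged_self_mail(raw):
    """True when From and To are both in the local domain but the message
    did not arrive from a trusted relay. An unparsable relay is untrusted."""
    msg = message_from_string(raw)
    if domain_of(msg.get("From")) != LOCAL_DOMAIN:
        return False
    if domain_of(msg.get("To")) != LOCAL_DOMAIN:
        return False
    received = msg.get_all("Received") or []
    if not received:
        return False                            # locally generated, never relayed
    ip = relay_ip(received[0])                  # topmost header: written by our MTA
    return ip is None or not any(ip in net for net in TRUSTED_NETS)


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("internal", INTERNAL)):
        print(name, "naive:", naive_says_local(raw),
              "forged-self:", is_forged_self_mail(raw))
```
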





RE: [SAtalk] v+word problem

2004-01-22 Thread Chris Santerre
Very interesting. Notice the attempt to confuse the url. Not sure if
that is an attempt at my old bigevil mining scripts.

I'll add plus66.com into bigevil for next update. MrWiggly rule is only for
that one type V-drug spam. It has had NO false positives to date. So I'm
jacking my score up to 5.0 for that rule. 

--Chris

> -Original Message-
> From: John Fleming [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 22, 2004 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] v+word problem
> 
> 
> BTW, I AM using BigEvil and Anti_Drug...
> 
> - Original Message - 
> From: "WA9ALS - John" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, January 22, 2004 7:19 AM
> Subject: [SAtalk] v+word problem
> 
> 
> > I received a dreaded v word spam that got past MRWIGGLY with a tiny spam
> > score (0.1), even with my ultraconservative threshold of 2.4, using Bayes
> > and networks etc.  Trying to put the message here for analysis bounces back
> > to me.  Where can I put it so that someone could look at it and tell me what
> > I can do to remedy these getting through?
> >
> > I guess I can put it on a website:  http://wa9als.com/spamtest.htm
> >
> > Thanks for any tips!  - John
> >
> >
> >
> >
> 
> 
> 
> 


RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-21 Thread Chris Santerre
Soon there will be one place to go ;)

> -Original Message-
> From: Frank Pineau [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 8:51 PM
> To: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> 
> >http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
> 
> 
> Thanks for the great ruleset!
> 
> I just have one niggling little request (and this really 
> applies to anyone who
> produces public rulesets):
> 
> PLEASE include the download link (or some other referring 
> link so we know where
> it came from) in the comments of the ruleset itself.  It's 
> really a pain to
> track down the link in my e-mail archives whenever I want to 
> see if there's an
> update or whatever. :-)
> 
> 


[SAtalk] New tax Phish?

2004-01-21 Thread Chris Santerre
I just got 2 of these. I'm not sure if the product is legit, but it does
look like it is. It was sent from yourdeals47.com. Which screams spam, and
is listed in a few RBLs. I'm thinking we will start seeing a lot more spam
with "Taxes" in it now.

If this product is legit and not a scam, then why oh why on earth would they
hire a spammer. Also the product's website is nowhere to be found in the
email source. Only thru a redirect.

I'm thinking the product website should be larted just for hiring the
spammers!

mesg attached. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 


-
Message-ID: <[EMAIL PROTECTED]>
From: GHD TaxAct Info <[EMAIL PROTECTED]>
To: Lisa Serrano <[EMAIL PROTECTED]>
Subject: *SPAM* Prepare your Taxes Online for Free
Date: Wed, 21 Jan 2004 12:18:31 -0500
X-Mailer: Internet Mail Service (5.5.2653.19)

  <http://bf.mocda2.com/bannerfarm/60230/woman1.gif>
 
<http://tr.yourdeals43.com/go/?rid=4002&aoent=1&uid=4324-2466559-39&srgadv=2
> Fast, Easy, & Affordable! Plan your tax strategy, prepare your return, &
file fast?all for just $8.95!
<http://tr.yourdeals43.com/go/?rid=4003&aoent=1&uid=4324-2466559-39&srgadv=2
>   

TaxACT Online Standard is your free tax software solution brought to you by
2nd Story Software, the trusted value leader in tax software. Complete your
tax return over the web faster and easier than ever! TaxACT includes
commonly used forms and schedules, and reflects all of the latest tax laws.
And, best of all, it's FREE!


TaxACT prepares & calculates your federal tax return quickly and allows you
to print your return for free?all you have to do is mail it to the IRS. Or,
to get your refund faster, e-file your return with TaxACT for only $7.95*.
Plus, you can complete your state returns with TaxACT State Editions. 


Get Started Today!


Click to register
& start your return
<http://tr.yourdeals43.com/go/?rid=4004&aoent=1&uid=4324-2466559-39&srgadv=2
> Start Now!

  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
<http://bf.mocda2.com/bannerfarm/60230/woman3.jpg>
<http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
<http://bf.mocda2.com/bannerfarm/60230/woman4.jpg>  
  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
 
<http://tr.yourdeals43.com/go/?rid=4005&aoent=1&uid=4324-2466559-39&srgadv=2
> Trusted by Millions   
?   Over 8 million TaxACT returns filed.
?   Developed by expert tax accountants and CPAs.   
 
<http://tr.yourdeals43.com/go/?rid=4006&aoent=1&uid=4324-2466559-39&srgadv=2
> Simple to Use 
?   Convenient online format
?   Easy to understand interview questions  
?   User-friendly interface 
?   If you can browse the web, you can do your own taxes with TaxACT.

  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
  <http://tr.yourdeals43.com/opened/?uid=4324-2466559-39> 



 
<http://tr.yourdeals43.com/[EMAIL PROTECTED]&uid=4324
-2466559-39&src=11> 




RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
I agree and disagree :) 

How many times have you heard this:

"I don't understand, I have antivirus software."
"When was the last time you updated it?"
"Update?"
:-)

I know tons of people with broadband connections that might be on only a few
times a week. Some don't even notice their cpu is slower. I also know some
pretty intelligent people that despite what they try, still end up with
trojans and viruses from their kid's downloads. I say that your average
middle class family will just never fully understand how to handle a
computer on the net. They are busy scratching out a living. 

It needs to be made safer by the people who understand it. I can only affect
my immediate family/friends. And despite my best efforts, they still get
whacked now and then.

Airbags make me safer. But there wasn't any way in hell I was going to
install them myself :)

--Chris

> -Original Message-
> From: Keith Dowell [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] [OT] - The current state spam.
> 
> 
> I made this point on a mimedefang list. Some people didn't 
> really like it.
> 
> Computers are too complicated for people to be responsible some said.
> 
> So I tried equating it to maintaining your car in that, if 
> your car smokes
> and causes pollution - it is NOT the manufacturers 
> responsibility to come
> fix your car. It's your responsibility to take it to the 
> nearest mechanic.
> If it smokes too much the police might just have to remove 
> you from the road
> for other peoples safety.
> 
> What I got in return to that was - Yeah sure, but doesn't relate. Auto
> manufacturers don't put out buggy cars like microsoft puts out buggy
> software.
> 
> Hmm... good point - but doesn't microsoft put out these things called
> patches? Is it not the user's responsibility to maintain their software
> (vehicle) by obtaining these patches (tune up).
> 
> I don't see how this doesn't equate. It's the same friggin 
> thing. If you are
> going to put yourself on the internet then you should be held 
> accountable
> for what happens to your computer. It isn't microsoft/linux 's
> responsibility to educate users. It's their own 
> responsibility to educate
> themselves or suffer the consequences. You have to think of 
> this in terms of
> the dsl/cable connections. Everyone is now "always on" which 
> in essence
> makes them like a little open node on the internet. The 
> government is NOT
> responsible, NOR the ISP, NOR the software manufacturer for 
> maintaining
> safety of these little nodes. I'm sorry, but I will not see 
> this any other
> way. The government doesn't know their head from their ass as 
> far as the
> internet, the ISP should only be responsible for shutting the 
> nodes down
> originating from their own network, and the software 
> manufacturers should
> make patches available when they fix bugs. The USER is/SHOULD BE held
> responsible to secure, maintain, upgrade, etc etc their 
> little node. Too
> complicated? Then they don't need to be on the net all the 
> time (or period
> for that matter as far as I'm concerned). Or they need to 
> hire a mechanic
> "PC-TECH".
> 
> All this really becomes is a whole debate of how responsible 
> should a user
> be?
> 
> I agree - the user should have responsibility. No one is/can 
> or should be
> responsible to go out and hold every little users hand, and 
> assist them with
> every little nuance of owning a computer. Maybe that sounds a 
> bit harsh, but
> I still say it's like maintaining your car. All of this 
> knowledge and info
> is freely available (some even in little paper books or cd's called
> manuals).
> 
> If you're stupid and don't read the "owners manual" for your 
> car, never
> change the oil, wear your tires bald, never change the 
> windshield wipers,
> and people force you to quit driving the vehicle, it's your OWN fault.
> 
> If you don't RTFM, do a little research, (my god -  it is NOT THAT FRIGGIN
> HARD) get the basics of owning a computer, and get your little node shut
> down because you're a friggin idiot spewing crap out on the net, because your
> computer's infected, because it got hacked, because you had no protection,
> etc etc, yadda, yadda - then it's your OWN fault.
> 
> Think logically here folks.
> 
> - Original Message - 
> From: "Pedro Sam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 20, 2004 11:44 PM
> Subject: Re: [SAtalk] [OT] - The current state spam.
> 
> 
> > I take an opposite view point.  ISP's should disable a 
> user's account, if
> that
> > account is found to be launching any malicious attacks, 
> regardless of
> whether
> > that account was intentionally malicious or was simply hacked.
> >
> > It's time people own up to the responsibility of a presence on the
> internet.
> >
> > -- 
> > In those days he was wiser than he is now -- he used to 
> frequently take
> > my advice.
> > -- Winsto

RE: [SAtalk] Another one for BigEvil

2004-01-21 Thread Chris Santerre
aaap :)

Just send them to me offlist. However FP reports you might want to copy
here. As I remove them from the NEXT update. But people might want to remove
them right away. They still trickle in now and then. 

--Chris (bored today for some reason) 

> -Original Message-
> From: AltGrendel [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 10:20 AM
> To: SA-Talk
> Subject: Re: [SAtalk] Another one for BigEvil
> 
> 
> On Wed, 2004-01-21 at 09:33, Rubin Bennett wrote:
> > Sneaky bastard... got through with a 4.7
> 
> Chris:
> 
> Would you prefer that we email you this stuff offlist? I have 
> a few too,
> but I don't want to contribute to the line noise on this list.
> 
> -- 
> AltGrendel <[EMAIL PROTECTED]>
> 
> 
> 


RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
Yeah, we have had this same conversation on another list a week ago. We are
saying by DEFAULT an ISP should block the ports, BUT it should be removed
if asked, and FREE of charge. I'm sure the percentage of users who would
request it would be like 5%. Then it would be easy to monitor traffic (not
data) of those 5%.

ISPs used to complain about the costs of hardware vs. traffic. I'd say this
would help them in the long run. Don't raise my broadband bill, decrease the
spam traffic on your net!

--Chris

> -Original Message-
> From: James [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 10:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] [OT] - The current state spam.
> 
> 
> Not to flame anyone, but I sure do hope my isp never blocks ports. I
> don't pay for obstructed internet access.  I do run a small 
> mail server
> from my home dsl connection.  I allow family members to use 
> that to send
> to/from.  The local cable provider here (Brighthouse) just 
> about blocks
> all inbound ports.  This is fine for the normal internet user, but for
> those of us who know what we are doing this hurts us.  If my 
> isp were to
> block ports, that would hinder on what I am doing.  I don't have a
> professional dsl line (3x as much as residential) and in 
> order for me to
> get a professional line, I would need to buy a professional phone
> service from the phone co (again, 3x the price).  A whole lot 
> of bloat I
> don't need nor want.  My modem has a very good firewall built in and
> uses nat.  This is the normal, default setup.  The isp doesn't provide
> any solutions in overriding it, but is allowed.  I use an internal
> router with nat instead of the modem's built in.  I think 
> this is a much
> better way of blocking ports than isp's blocking ports.  If 
> isp's set up
> this feature properly, then allow us advanced users to "unlock" so to
> speak, this is more desirable IMHO. This technology obviously 
> exists and
> I think is a much better option.
> 
> Thanks, 
> James 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Pierre Thomson
> Sent: Wednesday, January 21, 2004 10:13 AM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] [OT] - The current state spam.
> 
> It's not strictly a spam measurement, but www.senderbase.org has
> excellent real-time lists of outbound mail volume by ISP and 
> IP address.
> 
> Pierre
> 
> 
> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 10:08 AM
> To: 'Fred'; AltGrendel; Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] [OT] - The current state spam.
> 
> ...
> I'm trying to find some stats on spam origins. Particularly by ISP. I see
> very little spam coming from cox.net cable modems vs. a buttload from
> Comcast. Would be nice to know the biggest ones and start a movement one at
> a time to get this problem fixed. If I've learned anything from this list,
> it's a group has a far better chance of getting things done than 1 person. 
> 
> Consider me with you Fred.
> 
> --Chris 
> 
> 
> 




RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre


> -Original Message-
> From: Fred [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 9:39 AM
> To: AltGrendel; Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] [OT] - The current state spam.
> 
> 
> AltGrendel wrote:
> > On Tue, 2004-01-20 at 18:28, Fred wrote:
> >>
> >> I can not imagine what it would be like to work for an abuse dept. at
> >> an internet company and receive hundreds or thousands of complaints
> >> about customers computers being hijacked or turned into spam zombies.
> >>
> > Non-original joke:
> >
> > I think that job is usually assigned to /Dave/Null.
> 
> 
> That's what I'm all worked up about.  If these large broadband providers
> were more pro-active a lot of things would be different.
> Take the following events for example:
> Massive DDOS attacks which take down large sites like yahoo.com and many
> others.
> Massive Habeas forgery causing mass-confusion on why people are seeing spam.
> (majority cable / dsl zombies)
> Preventing those people who choose to use our computers without our
> permission and knowledge.
> Most people I know have to pay for their cable & DSL connection and they pay
> way too much money for it.
> 
> Maybe a simple solution would be making the cable / dsl customers receive
> a new IP address every 2 hours?
> I am sure this will anger many but would make spam advertised sites go down
> much faster.
> 
> Give all cable / dsl a private IP address and allow real IP if requested.
> Those who are not familiar with the internet tend to get themselves into
> trouble by accident.  Protected behind a private IP would protect them from
> many of the issues I'm upset about.  That alone would have helped to prevent
> spread of Blaster type worms.  Why leave un-knowing people in front of the
> defenses when they don't even know a war is being waged.
> 
> From a little research I find that cable & dsl are being used for hosting the
> spam content as well as DNS hosting for their domains and also for sending
> the spam messages.  If we take out that massive source of zombies the
> spammers would be in deep trouble.  They would be forced to pay for hosting,
> or hack into companies / schools which would make them more likely to be
> caught.  Or funnier yet, hack modems for hosting, that'll be the day!
> 
> If I'm going after a website for spamming me I target the following in
> order:
> Step 1: Whois records, against valid contact information.  Many registrars
> say they will suspend a domain for invalid contact records.
> Step 2: Next comes DNS servers.  Check the domain name on the dns servers
> and attempt step 1.
> Step 3: Netblock of website.  Most times I find a massive listing of cable /
> dsl zombies used for hosting website.
> Step 4: Netblock of DNS provider.  Same results of step 3 found.
> Step 5: Get mad and give up.  Re-think attack and plan new methods.
> 
> 
> Frederic Tarasevicius
> 

I also try the same. Some ISPs are useless to try to talk to, Above.net.
They will end up blacklisting the complainee! (Is that a word?) :)

I'm trying to find some stats on spam origins. Particularly by ISP. I see
very little spam coming from cox.net cable modems vs. a buttload from
Comcast. Would be nice to know the biggest ones and start a movement one at
a time to get this problem fixed. If I've learned anything from this list,
it's a group has a far better chance of getting things done than 1 person. 

Consider me with you Fred.

--Chris 




RE: [SAtalk] More obfuscation

2004-01-20 Thread Chris Santerre
I'm not sure where the post is, but about 3 weeks ago I think Dallas put a
semi-end to the spell-checker debate :) He ran one and the outcome wasn't so
good. 

--Chris

> -Original Message-
> From: Charles Gregory [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 4:37 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] More obfuscation
> 
> 
> 
> I'm starting to see mail with TEXT obfuscation, such as:
>    I heard you need viagrPa. 
> Note the capital P thrown in to our favorite 'v' word.
> It is really beginning to look like we need a genuine spelling checker, or
> some sort of 'approximation' technology, if such exists. There is no
> 'pattern' I can think of to defeat this mis-spelling spam in any other
> way.
> 
> - Charles
> 
> 
> 
> 
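
The 'approximation' matching asked about in this thread, as an added example
that is not code from any poster or from SpamAssassin: each word of the
message is compared with a watchlist by bounded edit distance. The one-word
watchlist, the function names and the second sample sentence are assumptions
made for the illustration.

```python
import re

# Constructed one-entry watchlist; the word is the one from the post above.
WATCHLIST = ("viagra",)


def edit_distance(a, b, limit):
    """Levenshtein distance between a and b, capped at limit + 1.

    Stops early once every cell in the current row exceeds the limit,
    so long non-matching words cost very little.
    """
    if abs(len(a) - len(b)) > limit:
        return limit + 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # drop a character of a
                           cur[j - 1] + 1,              # insert a character of b
                           prev[j - 1] + (ca != cb)))   # substitute (0 if equal)
        if min(cur) > limit:
            return limit + 1
        prev = cur
    return min(prev[-1], limit + 1)


def fuzzy_hits(text, max_edits=1):
    """Return (token, keyword, distance) for every word within max_edits
    of a watchlist entry. Matching is case-insensitive, which is what
    makes the inserted capital letter irrelevant."""
    hits = []
    for token in re.findall(r"[A-Za-z]+", text):
        low = token.lower()
        for keyword in WATCHLIST:
            d = edit_distance(low, keyword, max_edits)
            if d <= max_edits:
                hits.append((token, keyword, d))
    return hits


if __name__ == "__main__":
    # Sample from the post: one inserted letter, so distance 1.
    print(fuzzy_hits("I heard you need viagrPa."))
    # Constructed ham sentence: clean at one edit, flagged at two.
    print(fuzzy_hits("We toured Niagara Falls."))
    print(fuzzy_hits("We toured Niagara Falls.", max_edits=2))
```

The tolerance is the whole trade-off: one edit catches the inserted letter,
while two edits already flag an ordinary word in the constructed ham sentence.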




RE: [SAtalk] how many spam/ham do I have in my bayes db?

2004-01-20 Thread Chris Santerre


> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 4:04 PM
> To: Adrian Simmons
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] how many spam/ham do I have in my bayes db?
> 
> 
> At 03:36 PM 1/20/2004, Adrian Simmons wrote:
> >Ralf Vitasek wrote:
> >
> > > in case you have SA 2.6x
> > > then just type "sa-learn --dump magic"
> >Ah, yes, exactly. And now that I re-read the man page that seems obvious. 
> >I put my lack of understanding down to the non-intuitiveness of the term 
> >'magic' :) Well, at least for me.
> 
> 
> The above statement is rather amusing when you re-read your original
> question..
> 
> "one could probably dump the db and go hunting for the magic numbers"
> 
> Apparently you only subconsciously knew what the term "magic" meant :)
> 
> 
> >Thanks to Ralf and Matt who both suggested this.
> 
> YW. 
> 

I agree, "magic" is a little confusing. I suggest the devs change it to
"one_ring_to_bind_them_all". That should clear it up for some. :)

--Chris(Wishes to take our 1970s 'business' software for a visit to Mr.
DevNull!) Santerre




[SAtalk] Bigevil updated again :)

2004-01-20 Thread Chris Santerre
Just posted 2.06M which contains 1 single additional entry for:

oem-expert.biz

Why just for one domain? Because they are doing a dictionary attack on a
fellow list member resulting in a DOS. 

Let the larting begin!

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] Automated ruleset download

2004-01-20 Thread Chris Santerre




http://sandgnat.com/cmos/rules_du_jour

I save WY too many emails :)

--Chris

> -Original Message-
> From: JRiley [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 1:52 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Automated ruleset download
> 
> Just curious, if there is a script (be it perl or otherwise), that anyone
> has written, that will perform an automated 'download' of the different
> SARE (or other) SA rulesets?
> I wouldn't think this would be too difficult to do, and have a scheduled
> restart of the MTA calling SA to implement it.
> 
> thanks
> -JR


[SAtalk] Bigevil update 2.06L

2004-01-20 Thread Chris Santerre
Just posted 2.60L.

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




[SAtalk] mdpillsource.com using trojaned machines.....

2004-01-20 Thread Chris Santerre
I've been tagging a lot of mdpillsource.com spam. They don't hit bigevil
because there is no URI in the text format. However the spam hits a ton of
other rules. One thing I noticed is this spammer must be using trojaned
machines. The last one came in from:

dhcp-v53-89.cudenver.edu [132.194.53.89])

and a bunch more from possible open relays. This guy is sending from all
over and at a good rate. I suggest a separate (raw)?body rule for him. 

body MY_PILLSOURCE /mdpillsource\.com/
describe MY_PILLSOURCE Log on Ventures Dirtbag.
score MY_PILLSOURCE 4.0 # Because no one rule should make it spam. 


More info:

Registrant:
   Log On Ventures Inc.
   28 Regent St.
   Belize City 0
   Belize

   Registered through: International Global Media
   Domain Name: MDPILLSOURCE.COM
  Created on: 24-Nov-03
  Expires on: 24-Nov-04
  Last Updated on: 12-Dec-03

   Administrative Contact:
  Ventures Inc., Log On  [EMAIL PROTECTED]
  28 Regent St.
  Belize City 0
  Belize
  4156341323  Fax -- 4156341323
   Technical Contact:
  Ventures Inc., Log On  [EMAIL PROTECTED]
  28 Regent St.
  Belize City 0
  Belize
  4156341323  Fax -- 4156341323

   Domain servers in listed order:
  NS0O01.GOODWEBRX.COM
  NS0O01.MYEFUTURE.NET


Chris Santerre 




RE: [SAtalk] Schools Slapped? FVGT

2004-01-20 Thread Chris Santerre
> -Original Message-
> From: Scott Williams , Area4 [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 9:50 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Schools Slapped? FVGT
> 
> 
> I just started using the  FVGT rules and got this FP.
> Do I understand this right, the rule below penalizes (scores high) anyone
> with a .us domain?
> 
> Many schools across the country use the   .k12.ss.us  format where ss is
> their state two letter identifier.
> 
>   thanks
> 
> SCott
> 2.4 FVGT_u_BZ_TLD  URI: FVGT - Contains a URL in the BZ, TC, US or WS top-level domain
> 

Yup, this is correct. We are going thru all the rules in the SARE and will
probably rescore them all based on RM's formula. This one seems a tad high :) I
would lower that to around .45-.65 for my taste. 

HTH

--Chris




RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
Bah! What was that quote? Something about real men put their files on the
internet and letting the world be their backup? Theo has it. :)

--Chris (OH I hate EDI! Standard my #$^!)

> -Original Message-
> From: Gary Smith [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 4:21 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [SAtalk] BigEvil Archive
> 
> 
> Chris, 
> 
> Not to sound real bad but you should also be making your own local
> copies.  I have scripted the download, compare, copy if different and
> then archive.  I run it every hour.  If there is ever a problem I can
> just go to one of my archives and then recover.
> 
> You should probably consider doing something similar.  Not to say that
> Chris S. would ever give you a bad file but sometimes the transfer agent
> will do this...  Plus you can also check for any errors prior to putting
> the file into place (if you didn't get a status 200 then there was a
> problem).
> 
> That's just my $0.02.  Your mileage might vary.
> 
> Gary Smith
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Carl
> Chipman
> Sent: Monday, January 19, 2004 11:45 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] BigEvil Archive
> 
> Does anyone have an older copy of BigEvil.cf?  I downloaded today's, and my
> Kerio mail server wouldn't start...
> 
> 
> Carl Chipman
> Nomadics, Inc.
> [EMAIL PROTECTED]
> http://www.nomadics.com
> 
> 
> 
> 
> 
> 




RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre


> -Original Message-
> From: SpamTalk [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 3:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] BigEvil Archive
> 
> 
> > -Original Message-----
> > From: Chris Santerre [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, January 19, 2004 2:12 PM
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> > Subject: RE: [SAtalk] BigEvil Archive
> > 
> > Huh? That was posted 2 days ago! And I had tested it longer 
> > than that! If there was an error, I would have heard about it 
> > within an hour of posting.
> > What kind of errors in the log? Anyone else having a problem?
> > 
> > --Chris
> > 
> > > -Original Message-
> > > From: Carl Chipman [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 19, 2004 2:45 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [SAtalk] BigEvil Archive
> > > 
> > > 
> > > Does anyone have an older copy of BigEvil.cf?  I downloaded today's, 
> > > and my Kerio mail server wouldn't start...
> > > 
> > > 
> > > Carl Chipman
> > > Nomadics, Inc.
> > > [EMAIL PROTECTED]
> > > http://www.nomadics.com
> 
> How often might partial downloads occur?
> Maybe just zip the file, the unzip should yell if it is corrupt.
> Shouldn't be hard to modify the rule_du_jure script to accommodate zipped
> .cf files/
> 
> 

There is a "#EOF" at the end of the file to make sure it is completely
downloaded. Maybe that could be searched for?

--Chris
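
The checks discussed in the BigEvil Archive and Automated ruleset download
threads (status 200, the "#EOF" trailer, compare, archive, then copy into
place), put together as an added example; it is not the rules_du_jour script
or any poster's code. The function names, result strings and the constructed
sample rule files are assumptions made for the illustration.

```python
import os
import shutil
import tempfile
import time

EOF_MARKER = "#EOF"  # trailer that the post says ends bigevil.cf


def is_complete(data):
    """True when the last non-blank line of the download is the #EOF trailer."""
    lines = [ln.strip() for ln in data.decode("utf-8", "replace").splitlines()]
    lines = [ln for ln in lines if ln]
    return bool(lines) and lines[-1] == EOF_MARKER


def update_ruleset(status, body, live_path, archive_dir):
    """Decide what to do with one fetched copy of a ruleset.

    Returns 'rejected-http', 'rejected-truncated', 'unchanged' or 'installed'.
    The live file is only ever replaced by a complete, different copy.
    """
    if status != 200:
        return "rejected-http"
    if not is_complete(body):
        return "rejected-truncated"
    old = None
    if os.path.exists(live_path):
        with open(live_path, "rb") as fh:
            old = fh.read()
        if old == body:
            return "unchanged"
        # Keep the copy that was working, so there is something to roll back to.
        os.makedirs(archive_dir, exist_ok=True)
        stamp = time.strftime("%Y%m%dT%H%M%S")
        name = "%s.%s" % (os.path.basename(live_path), stamp)
        shutil.copy2(live_path, os.path.join(archive_dir, name))
    # Write beside the live file, then rename: readers never see a half file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(live_path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, live_path)
    return "installed"


def demo():
    """Run five fetch outcomes against constructed rule files in a temp dir."""
    v1 = b"# constructed sample ruleset v1\nscore EXAMPLE_RULE 1.0\n#EOF\n"
    v2 = b"# constructed sample ruleset v2\nscore EXAMPLE_RULE 2.0\n#EOF\n"
    truncated = v2[:-10]  # transfer cut off before the trailer arrived
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "bigevil.cf")
        arch = os.path.join(d, "archive")
        results = [
            update_ruleset(200, v1, live, arch),            # first install
            update_ruleset(200, v1, live, arch),            # nothing new
            update_ruleset(404, b"Not Found", live, arch),  # error page
            update_ruleset(200, truncated, live, arch),     # partial download
            update_ruleset(200, v2, live, arch),            # real update
        ]
        with open(live, "rb") as fh:
            final_is_v2 = fh.read() == v2
        archived = len(os.listdir(arch))
    return results, final_is_v2, archived


if __name__ == "__main__":
    print(demo())
```

A syntax check of the staged file (spamassassin --lint, for example) fits
between the #EOF check and the rename, before anything restarts the MTA.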




RE: [SAtalk] Three that got through yesterday

2004-01-19 Thread Chris Santerre


> -Original Message-
> From: Evan Platt [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 12:36 PM
> To: SpamAssassin
> Subject: Re: [SAtalk] Three that got through yesterday
> 
> 
> 
> 
> --On Monday, January 19, 2004 10:51 AM -0500 "Christopher X. Candreva"
> <[EMAIL PROTECTED]> wrote:
> 
> > Example - one had a subject:
> > Subject: mail Real brutal other porn with see young girls most
> 
> Yoda has turned to the dark side and started spamming. :)
> 
> Evan
> 
> 

Ahahahahahahah I can see him at the keyboard now, with a cig hanging from
his mouth and a bottle of JD in one hand! OH man. I need to photoshop a
pic like that!

Thanks for the laugh! I needed it today as well! Sprinkler pipe in building
froze and burst over the weekend. 1 CPU gone. *whew* 

--Chris (Pats by 10 points in Texas!) 




RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
Huh? That was posted 2 days ago! And I had tested it longer than that! If
there was an error, I would have heard about it within an hour of posting.
What kind of errors in the log? Anyone else having a problem?

--Chris

> -Original Message-
> From: Carl Chipman [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 2:45 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] BigEvil Archive
> 
> 
> Does anyone have an older copy of BigEvil.cf?  I downloaded today's, and my
> Kerio mail server wouldn't start...
> 
> 
> Carl Chipman
> Nomadics, Inc.
> [EMAIL PROTECTED]
> http://www.nomadics.com
> 
> 
> 
> 
> 
> 




RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-19 Thread Chris Santerre
That is a completely different set of rules all together. Not really a set,
more like a collection. Soon there will be one cf file with all the heavy
hitters from the whole SARE created. Sorted in order of lethality as well.
I'm trying to prune the low hanging fruit rules first. 

So you can go ahead and grab the 90_FVGT.cf rules.

--Chris


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 11:22 AM
> To: [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> Chris,
> 
> What about http://www.merchantsoverseas.com/wwwroot/gorilla/90_FVGT.cf file
> you submitted?  Is that rule set superseded by bigevil and tripwire?
> 
> thanks,
> Donald
> 
> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 17, 2004 10:18 PM
> To: Spamassassin-Talk (E-mail)
> Subject: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> I actually thawed out! And so did my car!! Yup, it actually FROZE while I
> was driving around 80 mph! No damage at all! Oh happy day :) So everyone in
> the cold go out and check your water/antifreeze ratio. And ALWAYS let your
> car warm-up before driving like a mad person ;) 
> 
> Anywho, like the subject says, these 2 files are updated. The Tripwire file
> is almost half the size it was before!
> 
> Lots of good changes coming down the pipe for SARE. Clean up of old stuff
> going on now. Go easy on those auto update scripts ;)
> 
> Link in sig, it's late and I'm tired. If you don't know where to find them
> by now, you must be under a rock (Or a Colts Fan!) ;) Go Pats! 
> 
> Chris Santerre 
> System Admin and SA Custom Rules Emporium keeper 
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
> 'It is not the strongest of the species that survives,
> not the most intelligent, but the one most responsive to change.'
> Charles Darwin 
> 




RE: [SAtalk] Re: Resolving and hat-checking spamvertised URLs...

2004-01-19 Thread Chris Santerre
I was hoping more people would be running this by now. What is the average
scan time per msg when using this? Any timeouts?  I know this was being
worked on for 2.70, but heck you got it here as a patch already! 

--Chris (Really needs to upgrade but still proving a point.)

> -Original Message-
> From: Jonas Eckerman [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 9:01 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: Resolving and hat-checking spamvertised URLs...
> 
> 
> > My patch against SpamAssassin 2.60 (Debian/unstable: 2.60-2)
> > http://docsnyder.de/nospam/sa_check_blackhat_isps.patch.gz
> 
> Just thought I'd tell you that I've just applied the patch to SpamAssassin 2.62
> (plain tar.gz-distro, no rpm/package).
> 
> The patch worked fine, SpamAssassin seems to work, and so far one mail has
> triggered a URIIP test.
> 
> I've only been running with the patch for a few minutes, so I can't know whether
> it created any problems yet. If I do find any problems, I'll come back and tell
> you about it.
> 
> Regards
> /Jonas
> 
> 
> 
> 




RE: [SAtalk] Re: [RD] Offered Rules

2004-01-19 Thread Chris Santerre
Inline below

> -Original Message-
> From: Robert Menschel [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 11:02 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: [RD] Offered Rules
> 
> 
> Here's my next set of possible rules for submission to the SpamAssassin
> distribution set.
> 
> URI rules may tend to be more transient than other types of rules, since
> it's so easy for spammers to change domain names. I'm therefore including
> only those that hit at least 0.15% of my spam. Well, the pillsavings rule
> has hit several domains over several months, so that one I'll keep in,
> though it's not quite 0.15%. Ditto the href= rule.
> 
> Feedback and/or mass-checks on these before formal submission are
> invited.
> 
> Bob Menschel
> 
> 
*snip URI rules*

This is just my opinion, but I dislike putting temp rules into a distro.
Things like Paris, Hilton, Saddam playing cards, and URIs. I think a distro
could be around much longer than any of these temp things. So many people
would be wasting CPU cycles and memory. 

Some ISPs use 2.4x still. If that had a rule for the OJ simpsons case and
they had a few 1000 users :)

I'm still trying to figure out how I'm going to expire domains in bigevil!

> 
> uri       RM_up_hrefinuri        /href=/i
> describe  RM_up_hrefinuri        link includes href within code
> score     RM_up_hrefinuri        3.000  # 106s/0h of 92209 corpus (74874s/17335h) 01/17/04
> 
> uri       RE_uwd_DefaultAsp      /\/default\.asp\?id\=/i
> describe  RE_uwd_DefaultAsp      Contains a likely spammer default.asp link.
> score     RE_uwd_DefaultAsp      4.500  # type=spamp - 1137s/0h of 92209 corpus (74874s/17335h) 01/17/04
> 
> uri       RM_uwd_defaultN        /\/default\d{1,5}\.htm/i
> describe  RM_uwd_defaultN        text points to sequentially numbered "default" page
> score     RM_uwd_defaultN        3.000  # 1322s/2h of 92209 corpus (74874s/17335h) 01/17/04
>           # ham: 1999 (1), 2003: http://movies.fantasticfactory.com/dagon/default8.htm in ToS email.
> 
> uri       RM_uwd_UnsubscribePHP  /unsubscribe\.php/i
> describe  RM_uwd_UnsubscribePHP  text uri to unsubscribe link
> score     RM_uwd_UnsubscribePHP  3.000  # 236s/0h of 92209 corpus (74874s/17335h) 01/17/04
> 

These last four rules are SURPRISING! I would never have guessed those
results! Looks good! 

--Chris




RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-18 Thread Chris Santerre
Thanks for the list. Many are already in the latest update. I do look at
what people send me. Because I use a bunch of DNSBLs I don't see as many
spams as others. I also may have anywhere from 1-5 days lag between when I
(We, you, etc.) get the spam and when I update. This is due to testing,
having to complete work for my real job, and maybe some time with the family
;)

I'll take a look at all of these. I prefer to have an example of each spam
that I'm adding to the list. This way if someone asks, I can show them :)

--Chris


> -Original Message-
> From: David A. Carter [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 12:18 PM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> Quoting Chris Santerre <[EMAIL PROTECTED]>:
> 
> > Anywho, like the subject says, these 2 files are updated. The Tripwire
> > file is almost half the size it was before!
> 
> Sorry if this is a FAQ; couldn't see a definitive answer in the archives. I
> have a very small list of domains that I get tons of spam from which aren't
> in bigevil. Should I send you my list of domains, or do you need more than
> that, such as example spam from the domains in question? 
> 
> In any case, here's my list. I didn't find any of these in the latest bigevil:
> 
> uri CarterEvilList_1 /\b(?:tooshortz\.us|pharmawarehouse\.biz|timezsquarepatry\.com|countupandlookaway\.com|56x\.com|540000x\.com|2006hosting\.com|2005hosting\.com|valuepointmeds\.biz|holdontrywow\.com|pharmacourt\.biz|thatrxstore\.biz|pharmacyco\.com|ezadvertising\.us)\b/i
> describe CarterEvilList_1   Generated CarterEvilList_1
> score CarterEvilList_1  3.0
>  
> Regards;
> 
> DaC
> 
> 




RE: [SAtalk] Image-ONLY e-mails not filtered?

2004-01-17 Thread Chris Santerre


> -Original Message-
> From: Fred [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 17, 2004 3:54 PM
> To: [EMAIL PROTECTED]
> Cc: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] Image-ONLY e-mails not filtered?
> 
> 
> [EMAIL PROTECTED] wrote:
> > FYI -- I'm noticing SPAMs which contain ONLY an image are not being
> > filtered at all. Specifically, the HTML message only contains simple
> > open/close BODY and HTML tags with just the IMG SRC tag in the middle
> > - which in turn loads a spam-related promotion from somewhere... I
> > was assuming this type of e-mail should be a huge red-flag and/or
> > filtered under the existing "this is an HTML message" rules, but it
> > doesn't appear to be.
> >
> > 
> >  > href="http://www.richdd.com?rid=**somenumber**";> > src="http://www.canzzd.com/v9.gif"; border=0>
> > 
> >
> >
> 
> Try this out for size, they are a few custom rules I have created myself.
> 
> # Catch Image ONLY spams!
> rawbody  __FVGT_rb_HTML_HAS_AHREF   eval:html_tag_exists('a')
> rawbody  __FVGT_rb_HTML_HAS_IMG     eval:html_tag_exists('img')
> full     __FVGT_rb_HTML_LEN_80_375  /<(?:html|body).{80,375}<\/(?:body|html)>/is
> full     __FVGT_rb_A_THEN_IMG       /
> meta     FVGT_m_IMAGE_ONLY_SPAM     (__FVGT_rb_HTML_LEN_80_375 && __FVGT_rb_HTML_HAS_AHREF && __FVGT_rb_HTML_HAS_IMG && __FVGT_rb_A_THEN_IMG)
> describe FVGT_m_IMAGE_ONLY_SPAM     Short HTML message with IMG and A HREF
> score    FVGT_m_IMAGE_ONLY_SPAM     3.5
> 
> 
> The size of 80,375 might need to be tweaked but this rule does what you are
> looking for!
> 
>
Just curious, but is the eval:html_tag_exists('a') rule SA 2.60 or better?

--Chris
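
An added example, not part of the original thread and not SpamAssassin code: the four conditions of the quoted meta rule restated in Python and run over three constructed messages. The regex for `__FVGT_rb_A_THEN_IMG` did not survive in this archive, so the check used here (an `<img>` nested inside an open `<a>`) is an assumption, as are all sample hostnames.

```python
import re
from html.parser import HTMLParser

# Same pattern as __FVGT_rb_HTML_LEN_80_375 in the quoted rules: 80-375
# characters between the opening html/body tag and the closing one.
SHORT_HTML = re.compile(r"<(?:html|body).{80,375}</(?:body|html)>", re.I | re.S)


class TagScan(HTMLParser):
    """Collect the tags seen and whether an <img> sits inside an open <a>."""

    def __init__(self):
        super().__init__()
        self.tags = set()
        self.open_anchors = 0
        self.img_in_anchor = False

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        if tag == "a":
            self.open_anchors += 1
        elif tag == "img" and self.open_anchors > 0:
            self.img_in_anchor = True

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors > 0:
            self.open_anchors -= 1


def image_only_checks(html):
    """Return each sub-check plus 'hit', the AND of all four (like the meta rule)."""
    scan = TagScan()
    scan.feed(html)
    scan.close()
    checks = {
        "short_html": SHORT_HTML.search(html) is not None,
        "has_a": "a" in scan.tags,
        "has_img": "img" in scan.tags,
        "a_then_img": scan.img_in_anchor,  # assumed meaning of the lost regex
    }
    checks["hit"] = all(checks.values())
    return checks


# Constructed samples (hostnames are placeholders).
SPAM = (
    "<html><body>\n"
    '<a href="http://spam.example/?rid=12345">'
    '<img src="http://img.example/v9.gif" border=0></a>\n'
    "</body></html>"
)
# Long legitimate mail: has a linked image, but far more than 375 characters.
NEWSLETTER = (
    "<html><body><p>" + "word " * 100 + "</p>"
    '<a href="http://news.example/"><img src="http://news.example/l.gif"></a>'
    "</body></html>"
)
# Short legitimate mail: a logo and a separate text link, image not clickable.
INVOICE = (
    '<html><body><img src="http://img.example/logo.gif">'
    '<p>Invoice attached, see <a href="http://shop.example/orders">'
    "your orders</a></p></body></html>"
)

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("newsletter", NEWSLETTER), ("invoice", INVOICE)):
        print(name, image_only_checks(msg))
```

Only the first sample satisfies all four conditions; the newsletter fails the length window and the invoice fails the link-wraps-image check, which is why the meta rule needs every sub-rule rather than just the two tag tests.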




[SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-17 Thread Chris Santerre
I actually thawed out! And so did my car!! Yup, it actually FROZE while I
was driving around 80 mph! No damage at all! Oh happy day :) So everyone in
the cold go out and check your water/antifreeze ratio. And ALWAYS let your
car warm-up before driving like a mad person ;) 

Anywho, like the subject says, these 2 files are updated. The Tripwire file
is almost half the size it was before!

Lots of good changes coming down the pipe for SARE. Clean up of old stuff
going on now. Go easy on those auto update scripts ;)

Link in sig, it's late and I'm tired. If you don't know where to find them
by now, you must be under a rock (Or a Colts Fan!) ;) Go Pats! 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] (OT) Spam Conference 2004 re-cap?

2004-01-17 Thread Chris Santerre


> -Original Message-
> From: Gary Funck [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 17, 2004 9:39 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] (OT) Spam Conference 2004 re-cap?
> 
> 
> 
> >
> > There was an excellent presentation by John Graham-Cumming at the
> > 2004 Spam Conference about this and how your experience is what most
> > people find.  The issue being that spammers don't know what 
> tokens are
> > considered hammy in your Bayes DB, so random dictionary 
> words tend to fail
> > very easily and other "bayes poison" doesn't usually get 
> that far either.
> >
> 
> Any one have a pointer to a web-blog, or "trip report" 
> somewhere summarizing
> what went on
> at the Spam Conference 2004?
> 
>

OK, I'm going to give it a try. But anyone can see the whole archived
webcast at www.spamconference.com under webcast.

LOTS of stuff to digest. Some was just analysis on spam and such. One
presenter doesn't even use any antispam software!? 

I'll try to cover some stuff that will help the SA community.

1) Over the years spam actually HAS NOT changed that much. Meaning people
were able to find at least 10 things common with spam thru the last 3 years.
I think that was the gist of the 1st presenter anyway. 
2) Bayes Chains. This was something obvious that I thought was already used.
I don't use bayes so I haven't fully dived into reading on it. But
apparently it will use word tokens. Well to me that is like a word rule! So
guess what a bayes Chain is? Yup, more like a token for a phrase. And,
SURPRISE, it is more accurate! :) Good news.
3) ANYONE who uses Bayes should view the last presentation! 1st time I've
had to use my calculus since college :) But you don't need to know that
stuff. But it helps show what is going on with your bayes DB. Shifting and
such. Very good info. His big deal was to remove "Carrier words" from the
Bayes DB. Which were words that had very low percentages, or were found in
both spam/ham. Thus removing some overlap causing FPs. He doesn't go into
detail as it isn't open source...I think. ALSO a GREAT idea for businesses
was to feed OUTGOING ham into the DB! Builds up a custom Dictionary quick. 
4) Many filters will get to 99% accuracy. The problem after that is simply
users disagreeing on the email.
5) The only filter discussion was on filtering URLs! Hurray for Bigevil! (No
it wasn't mentioned. Darn brightmail!) :) Unless I forgot one. A lot of
discussion about the study of spam and the findings. One good thing was that
a HUGE %, almost all, of spam was in English. I expected maybe some talk on
linguistical analysis, but none. (Fred and Dallas are on the right track
with this stuff.) And if you don't do any email with China or Russia, yeah
blocking would be good ;)
6) Non SA stuff. Stopping the email at the SMTP level was discussed a lot.
Some really good ideas. One was SPF (I think, sorry there was a lot!) It adds
DNS records to domains. The records show all IP addresses involved with
sending email for that domain. So when someone gets an email they can query
the DNS record to see if the IP matches. This caused quite the discussion of
the audience ;) I like the idea.
7) Non SA. One guy from Hawaii had a pretty cool idea. He uses a more
intelligent Disposable email system. However it really isn't disposable. It
can do things like allow only the next 3 domains to use this email. Or
'lock' the address so that people who have already used can email, but no
new. And of course, challenge response. 
8) Non SA. Challenge response systems were discussed. Many different kinds.
Some that pay you! Lots of possible problems with these systems. The biggest
being virus machines harvesting emails. I mean the ideas as far as
Challenge response goes were good. But still flawed in my eyes. They even had
plans for slowly bringing the system into action. So the whole internet
didn't have to change. 
9) Inoculation. Nice idea. Kind of like spamcop. Community reports, and
helps others. But more like a P2P setup. 

There was a LOT of stuff. Sorry if I missed some key points. One thing I
have to say is that SA is right there with everyone else. I see about 99%
caught spam WITHOUT bayes and an OLD version! Yeah it has been tweaked and
custom rules up the wazoo, but still! SA was mentioned a few times of
course. :)

There are some other small things I still want to digest and talk to the rule
writers about. Talk about becoming less reactive got me thinking on some
stuff. I urge anyone with the time to view the webcasts. I understood a HELL
of a lot more than last year ;)

Hopefully I'll make it next year!


Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the

RE: [SAtalk] Image-ONLY e-mails not filtered?

2004-01-17 Thread Chris Santerre


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 8:08 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Image-ONLY e-mails not filtered?
> 
> 
> FYI -- I'm noticing SPAMs which contain ONLY an image are not 
> being filtered
> at all. Specifically, the HTML message only contains simple 
> open/close BODY
> and HTML tags with just the IMG SRC tag in the middle - which 
> in turn loads
> a spam-related promotion from somewhere... I was assuming this type of
> e-mail should be a huge red-flag and/or filtered under the 
> existing "this is
> an HTML message" rules, but it doesn't appear to be.
> 
> Sorry I don't know the product version as I didn't install 
> this, but it's
> one of the more recent releases. Also, here's a copy of the 
> message code
> that seems to be getting through every time:
> 
> 
>  href="http://www.richdd.com?rid=**somenumber**";> src="http://www.canzzd.com/v9.gif"; border=0>
> 
> 

I posted a rule earlier to catch these. The second one is in TESTING, but
this first one works perfect. Watch out for line wraps when reading this in
email. 

rawbody __VDRUG1 /^\\/
rawbody __VDRUG2 /^\\<\!\-\-.{10,15}\-\-\>\\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 1.0


rawbody __VDRUG1B /^$/
rawbody __VDRUG2B /^pic is loading/
rawbody __VDRUG3B /\/(?:[a-zA-Z]|\d)\.gif\" border\=0\>\<\/a\>$/
rawbody __VDRUG4B />0pt out<\/a>$/
meta MRWIGGLY3 (__VDRUG1B && __VDRUG2B && __VDRUG3B && __VDRUG4B)
score MRWIGGLY3 1.0

Enjoy

--Chris




RE: [SAtalk] Tripwire breaking exim/spamd setup

2004-01-16 Thread Chris Santerre
This is some pretty good info. Can you throw something up on either wiki
about exim users/lots of rules/long headers/and default buffer size? I'm
sure others might start having this problem. 

good find!

--Chris

> -Original Message-
> From: Zarjazz [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Tripwire breaking exim/spamd setup
> 
> 
> Well it had to happen, I've been receiving some spam that 
> triggered LOTS
> of tripwire rules and overflowing the smtp daemon header buffer.
> Extracts from exim panic log below.
> 
> 2004-01-16 13:17:08 1AhTqL-0001gb-Ax string_sprintf expansion 
> was longer
>  than 8192
> 2004-01-16 13:17:18 1AhTqa-0001jS-IR string_sprintf expansion 
> was longer
> than 8192
> 2004-01-16 13:17:22 1AhTqj-0001lg-3q string_sprintf expansion 
> was longer
> than 8192
> 
> Now I could fix this by recompiling exim with increased 
> buffer sizes but
> AFAIK 8192 is the default in all distributions but a quick pipe of the
> .cf file through sed s/FVGT_TRIPWIRE/TRIP/g seems to do the trick just
> as well :)
> 
> 
> Z.
> 
> 
> 
> 


RE: [SAtalk] Another BigEvil FP

2004-01-16 Thread Chris Santerre
This was a very nice email that I got about this domain. Sorry I haven't
replied yet. I'm still looking into it. I see both ham and spam when it
comes to them. I think I'm going to move it into a new sham rule "W" and
watch it VERY closely. They better have changed their UBE/UCE policy, or I
will put them back in. 

--Chris (cold, so very cold) Santerre


> -Original Message-
> From: JRiley [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 10:16 AM
> To: Overdijk, Harrie; 'Chris Santerre'
> Cc: 'Spamassassin-Talk (E-mail)'
> Subject: Re: [SAtalk] Another BigEvil FP
> 
> 
> They also hire marketing firms (or do it themselves) to send 
> UCE promoting
> their wares.
> I, myself have LART'd them 2 or three times.
> 
> 
> 
> > It would be nice if this site would be removed from 
> BigEvilList_130 or
> moved
> > to BigEvilList_X/Y/Z or whatever.
> > I can then remove pandasoftware.com from my whitelist and 
> yes, on my site
> > the client virus-scanner is Panda. ;-)
> >
> > Yours sincerely,
> > Harrie Overdijk
> 




[SAtalk] [OT] Spam conference, I'm 0 for 2!

2004-01-16 Thread Chris Santerre
As you can see, I'm in my office now. I was halfway there! It's really a
thrilling tale that starts with arctic temperatures, a faulty water pump or
thermostat. Me in the cold with no heat for over an hour. My precious sports
car on a flat bed with possible valve damage, and a HUGE tow bill because
the only place that has a clue how to work on my car is 40+ miles away!

So for those people I was to meet, I'm sorry I missed you! Looks like it's
webcast for me again. Next year I won't drive my preeeciiooouusss. :(

I'm now getting hot choco intravenously. 

Chris (So sad to see his baby on a flatbed)  Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] Problems running begevil and tripwire together

2004-01-15 Thread Chris Santerre
Wow that is weird! I think I'm running Tripwire 1.13 because they came so
fast and furious I didn't get a chance to upgrade my own server today. Is
there some limit to mimedefang? I haven't seen these errors but don't use
mimedefang. But I run more rules than almost anyone. I only have 64 megs! SA
is taking only 20 megs with all those rules loaded. 

Take each one out separately and see if they each run.

I'll try to check in tomorrow. 

--Chris (Under 35 degrees, New Englanders just call it cold!)

> -Original Message-
> From: Scott Harris [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 5:05 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Problems running begevil and tripwire together
> 
> 
> I think I've narrowed it down to this by trying different combos.  
> The only change I've made in the past week was to update bigevil 
> to 2.06i and add in the tripwire stuff (currently at 1.15).  The 
> error is below, and I'm somewhat inclined to believe it is a memory 
> problem even though memory is not specifically mentioned.  I've got
> 512 right now, and running (what I think is) a little lean at 71 free.
> I've got plenty of swap however, 1GB with only 4764k used of that.
> 
> I'm running sendmail 8.12.10, mimedefang 2.39, and Spamassassin 2.61.
> I realize that the errors are from mimedefang below, but I still
> posted here because the errors didn't occur until SA started in
> with the new bigevil.
> 
> Thanks for any help.
> 
> Scott
> 
> 
> 
> [EMAIL PROTECTED]:/var/log# Jan 15 09:04:27 linux1 sm-mta[17033]: 
> i0FH4Qnm017033:
> from=<[EMAIL PROTECTED]>, size=3232, class=0, nrcpts=1,
> msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
> daemon=MTA, relay=mail1.domain.com 
> Jan 15 09:04:27 linux1 mimedefang.pl[16967]:
> MDLOG,i0FH4Qnm017033,mail_in,,167.112.160.33,<[EMAIL PROTECTED]>
> ,<[EMAIL PROTECTED]
> m>,OK
> Jan 15 09:04:27 linux1 mimedefang-multiplexor: Slave 0 died 
> prematurely --
> check your filter rules
> Jan 15 09:04:27 linux1 mimedefang-multiplexor: Reap: Idle slave 0 (pid
> 16967) exited due to signal 11 (SLAVE DIED UNEXPECTEDLY)
> Jan 15 09:04:27 linux1 mimedefang-multiplexor: Slave 0 resource usage:
> req=4, scans=4, user=2.848, sys=0.283, nswap=0, majflt=555, 
> minflt=9966,
> maxrss=0, bi=0, bo=0
> Jan 15 09:04:27 linux1 mimedefang[17034]: Error from 
> multiplexor: ERR No
> response from slave
> Jan 15 09:04:27 linux1 sm-mta[17033]: i0FH4Qnm017033: Milter: data,
> reject=451 4.7.1 Please try again later
> Jan 15 09:04:27 linux1 sm-mta[17033]: i0FH4Qnm017033: 
> to=<[EMAIL PROTECTED]>,
> delay=00:00:00, pri=33232, stat=Please try again later
> 
> 
> 


[SAtalk] RE: BigEvil FP

2004-01-15 Thread Chris Santerre
WOW how did that one get this far! That even got past the great Bob M corpa
run! :)

Removed and 2.06j posted. 

Thanks. And feel free to email me any more. I still can't believe that one
was still in there! Figures too, I had started tweaking from the beginning
and I last stopped at rule 36! lol.

--Chris


> -Original Message-
> From: Daniel Kleinsinger [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 10:10 PM
> To: Chris Santerre
> Subject: BigEvil FP
> 
> 
> BigEvilList_37 hits on biz.yahoo.com which gave me an FP on an email 
> from the American Constitution Society, acslaw.org.  I don't 
> know if I 
> should email you personally or the SAtalk list regarding 
> BigEvil FPs 
> 
> Thanks,
> Daniel
> 




RE: [SAtalk] most rules hit (so far)

2004-01-15 Thread Chris Santerre
LOL, oh my! I thought you were reporting an FP! That scored legit!! Ahahahah
nice! I'm pretty sure in the coming months we will see this method go
bye bye. $RND_CHAR stuff just isn't going to work anymore. Which is why
bayes poison is our next thing to tackle. 

Another spam tactic ends up being a spam tag. :)

--Chris

> -Original Message-
> From: Steve Thomas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] most rules hit (so far)
> 
> 
> 
> You asked for it!
> 
> http://sthomas.net/spam.txt
> 
> 
> On Thu, Jan 15, 2004 at 02:10:24PM -0500, Chris Santerre is 
> rumored to have said:
> > 
> > This thread is useless without pics!
> > 
> > Oh wait, sorry.
> > 
> > This post is useless without the spam! :)
> > 
> > Try the new version of Tripwire (1.14) posted today. It's 
> been beechwood
> > aged for twice the flavor!
> > 
> > --Chris
> > 
> > > -Original Message-
> > > From: Steve Thomas [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, January 15, 2004 12:29 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [SAtalk] most rules hit (so far)
> > > 
> > > 
> > > Using the Tripwire set (obviously):
> > > 
> > > X-Spam-Status: Yes, hits=30.2 required=5.0 
> > > tests=BAYES_60,BIZ_TLD,   
> > >
> > *big snip*
> > 
> > > version=2.70-cvs  
> > >   
> 
> 
> -- 
> "There are two ways of constructing a software design; one 
> way is to make it so simple that there are obviously no 
> deficiencies, and the other way is to make it so complicated 
> that there are no obvious deficiencies. The first method is 
> far more difficult." 
> - C. A. R. Hoare
> 
> 


RE: [SAtalk] FP on MY_HTTP_ODD_PORT

2004-01-15 Thread Chris Santerre
We are working on a way to manage the custom rules A LOT better. Also we
will have some of the older ones for people not running the latest versions.
We will have them archived as older. 

I'm not sure what Matt Y. was thinking scoring that at 2.0 :)  But I suggest
lowering all custom rules that you don't fully understand to under .50 (Well
except for Bigevil!)

So the answer to your questions is... soon. We are working on cleaning up
what we have now. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 

> -Original Message-
> From: Alan Munday [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 4:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] FP on MY_HTTP_ODD_PORT
> 
> 
> Matt/Theo
> 
> Yes it did come from the "other" wiki.
> 
> This raises the question of how can we learners tell what is 
> no longer valid
> from the custom rule sets?
> 
> Also are there any established processes for managing them?
> 
> Thanks
> 
> Alan
> 
> > -Original Message-
> > From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> > Sent: 15 January 2004 21:13
> > To: Alan Munday; [EMAIL PROTECTED]
> > Subject: Re: [SAtalk] FP on MY_HTTP_ODD_PORT
> > 
> > 
> > At 03:41 PM 1/15/2004, Alan Munday wrote:
> > >Just had the mail below trigger on:
> > >
> > >  2.0 MY_HTTP_ODD_PORT   URI: Link to a server on 
> > nonstandard port
> > >
> > >Why Vailresorts would want to go to the effort of declaring 
> > port 80 in their
> > >link is a mystery.
> > >
> > >However it is clearly not a non-standard port.
> > 
> > Note: when referencing add-on rules, be sure to mention where 
> > they came from...
> > 
> http://www.exit0.us/index.php/SaUriCustomRules?version=10
> 
> That said, it looks like MY_HTTP_ODD_PORT is 100% redundant anyway..
> 
> 2.6x ships with the rule WEIRD_PORT, which is better written... The 
> standard weird_port rule ignores ports 80, 443 and 8080. and 
> it doesn't 
> score as high as 2.0.
> 
> I'd suggest regarding MY_HTTP_ODD_PORT as both broken and 
> obsoleted by the 
> standard built-in ruleset.
> 
> 
> 20_uri_tests.cf:uri WEIRD_PORT m{https?://[^/\s]+?:\d+(?
> 50_scores.cf:score WEIRD_PORT 1.345 1.944 0.554 1.407
> 
> 
> 
> 
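
An added example (not from the thread, and not SpamAssassin's rule code): the point made in the quoted reply, that the stock rule ignores ports 80, 443 and 8080, restated in Python. `any_explicit_port` is a stand-in that assumes the add-on rule fires on every explicit port, which matches the reported hit on `:80`; all URLs are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Ports the quoted reply says the stock WEIRD_PORT rule ignores.
IGNORED_PORTS = {80, 443, 8080}


def explicit_port(url):
    """Port written in the URL, None if absent, -1 if present but unparsable."""
    try:
        return urlsplit(url).port
    except ValueError:          # e.g. out-of-range port number
        return -1


def any_explicit_port(url):
    """Assumed behaviour of the add-on rule: every explicit port counts."""
    return explicit_port(url) is not None


def weird_port(url):
    """Explicit port that is not one of the common web ports."""
    port = explicit_port(url)
    return port is not None and port not in IGNORED_PORTS


def scan(body):
    """Map each URL in a message body to (any_explicit_port, weird_port)."""
    return {u: (any_explicit_port(u), weird_port(u)) for u in URL_RE.findall(body)}


# Constructed message body; hostnames are placeholders.
SAMPLE_BODY = """\
Book now: http://www.resort.example:80/deals
Secure login: https://www.resort.example:443/account
Mirror: http://www.resort.example:8080/deals
Order: http://rx.example:8245/order
Userinfo, no port: http://promo:2004@shop.example/offer
IPv6 literal: http://[2001:db8::1]:8081/x
Malformed: http://bad.example:99999/
"""

if __name__ == "__main__":
    for url, (naive, weird) in scan(SAMPLE_BODY).items():
        print(f"{url:45} any_port={naive!s:5} weird_port={weird}")
```

Parsing the authority with `urlsplit` instead of matching `:\d+` keeps the `promo:2004@` userinfo and the colons inside the IPv6 literal from being read as ports.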




[SAtalk] I got him! The G.bush vdrug spammer is mine! ahahahahahha

2004-01-15 Thread Chris Santerre
Success! You know that spam with the ever changing domains? The one with the
George Bush look alike doctor that is selling 6 kinds of Mr. Wiggly
enhancing drugs? Well I finally got it right and tested! 

Watch out for line wraps in your mail client. (should be 7 lines)

rawbody __VDRUG1 /^\\/
rawbody __VDRUG2 /^\\<\!\-\-.{10,15}\-\-\>\\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 1.0

Yes I know I escaped some things that didn't need to be. I have a cleaner
version, but not tested yet. You guys have turned me into a testing wuss :)
I've seen no FPs. If someone has a better way of writing this one, I'm all
for it! I'm thinking lines 1,3,and 4 might be better if they end with $/
What do you think?

And I've looked at the numbers. The spam traffic is still increasing since
the beginning of the year, but my MTA level denials have also increased. The
guys at the DNSRBLs are really doing a bang up job. So the amount of spams
that gets caught for me to play with have gone down. 

Man this feels good!

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




[SAtalk] Tripwire update 1.15

2004-01-15 Thread Chris Santerre
Fred thawed out. Added the PGP stuff that was requested. Update posted to my
site. Link in sig. 

Who says opensource doesn't respond quickly?  

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] most rules hit (so far)

2004-01-15 Thread Chris Santerre
This thread is useless without pics!

Oh wait, sorry.

This post is useless without the spam! :)

Try the new version of Tripwire (1.14) posted today. It's been beechwood
aged for twice the flavor!

--Chris

> -Original Message-
> From: Steve Thomas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 12:29 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] most rules hit (so far)
> 
> 
> Using the Tripwire set (obviously):
> 
> X-Spam-Status: Yes, hits=30.2 required=5.0 
> tests=BAYES_60,BIZ_TLD,   
>
*big snip*

> version=2.70-cvs  
>   
> 
> 
> -- 
> "Happiness is good health and a bad memory." 
> - Ingrid Bergman (1917-1982) 
> 




RE: [SAtalk] Spamwriter

2004-01-15 Thread Chris Santerre
Not that I don't like this discussion, but this really is getting way off
topic for Spamassassin. 

Can it be taken offlist now?

--Chris

> -Original Message-
> From: Brian May [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 12:30 PM
> To: Greg Cirino - Cirelle Enterprises; Bart Schaefer;
> [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> Greg, please don't think that you know everything...
> 
> SBC DSL FAQ states:
> 
>  Question:
>  Can I run dedicated servers with DSL Internet access service?
> 
>  Answer:  Answer last updated: 05-02-02
>   Yes, as long as you have a static IP address. The best part of DSL
> Internet access service is that the larger bandwidth enables 
> you to have an
> always on connection to the Internet. This means that you can run mail
> servers, web servers or FTP sites from your home or office.
> 
> here is the URL for you.. http://ask.sbc.com/pcbdsl/FAQ_21_155.shtm
> 
> 
> - Original Message -
> From: "Greg Cirino - Cirelle Enterprises" <[EMAIL PROTECTED]>
> To: "Bart Schaefer" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Wednesday, January 14, 2004 6:05 PM
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> | Making a direct outbound connection on port 25 is not 
> "running an email
> | server", any more than making a direct outbound connection 
> on port 80 is
> | "running an HTTP server."
> 
> Running any type of "Server" is a violation of every consumer 
> high speed
> access connection TOS.
> 
> Call it what you want, but if it serves, it's a Server
> 
> No can do
> 
> Unless I misunderstand what a server is, I think anything that
> provides content, (web, ftp, email, telnet, ssh, etc...) is classified
> as a server.
> 
> Again, No can do
> 
> This is not saying "you are not able to do so", that would be
> ridiculous, but understand, a consumer connection to the Internet
> is just that... consumption, not delivering
> 
> consumers receive, servers serve.
> 
> cable subscribers, residential subscribers are consumers
> Not Servers
> 
> IMHO all consumer IP blocks should be uni directional and only
> allowed input traffic.
> 
> Unfortunately, the TCP/IP protocol makes this difficult, but 
> not impossible
> to control.
> 
> Frankly, there is no email that needs to be delivered immediately and
> the only overloaded ISP email servers are those freebee email services
> which usually get blown out by spam filters anyway.
> 
> The Rule of Thumb:
> 
> Just because you have cable or dsl does not mean you're an ISP or
> gonna make a fortune on the internet.
> 
> If you want into the business, build the plan, see the bank, 
> take the risk.
> 
> Otherwise, you are no better than the spammer that is trying to make
> a quick buck on a cable connection.
> 
> I think that was about a half a bucks worth
> 
> Best Regards
> 
> Greg
> 
> 
> 
> 
> 
> - Original Message -
> From: "Bart Schaefer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 14, 2004 8:25 PM
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> | On Wed, 14 Jan 2004, Greg Cirino - Cirelle Enterprises wrote:
> |
> | > 40 bucks a month does not make you an ISP.
> | >
> | > No Hosting Servers
> | > No Email Servers
> | > No FTP Servers
> | >
> | > Just consuming.
> |
> | Making a direct outbound connection on port 25 is not 
> "running an email
> | server", any more than making a direct outbound connection 
> on port 80 is
> | "running an HTTP server."
> |
> | I have no objection to an ISP blocking port 25 coming *in* 
> to my DSL.
> |
> |
> |
> | ---
> | This SF.net email is sponsored by: Perforce Software.
> | Perforce is the Fast Software Configuration Management 
> System offering
> | advanced branching capabilities and atomic changes on 50+ platforms.
> | Free Eval! http://www.perforce.com/perforce/loadprog.html
> | ___
> | Spamassassin-talk mailing list
> | [EMAIL PROTECTED]
> | https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 
> 

[SAtalk] Tripwire Update

2004-01-15 Thread Chris Santerre
Sorry it took so long, I was waiting to hear back from Fred. He is trapped
in the North :)

Version 1.14 has been posted to web with Bart Schaefer's changes! Nice work
Bart!

http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




Misc: Bigevil Updates, WAS RE: [SAtalk] what can we do with those spam mails

2004-01-15 Thread Chris Santerre
"holdontrynow.com" is actually in my list to add. I'm sorry to say that at
my fastest, additions to Bigevil will take at least 2 days. With sooo many
people using, and a promise of ZERO FPs, I need to test overnight. Sometimes
I like to test more if the update was significant. 

I search for all sorts of typos and such every update, then run on my own
system, then finally I post it. 

I've got some projects at work that are cutting into my spare time. Also,
I'm simply not getting much spam that isn't already hitting bigevil! I'm
stunned at this. In the last 3 days spam coming into my spamtrap is
incredibly LOW! I have to check against my maillog for 553 denials to see if
the traffic is the same. Maybe they are taking my domain off their lists :(
I'm only using company email, I have no spamtrap emails out there. 

For the last 3 days I have only 20 domains to add! This includes those sent
to me by list members!!!  Something is wrong with me because that makes me
sad!

Don't go crazy sending me new domains to add just yet!  I have some ideas ;)

On another note: Is anyone still getting the G.Bush look alike V-drug
spam??? I think I finally got a rule to nail that sucker and now I'm not
getting any :( 

--Chris (Where is my spam?) Santerre

> -Original Message-
> From: Ralf Guenthner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 7:22 AM
> To: Sönke Ruempler
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] what can we do with those spam mails
> 
> 
> Hi
> 
> How about a URI rule testing for the holdontrynow.com link??
> 
> Cheers
> Ralf G.
> 
> 
> Sönke Ruempler wrote:
> 
> > hi list,
> > 
> > I wonder if I can do something against these spam messages:
> > 
> > Return-Path: <[EMAIL PROTECTED]>
> > Delivered-To: [EMAIL PROTECTED]
> > Received: from 62.116.172.149 (68.116.240.99:4887)
> >  by mail.city-map.de (62.116.172.149:25) with [XMail 1.17 
> (Linux/Ix86) ESMTP
> > Server]
> >  id  for <[EMAIL PROTECTED]> from 
> <[EMAIL PROTECTED]>;
> >  Thu, 15 Jan 2004 04:46:01 +0100
> > Received: from [101.183.240.64] by 68.116.240.99 with HTTP;
> > Wed, 14 Jan 2004 20:51:19 -0700
> > From: "Sherman Rosa" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: confiscate cosponsor gnat
> > Mime-Version: 1.0
> > X-Mailer: huh
> > Date: Thu, 15 Jan 2004 06:58:19 +0300
> > Reply-To: "Sherman Rosa" <[EMAIL PROTECTED]>
> > Content-Type: multipart/alternative;
> > boundary="3285634181104916874"
> > Message-Id: <[EMAIL PROTECTED]>
> > X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
> >  blah.topconcepts.net
> > X-Spam-Status: No, hits=0.0 required=4.0 tests=HTML_MESSAGE 
> autolearn=no
> >  version=2.60
> > 
> > --3285634181104916874
> > Content-Type: text/plain; charset=us-ascii
> > Content-Transfer-Encoding: 8bit
> > 
> > neumann epiphany acs attenuate padlock extensible
> > mistress indigo nowise sinclair mousy rich cosec athens 
> bludgeon amber
> > kieffer arraign coinage agee curium alienate cavalier 
> dispersible dick
> > 
> > --3285634181104916874
> > Content-Type: text/html; charset=us-ascii
> > Content-Transfer-Encoding: 8bit
> > 
> > 
> > 
> > 
> > Message
> > 
> > 
> > 
> >  face=Arial size=2>
> > http://www.holdontrywow.com/m2/index.php?AFF_ID=m4";>
> > Hello,
> > 
> > I finally was able to lose the weight I have
> > been struggling to lose for years!
> > 
> > And I couldn't believe how simple it was!
> > Amazing patch makes you shed the pounds!
> > It's Guaranteed to work or your money back!
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > http://www.holdontrywow.com/homepage/";>Not
> > intreseted
> > fiberboard discomfit ambrosial alaska fatuous lineprinter 
> bock narrow
> > integrand orphanage filth handmaiden auctioneer 
> > elsewhere accompany parakeet agglutinate finance 
> multinomial edgy felicitous
> > dowling cottonwood melodic detonate blanket marinate cheesy 
> breeches junior
> > borderland lumbar maraud lucille inroad chub scornful cute 
> > music paradigmatic guam meantime charlemagne correct 
> muriatic propitiate
> > brevity hal beehive commiserate cadaverous fatal gillette 
> salutary oriole
> > prefatory prohibitive commit fullback loretta cancer 
> admiralty boatswain
> > porpoise imagen chopin crumble insouciant followeth paschal 
> > grendel amateurish odessa coefficient denture centrifugal 
> browne inshore
> > chrysler housefly citizenry arena ridge pickle hyman 
> roseland avarice carbon
> > sarcoma fact bella fourteenth hanson 
> > dicotyledon missouri austere bausch nut orbital homeland 
> prima accumulate
> > bushmaster intelligent chick inaction panicked commando 
> foundling appraisal
> > habitat abe cloister extoller malawi horatio moldboard 
> puckish butyrate
> > downright guaranty residuum gecko 
> > eat argo checksumming barrage hasn't moonlight receptive 
> centerline holland
> > pompon conferee characteristic keaton hagstrom expense 
> cartesian farmland
> > arcsine haiti parliamentary chocolate anat

RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this one!

2004-01-14 Thread Chris Santerre


> -Original Message-
> From: Kurt Yoder [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 4:54 PM
> To: Chris Santerre
> Cc: 'Matthew Trent'; Spamassassin-Talk
> Subject: RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't
> want to miss this o ne!
> 
> 
> 
> Chris Santerre said:
> > Popcorn, Weeds, Backhair, and Tripwire. One spam could hit 5 of
> > each. But
> > I'm still curious. I've got to have more rules than anyone else. I
> > get VERY
> > long description headers. But I don't get any errors.  What SA
> > version are
> > you running?
> 
> Heh... sorry, it's not me having the problem with header length. I
> was just asking. I notice that one could theoretically get 878
> matches, which would make for a very woolly message header.
> 
LOL, sorry here as well, got my usernames messed up :)  Here is a typical
header I get w/ no errors:

X-Spam-Status: Yes, hits=40.0 required=5.0
tests=CLICK_BELOW,CTYPE_JUST_HTML,FVGT_TRIPWIRE_HV,
  FVGT_TRIPWIRE_KJ,FVGT_TRIPWIRE_MH,FVGT_TRIPWIRE_TB,
  FVGT_TRIPWIRE_VM,FVGT_b_RANDOMTEXT,FVGT_s_SPACES_6,
  HTML_50_70,HTML_COMMENT_UNIQUE_ID,HTML_FONT_COLOR_MAGENTA,
  HTML_FONT_COLOR_RED,J_BACKHAIR_12,J_BACKHAIR_13,
  J_BACKHAIR_14,J_BACKHAIR_21,J_BACKHAIR_22,J_BACKHAIR_23,
  J_BACKHAIR_24,J_BACKHAIR_26,J_BACKHAIR_32,J_BACKHAIR_33,
  J_BACKHAIR_34,J_BACKHAIR_35,J_BACKHAIR_42,J_BACKHAIR_43,
  J_BACKHAIR_44,J_BACKHAIR_45,J_BACKHAIR_52,J_BACKHAIR_56,
  L_s_MaskedWords4,MY_HTML_OBFU,MY_NO_QU,MY_OBFUJ,MY_OBFUT,
  MY_OBFUX,MY_OBFUY,MY_OBFUZ,MY_OBFU_MISC,MY_S_URBOSS,
  MY_TITLE,OBFUSCATING_COMMENT,REG_THANKS,RM_hc_HTML,
  RM_rb_ANCHOR,RM_rb_BREAK,RM_rb_FONT,RM_rb_HTML,RM_rb_PARA,
  RM_rb_TITLE,RND_WORD,SPAM_PHRASE_08_13,SUBJ_HAS_SPACES

Some of these rules are going the way of the dodo soon. But for this it
doesn't matter.  I know I have larger than this as well. 

--Chris
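
An added illustration of the header-length question in this thread, not code from any poster or from SpamAssassin or Exim: it parses the tests= list of the X-Spam-Status header posted above, keeps the first few hits per rule family and folds the rest into one summary entry, then compares a constructed 878-hit worst case with the 8192 figure from the paniclog line. The summary names (..._PLUS_n_MORE), the keep count of 3 and the 878 constructed rule names are assumptions of the example; scores are not recomputed.

```python
import re

EXIM_LIMIT = 8192  # figure from the paniclog line quoted in the thread
FAMILIES = ("FVGT_TRIPWIRE_", "J_BACKHAIR_")  # rule families named in the thread

# The X-Spam-Status header as posted in the message above.
HEADER = """\
X-Spam-Status: Yes, hits=40.0 required=5.0
  tests=CLICK_BELOW,CTYPE_JUST_HTML,FVGT_TRIPWIRE_HV,
  FVGT_TRIPWIRE_KJ,FVGT_TRIPWIRE_MH,FVGT_TRIPWIRE_TB,
  FVGT_TRIPWIRE_VM,FVGT_b_RANDOMTEXT,FVGT_s_SPACES_6,
  HTML_50_70,HTML_COMMENT_UNIQUE_ID,HTML_FONT_COLOR_MAGENTA,
  HTML_FONT_COLOR_RED,J_BACKHAIR_12,J_BACKHAIR_13,
  J_BACKHAIR_14,J_BACKHAIR_21,J_BACKHAIR_22,J_BACKHAIR_23,
  J_BACKHAIR_24,J_BACKHAIR_26,J_BACKHAIR_32,J_BACKHAIR_33,
  J_BACKHAIR_34,J_BACKHAIR_35,J_BACKHAIR_42,J_BACKHAIR_43,
  J_BACKHAIR_44,J_BACKHAIR_45,J_BACKHAIR_52,J_BACKHAIR_56,
  L_s_MaskedWords4,MY_HTML_OBFU,MY_NO_QU,MY_OBFUJ,MY_OBFUT,
  MY_OBFUX,MY_OBFUY,MY_OBFUZ,MY_OBFU_MISC,MY_S_URBOSS,
  MY_TITLE,OBFUSCATING_COMMENT,REG_THANKS,RM_hc_HTML,
  RM_rb_ANCHOR,RM_rb_BREAK,RM_rb_FONT,RM_rb_HTML,RM_rb_PARA,
  RM_rb_TITLE,RND_WORD,SPAM_PHRASE_08_13,SUBJ_HAS_SPACES
"""


def parse_tests(header):
    """Return the rule names in the tests= field of an X-Spam-Status header.

    The list may be folded after a comma; it ends at the first whitespace
    that does not follow a comma (e.g. before autolearn=...).
    """
    m = re.search(r"tests=((?:[^\s,]+,\s*)*[^\s,]+)", header)
    if not m:
        return []
    return [name.strip() for name in m.group(1).split(",")]


def collapse(tests, keep=3):
    """Keep the first `keep` hits per family and fold the rest into one entry."""
    seen = {fam: 0 for fam in FAMILIES}
    out = []
    for name in tests:
        fam = next((f for f in FAMILIES if name.startswith(f)), None)
        if fam is None:
            out.append(name)          # not in a collapsible family
            continue
        seen[fam] += 1
        if seen[fam] <= keep:
            out.append(name)
    for fam, count in seen.items():
        if count > keep:
            # Hypothetical summary name, not a real SpamAssassin rule.
            out.append("%sPLUS_%d_MORE" % (fam, count - keep))
    return out


def status_line(tests):
    """Rebuild a single-line tests list so its length can be measured."""
    return "X-Spam-Status: Yes, tests=" + ",".join(tests)


if __name__ == "__main__":
    posted = parse_tests(HEADER)
    print(len(posted), "hits ->", len(collapse(posted)), "after collapsing")
    # Constructed worst case: 878 hits in one family (placeholder names).
    worst = ["FVGT_TRIPWIRE_%03d" % i for i in range(878)]
    for label, tests in (("worst case", worst), ("collapsed", collapse(worst))):
        size = len(status_line(tests))
        print(label, size, "bytes", "(over limit)" if size > EXIM_LIMIT else "")
```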




RE: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this one!

2004-01-14 Thread Chris Santerre


> -Original Message-
> From: Kurt Yoder [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 4:45 PM
> To: Chris Santerre
> Cc: 'Matthew Trent'; Spamassassin-Talk
> Subject: Re: [SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't
> want to miss this o ne!
> 
> 
> 
> Chris Santerre said:
> > *SNIP*
> >>
> >> Well I tried to send this through the GMANE mail-to-news thing but
> >> it
> >> complained about me not being subscribed to the list, so I'm
> >> just sending
> >> it directly to you:
> >>
> >> After installing the tripwire rules I see the following in my
> >> Exim paniclog
> >> (I'm using exiscan):
> >> 2004-01-14 11:50:37 1Agr2C-0008RG-UP string_sprintf expansion
> >> was longer
> >> than 8192
> >>
> >> Seems to happen when a piece of spam hits a ton of the
> >> tripwire rules and
> >> each hit is reported in the header spam report. Can make for
> >> a very long
> >> list sometimes (too much header for exim to handle,
> >> apparently). Is there a
> >> way to combine the rules or something and not report each little
> >> hit?
> >> --
> >
> > OK silly question first: Did it lint correctly? Just making sure you
> > downloaded it correctly.
> >
> > After that, I've never heard of a long hitlist causing this. I've
> > CC'd the
> > SATALK on it.
> > Hm...
> 
> Would it be possible to only include the first few lines of tripwire
> hits in the header? Any beyond that could be scored as a single
> spamassassin entry such as "multiple tripwire hits" and receive the
> tripwire score times number of hits. This would make for a
> "prettier" header.
> 

Popcorn, Weeds, Backhair, and Tripwire. One spam could hit 5 of each. But
I'm still curious. I've got to have more rules than anyone else. I get VERY
long description headers. But I don't get any errors.  What SA version are
you running?

--Chris




RE: [SAtalk] Spamwriter

2004-01-14 Thread Chris Santerre


> -Original Message-
> From: Mike Batchelor [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 2:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> --On Wednesday, January 14, 2004 8:28 AM -0600 Bob Apthorpe 
> <[EMAIL PROTECTED]> wrote:
> 
> > IDP broadband
> > providers that give their customers direct access to port 
> 25 on remote
> > systems by default.
> 
> Why should I have to pay extra for a business-class DSL line 
> just so I can 
> avoid using the ISP's heavily clogged relay, when my own mail 
> server can 
> deliver my emails directly?  Why should I be told to expect a 
> crippled 
> internet connection unless I pay up for business class service, which 
> consists of only removing the port 25 block?  Why punish 
> people who have 
> nothing to do with spamming?
> 

I completely agree with this!! I've recently had a discussion off list with
some people. I totally believe by DEFAULT this should be blocked for all
broadband users. HOWEVER, this is ONLY if a simple request to unblock at NO
charge is all it takes.  It should be free and available, but NOT defaulted
to open.  How much spam/viri do you think that would kill right there?

So you ask, "What good does that do? Spammers just call up and unblock!"

Well with much less traffic, ISPs can now monitor port 25 traffic from
customers. Being able to red flag very high traffic.

So you say, "That's a George Orwell 1984 society of being watched!"

I said traffic, not data. And only port 25.

So you say, " But" *WHAM* "ouch."

That was the point I slapped you with a fish ;)

--Chris
 




[SAtalk] RE: New Ruleset Available!!! TRIPWIRE! You don't want to miss this one!

2004-01-14 Thread Chris Santerre
*SNIP*
> 
> Well I tried to send this through the GMANE mail-to-news thing but it
> complained about me not being subscribed to the list, so I'm 
> just sending
> it directly to you:
> 
> After installing the tripwire rules I see the following in my 
> Exim paniclog
> (I'm using exiscan):
> 2004-01-14 11:50:37 1Agr2C-0008RG-UP string_sprintf expansion 
> was longer
> than 8192
> 
> Seems to happen when a piece of spam hits a ton of the 
> tripwire rules and
> each hit is reported in the header spam report. Can make for 
> a very long
> list sometimes (too much header for exim to handle, 
> apparently). Is there a
> way to combine the rules or something and not report each little hit?
> -- 

OK silly question first: Did it lint correctly? Just making sure you
downloaded it correctly. 

After that, I've never heard of a long hitlist causing this. I've CC'd the
SATALK on it. 
Hm...

--Chris




RE: [SAtalk] a goof-proof (?) test for evil mailers

2004-01-14 Thread Chris Santerre
I've had a rule like this from way back. Works great!

header MY_IP Received =~ /\b(from xxx\.xxx\.xxx\.xxx)\b/i
describe MY_IP Why would I get email from myself?
score MY_IP 1.0

Where xxx is your server ip address. 

I highly recommend people use this rule. 81 hits in December. It used to be
a LOT more. 

--Chris

> -Original Message-
> From: Pierre Thomson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 2:52 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] a goof-proof (?) test for evil mailers
> 
> 
> I have noticed that some spam engines (zombies?) use the 
> receiving relay's IP address as the HELO name, presumably 
> trying to look like a trusted source.  I made a simple test 
> for this, and it triggers for nearly 10% of inbound spam.
> 
> # substitute your relay's numeric IP address for AAA BBB CCC DDD below
> 
> header PT_SPOOFME Received =~ /from AAA\.BBB\.CCC\.DDD/
> describe PT_SPOOFME   pretending to be from ourselves!
> score PT_SPOOFME  3.0
> 
> I can't imagine a configuration where a relay would receive 
> mail from itself; that's the definition of a mail loop.  (And 
> if it did, it would use the loopback interface...)  Therefore 
> I gave this test a pretty high score.  I have been using it 
> for at least a month with no FP's.
> 
> Does anyone want to run a mass check against a large corpus?  
> Has anyone seen a valid sending MTA that behaves this way?  
> Improvements?
> 
> [BTW, it was neat to see my crude "WORDWORD" test taken to 
> pieces.  Someone streamlined the regexp, several more tweaked 
> it, it got a new name and a second-level test, and now we 
> have another weapon against Bayes poison.  Keep up the good work!]
> 
> Pierre Thomson
> BIC
> 
> 
> 
> 
> # a sample spam header fragment as seen by SA on a box with 
> address 64.72.85.5 :
> 
> Received: from 64.72.85.5 ([219.248.110.109])
> by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJC2Z07868
> for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:12:02 -0500
> Received: from [219.248.110.109] by 3001hosting.comIP with HTTP;
> Thu, 15 Jan 2004 00:09:43 +0500
> 
> 
> # and another spam from a different X-mailer:
> 
> Received: from 64.72.85.5 (c-24-2-238-98.client.comcast.net 
> [24.2.238.98])
> by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJM4Z09102
> for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:22:06 -0500
> Received: from [46.12.70.8] by 64.72.85.5 with SMTP; Wed, 14 
> Jan 2004 05:11:32 -0200
> 
> 
> # and a valid mail from a known ISP:
> 
> Received: from imo-r08.mx.aol.com (imo-r08.mx.aol.com 
> [152.163.225.104])
> by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJhYZ12005
> for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:43:34 -0500
> Received: from [EMAIL PROTECTED]
> by imo-r08.mx.aol.com (mail_out_v36_r4.12.) id 
> r.1e1.1761647e (18555);
> Wed, 14 Jan 2004 14:41:05 -0500 (EST)
> 
> 
> 
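
The HELO check discussed in this thread, as an added Python example that is not part of either post: it runs the unanchored pattern and a stricter top-header comparison over the three header fragments from the post plus two constructed ones. The function names, the constructed headers and the assumption that the topmost Received header is the one written by the receiving relay are this example's own.

```python
import re

RELAY_IP = "64.72.85.5"  # receiving relay's address, as in the post's samples

# Header fragments from the post, re-folded with leading whitespace.
SPAM_A = """\
Received: from 64.72.85.5 ([219.248.110.109])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJC2Z07868
    for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:12:02 -0500
Received: from [219.248.110.109] by 3001hosting.comIP with HTTP;
    Thu, 15 Jan 2004 00:09:43 +0500
"""
SPAM_B = """\
Received: from 64.72.85.5 (c-24-2-238-98.client.comcast.net [24.2.238.98])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJM4Z09102
    for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:22:06 -0500
Received: from [46.12.70.8] by 64.72.85.5 with SMTP;
    Wed, 14 Jan 2004 05:11:32 -0200
"""
HAM = """\
Received: from imo-r08.mx.aol.com (imo-r08.mx.aol.com [152.163.225.104])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJhYZ12005
    for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:43:34 -0500
"""
# Constructed inputs (not from the post).
# HELO name that merely begins with the relay's address:
NEAR_MISS = """\
Received: from 64.72.85.50 (host.example [192.0.2.10])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id CONSTRUCTED1
"""
# Relay's address appears only in a lower header, which the relay did not write:
LOWER_ONLY = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id CONSTRUCTED2
Received: from 64.72.85.5 by mx.example.net with SMTP
"""


def received_headers(raw):
    """Unfold continuation lines and return the Received headers, top first."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return [h for h in headers if h.lower().startswith("received:")]


def loose_match(raw, relay_ip):
    """Unanchored form: 'from <ip>' anywhere in any Received header."""
    pattern = re.compile("from " + re.escape(relay_ip))
    return any(pattern.search(h) for h in received_headers(raw))


def helo_is_relay_ip(raw, relay_ip):
    """Stricter form: only the topmost Received header counts (assumed to be
    the one our own relay wrote), and its HELO token must equal the address."""
    top = received_headers(raw)[:1]
    if not top:
        return False
    m = re.match(r"received:\s+from\s+(\S+)", top[0], re.I)
    return bool(m) and m.group(1).strip("[]") == relay_ip


if __name__ == "__main__":
    samples = [("spam A", SPAM_A), ("spam B", SPAM_B), ("ham", HAM),
               ("near miss", NEAR_MISS), ("lower only", LOWER_ONLY)]
    for name, raw in samples:
        print("%-11s loose=%-5s strict=%s" % (
            name, loose_match(raw, RELAY_IP), helo_is_relay_ip(raw, RELAY_IP)))
```

Both forms agree on the three fragments from the post; they differ only on the two constructed headers, where the unanchored pattern fires and the top-header comparison does not.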




[SAtalk] UPDATES! Bigevil AND Tripwire!

2004-01-14 Thread Chris Santerre
And just like that we have an update already. A few FPs fixed thanks to some
SATALK members. So Bigevil 2.06i and Tripwire 1.13 have been posted.

(I still think emode.com is spam! But removed.) 

For those of you who sent me domains to add to bigevil this week, they will
be in the next update. I have to test them. 

For you lazy people:
http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf

Boston on Friday? Could be rabbit, could be. 

Chris (trying to finish work to go to MIT on Friday) Santerre 




RE: [SAtalk] Start Trek "Darmok at Tanagra" subjects

2004-01-14 Thread Chris Santerre
*snip*
> 
> It may be a coincidence, but all these emails have a subject like
> that. The body of the mail is just a random collection of words, about
> 4 lines long. Some examples:
> 
> Re: FQCDW, thousand years waiting
> Re: YAS, here the investigator
> Re: SAHQSC, of the gift
> Re: IN, that you learne
> Re: WJKCPV, breaking to pieces
> 
> Have others encountered this? Has a rule already been written to
> recognize this subject pattern? Is it worth it? I'd like to try it,
> and probably will, but any pointers are welcome as I've not written
> rules myself before.
> 
> Hein Zelle

Yeah this has been discussed and already answered by others. I just wanted
to say thanks for making me laugh! I can't believe I recognized the subject
line for what it was!

--Chris, his sails unfurled! 




RE: [SAtalk] Domain Name Starts With Numbers - exception

2004-01-14 Thread Chris Santerre
*snip*
> 
> Could anyone tell me if the followup rule to offset the 
> 30below.com domain 
> is coded right, and if not, could you hit me with a clue-by-4?
> 
> Thanks!
> Roger "Merch" Merchberger
> 
> =-=-=-=-=-=-=-=-=-=
> 
> Follows: Rule that spanks us:
> 
> uri FVGT_u_DOM_START_NUM /[.\/@]+\d+[a-zA-Z\-]+[a-zA-Z0-9\-]*\.(com|net|biz|info|cc!
> describe FVGT_u_DOM_START_NUM FVGT - domain name starts with numbers
> score FVGT_u_DOM_START_NUM 1.0
> 
> Follows: Added 30below specialized rule:
> 
> uri FVGT_u_EXC_30BELOW /[.\/@]+30below\.com/i
> describe FVGT_u_EXC_30BELOW FVGT - domain name offset for 30below
> score FVGT_u_EXC_30BELOW -2.0
> 


It might be easier to say:

/\b30below\.com/i 

instead.

Also the group is about to go thru EVERY rule in the SARE. We are looking at
the highest spam + ham hitters first. So this should be cleared up soon.

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
- attributed to Charles Darwin 




RE: [SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want t o

2004-01-14 Thread Chris Santerre
I suggest an additional meta for airport ham :) Nice find!

Yeah Fred is like a pitbull for this stuff! Most of the rule writers in the
group think about spam a little too much. Myself included. We won't even go
into someone's Wizard of Oz dream ;)

--Chris(Cursing Apple today!) Santerre

> -Original Message-
> From: SRH-Lists [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 12:44 PM
> To: 'Fred'; [EMAIL PROTECTED]
> Subject: RE: [SAtalk] New Ruleset Available!!! TRIPWIRE! You 
> don't want
> t o
> 
> 
> http://www.orbitz.com/App/flight/airport_codes_popup.jsp
> 
> And that is just US airports...
> 
> 
> > now.  But please send me examples so I can fix these rules up!
> > 
> 
> 
> 




RE: [SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want to miss this one!

2004-01-14 Thread Chris Santerre

> 
> Thanks all, I hope they work great for everyone and at the 
> time I am writing
> this, I don't see anymore spam with this stuff in it, now it's all
> high-level bayes busting words..
> 

Isn't that project #105738 for us? Bayes poison here we come ;)

Yeah this is strictly based on English. SO YMMV if that is not your language
of choice. 

1-3 FP hits in a ham won't do much. That is why they are scored .07 . 

Don't thank me on this one. I'm just the Monkey with the loudest voice in
the group ;) 

--Chris





[SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want to miss this one!

2004-01-13 Thread Chris Santerre
Ladies and Gentlemen,

Not since eating popcorn covered in backhair in the weeds have I
been so excited about a ruleset. Fred, along with the rule writers
consortium, has developed a new ruleset called Tripwire. Much testing has
gone into this set. I've been using it for over a month!

Tripwire has taken OBFU to the next level! It searches for 3
characters that shouldn't be together. This is based on the English
language.

"But what about PGP sigs?"
Taken care of!

"But what about Embedded images?"
Taken care of!

"But what about forwarded emails?"
Taken care of!

"But what about certain yahoo groups?"
Guess? Taken care of!

We had been holding it back in the hopes of announcing it with the
new SARE website, but we can't hold it back any longer. It's just that good!
I feel lucky to work with such a great group of people! So it gives me great
pleasure to post in Fred's honor, the link to Tripwire:

http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf

It can also be found on my SARE page under Fred's section.

Enjoy!

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 




RE: [SAtalk] skip attachment scanning?

2004-01-13 Thread Chris Santerre



Negative rules should be left off list. The lurkers eat them up :)

The only way I know of to configure this is by procmail skipping email larger
than a certain size. But it has been a while since I looked at that part of SA.
Otherwise, a rule like this would be fine.

(How long until we see a spammer add this code now?)

--Chris

> -Original Message-
> From: Stenglein, James C [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] skip attachment scanning?
> 
> Quick question for the list...
> 
> Our users receive a lot of .doc attachments that seem to be caught with
> various rules such as backhair.  We have no intention of removing the
> backhair tests though.  Anyone know of a simple way to skip attachment
> scanning or at least what test to use to negate points if an attachment
> is found?  Any input on this rule?
> 
> header ATTACHMENT_DOC =~ /Content-Description:*.doc /
> describe ATTACHMENT_DOC Found attachment type .doc
> score ATTACHMENT_DOC -2.0
> 
> Thanks in advance,
> 
> Junix
> Technology Services Unix
  Services Unix


RE: [SAtalk] Low score for so many hits?

2004-01-13 Thread Chris Santerre
Someone just emailed me about this. The link added to the end of every post
is no longer archiving since last year. 
 
http://www.spamassassin.org/lists.html

Archive #1 is my Favorite :)

We should get that changed! 

--Chris

> -Original Message-
> From: Jonathan Nichols [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 11:34 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Low score for so many hits?
> 
> 
> 
> > 
> > I agree, I felt bad after hitting send. :)
> > 
> > But an extremely quick look at the archives would have had 
> on page 1 info
> > about this. Not even a need for a search. So for the people 
> who don't check
> > this regularly, that is what the archive is for. A little 
> homework before a
> > post goes a long way. ;)
> > 
> 
> You forgot one obvious reason, Chris...
> 
> What happens when you click on the list archive link only to 
> have it go 
> *splat?* :P
> 
> I've been trying for a few minutes now and the list archive 
> link found 
> on 
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk just 
> times out.
> SF.net's mailing list archive search is pretty bad too.
> 
> It's quite possible that a lot of people have just plain given up on 
> searching archives but that doesn't excuse them from using 
> groups.google.com ;)
> 
> 
> 
> 




RE: [WL] [SAtalk] How to count pattern matches?

2004-01-13 Thread Chris Santerre


> -Original Message-
> From: Dallas L. Engelken [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 11:38 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [WL] [SAtalk] How to count pattern matches?
> 
> 
> > > On Tue, 13 Jan 2004, Christian Recktenwald wrote:
> > > > is there a possibility to count the number of occurrences of a
> > > > given pattern?
> > > 
> > > I've asked for this before. Never heard any replies.
> > > I was actually hoping for a test with a minimum threshold, 
> > such as "If 
> > > count is greater than 5" then score 'x'.
> > > 
> > > - Charles
> > > 
> > 
> > There is a custom eval that does this. I will see if the 
> > author wishes to make it public just yet. It didn't do what 
> > we thought it would, but we learned a lot from it. So it's a 
> > work in progress. 
> > 
> 
> but you'd still have to call the eval multiple times in order to give
> different scores based on true/false return values from your eval...  
> 
> i can write this eval for you in just a few minutes if that guy doesn't
> want to make it available.
> 
> dallas
>  

Agreed! That was his biggest complaint. One of the things we learned was it
depends on the size of the email. We had to look at how many times a phrase
hit and was the email big(or small) enough to justify it might indicate
spam. 

--Chris




RE: [WL] [SAtalk] How to count pattern matches?

2004-01-13 Thread Chris Santerre


> -Original Message-
> From: Charles Gregory [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 11:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [WL] [SAtalk] How to count pattern matches?
> 
> 
> On Tue, 13 Jan 2004, Christian Recktenwald wrote:
> > is there a possibility to count the number of occurrences of a 
> > given pattern?
> 
> I've asked for this before. Never heard any replies.
> I was actually hoping for a test with a minimum threshold, such as
> "If count is greater than 5" then score 'x'.
> 
> - Charles
> 

There is a custom eval that does this. I will see if the author wishes to
make it public just yet. It didn't do what we thought it would, but we
learned a lot from it. So it's a work in progress. 

--Chris




RE: [SAtalk] Low score for so many hits?

2004-01-13 Thread Chris Santerre


> -Original Message-
> From: Chip Paswater [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 9:32 PM
> To: Chris Santerre
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Low score for so many hits?
> 
> 
> > *sigh*
> >  HABEAS_SWE
> > 
> > Do people read this list or just post questions? Sorry, not meant to lash
> > out, but this Habeas topic has been all the rage today. Don't know how
> > anyone could miss it.
> 
> Wow, way to be rude about it. 
> 
> There might exist the possibility that not every subscriber of this list
> reads it daily.  Additionally, consider the amount of people who subscribe to
> the list specifically for posting their question.
> 

I agree, I felt bad after hitting send. :)

But an extremely quick look at the archives would have had on page 1 info
about this. Not even a need for a search. So for the people who don't check
this regularly, that is what the archive is for. A little homework before a
post goes a long way. ;)

(I've been on the other end of this as well. I'm still scared to post to the
SPAM-L list! They'll have your Soul!)

If you subscribe, but don't read it daily, where do all those posts go? :-) 

My apologies,

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 




RE: [SAtalk] (OT) Anti-spam law enacted -- so what's all this junk in my in-box? Risks Digest 23.12

2004-01-13 Thread Chris Santerre
*snip*
> savvy users. Mary Youngblood, abuse team manager at EarthLink, suggests
> putting numbers in the middle of your e-mail address to make it more
> difficult to guess and using a separate address for online shopping and
> newsgroup postings.  [AP, Jan 11 2004; NewsScan Daily, 12 Jan 2004]
>    http://apnews.excite.com/article/20040111/D800O3P00.html
> 

*sigh* I think users need _better_ education than that!

"Some critics of the law point to technology as the solution, though
techniques developed so far have failed."

This REALLY pisses me off  Spamassassin + DNSRBLs + some custom rules =
just about ZERO spam for my users!!! When the hell will the media start
saying that?!?!?!?!?!?!  *deep breath* 

"We don't have the solution yet. We have the big Band-Aids," said Spira.

We have a LOT of better ideas that more ISPs need to implement. Stopping
open by default email ports from home users would be a pretty big step! 

"Researchers at Microsoft Corp. (MSFT) and elsewhere are studying whether to
require small payments to send e-mail, costs that would be prohibitive for
spammers who send millions of messages."

*cleans mess from head exploding* I don't think MSFT has our best interest
in mind there. Do you?

Spam is dynamic. So should be antispam. Opensource reacts faster. One man's
spam is another man's ham. But sometimes a Spam is a Spam for all. SA does a
DAMN fine job of it, and I think we are winning the fight. Despite the media
not wanting to inform people of that.

It's been a long morning already. /rant

--Chris





RE: [SAtalk] setting up spamassassin on Gateway server (MX)

2004-01-13 Thread Chris Santerre



What MTA are you running on the MX server?

> -Original Message-
> From: Pankaj Shrestha [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 1:28 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] setting up spamassassin on Gateway server (MX)
> 
> 
> Dear all,
> I have a MX server that simply accepts the mails and forwards all the
> mails to the corresponding internal servers.
> I have been able to install and run properly Spamassassin in our internal
> servers. But I would like to configure it in our MX server itself. By the
> way, MX server doesn't have any users.
> How do I do it? Suggestions and links are highly appreciated.
> Thanking you in advance.



RE: [SAtalk] filter suggestions

2004-01-13 Thread Chris Santerre


> -Original Message-
> From: Brian McGroarty [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 11:36 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] filter suggestions
> 
> 
> What's the proper way to suggest a new filter to the SA developers?
> 
> I'm getting a TON of mail with a bunch of random uncommon-but-real
> words to thwart Bayesian filtering, combined with a single picture
> link. Spamassassin is giving these only about one point apiece.
> 
> The picture link never seems to come from the same domain as the
> mail. It seems like HTML mail with images not from the sender's domain
> would be a very useful test for these.
> 

There has been some serious effort to _reliably_ tag this stuff. The rule
consortium works to get the lowest FP rate possible. Otherwise Bob M. slaps
us all with a dead fish! ;)

We have yet to come up with a great set of rules or evals yet. Some
progress, but we have to anticipate the changes spammers will make. I'm
hoping we strike gold soon. I think Fred is beginning to dream in random
words only. 

--Chris




RE: [SAtalk] Low score for so many hits?

2004-01-12 Thread Chris Santerre
*sigh*
 HABEAS_SWE

Do people read this list or just post questions? Sorry, not meant to lash
out, but this Habeas topic has been all the rage today. Don't know how
anyone could miss it.

--Chris


> -Original Message-
> From: Chip Paswater [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 5:36 PM
> Cc: [EMAIL PROTECTED]
> Subject: [SAtalk] Low score for so many hits?
> 
> 
> Any idea how a message with so many hits got such a low score?
> 
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 2.61 
> (1.212.2.1-2003-12-09-exp) on anubis
> X-Spam-Status: No, hits=2.0 required=5.0 
> tests=BAYES_99,BIZ_TLD,CLICK_BELOW,
> HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
> 
> MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
> autolearn=no version=2.61
> 
> 
> 


[SAtalk] [RD] can-spam phrases in legit ham.

2004-01-12 Thread Chris Santerre
It was discussed a while back how the phrases like:

"This message conforms to the requirements of the 'CAN-SPAM Act of 2003' and
was sent to you by .."

Just wanted to let you guys know I'm seeing it in legit ham now. Careful
using a rule for this stuff. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 




RE: [SAtalk] Detecting 10+ random words

2004-01-12 Thread Chris Santerre
Comments inline...

> 
>  
> 
> This is a resubmission of a question that I have been trying to sort out
> for about a week now.  I am trying to tag messages that have more than
> 10 random words in the message body of an incoming e-mail I am running
> the following
> 
*snip*
> 
> This is the .cf rule file
> 
> rawbody  RANDOMWORD_10  /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
> describe RANDOMWORD_10  string of 10+ random words
> score    RANDOMWORD_10  0.5
> 

*snip*

Rule ok. We have been working on this bayes poison detection as well. They
recently threw us a curveball. Punctuations. 

> 
> Below is an excerpt from my sendmail logs that shows an email that has got
> through
> 
> 
> 09881 <<< edging hayes catapult leavenworth font angus pumice
> 
> 09881 <<< tenable rockford aggressor coffee plaza swarm 
> louise testicle
> condemna

The reason why is that you are using rawbody. So your rule has to match on a
single line. This isn't what you received. Try using a body rule. 

--Chris
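
Added example, not part of the original thread and not SpamAssassin's own code: a Python model of the reply above, running the posted RANDOMWORD_10 pattern against each line on its own (the single-line behaviour described for rawbody) and against the paragraph with its line breaks collapsed (a simplified assumption about what a body rule sees). The sample text is constructed from the two complete log lines quoted in the post; the helper names and the RANDOMWORD_10_PUNCT variant are hypothetical.

```python
import re

# Pattern exactly as posted in the rule file (Perl syntax; Python's re
# module accepts it unchanged).
RANDOMWORD_10 = re.compile(
    r"(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}"
)

# Hypothetical variant, not from the thread: tolerate one punctuation mark
# between a word and the whitespace that follows it.
RANDOMWORD_10_PUNCT = re.compile(
    r"(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}[.,;:!?]?\s+){10}"
)

# Constructed sample: the two complete lines quoted from the sendmail log,
# wrapped as they arrived (7 words, then 8 words).
WRAPPED = (
    "edging hayes catapult leavenworth font angus pumice\n"
    "tenable rockford aggressor coffee plaza swarm louise testicle\n"
)

# Constructed sample: the same words with punctuation added, the
# "curveball" mentioned in the reply.
PUNCTUATED = (
    "edging hayes, catapult leavenworth font. angus pumice\n"
    "tenable, rockford aggressor coffee. plaza swarm louise testicle\n"
)


def paragraphs(text):
    """Split on blank lines and collapse each paragraph onto one line."""
    chunks = re.split(r"\n\s*\n", text)
    return [" ".join(chunk.split()) for chunk in chunks if chunk.strip()]


def hits_per_line(pattern, text):
    """Model of single-line matching: every line is tested by itself."""
    return any(pattern.search(line) for line in text.splitlines())


def hits_per_paragraph(pattern, text):
    """Model of paragraph matching: line breaks no longer split a run."""
    return any(pattern.search(para) for para in paragraphs(text))


if __name__ == "__main__":
    # No single line holds 10 qualifying words, so per-line matching misses.
    print("per line, wrapped:       ", hits_per_line(RANDOMWORD_10, WRAPPED))
    # Joined, the 15 words form one run and the pattern fires.
    print("per paragraph, wrapped:  ", hits_per_paragraph(RANDOMWORD_10, WRAPPED))
    # Punctuation breaks every run of "word + whitespace" into short pieces.
    print("per paragraph, punctuated:",
          hits_per_paragraph(RANDOMWORD_10, PUNCTUATED))
    # The tolerant variant sees through the punctuation, but only when the
    # text is matched as a paragraph.
    print("variant, per paragraph:  ",
          hits_per_paragraph(RANDOMWORD_10_PUNCT, PUNCTUATED))
    print("variant, per line:       ",
          hits_per_line(RANDOMWORD_10_PUNCT, PUNCTUATED))
```

Any loosened variant such as the punctuation-tolerant one would need the same false-positive checking against ham that the thread asks of every rule.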




RE: [SAtalk] Obscured web site address using javascript

2004-01-12 Thread Chris Santerre
I'm attaching one that was posted to another list. Unix Text format.
(receiver address munged.)

It is UGLY.

--Chris

> -Original Message-
> From: Scott Lambert [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 11, 2004 6:34 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Obscured web site address using javascript
> 
> 
> I have had at least 5 of these come in today.  
> 
> The spamvertised site address seems to be generated by the following
> Javascript code.  The code is the content of an *.html file attachment.
> The message bodies have been of two types.  The variable names are
> different bayes poison in all the examples I have here.  The arrays and
> for loop math are different.
> 
*snip*




RE: [SAtalk] Is anyone scanning for the chemical name for the Vee drug?

2004-01-12 Thread Chris Santerre
Check the SARE site for a rule called "AF_MEDICAMENTOS". I believe it was
submitted by a guy from Mexico. It tags a lot. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 

> -Original Message-
> From: SpamTalk [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 10:53 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Is anyone scanning for the chemical name for the Vee
> drug?
> 
> 
> One dufus spammer, beside spelling the drug correctly, also mentions the
> generic name "Sildenafil Citrate". If not already in BigEvil, perhaps Chris
> could add it.
> 
> Best Regards,
> Bob
> 
> 


RE: [SAtalk] Your threshold score

2004-01-12 Thread Chris Santerre
Yes, I use the 5.0 default. My Bigevil rules go against my own
recommendations. The majority of my custom rules are between .33 and .55 in
score. But Bigevil is designed to hit 100% spam. It is the only set I have
scored high.  FPs are taken care of right away.

I don't deliver the spam at 7.0 or higher through procmail scripts. They get
diverted to a spam bucket to be checked by me. I consider spam marked
between 5-7 a failure, because I don't want my users to see any spam :)

I've had great success in scoring spam over 7 even without Bigevil. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 


> -Original Message-
> From: Carl Chipman [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 10:33 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Your threshold score
>
>
> What do most people who write new SA rules set their threshold to?  I had
> set it around 3.0 for our company, but the false positive rate was very
> high.  I was looking at some of the big-evil stuff and noticed that many of
> the scores were 3.0 by themselves...
>
> Does everyone just use the 5.0 that comes by default?
>
>
>
> Carl Chipman
> Nomadics, Inc.
> [EMAIL PROTECTED]
> http://www.nomadics.com
>
>
>
>
>
>


RE: [SAtalk] (OT) Inbox Trauma: New Anti-Spam Tools Falter

2004-01-12 Thread Chris Santerre
I was going to post my stats as well. Slight increase in spam. Not getting
thru, but increase in being sent ;) *sigh* 

"The goggles, they do nothing!" - McBane

I also get a lot of "Survey" calls at home now. *Deep sigh*

--Chris


> -Original Message-
> From: Gary Funck [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 1:23 AM
> To: Spamassassin List
> Subject: [SAtalk] (OT) Inbox Trauma: New Anti-Spam Tools Falter
> 
> 
> 
> http://www.interesting-people.org/archives/interesting-people/200401/msg00107.html
> 
> -Original Message-
> From: Claudio Gutierrez <[EMAIL PROTECTED]>
> Date: Sun, 11 Jan 2004 20:56:04
> To:Dave Farber <[EMAIL PROTECTED]>
> Subject: Inbox Trauma: New Anti-Spam Tools Falter
> 
> Dave
>   I think you have a first hand experience on this topic
> 
> http://story.news.yahoo.com/news?tmpl=story&cid=530&e=2&u=/ap/20040111/ap_on_hi_te/swimming_in_spam
> By ANICK JESDANUN, AP Internet Writer
> 
> NEW YORK - Software makers have spent millions of dollars developing new
> tools for battling spam, and a new federal anti-spam law went into
> effect on Jan. 1. So are our e-mail inboxes any less cluttered?
> 
> In the week since the law took effect, spam-filtering company Brightmail
> Inc. flagged 58 percent of incoming e-mail as spam, showing no change
> from December. And America Online Inc. saw a 10 percent jump in spam
> from overseas, possibly from spammers trying to evade U.S. law.
> 
> Some experts even believe the new law will actually bury us in even more
> electronic junk.
> 
> "Now we have a green light for what would come to be called `legal
> spam,'" said Vincent Schiavone, chief executive of the ePrivacy Group
> consultancy. By establishing official guidelines for what's permissible,
> "the federal law made unsolicited mail legal but no less unwanted."
> 
> Advances in filtering technology aren't eliminating spam, either, as
> spammers quickly develop smarter countermeasures such as constantly
> changing the wording in their messages.
> 
> As well, spammers have used computer viruses to create additional e-mail
> relay points even as Internet service companies shut down previously
> poisoned pathways.
> 
> Leslie Flynn, an administrative assistant for an investment banker,
> continues to get ads for Xanex, Valium and "things to make parts of your
> bodies bigger."
> 
> The new law doesn't actually ban pitches as long as senders meet various
> guidelines - such as including an accurate subject line and the sender's
> real-world mail address. Recipients must also be offered a way to
> decline, or opt out of, future e-mailings.
> 
> 
> 
> 
> 
> 


[SAtalk] Bigevil update 2.06g

2004-01-12 Thread Chris Santerre
Updated and tested over the weekend. 

I'm still working on a good rule to catch the G.Bush V-drug look-a-like
spam. This guy changes domain names all the time. Something soon I hope. 

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf


Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




[SAtalk] OT: My REALY REALY Crazy idea!! ahahahahahah

2004-01-09 Thread Chris Santerre
Ok, this one is out in left field but I think it would make spam fun. The
idea jumped in my head from a  Spam-L post. Are you sitting down?

Tamogachi Gorilla Spam!!!

So we figure out a way to implement a pet gorilla program into spamassassin.
Each spam runs thru an algorithm to produce a token. This token's binary
pattern is then fed to the pet gorilla to produce some effect. Emotional,
Physical, and possibly environmental. 

Your pet gorilla would be at the mercy of what kind of spam you got. Imagine
checking your email in the morning and finding your pet gorilla is drunk on
banana rum punch and screaming for food!

Good way to get people to feed spam into bayes!

People would be walking around asking each other, "How's your monkey today?"

Ok, it's 5:30 PM Friday. I really need to go home! 

(Watch someone market this and make millions.)
Tamogachi Gorilla Spam (tm.) Patent pending...blah blah lol..

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




RE: [SAtalk] Is BigEvil for me?

2004-01-09 Thread Chris Santerre


> -Original Message-
> From: Nix [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 3:29 PM
> To: Robert Menschel
> Cc: Bert Rapp; [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Is BigEvil for me?
> 
> 
> On Thu, 8 Jan 2004, Robert Menschel uttered the following:
> > Yes, there are three reasons you might not want to use bigevil.
> > 
> > 1) You like getting spam.
> > 
> > 2) You run SA with a threshold level very different from the default 5.0
> > score, and don't have the time or ability to adjust the bigevil scores
> > accordingly.
> > 
> > 3) You are an end-user whose only control is through the user_prefs file,
> > and therefore you cannot add additional rules to your SA processing.
> 
> 4) you prefer to have such a large collection of rule/score combinations
> GAed before use, and consider a system that relies on some poor sod
> manually maintaining a huge list of regexes, with (as far as I can tell)
> decidedly ad-hoc hit-frequencies checking, to be a step backwards.
> 
> (No offence, Chris. You're doing a hell of a job, but it seems like
> you're engaged in a Red Queen's race to me :) )
> 

LOL, no problem!!! Actually they do get minor mass checked by someone else
from time to time ;) 

I'm shooting for no FP's. And the results were VERY cool. It only seems like
a burden now because I have to tweak it to where I am satisfied they will
run faster and be smaller. After they are all done, it will be no work at
all to maintain. 

Scoring can be changed in seconds for all if you don't like mine. Actually
it has always bothered me that I set them to 3. But the last run against
someone's corpus made me feel much better. 

Domains added to the bigevil now are scrutinised MUCH more than before.
NANEAS searches, Openrbl.org queries, etc. So I'm confident. 

I am one lazy fool. So if it wasn't fun, I'd stop in a heartbeat :)

I say, try them for a week. You can always disable. But I doubt you will ;-)

--Chris




[SAtalk] bigevil entry for the weekend....

2004-01-09 Thread Chris Santerre
I'm just getting to my 2 day corpus of spam and noticed this whacko:

mdpillsource.com

All over the place. You may want to write a rule for him or manually enter
him just for the weekend until I update Monday or Tuesday. I'm not going to
let any quick updates get posted without testing. But I figured this guy is
going to try to slam people all weekend. 

Just a heads up.

--Chris




[SAtalk] RE: adding rules to the core set: need a volunteer!

2004-01-09 Thread Chris Santerre


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 2:58 PM
> To: Chris Santerre
> Cc: 'AltGrendel'; Spamassassin-Talk (E-mail);
> [EMAIL PROTECTED]
> Subject: adding rules to the core set: need a volunteer!
> 
> 
> 
> Chris Santerre writes:
> >> Maybe you should setup CSV and start a dev team?
> >> (I'd help if I could but I suck at regex)
> >
> >I had thought about it. Once I finish tweaking the regex, then it is only a
> >matter of adding/removing domains. No great regex knowledge really needed.  
> >
> >The Secret Society of Rule Writers is busy enough on other projects to
> >bother them with this ;) 
> >
> >I'm going to think about it after I get the whole thing tweaked the way I
> >want. Then I might put out the call for help. Of course this may all go away
> >by SA 2.80 ;)
> 
> Talking of which ;)  Myself and Theo were discussing this the other day;
> there's now a thriving community of external rulesets, and some of them
> definitely look pretty good.  It would be useful to get the top rules from
> those sets "promoted" into the core SpamAssassin distribution.
> 
> However, this requires a bit of work, and recently the main committer team
> have been swamped by "core engine code" work -- of which there has been
> plenty -- leaving little time for rule dev or QA.
> 
> So we really need another team member who'd be willing to do these kinds
> of tasks:
> 
>   - tracking down originators and making sure they have sent in a CLA;
> 
>   - measuring accuracy of proposed rules using mass-check, hit-frequencies;
> 
>   - adding the rules to the "rules under test" ruleset in CVS;
>   
>   - measuring the accuracy on the wider, distributed corpus using the
> nightly rule-QA data (once that's restarted);
> 
>   - feeding back FPs, FNs, and suggested changes to the authors;
> 
>   - promoting them to the main ruleset in CVS.
> 
> A good knowledge of SpamAssassin, writing rules, and (of course) perl
> regexps would be essential.
> 
> Does anyone feel like doing this -- and has the time to do so?
> 
> --j.

Funny you should mention how funny it was to mention this. :) 

I can think of one person who would be perfect for this, but I'll let him
speak up! The secret Society of Stone Cutters, I mean rule writers, has this
on the ToDo list for the new site. We wanted to pull out the best rules from
the SARE and yank out the old. It just hasn't bubbled up to the head of the
list yet.   Maybe I can bump it up above world domination. It may
actually help out with our rule DB project. 

Otherwise, I'm stuck in the land of http://:)

--Chris

 







RE: [SAtalk] FVGT file problem, aslo 2.61 problem

2004-01-09 Thread Chris Santerre
Did you get that from my SARE? I'm not sure if there is a comment that it
requires 2.60 or not. Let me know. I've got sooo many rules by Fred it's
silly :) 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 

> -Original Message-
> From: Russell Mann [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 7:08 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] FVGT file problem, aslo 2.61 problem
> 
> 
> Hello,
> 
> I just started putting some of the public rule sets into practice, and it
> looks like the 90_FVGT.cf file has a rule that doesn't work for me.
> 
> Jan  7 15:55:05 judah spamd[543]: Failed to run FVGT_rtbl_CBL 
> SpamAssassin
> test, skipping: ^I(Can't locate object method "check_rbl_txt" 
> via package
> "Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
> "Mail::SpamAssassin::PerMsgStatus"?) at
> /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgS
> tatus.pm line
> 2086. )
> 
> Can anyone tell me why this doesn't work or how to fix it?
> 
> Also, I'm currently running SA 2.55, and tried upgrading to 2.61.  I just
> downloaded, perl Makefile'd, make, (stop spamd) make install (start spamd),
> and then started seeing this message:
> 
> Jan  7 15:38:26 judah spamc[28527]: connect(AF_INET) to spamd 
> at 127.0.0.1
> failed, retrying (#1 of 3): Connection refused
> Jan  7 15:38:38 judah spamd[28532]: razor2 check skipped: Bad file
> descriptor Insecure dependency in connect while running with 
> -T switch at
> /usr/local/lib/perl5/5.6.1/i686-linux/IO/Socket.pm line 108.
> 
> I've downgraded back to 2.55 to get it to work, but can anyone suggest why
> this might be happening?
> 
> Thanks,
> 
> Russell
> 
> 
> 
> 


RE: [SAtalk] BigEvil and Debian amavisd-new/SA?

2004-01-09 Thread Chris Santerre
I didn't know that! I added this info to the cf file for debian users.
Thanks!

--Chris

> -Original Message-
> From: Chris Thielen [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 4:38 AM
> To: [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]
> Subject: RE: [SAtalk] BigEvil and Debian amavisd-new/SA?
> 
> 
> -Original Message-
>>From: "Ralf Hildebrandt"<[EMAIL PROTECTED]>
>>Sent: 1/9/04 2:21:06 AM
>>To: "[EMAIL PROTECTED]"<[EMAIL PROTECTED]sts.sourceforge.net>
>>Subject: [SAtalk] BigEvil and Debian amavisd-new/SA?
>>
>>Hi!
>>
>>I copied the BigEvil.cf to /etc/mail/spamassassin, restarted amavisd,
>>but the BigEvil rules don't seem to be used.
>>
>>Is the path different in Debian?
>   
> Yep.
> Try using /etc/spamassassin , there should already be some stuff in there.
> 
> --
> Chris Thielen
> 
> Easily generate SpamAssassin rules to catch obfuscated spam phrases: 
> http://sandgnat.com/cmos/ 
> 
> 
> 
> 
> 
> 
> 


RE: [SAtalk] Bigevil 2.06f posted.

2004-01-09 Thread Chris Santerre


> -Original Message-
> From: AltGrendel [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 8:14 AM
> To: Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] Bigevil 2.06f posted.
> 
> 
> On Thu, 2004-01-08 at 20:33, Chris Santerre wrote:
> > Sorry it took me so long to reply. I'm working from home today. (don't ask!,
> > but no it isn't a hockey injury :p) 
> > 
> > Yup, the regex is getting slowly rewritten rule by rule. Faster processing. I
> > still add more domains every update. I've actually pulled out a few that
> > expired or were bogus as well. 
> > 
> > Next update should be Monday or Tuesday.  Lots of pressure to get each
> > update right. :) 
> > 
> > --Chris
> > 
> 
> Maybe you should setup CSV and start a dev team?
> 
> (I'd help if I could but I suck at regex)
> 

I had thought about it. Once I finish tweaking the regex, then it is only a
matter of adding/removing domains. No great regex knowledge really needed.  

The Secret Society of Rule Writers is busy enough on other projects to
bother them with this ;) 

I'm going to think about it after I get the whole thing tweaked the way I
want. Then I might put out the call for help. Of course this may all go away
by SA 2.80 ;)

--Chris




RE: Re[2]: [SAtalk] Simple newbie question

2004-01-09 Thread Chris Santerre


> -Original Message-
> From: Robert Menschel [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 08, 2004 10:40 PM
> To: Steve Thomas
> Cc: John Fleming; [EMAIL PROTECTED]
> Subject: Re[2]: [SAtalk] Simple newbie question
> 
> 
> Hello Steve,
> 
> Thursday, January 8, 2004, 11:25:20 AM, you wrote:
> 
> ST> On Thu, Jan 08, 2004 at 02:07:59PM -0500, John Fleming is rumored to have said:
> >> 
> >> I want to specify a text string in the Subject header such that if it
> >> exists, the msg will NOT be considered spam, no matter what else might be
> >> wrong with it.
> 
> ST> In your /etc/mail/spamassassin/local.cf, add this at the bottom:
> 
> ST> header MY_CUSTOM_RULE Subject =~ /texttolookfor/i
> ST> describe MY_CUSTOM_RULE   My custom subject rule
> ST> score MY_CUSTOM_RULE  -500
> 
> In addition, you should add
>     tflags MY_CUSTOM_RULE nice learn
> 
> The "nice" helps SA acknowledge that this rule is supposed to score
> negative. The only effect I've seen so far is within the hit-frequencies
> program, but there may be others.
> 
> More importantly, the "learn" tells SA to ignore this score in
> determining whether to learn this email as spam or ham. Otherwise an
> email that is spam to everyone else will get learned as ham because of a
> large negative score.
> 

Does anyone else find the 'learn' counter-intuitive? Shouldn't it be
'ignore'? Just my opinion.  

--Chris




RE: [SAtalk] hits over five yet not marked as spam...

2004-01-09 Thread Chris Santerre
www.exit0.us has a section on catching viri with spamassassin. Debate if
this is a good thing to do if you like. All I'm saying is it _is_ possible
to tag it. 

--Chris

> -Original Message-
> From: Jeff Lasman [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 9:57 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] hits over five yet not marked as spam...
> 
> 
> We're being hit by MS security update emails.  I know they're not spam, 
> but rather  more accurately described as virii or worms.
> 
> However, I'm wondering if anyone has a good rule that will mark these?
> 
> Thanks.
> 
> Jeff
> -- 
> Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA  92517 US
> Professional Internet Services & Support / Consulting / Colocation
> Our blists address used on lists is for list email only
> Phone +1 909 324-9706, or see: http://www.nobaloney.net/contactus.html
> 
> 
> 


RE: [SAtalk] Bigevil.cf 2.06f problems

2004-01-09 Thread Chris Santerre
How did you download the file? Did you go from a windows machine to a *nix
server? If there was a problem with this file, I would have heard about it
real fast :) 

You might have PC characters in it if you d/l'd it from a PC. Try using
TextPad to save it in unix format. 

HTH,
--Chris

> -Original Message-
> From: Mike Loiterman [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 8:25 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Bigevil.cf 2.06f problems
> 
> 
>  
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Using 2.06f of bigevil and getting *lots* of these types of errors:
> 
> SpamAssassin tests, skipping: (Can't find string terminator '"' anywhere before EOF,  chunk 43. ) 
> 
> - --
> Mike Loiterman
> grantADLER
> Tel: 630-302-4944
> Fax: 773-442-0992
> Email: [EMAIL PROTECTED]
> PGP Key 0xD1B9D18E
> 
> -BEGIN PGP SIGNATURE-
> Version: PGP 8.0.3
> Comment: Digitally signed by Mike Loiterman
> 
> iQA/AwUBP/6rnmjZbUnRudGOEQK9zgCfRBAZKQqVHgYC7GPKUqMYWgCYxccAoLPV
> yL6VhnkQN0RZaxg+7WC1AzvX
> =1v2X
> -END PGP SIGNATURE-
> 
> 
> 


RE: [SAtalk] Abused REDIRECTOR URL

2004-01-09 Thread Chris Santerre
This is one of the major reasons why initially there were FPs in the bigevil
list. (All fixed now.) The script to pull out URIs grabbed the first part
and dropped everything after the TLD. So I would get a google.com in my
bigevil file. This was driving me crazy. I even started to see a few bigevil
poisons :) 

Thank goodness that stage of the project is over :P  But this is something
to keep in mind if a URI-ABL is ever to be tried. 

I'm surprised google has this. I guess they want to offer _everything_
yahoo does ;)

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 

> -Original Message-
> From: Bill Larson [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 9:16 AM
> To: [EMAIL PROTECTED]
> Cc: Spamassassin-Talk (E-mail)
> Subject: [SAtalk] Abused REDIRECTOR URL
> 
> 
> The following url is an abused unrestricted redirector url.
> 
> http://www.google.com/url?q=http://cardtraffic.com
> 
> Google is better than this. I hope they will ensure that this is no longer
> abusable after today. Spammers find stuff like this and then it will start
> appearing in their urls. The only solution to this is either a database of
> authorized urls for this redirector. Or using a non-sequential code to pull
> the url from a database.
> 
> For example http://www.google.com/url?q=1t43sdkjsa could redirect to
> http://cardtraffic.com
> 
> would be one good example. If the url isn't in the database then no
> redirect. I would have figured your find web team would have learned from
> the spammiest search engine Yahoo with their abused redirectors at
> 
> http://in.rd.yahoo.com/bronchiolar/*http://www.bestvita.biz
> http://rd.yahoo.com/frostbite/*http://www.x-discounts.biz/?id=contralateral&at=bolshevism&href=http://www.lacerate.com
> 
> You also have MSN joining in as a late comer perhaps intending to take over
> the spam url masking world.
> 
> http://g.msn.com/1SUenus/CT?http://www.2026.com/F/index.html
> 
> Maybe they hope to embrace and extend this technique also.
> 
> We would appreciate a response.
> 
> Bill Larson
> Network Administrator
> Compu-Net Enterprises
> (931) 920-0043 or (877) 920-1429
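
The extraction failure described in this message (keeping only the first host, so google.com ends up on the list) next to an extractor that follows the redirector to its target, as an added example that is not bigevil's own script. The function names and the REDIRECTOR_SUFFIXES list are assumptions built from the URLs quoted above; one sample is constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts treated as redirectors, taken from the URLs quoted in
# this thread. A host on this list is never itself a blocklist candidate.
REDIRECTOR_SUFFIXES = ("google.com", "rd.yahoo.com", "g.msn.com")

# An absolute http(s) URL appearing anywhere inside another string.
EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_of(uri):
    """Lower-cased host of uri, or None if it cannot be parsed."""
    try:
        host = urlsplit(uri).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def naive_host(uri):
    """First host only: everything after the TLD is dropped."""
    return host_of(uri)


def is_redirector(host):
    """True if host is a listed redirector or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES)


def fully_unquote(text, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def embedded_urls(uri, max_depth=4):
    """Absolute URLs nested inside uri, outermost first."""
    found = []
    current = uri
    for _ in range(max_depth):
        decoded = fully_unquote(current)
        # Skip the outer scheme so the search only sees path and query.
        rest = decoded.split("://", 1)[-1]
        match = EMBEDDED_URL.search(rest)
        if match is None:
            break
        current = match.group(0)
        found.append(current)
    return found


def blocklist_candidates(uri):
    """Hosts a URI actually leads to, minus the redirectors in front."""
    hosts = []
    for url in [uri] + embedded_urls(uri):
        host = host_of(url)
        if host and not is_redirector(host) and host not in hosts:
            hosts.append(host)
    return hosts


# URLs quoted in the thread, plus one constructed percent-encoded variant.
SAMPLES = [
    "http://www.google.com/url?q=http://cardtraffic.com",
    "http://in.rd.yahoo.com/bronchiolar/*http://www.bestvita.biz",
    "http://rd.yahoo.com/frostbite/*http://www.x-discounts.biz/"
    "?id=contralateral&at=bolshevism&href=http://www.lacerate.com",
    "http://g.msn.com/1SUenus/CT?http://www.2026.com/F/index.html",
    "http://www.google.com/url?q=http%3A%2F%2Fcardtraffic.com%2Foffer",  # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(naive_host(sample), "->", blocklist_candidates(sample))
```

A redirector URL with no embedded target, such as a plain search link, yields no candidates at all, which is what keeps the redirector's own domain off the list.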





RE: [SAtalk] Re: dictionary words in ascii part of mime

2004-01-09 Thread Chris Santerre
Someone has been working on different methods of tagging on the bayes
poison. Some ideas failed, but some new ones look promising. Just have to
wait and see how the numbers pan out. 

--Chris

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 09, 2004 3:54 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: dictionary words in ascii part of mime
> 
> 
> Alex Stade wrote:
> > I run SpamAssassin 2.61 and it catches a lot of spam, but lately, there is 
> > spam getting through that has bare dictionary words in the ASCII part of a 
> > MIME message and all the usual junk in the multimedia part. When reading 
> > these e-mails in Outlook or something like that, the client renders the 
> > messages beautifully and displays all the HTML and executes all the
> > arbitrary code that comes with it.
> 
> It is called bayes poison.  This is starting to be very common in
> spam.
> 
> By default Outlook prefers the HTML mail to plain text.  By default
> text mailers (such as my favorite, mutt) prefer the plain text.  So I
> only see the random garbage and not the html.  Although some spammers
> are starting to get literate and include excerpts from novels!  :-)
> 
> > The amount of text is varying, but it appears difficult to train a bayes 
> > database to distinguish these as bad words, yet retain them as good words. 
> 
> That is exactly the purpose of the bayes poison.  It is intending to
> get in the way of Bayesian analysis.  Be assured that this is a hot
> topic of discussion and that the developers are well aware of the
> problem and working on counter measures.
> 
> > So the question finally, is, how do I protect against this type of spam?
> 
> For me personally SA is still tagging the spam at a very good rate.  I
> am only seeing these types of spams in my caughtspam folder.  But I am
> also very aggressive with rejecting as much spam as possible at the MTA
> level.  And I am really only seeing them because I am poking at the
> remains and examining them.  Are the non-bayes rules really doing
> poorly against these messages for you?  Which they may be, spammers
> are prescreening against SA.  And that is what the Bayesian inference
> engine is designed to do, to create a custom rule for you and no one
> else that the spammers would not be able to avoid.  Except if the
> bayes poison is working then we have to switch to the next Plan B.
> 
> Bob
> 




RE: [SAtalk] Bigevil 2.06f posted.

2004-01-08 Thread Chris Santerre
Sorry it took me so long to reply. I'm working from home today. (don't ask!,
but no it isn't a hockey injury :p) 

Yup, the regex is getting slowly rewritten rule by rule. Faster processing. I
still add more domains every update. I've actually pulled out a few that
expired or were bogus as well. 

Next update should be Monday or Tuesday.  Lots of pressure to get each
update right. :) 

--Chris

> -Original Message-
> From: Scott Harris [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 08, 2004 11:35 AM
> To: Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] Bigevil 2.06f posted.
> 
> 
>  
> 
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Santerre
> >Sent: Thursday, January 08, 2004 6:42 AM
> >To: Spamassassin-Talk (E-mail)
> >Subject: [SAtalk] Bigevil 2.06f posted.
> >
> >Another update. Bunch of straggler FPs removed. Thank you Robert M!
> >Faster and smaller again. I hope to try to convert all the regex code this
> >weekend. But I'm not holding my breath :)
> >
> >Tested overnight with no problems. 
> >
> >http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
> 
> Chris, not trying to nit-pick, and I certainly appreciate all the rules you
> create TREMENDOUSLY, but I'm curious what you mean by "smaller again"?
> I notice that your last update said the same thing too, but the file size was
> larger each time:
> 
>  wc bigevil.cf newbe.cf 
>   805  2134  70074 bigevil.cf
>   809  2144  69549 newbe.cf
> 
> Newbe.cf is your latest version, 2.06f.  Granted, 4 lines isn't a big deal,
> but I'm still curious because each time it grows just a little.
> 
> 
> Scott
> 
> 
> 


[SAtalk] Bigevil 2.06f posted.

2004-01-08 Thread Chris Santerre
Another update. Bunch of straggler FPs removed. Thank you Robert M!
Faster and smaller again. I hope to try to convert all the regex code this
weekend. But I'm not holding my breath :)

Tested overnight with no problems. 

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




RE: [SAtalk] Sneaky spam

2004-01-07 Thread Chris Santerre
It will be in the next update ;)

Thanks
--Chris

> -Original Message-
> From: Rubin Bennett [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 2:46 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Sneaky spam
> 
> 
> another one...
> only scored 0.9 on my sitewide SA, and 2.5 on my personal with Bayes.
> 
> Is this address in BigEvil?
> 
> Rubin
> -- 
> Rubin Bennett <[EMAIL PROTECTED]>
> RB Technologies
> 




RE: [SAtalk] Finding a rule to catch a particular spam

2004-01-07 Thread Chris Santerre
Yes you may post the spam. Is it the white image with a doctor standing
there looking like G.W.Bush contemplating his existence? The one selling 6
kinds of Mr. Wiggly enhancing drugs? 

If so..I'm working on it :)

--Chris

> -Original Message-
> From: Geoff Soper [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 11:26 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Finding a rule to catch a particular spam
> 
> 
> I'm getting two spams quite frequently and wondered how I can find a rule
> to catch them (assuming one already exists)? There's no obvious phrase I
> can catch them on, they are HTML with a single image and are getting low
> scores. Do I post an example of them here? If so then how do I extract
> them correctly? I use SquirrelMail and Outlook Express.
> 
> Thanks,
> Geoff
> 
> 


RE: [SAtalk] Weightloss spam

2004-01-07 Thread Chris Santerre
I gained 12 lbs over the holidays and time off from hockey. I plan to lose
the weight off again.  But lots of people talk about losing weight. Some of
these phrases would be in legit casual emails. 

--Chris (So far: no goals, no assists, plenty of penalties.) Santerre

> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 11:01 AM
> To: Timothy Donahue; [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Weightloss spam
> 
> 
> At 09:46 AM 1/7/2004, Timothy Donahue wrote:
> >I was thinking searching for the following phrases, each with a score of
> >.5:
> >
> >lose the weight, struggling to lose, believe how simple, amazing patch,
> >shed the pounds, guaranteed to work, your money back
> 
> Sounds good.
> 
> I'd also suggest that you look at the message headers.. without looking 
> there, you're missing at least half of the good sources of spam-signs.
> 
> Sidenote: it's generally bad-form to inline post spam, and not even include 
> message headers when asking for spam detection suggestions.. inline quotes 
> might get mangled by reader's MUAs, so doing an attachment is recommended 
> when possible. Including the headers (with perhaps a few parts munged for 
> privacy) is also a good idea. Many spammers tend to leave footprints there...
> 
> 
> 


[SAtalk] RE: Making bigevil faster by finding common prefixes

2004-01-07 Thread Chris Santerre
> -Original Message-
> From: Scott A Crosby [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 06, 2004 7:01 PM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: Making bigevil faster by finding common prefixes
> 
> 
> On Wed, 24 Dec 2003 10:59:50 -0500, Chris Santerre <[EMAIL PROTECTED]> writes:
> 
> > Updated from last few days. Rules 20-23 have been played with a little.
> > Attempting to make the ruleset faster. I have some issues with doing the
> > rules this way, so I'm testing them out. 
> 
> Are you having trouble doing the conversion automatically? 

Yup ;)

> I can describe the algorithm to transform the regexps and to find
> maximum-size prefixes if you (or someone else) wants to
> implement. I've tried, but my perl knowledge for the datastructure
> voodoo is a bit lacking, but the correct algorithm will give a new
> ruleset that will have *identical* results to doing the matches
> sequentially. The program for the conversion should be about 30-50 lines.
> 
*snip*

Basically bigevil has gone completely manual now. Scripts automating it were
essential to the project. Now they become more of a hindrance. I have some
plans for some new scripts to get domain names, but adding anything to the
actual cf file has to be done by hand. 

Same example: domain.net and domain.com is a spammer. But domain.org is not.
I can't just say /domain\.(?:com|net|org)/ because of the FP. Also scripts
don't see things like:

spam2003.com, spam2004.com, ... could be rewritten as /spam200\d\.com/

Or that some of the IP addresses can be broken down to subnets. 

I see what you mean by the tree structure of the rules. Eventually I hope to
get there. I plan to pull out .org,us,info tld's into their own rules. So
I'm changing a few at a time. But at this point, automating any changes
isn't going to work :(

--Chris 
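
A standard prefix-trie merge of a domain list into one regex, as an added example (the algorithm Scott offered to describe was snipped, so this may differ from it, and it is not bigevil's code). It matches exactly the listed set, so domain.org stays unmatched; the function names and probe hosts are assumptions, and the domains are the placeholders from the reply above.

```python
import re

END = ""  # sentinel key: a listed domain ends at this trie node


def build_trie(domains):
    """Character trie over the lower-cased domain names."""
    root = {}
    for domain in domains:
        node = root
        for ch in domain.lower():
            node = node.setdefault(ch, {})
        node[END] = {}
    return root


def trie_to_regex(node):
    """Regex fragment matching exactly the strings stored below node."""
    can_end = END in node
    branches = [
        re.escape(ch) + trie_to_regex(node[ch])
        for ch in sorted(k for k in node if k != END)
    ]
    if not branches:
        return ""
    if len(branches) == 1 and not can_end:
        return branches[0]
    group = "(?:" + "|".join(branches) + ")"
    # A listed name that is a prefix of another makes the tail optional.
    return group + "?" if can_end else group


def compile_rule(domains):
    """One compiled pattern for the whole list."""
    if not domains:
        raise ValueError("empty domain list would match everything")
    return re.compile(trie_to_regex(build_trie(domains)), re.IGNORECASE)


def sequential_match(domains, host):
    """Baseline: try each listed domain one after another."""
    return any(re.fullmatch(re.escape(d), host, re.IGNORECASE) for d in domains)


def same_verdicts(domains, probes):
    """True if the merged rule agrees with the baseline on every probe."""
    merged = compile_rule(domains)
    return all(
        bool(merged.fullmatch(host)) == bool(sequential_match(domains, host))
        for host in probes
    )


# Placeholder domains from the message above.
LISTED = ["domain.com", "domain.net", "spam2003.com", "spam2004.com"]
# Constructed probes: listed names plus near misses that must not match.
PROBES = LISTED + ["domain.org", "spam2005.com", "domain.co",
                   "xdomain.com", "DOMAIN.NET"]

if __name__ == "__main__":
    print(compile_rule(LISTED).pattern)
    print("identical to sequential matching:", same_verdicts(LISTED, PROBES))
```

The merge only factors shared prefixes of names already on the list; widening a pattern to something like spam200\d stays a manual decision.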





RE: [SAtalk] Smart SPAM

2004-01-06 Thread Chris Santerre
Send them on :) I'm willing to look at everything when I find the time. I've
got a few lists from others already. It gets more difficult to determine if
they are in bigevil already due to the streamlining rewritten regex now. 

thanks,
Chris

> -Original Message-
> From: Billy Huddleston [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 06, 2004 12:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Smart SPAM
> 
> 
> I've got a complete list of domains that I used with some procmail scripts
> for some time now part of a set of scripts called "purveyors"..  I have NO
> idea how many of them are still valid or how much they overlap with
> bigevil.cf at this time, however, I'm willing to send you the procmail
> recipes so you can tear'm apart and add them to bigevil if you so choose.
> 
> Thanks, Billy
> 
> - Original Message - 
> From: "Jonathan Nichols" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 06, 2004 11:29 AM
> Subject: Re: [SAtalk] Smart SPAM
> 
> 
> > Chris Santerre wrote:
> >
> > > ebaymarketer.com will be added to bigevil in the next update :)
> > >
> > >
> >
> > Add these jerks too:
> >
> > https://secure.easyinternetbusiness.com/sites/EZ_Auctions_CD2/?lpID=26020
> >
> > That's where ebaymarketer.com skulks off to anyway. ;)
> >


RE: [SAtalk] Smart SPAM

2004-01-06 Thread Chris Santerre
ebaymarketer.com will be added to bigevil in the next update :)

> -Original Message-
> From: Scott Williams , Area4 [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 06, 2004 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Smart SPAM
> 
> 
> Below is a SPAM that came through with a score of 0.7.
> 
> the only thing that hit was the DATE IN PAST
> 
> What are the Best Practices with SA to be able to stop these 
> in the future?
> 
> Thanks
> 
> SCott
> 
> 
> 
> 
> Date: Mon, 5 Jan 2004 18:08:21 -0500
> From: "Sandra Dee" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Use eBay And Yahoo To Make Money
> Reply-To: [EMAIL PROTECTED]
> X-Declude-Sender: [EMAIL PROTECTED] [216.149.223.15]
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> X-Spam-Tests-Failed: IPNOTINMX [0]
> X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on area4-smtp-1
> X-Spam-Status: No, hits=0.7 required=2.8 tests=DATE_IN_PAST_03_06 autolearn=no version=2.60
> X-Spam-Level:
> X-OriginalArrivalTime: 06 Jan 2004 03:48:42.0254 (UTC) FILETIME=[FA1C8AE0:01C3D407]
> 
> Use eBay and Yahoo to Make Money with this FREE CD!
> 
> It's fast!  It's simple!  It's EZ!
> 
> Learn the secrets of the eBay Pros!
> eBay Power Sellers make up to a QUARTER OF A MILLION DOLLARS per month!
> 
> Learn first-hand how they do it!
> 
> Use the powerful software to gain an edge!
> Our FREE CD contains cutting-edge software for generating FAST auction
> cash!
> 
> The CD, Secrets and Software are all free!
> Start your auction fortune on eBay or Yahoo today!  Our best-selling
> program, now FREE on CD
> 
> EZ Auctions
> Visit here for more information:
> http://ebaymarketer.com/buyerezsoft/?adID=409






[SAtalk] wiki down?

2004-01-06 Thread Chris Santerre
Is it just me or is the wiki down?

www.exit0.us


Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




[SAtalk] 2 new rules :)

2004-01-06 Thread Chris Santerre
Remember back in the day when I wrote rules besides Bigevil? :p 

Nothing major here, just 2 simple rules I think you will find work pretty
good.

uri VDRUG_RANDOM1 /\/(?:c2|a3)\.gif/
describe VDRUG_RANDOM1 Random Domain maker Vdrug seller
score VDRUG_RANDOM1 .33

uri MAKEPENIBIG /\bbolik34\b/i
describe MAKEPENIBIG Terra.es penil patch spammer
score MAKEPENIBIG .33

First one to mention how the Bruins are playing this season gets blacklisted
;)

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




[SAtalk] Bigevil updated this morning to 2.06

2004-01-06 Thread Chris Santerre
More added, smaller in size, and faster! Tested overnight with no problems. 

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

"Like sands thru the hourglass, so are the spams of our lives."

Enjoy :P

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




RE: [SAtalk] Spell Checking the Subject Header (RESULTS)

2003-12-31 Thread Chris Santerre
Don't go crazy! Wait a little longer. A LOT of work has already been done.
Soon. Very soon ;)

Just hate to see you do a lot of work that someone already has. Great
ruleset coming

--Chris

> -Original Message-
> From: Adam Schneider [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 12:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Spell Checking the Subject Header (RESULTS)
> 
> 
> 
> 
> On 12/31/03, Casper Gasper wrote:
> >
> >Things like, '4 consonants in a row are not an English word'.
> 
> Shortstop?  Matchstick?  :)
> 
> Seriously, though, looking for patterns is an interesting 
> idea.  For instance, English simply does not allow you to 
> begin a word with "vt" or "bs".  Looking for word beginnings 
> might be more useful than looking within words.  I bet that 
> with a few minutes fiddling with perl and a dictionary file, 
> I could generate a list of "forbidden" word-initial letter pairs.
> 
> Adam Schneider
> http://adamschneider.net/
> 
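
The word-beginning idea from the quoted message above, as an added example (not code from the thread, and in Python rather than the perl it mentions): it derives the letter pairs that never start a dictionary word and flags subject words beginning with one. The word list and subjects are constructed samples and the function names are hypothetical.

```python
import re
from itertools import product
from string import ascii_lowercase

# Constructed sample word list. Assumption: in real use, pass the lines of a
# full dictionary file instead, or nearly every pair will look "forbidden".
SAMPLE_WORDS = """
shortstop matchstick order online now cheap pills discount free great price
the for you your best buy stop meeting report invoice update question
""".split()

def initial_pairs(words):
    """Two-letter beginnings that occur in the dictionary."""
    seen = set()
    for word in words:
        head = word.strip().lower()[:2]
        if len(head) == 2 and head.isascii() and head.isalpha():
            seen.add(head)
    return seen

def forbidden_pairs(words):
    """All aa..zz pairs that never start a dictionary word."""
    every = {a + b for a, b in product(ascii_lowercase, repeat=2)}
    return every - initial_pairs(words)

# Whole alphabetic words of 3+ letters; tokens mixing digits are skipped.
TOKEN = re.compile(r"\b[A-Za-z]{3,}\b")

def suspicious_tokens(subject, forbidden):
    """Subject words whose first two letters are a forbidden pair."""
    return [t for t in TOKEN.findall(subject) if t[:2].lower() in forbidden]

def as_regex(forbidden):
    """One case-insensitive pattern matching any word with a forbidden start."""
    return re.compile(r"\b(?:" + "|".join(sorted(forbidden)) + r")[a-z]+", re.I)

if __name__ == "__main__":
    bad = forbidden_pairs(SAMPLE_WORDS)
    print(len(bad), "forbidden pairs")
    print(suspicious_tokens("Order vtgra bsmeds online now", bad))
    print(suspicious_tokens("Shortstop Matchstick", bad))
```

Because only the first two letters are checked, "shortstop" and "matchstick" pass even though they trip the four-consonants heuristic.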



