RE: [SAtalk] Backhair FP
Hi Matthew,

Looks like Backhair is triggering on my X-Face header. At least that's the only thing I can see that might be it. See the following email (BH == BackHair):

I changed the rule from full to body. Could you dl and test the current set to see if it misses now? It should, being that body only looks at subject line and message. Please let me know.

http://www.emtinc.net/spamhammers.htm/includes/backhair.cf

Thanks.
Jennifer

-- Begin
Return-path: xx
Envelope-to: xxx
Delivery-date: Fri, 30 Jan 2004 09:42:49 -0800
Received: from alderaan.localaccess.com ([69.10.205.107]) by mail1.localaccess.com with esmtp (Exim 4.24) id 1AmcfI-00027p-Nd for xxx; Fri, 30 Jan 2004 09:42:48 -0800
From: Matthew Trent xx
Organization: Local Access Communications
To: xxx
Subject: Test
Date: Fri, 30 Jan 2004 09:56:01 -0800
User-Agent: KMail/1.6
X-Face: $gozfl(LUR+*!g.K+9-=W66/$4o)~'bbc/CQdQVDn2RPY~.+g},0 {BV[K[Q!_Al1=X(U2 k44)(-v]Y1*NS.o%/a%^ck'BS^/Ep%BiT4b^qS{qMd`| Vcojd3M-$Ch7feiAq]}o4(:NF%7qG$K?K ?iG9$o.;d7#wnX1[EMAIL PROTECTED]M`]97{L2L^EY} 9;#c9]vEI~neh?c2Ji]G0/'W8p7_}GTQ73;:-a F3IjIferRdf!f]3b*9 ([EMAIL PROTECTED]%
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: 200401300956.01184.xxx
X-Spam-Score: -3.9 (---)
X-Spam-Report: Content analysis details: (-3.9 points, 5.0 required)
pts rule name description
-- --
-4.9 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.]
1.0 J_BH_43 BODY: 4 letters - Unsightly html tag - 3 letters
X-Virus-Scanned: Scanned by Clam Antivirus

Testing.

-- Matt
Systems Administrator
Local Access Communications
360.330.5535
End

-- Matt
Systems Administrator
Local Access Communications
360.330.5535

---
The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Backhair FP
My bad. I just posted a change to body rule with the set, but it has to be rawbody. I realized this as soon as I hit send. (oops)

Now... I don't know if rawbody looks at the headers... ?? If that doesn't fix it, I wouldn't know how to miss that. Maybe someone else will know.

Jennifer

Looks like Backhair is triggering on my X-Face header. At least that's the only thing I can see that might be it. See the following email (BH == BackHair):

-- Begin
Return-path: xx
Envelope-to: xxx
Delivery-date: Fri, 30 Jan 2004 09:42:49 -0800
Received: from alderaan.localaccess.com ([69.10.205.107]) by mail1.localaccess.com with esmtp (Exim 4.24) id 1AmcfI-00027p-Nd for xxx; Fri, 30 Jan 2004 09:42:48 -0800
From: Matthew Trent xx
Organization: Local Access Communications
To: xxx
Subject: Test
Date: Fri, 30 Jan 2004 09:56:01 -0800
User-Agent: KMail/1.6
X-Face: $gozfl(LUR+*!g.K+9-=W66/$4o)~'bbc/CQdQVDn2RPY~.+g},0 {BV[K[Q!_Al1=X(U2 k44)(-v]Y1*NS.o%/a%^ck'BS^/Ep%BiT4b^qS{qMd`| Vcojd3M-$Ch7feiAq]}o4(:NF%7qG$K?K ?iG9$o.;d7#wnX1[EMAIL PROTECTED]M`]97{L2L^EY} 9;#c9]vEI~neh?c2Ji]G0/'W8p7_}GTQ73;:-a F3IjIferRdf!f]3b*9 ([EMAIL PROTECTED]%
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: 200401300956.01184.xxx
X-Spam-Score: -3.9 (---)
X-Spam-Report: Content analysis details: (-3.9 points, 5.0 required)
pts rule name description
-- --
-4.9 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.]
1.0 J_BH_43 BODY: 4 letters - Unsightly html tag - 3 letters
X-Virus-Scanned: Scanned by Clam Antivirus

Testing.

-- Matt
Systems Administrator
Local Access Communications
360.330.5535
End

-- Matt
Systems Administrator
Local Access Communications
360.330.5535
RE: [SAtalk] Re: Bigevil and thoughts....
Hi Scott

On Fri, 23 Jan 2004 12:30:13 -0500, Chris Santerre [EMAIL PROTECTED] writes:

I received a report of an FP in bigevil. The domain was playaudiomessage.com. A quick google shows tons of hits in news.admin.net-abuse.sightings. It had been my hope the bigevil would be ZERO fp. However I'm not going to let the fact that a domain may be used 90% by spammers and 10% by legit sway me now.

I think this is a mistake. Before, BigEvil had the high road, not a single domain in it had *ever* been reported as used in ham, warranting a high score. With this change, that's no longer true. We now depend on *your* judgement on how 'unclean' a domain is. And your judgement may not be the same as mine. It may be that 98% of the time I see playaudiomessage.com, it is legit and 2% spam, but your corpus shows the reverse. Should the domain belong in bigevil in that case? I'm not saying that the domain should be forgotten, but that it should at least be in a different list.

I use rules in my local.cf that are the same as bigevil. My Blammo rules wax a spam with 20 points. I realize 7 would do it, but I get sick pleasure out of giving them 20. Then I saw that Chris is doing basically the same thing. (only in manic hyperdrive). So I got lazy and now just download his work and use that. I yank out the ones that I don't agree with. (few)

This file he maintains takes an awful lot of time, I know. I would just suggest that anyone who uses it, take the time to look through the thing and remove the domains that they consider not spam, in between, or whatever...

If I sound harsh, I don't intend to be. I just think maybe people don't realize how much of Chris' time that file takes up as it is.

How-ev-uh your suggestion is good! So maybe someone could take Chris' file, take it a step further (after each update) and split it into two files. (but even that would be someone's opinion...what is ham to me may be spam to you. Who knows, I might have a thing for kangaroos) Then people could have a choice.

Jennifer (will soon get my heart back into this war)

'Bigevil.cf' -- never once seen in ham.
'Maybeevil.cf' -- a small number of hits in ham

Scott
RE: [SAtalk] [SAtalk]Change points of preset rules
Hey guys. How can I change the points of the rules included in spamassassin? I'm trying to increase the points from the HTML_IMAGE_ONLY_02 BODY rule.

Thanks in advance,
Thorsten Schacht

You can override default scores in your local.cf

score HTML_IMAGE_ONLY_02 4.0

(restart spamd)

Jennifer
[SAtalk] Pox 1.12 - Bad lint fixed
Sorry for any problems this caused you guys. I had the wrong version on my server when I linted that change. ...Fixed now. Thanks for letting me know, Arpi.

Jennifer
Re: [SAtalk] Lint error with chickenpox v 1.11
Hi Erik

I assume you sent this over the weekend when the file was bad. I sent one this weekend that just showed up on the list this morning! If that isn't the case, grab the new version from my site. I believe it's 1.14.

http://www.emtinc.net/spamhammers.htm

Jennifer

Hi Jennifer,

When running lint on the latest chickenpox (1.11) I get this error:

donkeykong:/etc/mail/spamassassin/RulesDuJour # /usr/local/bin/spamassassin --lint
Failed to compile body SpamAssassin tests, skipping: (Unmatched ( in regex; marked by -- HERE in m/\s( -- HERE ?!(?:alt|biz|mrs|rev|s(?:ci|en|oc))\.|(?:e nd|fwd|org|reg):|[cd]os'[a-zA-Z]{3}[.,;:?%!+^~`'\$*=\#|013467\(\)\[\]\{\} ][a-zA-Z]{2}(?!\.(?:(?-i:[A-Z][a -z]{1})|a[eiu]|b[ebmrsz]|c[afhnrx]|d[bek]|es|f[ir]|g[uz]|h[knrtu]|i[elnqrst] |j[mops]|k[prwy]|m[kx]|n[loz]|p[lr ty]|ru|s[eghm]|t[cnv]|u[ksu]|v[gi])|:no|['`](?:ll|ts|[rv]e))(?:[,'\?!]|\.?\ s)/ at /etc/mail/spamassassin/chic kenpox.cf, rule J_CHICKENPOX_32, line 1. )

Any clues?

Erik
[SAtalk] [RD] Pox Request - language assistance
I have a strange request. I was wondering if some of you who speak a language other than English, or if you know someone who does, could write me (offlist) an email full of contractions in that language. Also please tell me what the language is. :) It would be very helpful. Say whatever you like, I won't know what it means anyway! You could also just send me a list of them. Just didn't sound as fun.

You might put the subject Pox Examples so I don't lose them in the spam grinding machine.

I've tried doing a little research, but as time consuming as this set has been, it would be nice to get a little help from those of you who speak these languages to speed this process up.

Thanks,
Jennifer
[SAtalk] Popcorn Backhair have been combined into 1 Set
Hello spam peeps

Well I was going to hold off posting this until I had the time to edit the page explaining the Rule Sets, but I got a spam this morning, tagged only by this updated Backhair Set. I was irked enough (thinking these spams might be getting through on other machines) that I will go ahead and at least announce the change. [we all know that cd, I shan't mention them]

Adam Lopresto and I have recently begun working together on Chickenpox, and while working on that set, it occurred to him how to fix the limitations in Backhair, using similar ideas we're using in pox.

This change in essence combines Backhair Popcorn. If you use this newest version of Backhair, you may delete the Popcorn Set. It covers the whole!silly obfu taggamut.

I will update the page when I get some free time in the hopes of making this change more clear. I left Popcorn on there for now, but like I said, if you use Backhair version 1.1 (just posted it) you no longer (sniff sniff...) need Popcorn... ..That makes me very sad :'( Popcorn was my first ruleset.

http://www.emtinc.net/spamhammers.htm

Jenn/ifer

-- 44 on new Backhair set ;) ...oooh the urge to say it! B..(cough cough) (cough cough cough) nah, best not to.
RE: [SAtalk] Popcorn Backhair have been combined into 1 Set
OY! That set had the original testing scores. Fixed now. Sorry

Haste = Bad

said, if you use Backhair version 1.1 (just posted it) you no longer

http://www.emtinc.net/spamhammers.htm

Jenn/ifer

-- 44 on new Backhair set ;) ...oooh the urge to say it! B..(cough cough) (cough cough cough) nah, best not to.
RE: [SAtalk] Popcorn Backhair have been combined into 1 Set
For some reason this doesn't work for me. I get all kinds of problems when I run spamassassin -D --lint. I don't think it's a problem with the rule set, because it happens on the tripwire rule set also. Any ideas or pointers? I know this is very vague, so if anyone needs more information from me I'd be happy to provide what is needed.

Without seeing the errors I can only guess. If you're getting errors on the rules, maybe you didn't get the full file, or maybe a line wrapped? Backhair has an EOF.

Thanks,
Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
Sent: Wednesday, January 21, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Popcorn Backhair have been combined into 1 Set

Hello spam peeps

Well I was going to hold off posting this until I had the time to edit the page explaining the Rule Sets, but I got a spam this morning, tagged only by this updated Backhair Set. I was irked enough (thinking these spams might be getting through on other machines) that I will go ahead and at least announce the change. [we all know that cd, I shan't mention them]

Adam Lopresto and I have recently begun working together on Chickenpox, and while working on that set, it occurred to him how to fix the limitations in Backhair, using similar ideas we're using in pox.

This change in essence combines Backhair Popcorn. If you use this newest version of Backhair, you may delete the Popcorn Set. It covers the whole!silly obfu taggamut.

I will update the page when I get some free time in the hopes of making this change more clear. I left Popcorn on there for now, but like I said, if you use Backhair version 1.1 (just posted it) you no longer (sniff sniff...) need Popcorn... ..That makes me very sad :'( Popcorn was my first ruleset.

http://www.emtinc.net/spamhammers.htm

Jenn/ifer

-- 44 on new Backhair set ;) ...oooh the urge to say it! B..(cough cough) (cough cough cough) nah, best not to.
RE: [SAtalk] Popcorn Backhair have been combined into 1 Set
-Original Message-
From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Jason Crowe
Sent: Wednesday, January 21, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Popcorn Backhair have been combined into 1 Set

Here is the error. When I copy and paste into emacs it's showing that the lines didn't wrap.

pop3:/etc/spamassassin# spamassassin --lint
Failed to parse line in SpamAssassin configuration, skipping: descrfull J_BACKHAIR_33 /[\s]\w{3}\/?(?!(?:a(?:bbr|cronym|ddress|pplet|rea)?|b(?:ase(?:font)?| do |i g|lockquote|ody|r|utton)?|c(?:aption|enter|ite|o(scdescribe J_BACKHAIR_34 3 letters - Unsigfull J_BACK
Failed to parse line in SpamAssassin configuration, skipping: fuls
Failed to parse line in SpamAssassin configuration, skipping: descrfull J_BACKHscoreJ_BACKHAIR_42 1.0
Failed to parse line in SpamAssassin configuration, skipping: desfull J_BACKHs
Failed to parse line in SpamAssassin configuration, skipping: defull s

I reuploaded the file to the site. Looks like the problem is with my file. Try downloading again and see if you still get errors.

Thanks,
Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
Sent: Wednesday, January 21, 2004 11:10 AM
To: 'Jason Crowe'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Popcorn Backhair have been combined into 1 Set

For some reason this doesn't work for me. I get all kinds of problems when I run spamassassin -D --lint. I don't think it's a problem with the rule set, because it happens on the tripwire rule set also. Any ideas or pointers? I know this is very vague, so if anyone needs more information from me I'd be happy to provide what is needed.

Without seeing the errors I can only guess. If you're getting errors on the rules, maybe you didn't get the full file, or maybe a line wrapped? Backhair has an EOF.

Thanks,
Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
Sent: Wednesday, January 21, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Popcorn Backhair have been combined into 1 Set

Hello spam peeps

Well I was going to hold off posting this until I had the time to edit the page explaining the Rule Sets, but I got a spam this morning, tagged only by this updated Backhair Set. I was irked enough (thinking these spams might be getting through on other machines) that I will go ahead and at least announce the change. [we all know that cd, I shan't mention them]

Adam Lopresto and I have recently begun working together on Chickenpox, and while working on that set, it occurred to him how to fix the limitations in Backhair, using similar ideas we're using in pox.

This change in essence combines Backhair Popcorn. If you use this newest version of Backhair, you may delete the Popcorn Set. It covers the whole!silly obfu taggamut.

I will update the page when I get some free time in the hopes of making this change more clear. I left Popcorn on there for now, but like I said, if you use Backhair version 1.1 (just posted it) you no longer (sniff sniff...) need Popcorn... ..That makes me very sad :'( Popcorn was my first ruleset.

http://www.emtinc.net/spamhammers.htm

Jenn/ifer

-- 44 on new Backhair set ;) ...oooh the urge to say it! B..(cough cough) (cough cough cough) nah, best not to.
RE: [SAtalk] Popcorn Backhair have been combined into 1 Set
this change more clear. I left Popcorn on there for now, but like I said, if you use Backhair version 1.1 (just posted it) you no longer (sniff sniff...) need Popcorn...

So if I grab Jennifer's backhair I don't need any popcorn? There must be some hidden meaning there.

As hairy as my Backhair is getting, no telling what is in there any more! I can tell you the popcorn is in there... (thinking I should get a monkey)

Jennifer

I've removed popcorn from the default list of thinggies to snag in RulesDeJour.

-- Chris Thielen
Easily generate SpamAssassin rules to catch obfuscated spam phrases (0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/
[SAtalk] [RD]FP Backhair - minor change
Added another more obscure tag. Thanks Kelson. Version 1.3

Jennifer
RE: blackhair problem (Re: RE: [WL] [SAtalk] Yikes.. rules_du_jour)
Hi,

Correct. The only set going through frequent revisions right now is Chickenpox. I think I'm about to post a revision on Backhair/Popcorn, but that will be the first change in months. Still, they will not go

I've found a major problem with Backhair set today: it catches most of the mails sent using pegasus mail and using attachment in UUEncoding (its default setting):

That's a big hit. I talked to Fred who says that this shouldn't be a problem with SA 2.7, which will know to skip attachments. Until then, you could try this as a fix to avoid that. It's not tested, I am only guessing the problem is with [^], which says anything but , and I would also guess it's pretty serious about the anything part, so if you changed that set (in each rule) to what you want to match, like [\w\s] that should fix the problem. Add more characters into that set if you want. And test. :)

I could post an alternate set if you want, but I would like to make sure my thinking is straight first. Someone steer me right if I'm talkin' outta me bum.

Jennifer

...
X-mailer: Pegasus Mail for Windows (v3.01b)
* This message contains the file 'isdf6e~1.jpg', which has been
* uuencoded. If you are using Pegasus Mail, then you can use
* the browser's eXtract function to lift the original contents
* out to a file, otherwise you will have to extract the message
* and uudecode it manually.
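The two changes discussed in this thread, narrowing the rule's scope from full to rawbody and replacing the "anything but" class with [\w\s], compared side by side in an added example (not part of the original messages and not the real Backhair rules). The pattern shape, the short tag whitelist and both sample messages are constructed, and the loose class is assumed to be [^>]; the last column also drops uuencoded blocks, standing in for the attachment skipping mentioned for SA 2.7.

```python
import re

# Assumption: short stand-in for Backhair's much longer list of real HTML tags.
KNOWN_TAGS = r"(?:a|b|br|font|i|img|p|table|td|tr)\b"
# Simplified "4 letters - unsightly html tag - 3 letters" shape (not the real rule).
HEAD = r"[a-zA-Z]{4}<(?!/?" + KNOWN_TAGS + r")"
TAIL = r">[a-zA-Z]{3}"
LOOSE = re.compile(HEAD + r"[^>]{1,40}" + TAIL, re.I)     # tag body: anything but '>'
STRICT = re.compile(HEAD + r"[\w\s]{1,40}" + TAIL, re.I)  # tag body: word chars, spaces
# A uuencoded attachment block such as the Pegasus Mail one reported above.
UU_BLOCK = re.compile(r"^begin [0-7]{3,4} \S+\n.*?^end$", re.M | re.S)

# Constructed ham: an X-Face-style header plus a uuencode-looking attachment line.
HAM = """\
From: sender@example.com
Subject: Test
X-Face: $goz(LUR+*!gK9=WXYZ<o)~'bbc/CQdQ>VDn2RPY~.+g},0

Picture attached.

begin 644 photo.jpg
M_]C_X``02D9)1@`!`0$`2`!(``#ABCD<#%&*+@>XYZ9V7R$7P9876543210K
`
end
"""

# Constructed spam: words split by made-up tags, the case the rule is meant to catch.
SPAM = """\
From: offers@example.net
Subject: hello

Buy chea<xqzt>pest meds, no pres<kjw>cription needed.
"""


def rawbody(message: str) -> str:
    """Return everything after the first blank line, i.e. the message without headers."""
    _, _, body = message.partition("\n\n")
    return body


def strip_uuencoded(body: str) -> str:
    """Remove begin/end uuencoded blocks so rules never see attachment data."""
    return UU_BLOCK.sub("", body)


def count(pattern: re.Pattern, text: str) -> int:
    """Number of non-overlapping rule hits in text."""
    return sum(1 for _ in pattern.finditer(text))


def compare(message: str) -> dict:
    """Hit counts for each combination of rule scope and tag-body class."""
    body = rawbody(message)
    return {
        "full/loose": count(LOOSE, message),        # headers + body, [^>]
        "rawbody/loose": count(LOOSE, body),        # body only, [^>]
        "rawbody/strict": count(STRICT, body),      # body only, [\w\s]
        "no-attachment/loose": count(LOOSE, strip_uuencoded(body)),
    }


if __name__ == "__main__":
    for label, message in (("ham", HAM), ("spam", SPAM)):
        print(label, compare(message))
```

On the constructed ham, the header hit disappears once the rule stops looking at headers, and the attachment hit disappears with either the restricted class or attachment skipping; the constructed spam is caught in every column.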
RE: [WL] [SAtalk] Yikes.. rules_du_jour
(Didn't mean to go offlist with my reply. Here it is again)

On Sat, 17 Jan 2004, Jonathan Nichols wrote:

rules_du_jour is kind of neat, but I hope it's not going to drive up Chris Jennifer's bandwidth bills or som 'em over a quota. :P

A thought, and a suggestion:

Thought: Some of the rules in 'rules du jour' look like they are fairly 'stable'. There is no reason to be downloading 'backhair' or 'weeds' everyday, is there?

Correct. The only set going through frequent revisions right now is Chickenpox. I think I'm about to post a revision on Backhair/Popcorn, but that will be the first change in months. Still, they will not go through frequent edits like pox.

Jennifer

Suggestion: For frequent changers, like 'evilrules', how about setting up a flag system where, for example, a single file is accessed for a timestamp, and only if the timestamp is 'new' does the script perform the various downloads. This way, most nights, there is ONE HTTP access, to get the timestamp, and it's a small file, rather than several big ones. This might require a 'central' site to keep the timestamp. But this would work for all of Jennifer's rules, at least.

- Charles
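A sketch of the flag-file idea suggested above, added here as an example (it is not rules_du_jour's code or anything posted to the list). It also refuses a download that lacks its end-of-file marker, since truncated rule files are what broke --lint elsewhere in this thread. The stamp-file format, the "# EOF" marker text, the URL and the FakeSite stand-in for the web server are all assumptions.

```python
import os
import tempfile
from typing import Callable, Dict

EOF_MARKER = "# EOF"       # assumed marker text; the thread only says Backhair "has an EOF"
STAMP_FILE = "stamps.txt"  # hypothetical: one "filename version" pair per line
BASE = "http://rules.example.invalid/"  # placeholder URL


def parse_stamps(text: str) -> Dict[str, str]:
    """Parse 'filename version' lines into a dict, ignoring malformed lines."""
    stamps = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            stamps[parts[0]] = parts[1]
    return stamps


def looks_complete(cf_text: str) -> bool:
    """A truncated transfer loses its tail, so require the marker as the last line."""
    lines = [ln.strip() for ln in cf_text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1] == EOF_MARKER


def write_atomic(path: str, text: str) -> None:
    """Write beside the target, then rename, so a reader never sees a half file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.replace(tmp, path)


def sync(fetch: Callable[[str], str], base_url: str, rules_dir: str) -> Dict[str, str]:
    """Fetch the small stamp file, then download only rule sets whose version changed."""
    stamp_path = os.path.join(rules_dir, STAMP_FILE)
    local: Dict[str, str] = {}
    if os.path.exists(stamp_path):
        with open(stamp_path) as handle:
            local = parse_stamps(handle.read())
    remote = parse_stamps(fetch(base_url + STAMP_FILE))  # the one nightly request
    report = {}
    for name, version in sorted(remote.items()):
        # Names come from the remote side: accept plain *.cf file names only.
        if os.path.basename(name) != name or not name.endswith(".cf"):
            report[name] = "rejected"
            continue
        if local.get(name) == version:
            report[name] = "current"
            continue
        text = fetch(base_url + name)
        if not looks_complete(text):
            report[name] = "rejected"  # keep the installed copy, retry next run
            continue
        # A real deployment would also run `spamassassin --lint` before the swap.
        write_atomic(os.path.join(rules_dir, name), text)
        local[name] = version
        report[name] = "updated"
    write_atomic(stamp_path, "".join(f"{n} {v}\n" for n, v in sorted(local.items())))
    return report


class FakeSite:
    """Constructed in-memory stand-in for the rules web server; records each request."""

    def __init__(self, files: Dict[str, str]):
        self.files = dict(files)
        self.requests = []

    def __call__(self, url: str) -> str:
        self.requests.append(url)
        return self.files[url]


def demo():
    """Three runs: a truncated download, the repaired file, then a quiet night."""
    site = FakeSite({
        BASE + STAMP_FILE: "backhair.cf 1.3\nchickenpox.cf 1.14\n",
        BASE + "backhair.cf": "score J_BACKHAIR_42 1.0\n# EOF\n",
        BASE + "chickenpox.cf": "score J_CHICKENPOX_32 1",  # constructed truncation
    })
    with tempfile.TemporaryDirectory() as rules_dir:
        first = sync(site, BASE, rules_dir)
        site.files[BASE + "chickenpox.cf"] = "score J_CHICKENPOX_32 1.0\n# EOF\n"
        second = sync(site, BASE, rules_dir)
        before = len(site.requests)
        third = sync(site, BASE, rules_dir)
        return first, second, third, len(site.requests) - before


if __name__ == "__main__":
    print(demo())
```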
RE: [SAtalk] Yikes.. rules_du_jour
rules_du_jour is kind of neat, but I hope it's not going to drive up Chris Jennifer's bandwidth bills or som 'em over a quota. :P Would it be possible to add a mirror or two? I've got a fairly empty T1 that could help out..

I think mine _should_ be okay, especially if it's staggered. We'll watch and see how things go, but you're right, mirrors might be a good idea. I do like Chris' idea though, because I hate bugging everyone with update! Update! I feel like a glow worm salesman on the fourth of july, especially with all the tweaks on pox.

I'll watch things and let you know if I start to see a problem.

Some good stuff is going on :) I'm pretty excited about it, I shall let you know soon.

Jennifer

-Jonathan
[SAtalk] Pox Update
Oy... I'm having a really bad day. :) Either you will get three of these update notices, or the good people who moderate will see that I keep posting from the wrong account and pull those. Third time is a charm, and I've changed my default email. Sincere apologies!!

Newest Chickenpox vaccination here...
http://www.emtinc.net/spamhammers.htm
~or~ at Chris (Spam me now!!) Santerre's site
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

Let me know if the numbers prove troublesome, and like I said, you might want to lower the scores to 0.6 ish to start with. (Robert M. gave me some great scoring recommendations based on his tests, but I just haven't gotten around to putting those into the mix just yet.)

If you're worried about including the numbers in the punctuation set, just remove them. There are other fixes with the regex as well, so if you use the set, I'd grab these and just pull out the numbers if they worry you. Bill Landry suggested adding 0 and 1, which are working out well for both of us. Today I added in a few more that I see quite often, but haven't watched them much.

Jennifer (double checking her sent by) Wheeler
RE: [SAtalk] Pox Update
Top posting :/

31 41 need a t in the regex toward the end like so...

(?:['`]{1}[dst]{1})

Sorry about that. I realized it when I saw too many of them hitting. It's fixed on the spamhammer page. I also let Chris know.

I also have started putting version numbers on the sets per request. I set them all to 1.0 even though they've gone through several edits thus far. Sorry for the confusion.

Jennifer

Woo... do a grep for sorry will ya! I'll shhsh

-Original Message-
From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
Sent: Thursday, January 15, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Pox Update

Oy... I'm having a really bad day. :) Either you will get three of these update notices, or the good people who moderate will see that I keep posting from the wrong account and pull those. Third time is a charm, and I've changed my default email. Sincere apologies!!

Newest Chickenpox vaccination here...
http://www.emtinc.net/spamhammers.htm
~or~ at Chris (Spam me now!!) Santerre's site
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

Let me know if the numbers prove troublesome, and like I said, you might want to lower the scores to 0.6 ish to start with. (Robert M. gave me some great scoring recommendations based on his tests, but I just haven't gotten around to putting those into the mix just yet.)

If you're worried about including the numbers in the punctuation set, just remove them. There are other fixes with the regex as well, so if you use the set, I'd grab these and just pull out the numbers if they worry you. Bill Landry suggested adding 0 and 1, which are working out well for both of us. Today I added in a few more that I see quite often, but haven't watched them much.

Jennifer (double checking her sent by) Wheeler
[SAtalk] Pox 1.2
Adam has gone through the set and 'graded my paper'. - the ' was missing in rules ending in {2} - added d to higher up rules ending in {1} (proper names...doh) - he pointed out some extraneous 'code' - on an earlier edit (not announced) he explained the need for speed using ?: in the capturing (), so I fixed those. I put the rules at sort of a midway score. I know you can (and should at least to start) change them, but I can't quite decide where to start them in the file. I think, as I believe someone said earlier, maybe chris, with any rules you're trying out that someone else wrote, you should score them low until you see how they do, then adjust them based on your needs. We all have good intentions, but this isn't easy stuff and we're bound to make mistakes or have oversights. ...which is the whole point of this list and doing this as a team. :) Thank you again Adam, and to everyone else who has given such good suggestions! It's getting there. Jennifer
RE: [SAtalk] Pox 1.2
Hi Jennifer! ...a link would be _helpful_! Thanks! http://www.emtinc.net/spamhammers.htm apologies, Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Jennifer Wheeler Sent: Thursday, January 15, 2004 8:55 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Pox 1.2 Adam has gone through the set and 'graded my paper'. - the ' was missing in rules ending in {2} - added d to higher up rules ending in {1} (proper names...doh) - he pointed out some extraneous 'code' - on an earlier edit (not announced) he explained the need for speed using ?: in the capturing (), so I fixed those. I put the rules at sort of a midway score. I know you can (and should at least to start) change them, but I can't quite decide where to start them in the file. I think, as I believe someone said earlier, maybe chris, with any rules you're trying out that someone else wrote, you should score them low until you see how they do, then adjust them based on your needs. We all have good intentions, but this isn't easy stuff and we're bound to make mistakes or have oversights. ...which is the whole point of this list and doing this as a team. :) Thank you again Adam, and to everyone else who has given such good suggestions! It's getting there. Jennifer
[SAtalk] [RD] Chickenpox Update
Edited Chickenpox Set is now available. Please read the notes on the site before using the set! I love the set, but I have them scored higher than you might like. I would set the scores lower to test and then score them per your tastes/spam threshold. If you would like to wait for testing results, I believe Bob M. will be testing this newest set against his corpus when he gets some time. http://www.emtinc.net/spamhammers.htm Thank you to Adam L. who has given me *great* regex instruction with this set! Please give me feedback, I anticipate needing to write in more exclusions to make them even safer to use. Thanks! Jennifer --- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Silly spam
http://www.emtinc.net/spamhammers.htm i'll probably have an update to the chickenpox set by the end of the week. and i see someone already pointed you to chris' site. There is also the wiki, i believe there is a link from rulesemporium. jennifer On Wed, 7 Jan 2004, Kurt Buff wrote: Several instances of the attached message got through, and I'm wondering what might catch this - we're running v2.60, with popcorn, backhair, weeds, smallpox, nov2rules and bigevil, plus a couple of minor custom rules. Hi, i'm a newbie to the list, is there a URL which has the rules for the above custom rules you mentioned above?
RE: [SAtalk] Bizarre spam
I got several of those in December, but none recently. None of them were tagged. I probably wrote a simple rule for it. Seems I remember something about ev2 in the headers?? Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Christopher Kunz Sent: Tuesday, January 06, 2004 2:22 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Bizarre spam Hi, I received this here just some minutes ago. It went to a role account and through a ticketing system so there's no usable headers (it wasn't scanned by SA either), but the content speaks for itself... Looks like pure bayes poison. Did anyone else receive this and can tell me if it's correctly caught? I can't imagine what content-based rules could catch this bastard... -- SNIP -- html pre To: Juror #3, Van Nuys Superior Court, Dept E, Los Angeles, CA, excused on November 13. This is Juror #4 and I would really like to say Hi and continue our conversation. You can reply to this email or call 818-831-1492. DO YOU KNOW JUROR #3? She is WF, 30's, 5'5, slender build, short light brown hair. She served on jury duty November 12 13, Van Nuys Superior Court in the San Fernando Valley, Los Angeles, CA. Contact me or please pass this message along to her.pThanks, and Happy Holidays!pa href=http://kcfv2yh0cq.eivww.com;/prep/a/html -- SNAP -- --ck --- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Rule to block Paris Hilton spam
Eureka! :) believe this works, yes?? At least I think this is what you are going for? Sorry for the wrap. rawbody hilton_b64 /(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCk NvbWUgY2hlY2sgb3V0|\n)/ describe hilton_b64 Base 64 encoded paris hilton spam score hilton_b64 .03 good goin peeps! :) Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Santerre Sent: Wednesday, December 31, 2003 11:34 AM To: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam OK, per a suggestion I tried this rule as full. Nope still didn't see the raw code. What am I missing? Is it possible to look for raw base64 code in SA? -Original Message- From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 30, 2003 9:35 AM To: 'Stephane Lentz' Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam Ok, this didn't work overnight. However I did receive spam with the exact first base64 pattern in it. So I think it is just a problem with rawbody So what rule type do we use to catch this raw pattern?? rawbody hilton_b64 raw:/base64code/ would that work? --Chris -Original Message- From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: Monday, December 29, 2003 5:27 PM To: 'Stephane Lentz'; Chris Thielen Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam I offer this in UNTESTED form. TEsting overnight ;) Your email viewer will wrap these lines. 
Should be 3 lines: rawbody hilton_b64 /(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|j xr)|aGV5DQoNCk NvbWUgY2hlY2sgb3V0)/ describe hilton_b64 Base 64 encoded paris hilton spam score hilton_b64 .01 -Original Message- From: Stephane Lentz [mailto:[EMAIL PROTECTED] Sent: Monday, December 29, 2003 5:14 PM To: Chris Thielen Cc: [EMAIL PROTECTED] Subject: Re: [SAtalk] Rule to block Paris Hilton spam Hi again, On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote: Stephane Lentz said: = Thanks for the info. Two samples of such spam are now available at http://milter.free.fr/spam/ (hilton-sample1.txt hilton-sample2.txt files) Stephane, I glanced at the spamassassin source just now. I may be wrong, but it appears that the URI tests only matches on attributes of background, href, src, action. The URL in the spam was html text and not a link of sorts. You may consider changing your rule to a BODY rule instead of a URI rule. = The URI rule works in some cases (no splitting of base64 representation of the URL). I think I understand the problem better now after some further tests. Test messages : - Content-Transfer-Encoding: base64 - just include http://special-selections.com URL (base64 encoded) as body The problem is really related to base64 decoding URI matching. The rule uri LOCAL_HILTON /special-selections\.com/ : - gets triggered if the base64 string (in the body) is in one line : aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K - does not match if the base64 string is split across several lines aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5 jb20K or aHR0cDovL3NwZWNpYWwtc2VsZWN 0aW9ucy5jb20K Is it a new spammer trick (base64 body with URL base64 representation split across several lines) ? I guess the work-around is a rawbody rule (right ?) I got no success with a body rule. = Thanks for the link. i will check it out. 
I was willing to avoid the matching Paris Hilton if possible as I live in Paris and some of my colleagues may book some rooms in Hilton hotels (one never knows) I'm not quite sure how to interpret your statement about being willing to avoid the matching ... so I will explicitly state what the link does. I understand you do not wish to match the unobfuscated paris hilton. The rules generated by the link above will match *ONLY* obfuscated paris hilton. It will not match Paris Hilton or any case permutations such as PARIS hilton. It *will* match obfuscated versions such as PAR1S H1LTON (and a couple other permutations). Another possible way to attack this is to look for obfuscated paris or obfuscated hilton only (removing the quotes will generate 4 rules instead of 2). See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton . -- = Thanks for the clarifications. regards, SL/
RE: [SAtalk] Rule to block Paris Hilton spam
Oops :) my bad... I actually forgot I had that in there... that was the start to another attempt, and midway through I got a second thought, tried it, and forgot I did that. Haste to get my sub and powerball ticket! I shall get back on it ;) thx Jen -Original Message- From: Brian Sneddon [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 31, 2003 12:14 PM To: 'Jennifer Wheeler'; 'Chris Santerre' Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam Wont that \n at the end of the regex match virtually ALL mail? Brian -Original Message- From: Jennifer Wheeler [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 31, 2003 12:06 PM To: 'Chris Santerre'; [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam Eureka! :) believe this works, yes?? At least I think this is what you are going for? Sorry for the wrap. rawbody hilton_b64 /(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCk NvbWUgY2hlY2sgb3V0|\n)/ describe hilton_b64 Base 64 encoded paris hilton spam score hilton_b64 .03 good goin peeps! :) Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Santerre Sent: Wednesday, December 31, 2003 11:34 AM To: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam OK, per a suggestion I tried this rule as full. Nope still didn't see the raw code. What am I missing? Is it possible to look for raw base64 code in SA? -Original Message- From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 30, 2003 9:35 AM To: 'Stephane Lentz' Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam Ok, this didn't work overnight. However I did receive spam with the exact first base64 pattern in it. So I think it is just a problem with rawbody So what rule type do we use to catch this raw pattern?? rawbody hilton_b64 raw:/base64code/ would that work? 
--Chris -Original Message- From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: Monday, December 29, 2003 5:27 PM To: 'Stephane Lentz'; Chris Thielen Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] Rule to block Paris Hilton spam I offer this in UNTESTED form. TEsting overnight ;) Your email viewer will wrap these lines. SHould be 3 lines: rawbody hilton_b64 /(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|j xr)|aGV5DQoNCk NvbWUgY2hlY2sgb3V0)/ describe hilton_b64 Base 64 encoded paris hilton spam score hilton_b64 .01 -Original Message- From: Stephane Lentz [mailto:[EMAIL PROTECTED] Sent: Monday, December 29, 2003 5:14 PM To: Chris Thielen Cc: [EMAIL PROTECTED] Subject: Re: [SAtalk] Rule to block Paris Hilton spam Hi again, On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote: Stephane Lentz said: = Thanks for the info. Two samples of such spam are now available at http://milter.free.fr/spam/ (hilton-sample1.txt hilton-sample2.txt files) Stephane, I glanced at the spamassassin source just now. I may be wrong, but it appears that the URI tests only matches on attributes of background, href, src, action. The URL in the spam was html text and not a link of sorts. You may consider changing your rule to a BODY rule instead of a URI rule. = The URI rule works in some cases (no splitting of base64 representation of the URL). I think I understand the problem better now after some further tests . Test messages : - Content-Transfer-Encoding: base64 - just include http://special-selections.com URL (base64 encoded) as body The problem is really related to base64 decoding URI matching. 
The rule uri LOCAL_HILTON /special-selections\.com/ : - gets triggered if the base64 string (in the body) is in one line : aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K - does not match if the base64 string is split across several lines aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5 jb20K or aHR0cDovL3NwZWNpYWwtc2VsZWN 0aW9ucy5jb20K Is it a new spammer trick (base64 body with URL base64 representation split across several lines) ? I guess the work-around is a rawbody rule (right ?) I got no success with a body rule. = Thanks for the link. i will check it out. I was willing to avoid the matching Paris Hilton if possible as I live in Paris and some of my colleagues may book some rooms in Hilton hotels (one never knows) I'm not quite sure how to interpret your statement about
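Added example, not code from any poster in this thread and not SpamAssassin's own engine: a small Python model of the three failure modes the thread runs into, namely an encoded pattern that stops matching once the base64 is re-wrapped, the `|\n` alternative that fires on every message, and the unescaped `+` in the second alternative, which a regex reads as a quantifier. The helper names, the ham bodies and the HTML sample are constructed for illustration; the URL, its base64 form and the rule alternatives are the ones quoted above, with the mail-wrap spaces removed.

```python
import base64
import re

# Values quoted in the thread: the test URL and its single-line base64 form.
PLAINTEXT = b"http://special-selections.com\n"
ONE_LINE = base64.b64encode(PLAINTEXT).decode()
# An encoded fragment that a pattern on the undecoded text would look for.
FRAGMENT = ONE_LINE[20:39]

# Alternatives of the posted hilton_b64 rule, mail-wrap spaces removed.
ALTS = [
    "aGV5IENvbWUgY2hlY2sgb3V0",
    "PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|jxr)",
    "aGV5DQoNCkNvbWUgY2hlY2sgb3V0",
]

# Constructed samples (not from the thread).
HAM = ["Hi Bob,\nlunch at noon?\n", "Quarterly report attached.\nThanks\n"]
HTML_SAMPLE = base64.b64encode(b"<html>\r\n<body>\r\n<p>Hey").decode()


def build_rule(alts, escape_plus=False):
    """Join alternatives into one regex; optionally escape the literal '+'."""
    if escape_plus:
        alts = [a.replace("+", r"\+") for a in alts]
    return re.compile("(?:" + "|".join(alts) + ")")


def rewrap(encoded, width):
    """Re-break a base64 string at `width` characters per line."""
    return "\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))


def matches_undecoded(fragment, body):
    """Model of a pattern applied to the body exactly as transmitted."""
    return re.search(re.escape(fragment), body) is not None


def matches_decoded(plain_pattern, body):
    """Join wrapped lines, base64-decode, then match the decoded bytes."""
    try:
        decoded = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False
    return re.search(plain_pattern, decoded) is not None


def ham_hit_rate(rule, ham_bodies):
    """Fraction of known-good bodies a rule fires on (1.0 = matches everything)."""
    return sum(1 for body in ham_bodies if rule.search(body)) / len(ham_bodies)


if __name__ == "__main__":
    for width in (40, 35, 27):  # 35 and 27 are the split points shown in the thread
        body = rewrap(ONE_LINE, width)
        print(width, matches_undecoded(FRAGMENT, body),
              matches_decoded(rb"special-selections\.com", body))
    print("ham rate with \\n:", ham_hit_rate(build_rule(ALTS + [r"\n"]), HAM))
    print("ham rate without:", ham_hit_rate(build_rule(ALTS), HAM))
    print("unescaped + hits:", build_rule(ALTS).search(HTML_SAMPLE) is not None)
    print("escaped + hits:", build_rule(ALTS, True).search(HTML_SAMPLE) is not None)
```

Running a candidate rule over a handful of known-good messages before deploying it, as `ham_hit_rate` does, is the cheapest way to catch a match-everything alternative.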
RE: [SAtalk] Spell Checking the Subject Header (RESULTS)
On 12/31/03, Casper Gasper wrote: Things like, '4 consonants in a row are not an English word'. Shortstop? Matchstick? :) Seriously, though, looking for patterns is an interesting idea. For instance, English simply does not allow you to begin a word with vt or bs. Looking for word beginnings might be more useful than looking within words. I bet that with a few minutes fiddling with perl and a dictionary file, I could generate a list of forbidden word-initial letter pairs. Adam Schneider http://adamschneider.net/ I've been using these for several months I like them. Maybe these are at least in the ballpark of what you're talking about / trying to catch. I didn't read the whole thread. Howev-ah... what Chris said :) Jennifer LWTsets.cf Description: Binary data
[SAtalk] Chickenpox Update
I added several filename extensions and fixed oversights in 3 rules. Thanks Scott for the input! http://www.emtinc.net/includes/chickenpox.cf Jennifer
RE: [SAtalk] Re: False positives
-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Bob George Sent: Monday, December 29, 2003 4:20 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Re: False positives John Beamon [EMAIL PROTECTED] wrote: [...] (I particularly like seeing the * 0.5 -- BODY: Possible porn - Hot, Nasty, Wild, Young rating on a children's autism mailing list...) Having read through the web page (apparently the email was the SAME HTML page -- argh!), I do wonder what flagged that particular match. That said, if you think THAT is fun, you should try running a Section 508 (accessibility) validator against his page. Talk about ADA non-compliance! :) My take is that Lenny's just a dedicated volunteer devoted to his cause who forgot that other dedicated volunteers are equally dedicated to theirs. In his reply to me, he mentioned he's not a web developer, nor particularly technical. I don't think he's guilty of much more than poor manners and a bit of self-righteousness. Yep. I googled him and he's the father of an autistic child who is very active in promoting awareness and research. Easy to see where the hyperdrive comes from. Still... mix in a compassion sandwich in other areas of your life will ya, Len!? ;) I know... not here, quake server, etc. :) Jennifer I can imagine the frustration of a non-technical, legitimate mailing list owner trying desperately to get (what they deem) important messages out, without having to become expert in spam-fighting techniques. Those folks are victims of spam too. - Bob
RE: [SAtalk] Image-only spam
Hi Barry, This will also snag a few of those if you want to use them. You could write them to hit the body as well if you wanted, i just use a subject rule for now. describe J_PARIS obfu paris header J_PARIS Subject =~ /[EMAIL PROTECTED]|1\!][sz5\$](?!(?:paris))/i score J_PARIS 1.0 describe J_HILTON obfu hilton header J_HILTON Subject =~ /h[iíl\|1\!][l1\!\|][t7\+][o0u]n(?!(?:hilton))/i score J_HILTON 1.0 Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Callahan Sent: Wednesday, December 24, 2003 9:13 AM To: [EMAIL PROTECTED] Subject: Re: [SAtalk] Image-only spam Heh. Went to http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm and installed the following rulesets: bigevil.cf nov2rules.cf popcornonly.cf weedsonly.cf backhair.cf I've got SpamAssassin monitoring a handful of addresses where 98% of all traffic is spam. So far, I've had one spam squeak through with a score of 4.8... A snippet follows: *SNIPPET* X-Spam-Status: No, hits=4.8 required=5.0 tests=BIZ_TLD,BigEvilList_184, OACYS_CONS_6 autolearn=no version=2.61 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on s3.lakotacreations.com Download the Parls HlLton stolen s-e-x video! This is the original private Parls HlLton sex video that Paris and Rick Soloman made that has been leaked out, and is now available for you to download. Get it while you can, the HiIton's family lawyers are doing everything they can to stop re-distribution of this video http://www.crockolate.biz/paris/paris.html rGzmj0jwTA */SNIPPET* To catch these in the future, I added the pattern s-e-x to the DISGUISE_PORN rule in 20_porn.cf Now to start looking at some real email and see if I have any problems with false positives. :) barryc wrote: After replacing the RPM I got from RedHat (2.44) with the RPMs found on the SpamAssassin website (2.61) it's now catching 2/3 of the spam. The image-only spam I'm getting is now being tagged at 2.0 - 3.6. 
Now that I'm running a modern release of SpamAssassin, I'll take a look at DCC and Razor, and I'll look into setting up a Bayesian database.
RE: [SAtalk] sa-learn from Exchange 2000
Hello there Rubin The ruleset name _was_ her idea 8^) I can see that my post could seem a little odd taken out of context, so let me clarify: Jenn's Backhair *ruleset* will help with the bogus html tags. I know nothing about Jenn's backhair. I must confess that I do, however, occasionally find myself pondering (amongst other less trivial matters, like 42) where the hell she came up with that name! Happy holidays all! Rubin I actually was asked this once before :) ..i answered it when i was a bit punchy, but here ya go. (yes, it's slow here today and i have nothing better to do than go digging through the archives!) http://sourceforge.net/mailarchive/message.php?msg_id=6503883 btw 42??? what did you mean by that. that was very creepy to see, because i've tried to convince my brother from an early age, that the number 42 *haunts* me and turns up *everywhere*! that'll either be a very good year for me, or that's the year i'll buy the farm per se! Either way, i'm forwarding your email to my brother for yet *more* proof. ;) Jennifer ps... Lukreme...still waiting for filgret rules! if you don't hurry, i'm stealing that name for my next rule! ;) On Tue, 2003-12-23 at 18:25, Evan Platt wrote: --On Tuesday, December 23, 2003 5:56 PM -0500 Rubin Bennett [EMAIL PROTECTED] wrote: Jennifer's Backhair rules. That sentence could be taken the wrong way... :) Evan -- Rubin Bennett [EMAIL PROTECTED] RB Technologies
RE: [SAtalk] sa-learn from Exchange 2000
btw 42??? what did you mean by that. that was very creepy to see, because i've tried to convince my brother from an early age, that the number 42 *haunts* me and turns up *everywhere*! that'll either be a very good year for me, or that's the year i'll buy the farm per se! http://en2.wikipedia.org/wiki/The_Answer_to_Life,_the_Universe,_and_Everything okay... even creepier :) thanks, Mike! ...think i'll be going home about now.
RE: [SAtalk] tags in text
Hi again Sam [snip and paste...reordering your original post] So to restate the second part of my original request, Is there a method to modify the score as a function of the number of hits of the same rule? Easier to answer this way. Sorry, I wasn't feeling wordy yesterday and thought the site would explain this. Actually, there may be some other way to accomplish what you are asking, but the rules I pointed you to actually do what you say in a roundabout way. I explained this in a much earlier post, but I'll do so again. The set is written to catch a pattern of obfuscation, you're right. When spammers include meaningblahbitty blah blahless tags in a spam (in order to either disguise a spammy word or some other goal..) they generally do so throughout the spam. That gives you something to look for other than a spammy word. You can now look for many spammy patterns, making the set, in essence, additive. (though maybe not in the common meaning of the word additive in the world of programming...i'm not a programmer so I could be talking out of my bum here) More below... From: Jennifer Wheeler [EMAIL PROTECTED] Date: Mon, 22 Dec 2003 15:01:25 -0500 http://www.emtinc.net/spamhammers.htm Indeed, yours was one of the places I *had* looked. Forgive me if I'm confused, but it seems that your rules are looking for a variety of tag patterns. E.g. frobnozflibberdigibbet and mumblefrapnuts are two separate matches. Did you find that a more general pattern missed too much spam or hit too much ham? No, I never made a more general rule. I saw a spam come through that looked like an extremely blatant in your face use of spammy lingo. I was all, wtf.., and I looked in the source, and saw thoarieghat twiouebhvhey had broken it aaoeribhll up with meaningless tags. Temporary defeatist attitude took me to the couch to watch tv. I thought about how to catch those, and realized that writing to catch the pattern would be the same thing as looking for a big number of spammy words. 
Just the occurrence of that tag bracketed by words is a spam flag. New spammy terms, and you just have to tell the computer how to read the new words. If you don't like the set, write a general rule that looks for the embedded tag with a random number of letters to the right and left of the tag, bracketed by some sort of stopper to keep it from matching too much, and give it a whopping score. I just think it's better to edge emails up towards spam thresholds with more rules to try and reduce false positives. I had originally considered / .+\.*\.* / ,but was concerned about inadvertently catching everything by accident. Looking at that rule, I believe the second . would match a closing bracket.. so you might actually end up hitting something that matches a legit tag, then keeps looking in the rest of the email until it matches the end of the regex. Sorry I can't give an example, that is just a suspicion and I'm no regex pro. Try it, give it a score of .1, and see what it does hit. Hope I answered what you are asking. It's early, so if not, and after a few cokes, I'll give it another stab. Jennifer I'm hoping that doing this without explicit text strings combined with additive scoring will be enough to get these auto-learned. [snipped to above] Cheers! -sam
RE: [SAtalk] tags in text
Hi Sam, Probably haven't look hard enough, but has anyone used a rule to detect (real or pseudo) HTML tags embedded in text. Ostensibly they're there to throw off bayes and other pattern matchers. I just put up: rawbody TAG_IN_TEXT /[a-zA-Z0-9]+\\/*[a-zA-Z0-9]*\[a-zA-Z0-9]+/ describe TAG_IN_TEXT score TAG_IN_TEXT 1.0 on my test mailer, and it is hitting OK on what I *think* I'm looking for. http://www.emtinc.net/spamhammers.htm Jennifer Are there any legitimate uses for tetagsxt? If so, I'd like to score each one individually. Is there a method for incrementing the score for each match within a message? Cheers! -sam
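Added example, not code from either poster and not a SpamAssassin rule: a Python sketch of the two questions raised in the "tags in text" messages, whether a tag wedged inside a word has legitimate uses and how a score could grow with the number of hits. The pattern is an assumed reading of the idea (a tag with letters or digits directly on both sides); the allowlist of inline tags, the per-hit score, the cap and the sample bodies are all constructed for illustration.

```python
import re

# Assumed reading of the idea in the thread: a tag with a letter or digit
# directly before '<' and directly after '>'. Lookarounds keep the neighbouring
# characters unconsumed, so back-to-back tags in one word are each counted.
TAG_IN_WORD = re.compile(
    r"(?<=[A-Za-z0-9])</?([A-Za-z0-9]*)[^<>]*>(?=[A-Za-z0-9])"
)

# Constructed allowlist: inline tags that legitimately appear mid-word,
# e.g. H<sub>2</sub>O or note<sup>1</sup>.
KNOWN_INLINE = {"a", "b", "i", "u", "em", "strong", "span", "font",
                "sub", "sup", "small", "big", "tt", "code"}


def embedded_tags(raw_html):
    """Names of all tags found wedged inside a word, lower-cased."""
    return [m.group(1).lower() for m in TAG_IN_WORD.finditer(raw_html)]


def score_message(raw_html, per_hit=0.25, cap=2.0):
    """Return (bogus_hits, score): each unknown in-word tag adds `per_hit`,
    up to `cap`, so one stray tag nudges the score and many push it harder."""
    bogus = [name for name in embedded_tags(raw_html) if name not in KNOWN_INLINE]
    return len(bogus), min(len(bogus) * per_hit, cap)


# Constructed samples (not taken from the thread).
SPAM = "Buy V<xq>ia<zzt>gra now, ch<kw>eap me<jj>ds"
HAM = "<p>Hello <b>world</b>, see note<sup>2</sup>today and H<sub>2</sub>O</p>"

if __name__ == "__main__":
    print("spam:", score_message(SPAM))
    print("ham: ", score_message(HAM))
    print("cap: ", score_message("a<q1>b" * 12))
```

Scoring per hit with a cap keeps a single odd tag in legitimate mail from deciding the verdict, which is the same reasoning given above for edging mail toward the threshold with several low-scored rules.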
RE: [SAtalk] Possible FP on big evil list
Helloo. FP Notice. FP forwarded to me this morning on an ebay Bid Confirmed notice. BigEvilList_133 contains pics.ebaystatic.com which is in the source of the bid confirmed emails from ebay auctions. It pushed it to 8.34; we tag at 7.0. Other custom rules contributed 0.7 to the score, default rules SA 2.61 gave the email 4.8. (Just to help you determine whether or not you want to remove this from your file) Here is the little bugger in the source..

snip tr tda href=http://www.ebay.com/;img src=http://pics.ebaystatic.com/aw/pics/email/eBayLogo.gif; border=0 align=right/afont size=4 face=Verdana You Are the Current High Bidder /font snip

Jennifer

-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Santerre Sent: Thursday, December 04, 2003 11:59 AM To: 'Rich Puhek' Cc: Spamassassin-Talk (E-mail) Subject: [SAtalk] Possible FP on big evil list

CC'd to list for opinions. OK, this one actually bothers me. The URIs hitting are Pull\.xmr3\.com and xmr3\.com . Googling on these shows many people blocking this domain. Has this person signed up for this Sams Club newsletter? Is it UCE not spam? (That is a loaded/large debate question right there!) I'm hesitant to remove this one. This domain might be used by spammers and legit. Argh! Again, checking openrbl.org doesn't help much. I'm looking for spam hosts, not senders. Now I know why the dynablock guy went mad and retired ;) --Chris (Off to grep the copri.again!) Santerre

-Original Message- From: Rich Puhek [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:02 PM To: [EMAIL PROTECTED] Subject: *SPAM* Possible FP on big evil list

We've received a couple of complaints for the following email. I haven't confirmed if the email itself is legit. It hits BigEvilList_138 and _175. Looks like I was running version 1.52 at the time the email came through to them... although it's also possible I was running 1.5 (changed late this morning). Thanks! --Rich *snip*
RE: [SAtalk] Spammer with dot in the mail from header
HI there

-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Thielen Sent: Wednesday, December 03, 2003 12:26 PM To: Spamassassin-Talk Cc: Idan Lerer Subject: Re: [SAtalk] Spammer with dot in the mail from header

Idan Lerer said: I would like to block spammer that sends me emails with mail from [EMAIL PROTECTED] snip

header LOCAL_SAPM_FROM_WALLA ALL =~ /\abcd.\w{0,[EMAIL PROTECTED]/i

Idan, quote the dot \.:

header LOCAL_SAPM_FROM_WALLA ALL =~ /abcd\.\w{0,[EMAIL PROTECTED]/i

oops.. missed the second dot

header LOCAL_SAPM_FROM_WALLA ALL =~ /abcd\.\w{0,[EMAIL PROTECTED]/i

Jennifer

-- Chris Thielen Easily generate SpamAssassin rules to catch obfuscated spam phrases: http://www.sandgnat.com/cmos/
RE: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!
snip You could always lower the score. Only 178 to change :) (Hey that is nothing compared to how many times I had to hit ' | , DELETE, END ' because I was in a hurry to get done!)

Hi Chris, You should grab multiedit. Rockage. You can do your edits with little macros. Jennifer

--Chris Santerre

-Original Message- From: Adam Denenberg [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 11:57 AM To: 'Spamassassin-Talk (E-mail)' Subject: RE: [SAtalk] BIG HUGE EVIL RULE NEWS

how aggressive are these rules? I am hearing great things about them but don't want to produce FP's on my production system. Any feedback? thanks adam

On Wed, 2003-12-03 at 11:42, Chris Santerre wrote: latest is 1.52. Fixed 2 typos and 3 domains. An SF project..Hm... :)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 11:32 AM To: Chris Santerre Cc: 'Spamassassin-Talk (E-mail)' Subject: Re: [SAtalk] BIG HUGE EVIL RULE NEWS

On 2003/12/03 09:31:24 -0500, Chris Santerre wrote: What version of Bigevil do you have? 1.51 has fixed 2 typos in 141 and 153. I had '.com||somedome' empty pipes. site updated within minutes. You got version 1.5 I expect :)

The first few lines of: http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf are:

# BigEvilList Beta version 1.5 !
# Chris Santerre
# All Evilrule files combined into one!
# 2622 domains reduced to 178 rules

Am I using the wrong link? Should that say something other than 1.5?

p.s. Kudos, these rules have made a dramatic improvement on my servers.

p.p.s. I may have missed it, but I suggest that the evil rules be made into a sourceforge project, or something like it. A little version control goes a long way!
RE: [SAtalk] Bigevil domain hat-check help
-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Santerre Sent: Wednesday, December 03, 2003 1:08 PM To: Spamassassin-Talk (E-mail) Subject: [SAtalk] Bigevil domain hat-check help

I've got a domain listed in Bigevil that could be legit. I need a hatcheck on this one. It is not that obvious. Can someone give me info on: as1.emv2.com or the emv2.com domain in general? (not WHOIS, I can do that!)

http://www.google.com/groups?as_q=emv2.comas_oq=spam%20uce%20ubesafe=i magesie=UTF-8oe=UTF-8lr=num=100as_scoring=dhl=en they look a little suspect to me ;) Jennifer

*sigh* 1.54 is up. This domain IS still listed in it.

Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm A little nonsense now and then, is relished by the wisest men. - Willy Wonka
RE: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!
Chris Santerre. I genuflect! Thanks for the effort. I must decline the hockey game; I live in the middle of basketball country and would have to make quite a pilgrimage to get to a game of any caliber. Would you settle for my switching from cokes to hot chocolates with coffee mate for a week? Jennifer

-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Santerre Sent: Tuesday, December 02, 2003 3:56 PM To: Spamassassin-Talk (E-mail) Subject: [SAtalk] BIG HUGE EVIL RULE NEWS

BIG HUGE NEWS A major breakthrough has taken place ALL EVILRULES FILES HAVE BEEN COMBINED!! 2622 domains into 178 rules!!! Random/tracking hosts tags removed! They only increase spamd memory by 1 meg!!! 1 meg! You read correctly! Every evil domain since august has been added! Remove all your old evilrules files. Grab BigEvil.cf and place it in either your /etc/mail/spamassassin dir and restart spamd; or into your $home/.spamassassin dir. I plan to just keep adding to this file!!!

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Mike Kuentz, you are no longer allowed to put ideas into my head :) My fingers now hurt! Thanks for lighting the spark! Payment for use of this has to be more than the old evilrules. All users are now required to see at least 2 NHL games live! (and NY Islanders don't count!) ENJOY!

Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm A little nonsense now and then, is relished by the wisest men. - Willy Wonka
RE: [SAtalk] New to Spamassassin
-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of McWhirter,Julia Sent: Wednesday, November 26, 2003 9:46 AM To: Gilson, Larry; Marvin Raab Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] New to Spamassassin

Yes so I found out, but to be fair he did say it might be too restrictive and in my case it is. I am now looking at enabling bayes unless anyone has any other suggestions.

I could be missing something here. I thought I cc'ed you on this but maybe I messed up. Is this not what you were looking for? Or did you see a problem with them?

http://www.emtinc.net/spamhammers.htm
http://www.emtinc.net/includes/chickenpox.cf

twilight zone morning here so I could be floating in a hot air balloon over saskatchewan for all I know. Jennifer

One more disclaimer, start low, see what they do, and put scores that work best. Add domain extensions or whatever other potential problems you see in the lookbehinds, but make them the same number of characters as the others in the sets. (biz|com|org) not (biz|com|html)

Regards Julia McWhirter IT Manager SuperH (UK) Ltd Network House 2410 Aztec West Almondsbury Bristol BS32 4QX Tel : 01454 465661 Fax : 01454 465601 Mobile : 07979 913494 Email : [EMAIL PROTECTED] Web : www.superh.com
RE: [SAtalk] paris hilton
Hi Ian

-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of ian douglas Sent: Monday, November 24, 2003 8:42 PM To: [EMAIL PROTECTED] Subject: RE: [SAtalk] paris hilton

Haven't seen the spam but one of these should work if your example text is always the same:

No, it's different... started out being non-obfuscated, but has gradually gotten more and more l337.

I just wrote this, It linted fine, and I tested it only two times.

1. They did not hit on a subject of paris Hilton
2. They did hit on the subject p4ris h1lton

Based on that, I would guess this would work. Choose your own score, watch it for awhile, and if it looks okay, jack it up to the score you need. Someone who knows regex may want to clean my hackestry up ;) or point out any potential problems.

describe J_PARIS obfu paris
header J_PARIS Subject =~ /p[a4]r[iíl\|1][s5z](?!(?:paris))/i
score J_PARIS 1.0

describe J_HILTON obfu hilton
header J_HILTON Subject =~ /h[iíl\|1][l1\|][t7\+][o0]n(?!(?:hilton))/i
score J_HILTON 1.0

Jennifer

-id
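The two subject rules above, combined with the advice in the "New to Spamassassin" reply to keep every lookbehind alternative the same length, as an added example that is not code from the thread. Assumptions: Python's `re` stands in for SpamAssassin's Perl regexes, the guard is written as a fixed-width negative lookbehind `(?<!...)` although the archived rules show `(?!...)`, and the test subjects are constructed.

```python
import re

# Look-alike classes copied from the J_PARIS / J_HILTON rules in the post.
LOOKALIKES = {"a": "a4", "i": "iíl|1", "s": "s5z", "l": "l1|", "t": "t7+", "o": "o0"}


def obfu_rule(word, exclude=()):
    """Compile a case-insensitive pattern for `word` and its look-alike spellings.

    Spellings listed in `exclude` are rejected by a negative lookbehind placed
    after the word, so each one must be exactly as long as `word` (the
    same-number-of-characters advice from the thread).
    """
    for plain in exclude:
        if len(plain) != len(word):
            raise ValueError(f"{plain!r} must be {len(word)} characters long")
    body = "".join(
        "[" + re.escape(LOOKALIKES[ch]) + "]" if ch in LOOKALIKES else re.escape(ch)
        for ch in word
    )
    guard = "(?<!" + "|".join(re.escape(p) for p in exclude) + ")" if exclude else ""
    return re.compile(body + guard, re.IGNORECASE)


# Rule names and the 1.0 scores follow the post; each rule excludes its own
# plain spelling so only the obfuscated forms add to the score.
RULES = {
    "J_PARIS": (obfu_rule("paris", exclude=("paris",)), 1.0),
    "J_HILTON": (obfu_rule("hilton", exclude=("hilton",)), 1.0),
}


def score_subject(subject, rules=RULES):
    """Return (total score, sorted names of the rules that hit)."""
    hits = sorted(name for name, (rx, _) in rules.items() if rx.search(subject))
    return sum(rules[name][1] for name in hits), hits


if __name__ == "__main__":
    # Constructed subjects, including the two cases tested in the post.
    for subject in ("paris Hilton", "p4ris h1lton", "PARIS H1LT0N pics",
                    "A comparison of hotels"):
        print(f"{subject!r:28} -> {score_subject(subject)}")
    # Without the guard the plain word hits as well.
    print(bool(obfu_rule("paris").search("A week in Paris")))
```
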
RE: [SAtalk] Ideas
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Bunce Sent: Tuesday, November 25, 2003 1:23 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Ideas

I have been seeing lots of spam like this getting through recently Anyone have any ideas how to reduce this type of spam from getting through? Thanks, Tony B, CCNA, Network+ Systems Administration GO Concepts, Inc. / www.go-concepts.com Are you on the GO yet? What about those you know, are they on the GO? 513.934.2800 1.888.ON.GO.YET

Well I have been debating whether or not I should put this set out there, but oh well. Here it is. (seems the technique is picking up a bit lately, and two requests for something today) I've been playing around with this set for several weeks, and I personally have been pretty happy with it. I gave them to Bob to test against his corpus, and they didn't do as well as I had hoped. I still think they are worth a look if you keep them low for starters, then adjust your scoring as needed. There also may be some good ideas from some brain other than the matter that I'm using. Ever seen A Christmas Story? ...just be careful you don't put your eye out. Maybe the best way to continue to grow this set is to test them 'real world' outside our mail environment and see what sorts of tweaks they may need.

http://www.emtinc.net/spamhammers.htm
http://www.emtinc.net/includes/chickenpox.cf

...well at least it's better than freckle, I got so sick of that word I had to change the name. hope they work, don't put your eye out, suggest away Jennifer
[SAtalk] [RD] Backhair Update
Backhair set modification similar to the last popcorn update. (a waxing??) More flexible in the hidden tag to include more garbage. http://spamhammers.nxtek.net Jennifer
RE: [SAtalk] Filtering.
Hi Rajdeep,

I have successfully installed the SA. but I am not able to filter the content. Any stuff which I want to filter in there in the rules directory but not getting filter. What I have to do with this? For e.g I have to filter the vulgar stuff. But it does not filter it. My local.cf is as follows:-

Are you asking why SA is not tagging spams? Or do you mean that the default SA rules don't seem to be running? Or do you mean that there are emails still coming through containing content you would like to filter that is not covered by the default rules?? I'm pretty unclear what your question is. Maybe try asking it another way. I probably won't be the one that will be able to answer you :) but I think the question may be a little unclear. I would ask what seems too obvious; did you restart after you made your changes to the local file? Jennifer

# SpamAssassin config file for version 2.5x
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
# How many hits before a message is considered spam.
required_hits 2.0
# Whether to change the subject of suspected spam
rewrite_subject 1
# Text to prepend to subject if rewrite_subject is used
subject_tag *SPAM*
# Encapsulate spam in an attachment
report_safe 2
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all

Help!!!
RE: [SAtalk] [RD] Updated Corn
Hi Guenther,

Fresh popcorn if you would like some. I had one come through today (which I actually had anticipated, just had to figure out how to write the rule.) If you use this set, I'd update. It catches quite a lot more in the tag.

Thanks for the update. :)

My Pleasure!

http://spamhammers.nxtek.net

How are those files organized on that site? I couldn't find a link to the .cf files, so I just tried. Found popcorn.cf and weeds.cf but backhair.cf doesn't exist...

I only linked the popcorn.cf on the site (as a temp download until Chris S. is able to get it on his rules emporium.) I'll leave them on there from now on as well as giving them to chris. The weeds you located were on there just as 'storage'... I'm editing those. ;) sneak peek. Those are still in testing mode. still need to do a few tweaks when I get time, but they do work. ...still, you might grab the other Weeds set since I'm not exactly sure what was up there. (I replaced the set you got from the site with the current weeds.) I've put all three sets up for download. They're the most recent versions and match what you see in the 'showcase area'. Please let me know if you have any problems, I put them up in haste. ;) wget away!

Popcorn Only - http://spamhammers.nxtek.net/popcorn.cf
Backhair Only - http://spamhammers.nxtek.net/backhair.cf
Weeds Only - http://spamhammers.nxtek.net/weeds.cf
PBW Gift Basket - http://spamhammers.nxtek.net/pbw.cf

(I had the popcorn link above the rules, but it was a little hard to see) Jennifer

Also I was wondering, which are the most recent files. The .cf files itself or the version mentioned in index.html? Would be cool to just wget those files... ...guenther
RE: [SAtalk] [RD] Updated Corn
Darn it!!! Wget again Guenther. I'm sorry. I STILL didn't have the right Weeds set up there. It is right now. Wow... time to call it a day I think. :) Sorry for the trouble.

-Original Message- From: guenther [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 11, 2003 4:14 PM To: Jennifer Wheeler Cc: [EMAIL PROTECTED] Subject: RE: [SAtalk] [RD] Updated Corn

http://spamhammers.nxtek.net

How are those files organized on that site? I couldn't find a link to the .cf files, so I just tried. Found popcorn.cf and weeds.cf but backhair.cf doesn't exist...

I only linked the popcorn.cf on the site (as a temp download until Chris S. is able to get it on his rules emporium.) I'll leave them on there from now on as well as giving them to chris. The weeds you located were on there just as 'storage'... I'm editing those. ;) sneak peek. Those are still in testing mode. still need to do a few tweaks when I get time, but they do work. ...still, you might grab the other Weeds set since I'm not exactly sure what was up there. (I replaced the set you got from the site with the current weeds.) I've put all three sets up for download.

Thanks, just grabbed them. (As I wondered about those files I cowardly refused to put them in production mode before. ;-)

They're the most recent versions and match what you see in the 'showcase area'. Please let me know if you have any problems, I put them up in haste. ;) wget away!

# spamassassin --lint
Failed to compile full SpamAssassin tests, skipping: (Unmatched [ in regex; marked by -- HERE in m/[\w\s;]\#(?:0*(?:90|122)|x0*[57]A);[ -- HERE ^]/ at /etc/mail/spamassassin/weeds.cf, rule J_WEEDS_Z, line 1.

Obvious, a negated char class without any char... ;)

full J_WEEDS_Y /[\w\s;]\\#(?:0*(?:89|121)|x0*[57]9);[\w\s\.\!\?]/i
full J_WEEDS_Z /[\w\s;]\\#(?:0*(?:90|122)|x0*[57]A);[^]/i

(I had the popcorn link above the rules, but it was a little hard to see)

Doh! My bad. Yep, that is hard to see... ...guenther
Re: [SAtalk] Re: Updated Corn
On 11 Nov 2003, at 13:52, Jennifer Wheeler wrote:

Popcorn Only - http://spamhammers.nxtek.net/popcorn.cf
Backhair Only - http://spamhammers.nxtek.net/backhair.cf
Weeds Only - http://spamhammers.nxtek.net/weeds.cf

Why Popcorn, Backhair, and Weeds?? as opposed to snarkle, filgret, and ashcroft, for example...

Whew... Finally, a question I'm able to answer on this list!... unable to decipher if you are being funny or sarcastic, ( i'll assume the former) but i shall reply no less, maybe just because i can. :) I'll go along with madness, but at least there is method.

Nutshell: Started using spamassassin about 3 1/2 months ago. I don't know perl, learned (??heh) regex from writing spamassassin rules, and I'm reading a book right now on qmail!... but give me a 5 car highway collision and i could triage that in my sleep. Worked as a medic since i was 18 (many years), and now I'm in web dabbling in etcetera. I only tell ya this because i never thought i would be sharing any of my rules with anyone. Not stingy, just never thought i'd come up with anything other than the obvious /v[1\|[EMAIL PROTECTED](edit for the list)[a\a]/i. So i named my rules based on things they reminded me of and i could watch them to make sure i wasn't destroying the mail system. when i saw how effective they were, i couldn't 'not share'.

Popcorn-random ridiculous tags exploding here and there and blowing normal spam words into the netherworld. I underestimated their sneakiness, they irritated me, and i came up with the set.

Backhair-unsightly tags here and there. easy to figure out, especially if you watch queer eye for the straight guy and the morbid back waxings they put themselves through. I've always found unwanted hair removal amusing and confusing...

weeds-even more obvious if you look in the source. I like my html to be pretty. So give me some Paxil and maybe I'd see that one differently. i suppose then i might have called it confetti. just looked like weeds in the source to me.

point bein'...i named them for me to remember, and knowing nobody else would be naming rules similar to mine, so adding rules would not be a problem. When i saw they were fairly lethal, and spammers started being even more blatant with what they did or said in emails (thinking they could taunt us and get through no matter what), i decided to share the wealth. and because i was so fond of the work they did to so many spams i grew attached to the names. i think and remember things in odd ways, so why change when peeps can rename. you may feel free to rename your sets, your names are cute and catchy. I hope you learn to love them as much as i have, and name 'em with whatever moves ya. :)

I suppose after what i've seen, it's hard to take a lot of things too darned seriously. Maybe had i known these would be posted, i would have come up with some very logical techy term :) just having a bit of a time making the transition even after being away from the 'streets' for awhile now. I'm sure you didn't really want an answer :) Enjoy the carnage. the last corn is good, Jennifer

-- RTFM replies are great, but please specify exactly which FM to R
RE: [SAtalk] Rule Emporium Update!
snip I scored them super high in a fit of rage.

...that makes me smile. I can picture you leaning back in your chair, watching the next one come through with a score of 790, laughing maniacally and flutter kicking your feet in the air. :)

/My dog is very promiscuous\./

...while enigmatic, this could very well hit quite a few porn spams! Jennifer

You may want to adjust scores so they are not so drastic. They have worked great for me in the past few days to catch a handful of messages that would have slipped through otherwise. YMMV but enjoy. And by all means: I know about this much || about regex so all suggestions are MORE than welcomed. I don't even know if I escaped the right characters. cheers, Colin

Colin A. Bartlett Kinetic Web Solutions www.kineticweb.biz
RE: [SAtalk] [RD] Weeds changes
Hi Scott

I was going to post a change, but you beat me out of the gates. Last night the topiary king showed me a way to do that pruning. If you would like, you can write those this way.

/\\#(?:0*(?:65|97)|x0*[46]1);/i

I made the changes on the site if you want to grab them http://spamhammers.nxtek.net you might want to skim through the set and make sure I edited them all correctly. They linted fine. I'll also be sending the set to chris s. today, so I imagine he'll update the .cf he has for download on the emporium when he gets the time. Thanks again for the great addition, and thanks, Adam (if you're reading) for the lesson! Jennifer

Oh.. I believe you're right about ;, I don't have them escaped. I did leave the escaped, I don't know about that one.

-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Scott Sprunger Sent: Tuesday, November 04, 2003 10:02 AM To: 'jennifer'; [EMAIL PROTECTED] Subject: RE: [SAtalk] [RD] Weeds changes

I'm not sure that this is any better, but here are two alternatives (using [Aa] for example). Note in these that I don't think that the and ; need to be escaped since they ran through --lint ok.

/\#(0*65|0*97|x0*41|x0*61);/i
OR
/\#(0*(65|97)|x0*(41|61));/i
TO REPLACE
/(\\#0*65\;|\\#0*97\;|\\#x0*41;|\\#x0*61;)/i

-- Scott

-Original Message- From: jennifer [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 10:18 AM To: 'Scott Sprunger'; [EMAIL PROTECTED] Subject: RE: [SAtalk] [RD] Weeds changes

Hi Scott, Thanks for the heads up. You wouldn't happen to have a sample of one of those spams would you? I'm curious about something. I'm wondering if they were using decimal code for punctuation rather than hex code for letters?? #61; (or #00061;) is actually = not a. So maybe you were seeing punctuation mixed in? #33; being !. If that is the case, we just need to tag on all the punctuation. However, I didn't know about the zeros, and you're right. Thanks!
here is a cleaner way to write these, (thanks to a very nice person for pointing that out, A.L.!) /\\#(?:65|97);/ so adding the zeros it would be /\\#0*(?:65|97);/ I'll make this change on the page, but I'll wait a bit to see if I'm 'out in left' with my thinking. I'm realizing spammers are indirectly helping me out in my education, maybe I should say Thank You! to them as well. ...nah. Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Sprunger Sent: Monday, November 03, 2003 8:51 AM To: [EMAIL PROTECTED] Subject: [SAtalk] [RD] Weeds changes This past weekend a flood of new spam arrived which circumvented the weeds rules by using leading zeros and hex values (both legal from an HTML perspective). I've updated my local rules as below. Hope this is useful. BTW, Jennifer thanks for an incredible set of rules! -- Scott describe J_WEEDS_A Decimal or Hex character encoding [Aa] full J_WEEDS_A /(\\#0*65\;|\\#0*97\;|\\#x0*41;|\\#x0*61;)/i scoreJ_WEEDS_A 0.5 describe J_WEEDS_B Decimal or Hex character encoding [Bb] full J_WEEDS_B /(\\#0*66\;|\\#0*98\;|\\#x0*42;|\\#x0*62;)/i scoreJ_WEEDS_B 0.5 describe J_WEEDS_C Decimal or Hex character encoding [Cc] full J_WEEDS_C /(\\#0*67\;|\\#0*99\;|\\#x0*43;|\\#x0*63;)/i scoreJ_WEEDS_C 0.5 describe J_WEEDS_D Decimal or Hex character encoding [Dd] full J_WEEDS_D /(\\#0*68\;|\\#0*100\;|\\#x0*44;|\\#x0*64;)/i scoreJ_WEEDS_D 0.5 describe J_WEEDS_E Decimal or Hex character encoding [Ee] full J_WEEDS_E /(\\#0*69\;|\\#0*101\;|\\#x0*45;|\\#x0*65;)/i scoreJ_WEEDS_E 0.5 describe J_WEEDS_F Decimal or Hex character encoding [Ff] full J_WEEDS_F /(\\#0*70\;|\\#0*102\;|\\#x0*46;|\\#x0*66;)/i scoreJ_WEEDS_F 0.5 describe J_WEEDS_G Decimal or Hex character encoding [Gg] full J_WEEDS_G /(\\#0*71\;|\\#0*103\;|\\#x0*47;|\\#x0*67;)/i scoreJ_WEEDS_G 0.5 describe J_WEEDS_H Decimal or Hex character encoding [Hh] full J_WEEDS_H /(\\#0*72\;|\\#0*104\;|\\#x0*48;|\\#x0*68;)/i scoreJ_WEEDS_H 0.5 describe J_WEEDS_I 
Decimal or Hex character encoding [Ii] full J_WEEDS_I /(\\#0*73\;|\\#0*105\;|\\#x0*49;|\\#x0*69;)/i scoreJ_WEEDS_I 0.5 describe J_WEEDS_J Decimal or Hex character encoding [Jj] full J_WEEDS_J /(\\#0*74\;|\\#0*106\;|\\#x0*4A;|\\#x0*6A;)/i scoreJ_WEEDS_J 0.5 describe J_WEEDS_K Decimal or Hex character encoding [Kk] full J_WEEDS_K /(\\#0*75\;|\\#0*107\;|\\#x0*4B;|\\#x0*6B;)/i scoreJ_WEEDS_K 0.5 describe J_WEEDS_L Decimal or Hex character encoding [Ll] full J_WEEDS_L /(\\#0*76\;|\\#0*108\;|\\#x0*4C;|\\#x0*6C;)/i scoreJ_WEEDS_L 0.5 describe J_WEEDS_M
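The weeds thread above, worked through as an added example (not code from the list or from the rule set's author): it generates the compact per-letter pattern for A to Z, checks it against the verbose four-way form, and scores constructed samples at 0.5 per rule. It assumes the patterns target numeric character references written `&#65;` / `&#x41;` (the ampersand does not survive in the archived text); the helper names and sample strings are made up for the illustration.

```python
import html
import re
import string

def weeds_pattern(letter):
    """Compact per-letter pattern in the shape the reply gives for [Aa]."""
    upper, lower = ord(letter.upper()), ord(letter.lower())
    # ASCII upper and lower case differ by 0x20, so the two hex codes share
    # their low digit and only the high digit changes (4/6 or 5/7).
    hi_upper, low = divmod(upper, 16)
    hi_lower, _ = divmod(lower, 16)
    dec = rf"0*(?:{upper}|{lower})"
    hexa = rf"x0*[{hi_upper:X}{hi_lower:X}]{low:X}"
    return re.compile(rf"&#(?:{dec}|{hexa});", re.IGNORECASE)

def verbose_pattern(letter):
    """The four-alternative form from the first posting, for comparison."""
    upper, lower = ord(letter.upper()), ord(letter.lower())
    return re.compile(
        rf"(&#0*{upper};|&#0*{lower};|&#x0*{upper:X};|&#x0*{lower:X};)",
        re.IGNORECASE,
    )

# One rule per letter, named like the rules in the thread.
RULES = {f"J_WEEDS_{c}": weeds_pattern(c) for c in string.ascii_uppercase}

# The form before leading zeros and hex were handled, as quoted in the thread.
PRE_UPDATE_A = re.compile(r"&#(?:65|97);")

def weeds_score(text, per_rule=0.5):
    """Each rule counts once per message, however often it matches."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    return hits, per_rule * len(hits)

def decoded(text):
    """What an HTML renderer would show the recipient."""
    return html.unescape(text)

# Constructed samples, not taken from real mail.
SPAM = "S&#0097;v&#x065; m&#0111;n&#x0065;y t&#111;d&#00097;y"
HAM = "Q&amp;A: total &#61; &#36;5"

if __name__ == "__main__":
    print(decoded(SPAM), weeds_score(SPAM))
    print(decoded(HAM), weeds_score(HAM))
    # Decimal 61 is "=", hex 61 is "a": only the hex form is a letter.
    print(bool(RULES["J_WEEDS_A"].search("&#61;")),
          bool(RULES["J_WEEDS_A"].search("&#x61;")))
    # Leading zeros slip past the pre-update form.
    print(bool(PRE_UPDATE_A.search("&#0097;")),
          bool(RULES["J_WEEDS_A"].search("&#0097;")))
```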
RE: [SAtalk] [RD] Open source is Naughty!!!
-Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Thielen Sent: Thursday, October 30, 2003 4:22 PM To: Spamassassin-Talk Subject: RE: [SAtalk] [RD] Open source is Naughty!!! I figure now might be a decent time to mention this: http://www.exit0.us/index.php/ChrissMediocreObfuScript Thingamabobbers ...heh woo this thing is cool Chris :) nice goin. Big wrappage # TEST describe J_TEST_P h body LOCAL_OBFU_J_TEST_P/p[-_\*\. ]?(?:e|3|\*|\xC8|\xC9|\xCA|\xCB|\xE8|\xE9|\xEA|\xEB)[-_\*\. ]?(?:n|\xD1|\xF1)[-_\*\. ]?(?:i|l|1|\*|\xCC|\xCD|\xCE|\xCF|\xEC|\xED|\xEE|\xEF)[-_\*\. ]?(?:s|\$|\xA7)/ scoreLOCAL_OBFU_J_TEST_P350.0 WELL! Guess that answers that huh?? :) Thanks! Jennifer --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] [RD] Open source is Naughty!!!
hey Chris Glad you like it... By the way, notice that the script naively assumes the body definition always comes before the describe and/or score line? If you move the describe line below the body line, it will then use the correct rule name (LOCAL_OBFU_J_TEST_P). yeah i was wondering about that. i grabbed it in the last few minutes i was at work so i didn't have much time to play with muh new toy!! thanks for the tip. :) Also, I think word boundaries at the start and end of the source word make for the most effective rule. i've been gathering that from some of the posts, i think it was kai??, checking against dictionaries... made me realize i had some editing to do. I was using them only when i felt like i needed to make a rule safer, which should probably be always. again, thanks for the tips and for the nifty little thingamabobber. Jennifer -Chris Jennifer Wheeler said: -Original Message- From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Chris Thielen Sent: Thursday, October 30, 2003 4:22 PM To: Spamassassin-Talk Subject: RE: [SAtalk] [RD] Open source is Naughty!!! I figure now might be a decent time to mention this: http://www.exit0.us/index.php/ChrissMediocreObfuScript Thingamabobbers ...heh woo this thing is cool Chris :) nice goin. Big wrappage # TEST describe J_TEST_Ph body LOCAL_OBFU_J_TEST_P/p[-_\*\. ]?(?:e|3|\*|\xC8|\xC9|\xCA|\xCB|\xE8|\xE9|\xEA|\xEB)[-_\*\. ]?(?:n|\xD1|\xF1)[-_\*\. ]?(?:i|l|1|\*|\xCC|\xCD|\xCE|\xCF|\xEC|\xED|\xEE|\xEF)[-_\*\. ]?(?:s|\$|\xA7)/ score LOCAL_OBFU_J_TEST_P350.0 WELL! Guess that answers that huh?? :) Thanks! Jennifer --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! 
Re: [SAtalk] Checking HTML garbage
Hi Jeremy

http://spamhammers.nxtek.net

The rules are also on Chris Santerre's site along with many other goodies.
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
in the popcorn link

Jennifer

Hi, Is there any way to have spamassassin check for this kind of HTML garbage. If so, I could get rid of nearly all my spam.

<!--vKXrcu-->

Thanks, Jeremy Hein
RE: [SAtalk] [RD] 4c-2v-3c
Hi Larry

I have had some very good success with a rawbody and subject test which looks for 4 or more consonants followed by 1 or 2 vowels followed by 3 or more consonants or digits

This is the match:
/[0-9bcdfghjklmnpqrstvwxz]{4,}[aeiouy]{1,2}[0-9bcdfghjklmnpqrstvwxz]{3,} /i

Looks interesting. I'll try it out and let you know how it goes. Thanks!

I believe you can change [0-9bcdfghjklmnpqrstvwxz] to [^aeiouy] (Just to shorten it up a smidge.)

Jennifer
RE: [SAtalk] Exessive HTML Code
Yes, this would be possible.

describe MY_RBDY_EXSV_TAG MY: Excessive HTML Tags
rawbody MY_RBDY_EXSV_TAG /<[bi]><\/[bi]>/i
score MY_RBDY_EXSV_TAG 4.0

Backhair did not hit because the number of characters within the tag is fewer than 6. Creating rules to match fewer than 6 characters within the tag delimiters creates false positives. You will most certainly need to score it how you want rather than the arbitrary number I supplied.

--Larry

I've been using similar rules without havoc. The <font></font> could be much better, I was just lazy and wrote it just for the spam I had and haven't gotten around to tweaking that one. You could include some more, I just threw these in.

rawbody J_HTML_FNTFNT /<font color\=\#.{0,6}><\/font>/i
score J_HTML_FNTFNT 1.0
rawbody J_HTML_I_I /<i><\/i>/i
score J_HTML_I_I 1.0
rawbody J_HTML_B_B /<b><\/b>/i
score J_HTML_B_B 1.0
rawbody J_HTML_LI_LI /<li><\/li>/i
score J_HTML_LI_LI 1.0
rawbody J_HTML_UL_UL /<ul><\/ul>/i
score J_HTML_UL_UL 1.0
rawbody J_HTML_U_U /<u><\/u>/i
score J_HTML_U_U 1.0

But this was for obfuscating <b></b>phrases rather than words. I did several so I wouldn't have to score them as high. They wouldn't do diddly for the score in Mark's example, that's the first I've seen those tags as 'popcorn' in the source. I figured it was coming based on the other little evasive things they're doing. (many unsuccessful) The key is keep doing secret tweaks to your PB as they change their style, mustn't show all your cards. ;) but a tweak on PB wouldn't be practical in this case. (in my inexperienced opinion)

Perhaps it's time for a new set. That would be an easy technique to stop them from using lest they get tagged. When I get some time, I'll play around.

Jennifer

-Original Message-
From: Mark Ritchie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 8:14 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Exessive HTML Code

I've added the popcorn, blackhair, and weeds rules a while back, but I've noticed that I'm still getting quite a few spam messages per day.
It always seems to be the most offensive porn and such that makes it through. Here is an example of the source that get's through HTMLhtml body bgcolor=#FF p NOT mi/iatub/brei/i, ei/ixpei/irii/ienci/ied. NOT cheati/iing, on tb/bhe si/iii/ide. br b/bNOT flii/irtini/ig b/b- tb/bhi/iib/bs is 2003's finei/ist ai/ilb/btb/berb/bnab/btive dating lifesb/btyli/ie b/bsoli/iuti/iioi/in wi/iiti/ih thoi/iui/isands oi/if hb/borb/bny housewiveb/bsi/i.br Ani/id i/iyob/bu, Yi/iES, Yb/bOi/iU, i/ican gb/beb/bt ab/bccess to tb/bhi/ie b/bwhb/boi/ile di/iab/btab/bbai/ise of USA-b/blocb/bai/itei/id houi/isewib/bves whi/io'ri/ie in i/ifob/br ab/bni/iytb/bhing - fb/bor onb/be bb/buckb/b!br HYLFb/b! Hb/bousewb/bivi/ies Youi/i'd Like b/bto b/bFlb/birb/bt and Fi/iui/ick - b/byeai/ih, b/byi/iou'd deb/bfinb/bii/itely wb/bant i/ito b/bdo thi/iat, i/iwhi/iy on Earb/bth i/iwoulb/bd you dab/bte, b/banywi/iays?/p p a href=http://www.find-chat.com/cheating/wives.html;Clicb/bk here b/band pb/bab/by 1$ tb/bo b/byb/bour ri/iow of gi/ilori/iious hob/busb/bei/iwife affairs!/a /p br br br br br br br br br pa href=http://www.a1hostingdirect.com/gone.html;b/bNo Morb/be Thanks/a/p /body /html/HTML Now, as you can see the trick here to fool spamassassin is the i and b tags. Would it be possible to make a rule or adjust the rules so the i/i scores high? There is nothing inbetween and I'd have to say anyone sending messages like this is obviously a spammer. Mark --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! 
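The empty-tag trick discussed in this thread, as an added example (not code from any poster): it counts empty inline tag pairs in the raw HTML, strips them, and shows a word-based rule that misses the raw source hitting the cleaned text. It assumes the rules in the thread matched pairs such as `<i></i>` and `<b></b>` (the angle brackets do not survive in the archived text); the generalised pattern, the `refinance` word rule and both samples are constructed for the illustration.

```python
import re
from collections import Counter

# Generalises the per-tag rules in the thread: any of these tags, with or
# without attributes, opened and closed with nothing but whitespace inside.
EMPTY_PAIR = re.compile(r"<(b|i|u|li|ul|font)\b[^>]*>\s*</\1\s*>", re.IGNORECASE)

# Stand-in for an ordinary word-based rule (hypothetical).
WORD_RULE = re.compile(r"\brefinance\b", re.IGNORECASE)

def empty_pairs(raw):
    """Count empty pairs per tag name in the raw message source."""
    return dict(Counter(m.group(1).lower() for m in EMPTY_PAIR.finditer(raw)))

def strip_empty_pairs(raw):
    """Remove empty pairs until none are left, so nested ones go too."""
    previous = None
    while previous != raw:
        previous, raw = raw, EMPTY_PAIR.sub("", raw)
    return raw

def report(raw, per_rule=1.0):
    pairs = empty_pairs(raw)
    return {
        "pairs": pairs,
        # One rule per tag, each counted once per message as in the thread.
        "set_score": per_rule * len(pairs),
        "total_pairs": sum(pairs.values()),
        "word_hit_raw": bool(WORD_RULE.search(raw)),
        "word_hit_clean": bool(WORD_RULE.search(strip_empty_pairs(raw))),
    }

# Constructed samples, not taken from real mail.
SAMPLE = ("<html><body><p>Sp<b></b>ec<i></i>ial of<i></i>fer: "
          "re<b></b>fin<i></i>ance to<b></b>day</p></body></html>")
HAM = "<p>This is <b>bold</b> and <i>italic</i>, with one stray <b></b>.</p>"

if __name__ == "__main__":
    print(report(SAMPLE))
    print(strip_empty_pairs(SAMPLE))
    print(report(HAM))
```

The per-tag set score stays at 2.0 here however many pairs are present, while `total_pairs` separates the littered message (6) from the legitimate one with a single stray pair (1).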
RE: [SAtalk] [RD] 4c-2v-3c
Do you really want to match punctuation and whitespace, because both of those will match [^aeiouy]?

Nope he doesn't... that was my big bad. Wasn't thinking. Thx

Jennifer
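The point settled in this exchange, as an added example (not code from the list): the explicit consonant-and-digit class and the negated `[^aeiouy]` class are run over the same constructed text to show where the negated form starts matching ordinary mail. The trailing space before `/i` in the archived pattern is treated as a line-wrap artifact, and the third class `[^\W_aeiouy]` is a hypothetical shortening that is not from the thread.

```python
import re

# The class as posted: digits plus consonants, with y counted as a vowel.
CONS = "[0-9bcdfghjklmnpqrstvwxz]"
# The shortening suggested in the reply: anything that is not a vowel.
NEG = "[^aeiouy]"
# Hypothetical alternative (not from the thread): word characters minus "_"
# and vowels, which is the same set as CONS when \W is ASCII-only.
SAFE = r"[^\W_aeiouy]"

def rule(cls, flags=re.IGNORECASE):
    """4+ of cls, then 1-2 vowels, then 3+ of cls."""
    return re.compile(rf"{cls}{{4,}}[aeiouy]{{1,2}}{cls}{{3,}}", flags)

EXPLICIT = rule(CONS)
NEGATED = rule(NEG)
SAFE_SHORT = rule(SAFE, re.IGNORECASE | re.ASCII)

def matched(rx, text):
    """Return the matched substring, or None when the rule does not hit."""
    m = rx.search(text)
    return m.group(0) if m else None

# Constructed samples, not taken from real mail.
GIBBERISH = "subject: xkqzwoubrtl"
HAM = "Meeting at 10:30. A 2nd room is booked."

if __name__ == "__main__":
    for name, rx in (("explicit", EXPLICIT), ("negated", NEGATED),
                     ("safe short", SAFE_SHORT)):
        print(f"{name:10} gibberish={matched(rx, GIBBERISH)!r} "
              f"ham={matched(rx, HAM)!r}")
```

On the ham line the negated form matches across spaces, a colon and a full stop, which is the false positive the question in the thread anticipates.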
RE: [SAtalk] [RD] Open source is Naughty!!!
Someone suggested a range to me awhile back when I asked about this, sorry I can't give props to whoever it was.

/\bp[e3]n[\xCC-\xCF\xEC-\xEF][sz52]\b/i

Jennifer

-Original Message-
From: [EMAIL PROTECTED] [mailto:spamassassin- [EMAIL PROTECTED] On Behalf Of Martin Radford
Sent: Wednesday, October 29, 2003 3:13 PM
To: Antony Stone
Cc: Spamassassin-Talk (E-mail)
Subject: Re: [SAtalk] [RD] Open source is Naughty!!!

At Wed Oct 29 19:33:00 2003, Antony Stone wrote:

Rather than focusing on what you *don't* want to catch with this rule, how about concentrating on what you do want to catch? Obvious examples are covered by /pen[i1l]s/i - presumably not too many things need adding to the middle regex to match the strings you're interested in?

There has been a lot of spam which matches this pattern:

/\b[Pp]en\xEDs\b/

\xED is a letter i with an acute accent, IIRC.

Martin
--
Martin Radford              | Only wimps use tape backup: _real_
[EMAIL PROTECTED]           | men just upload their important stuff -o)
Registered Linux user #9257 | on ftp and let the rest of the world  /\\
- see http://counter.li.org | mirror it ;) - Linus Torvalds         _\_V
RE: [SAtalk] Moving SPAM to a separate Mailbox
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

Sorry for the OT personal comment (sort of), but that *has* to be the best email address I've ever seen! Thanks for the smile.

Jennifer
RE: [SAtalk] Popcorn, Backhair, and Weeds
Ok, now I am in the light. I think we are looking at this test from different perspectives. This is what I'm replying to here... My original goal was to shorten the tests into fewer tests but I think I found a way to shorten the tests into one test - bonus. :) I am not in favor of reducing the rule set... it was actually intentional to have so many rules. :) I will explain why. (you are very welcome to change them, however, to best suits your needs. I'm not aruguing.) I can't see a way to really shorten the test to one rule, without an increased danger of hitting on real tags. If it were just one rule, then you would need to give it a very large score (because it would hit just once in an email, although the entire source may be filled with those tags) Reducing the set to one rule takes away the power of the set. When I was thinking of an idea to bring down the new wave of spam filled with these tags (aw lookie. Someone wrote a new little spamming program), I realized that since there are no longer any spammy words to look for, and since there were not enough of the header rules violated to score as sapm, these rules would have to match on patterns in the source as if they were spammy words themselves. So I intentionally made the rules in a large set...idea being, look for many occurrences of hidden garbage tags bracketed by the right pattern of letters/spaces/... to prevent fp-s and it it needs to occur many times in order to give the thing a large score. Now spammers only use the tag one time in an email, rem!-- missed me missed me --ove ...big deal. There are enough other hits from words, phrases, methods etc, to score it high, plus one more point from popcorn_33. If they litter the entire source with those tags, then it basically renders useless most (if not all) of the looking-for-spammy-talk rules. 
In this case, the popcorn, backhair or weeds set steps in and takes the place of all the default or user defined rules that generally work in an email written by the normal person. With a mix of normally typed body/selectively inserted tags, the default rules and the sets work together. I would think that one rule trying to accomplish the same could be dangerous and would need a huge score to equal the scores popcorn (etc) gives a spam, (making it even more dangerous.) The Kung Fu comes from the set, not just finding one of those tags. The name, on a side note, comes from those tags popping up randomly in the source and obliterating identifiable spam lingo. Just my opinion. :) These rules are working so well, it would take a swat team to get me to remove them from my config file. (And even then I might go down with the ship!) I don't know if I would change them, other than what you and keith have pointed out could be pared from the expression without changing the meaning. I would suggest using the rules as they are. (unless you are having a problem with them in some way) Watch the source to see what adjustments spammers make, because continuing 'as is' will buy their spam a massive score. We will need to add new but similar rules based on their next move, which is why I compulsively read the source of every spam I can get my hands on. I hope that clarifies my intent with those rules. :) Jennifer snip The rules you're working on look good to me. I have a couple questions though, I'm a little confused. What score will you be giving the rules? And are you just trying to reduce the set to one rule? Or are these suggestions for additional rules to supplement the others? I just would like a frame of reference when I think about them. I am starting by using 2 points per test. My original goal was to shorten the tests into fewer tests but I think I found a way to shorten the tests into one test - bonus. :) I have changed the test since my message. 
I had / \w{1,7}\/?[\w\W]{0,150}\w{1,7}/ This created some false positives in that it would literally catch anything between the first word and the last. This would mean it would skip over other legitimate tags until the test matched 'word'. This was not good. So I changed it to: / \w{1,7}\/?[^]{0,150}\w{1,7}/ This one seems to be working well so far. It will catch any normal and funky stuff within the tags but makes sure it will not run over any subsequent tags. The second rule: /!?-?-? ?\w{7,} ?-?-?/ Is just pattern matching and really reinforces the above test in a subset of spam messages the the above will match. snip --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Popcorn, Backhair, and Weeds
(oops. Sorry Mike, I replied off list) Chris S. now has them on his site in a nice little file. Midway down the page. http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm They are also still on http://spamhammers.nxtek.net with a little explanation, but you will need to copy paste there. :) Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Schrauder Sent: Wednesday, October 15, 2003 11:24 AM To: [EMAIL PROTECTED] Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds where do I get the most up-to-date copy of PBW? Mike S -Original Message- From: Jennifer Wheeler [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 15, 2003 11:45 AM To: 'Larry Gilson'; [EMAIL PROTECTED] Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds Ok, now I am in the light. I think we are looking at this test from different perspectives. This is what I'm replying to here... My original goal was to shorten the tests into fewer tests but I think I found a way to shorten the tests into one test - bonus. :) I am not in favor of reducing the rule set... it was actually intentional to have so many rules. :) I will explain why. (you are very welcome to change them, however, to best suits your needs. I'm not aruguing.) I can't see a way to really shorten the test to one rule, without an increased danger of hitting on real tags. If it were just one rule, then you would need to give it a very large score (because it would hit just once in an email, although the entire source may be filled with those tags) Reducing the set to one rule takes away the power of the set. When I was thinking of an idea to bring down the new wave of spam filled with these tags (aw lookie. Someone wrote a new little spamming program), I realized that since there are no longer any spammy words to look for, and since there were not enough of the header rules violated to score as sapm, these rules would have to match on patterns in the source as if they were spammy words themselves. 
RE: [SAtalk] Popcorn, Backhair, and Weeds
I just noticed something else Chris :) ...sorry! I believe you have the rules on your site as they stood before Keith took out the garbage. They still work as you have them... so don't panic! I used them that way for about a month. The Tidied up version are still on http://spamhammers.nxtek.net if you feel like changing the set you have. Same rules, just cleaner. (as if you haven't messed with the darned things enough!!) Did your day just go from worse to carnage? I've noticed that, although these are still hitting like badgers, it seems there is less use of this tag-in-the-middle game than when I first started using them. Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Santerre Sent: Wednesday, October 15, 2003 3:17 PM To: 'Larry Rosenman' Cc: Spamassassin-Talk (E-mail) Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds Oh then I do have it right. I saved them ANSI + UNIX and just dropped them into the ftp. However popcorn wasn't resaved until around 3 pm EST today. but wget and lynx -source seem to work best for others. Thanks for helping! -Original Message- From: Larry Rosenman [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 15, 2003 3:58 PM To: Chris Santerre Cc: Spamassassin-Talk (E-mail) Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds the others were fine. should ascii, with unix line-ends. If you are doing FTP, type ASCII as the type if you are coming from a M$ environment. LER --On Wednesday, October 15, 2003 15:46:53 -0400 Chris Santerre [EMAIL PROTECTED] wrote: ARGH What should the encoding be: ANSI, DOS, or UTF-8? IT could be the way I'm ftping it? WHy is something so simple so difficult. Oh wait, because I'm doing it! ;) Chris -Original Message- From: Larry Rosenman [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 15, 2003 3:22 PM To: Chris Santerre Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds FYI, the popcorn.cf file on your site has DOS linends. 
LER --On Wednesday, October 15, 2003 14:43:28 -0400 Chris Santerre [EMAIL PROTECTED] wrote: -Original Message- From: Ray Dzek [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 15, 2003 1:58 PM To: [EMAIL PROTECTED] Subject: Re: [SAtalk] Popcorn, Backhair, and Weeds Okay .. silly question then... Do you just copy the evilrules.cf to /etc/mail/spamassassin and restart SA and then SA will just process whatever .cf files are in the folder? Or do I cat that to the local.cf file? You just be able to place in the /etc/mail/spamassassin folder and restart spamd. ALWAYS run 'spamassassin -d --lint' before restarting. If you get no news, it is good news. Sometimes there may be word wraps or hidden characters. I've worked to resolve that. But apparently how you get the file also makes a difference. I never knew the lynx -dump put and newline after 80 characters!! I just made sure popcorn rules were saved in UNIX format. HTH Chris Santerre --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED] US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749 -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED] US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749 --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. 
RE: [SAtalk] Fan Mail!!! LOL We shut one down!
I'm glad you like. :) I'm still a little taken aback by them. They've been almost too good to be true. I'm working on a couple rules to fill the holes. I've already noticed a few changes they've made to their technique (to no avail so far), and they seem to be working as I told Larry. I'll letcha know after I test them.

No nasty letters here. I just block and don't report spammers. ...you know...low profile and all ;)

Jennifer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Santerre
Sent: Tuesday, October 14, 2003 10:19 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Fan Mail!!! LOL We shut one down!

Did anyone else get a nasty email this morning? I did! This weekend ROCKED for my SA config. Jennifer, if you were here I'd kiss you and the deaf cat ;) Your rules bring a huge smile to my logs! Now check out this fan mail:
RE: [SAtalk] Too many rules?
How much bandwidth / month does it average?? Jennifer I don't have ftp running on the server. I was actually going to see if anyone wanted to mirror my site, or just the files. I think distributing the lists to another site is a good idea. Any takers for mirroring? --Chris -Original Message- From: Robert Leonard III [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 14, 2003 10:48 AM To: Chris Santerre Subject: Re: [SAtalk] Too many rules? Okay, well it must be something else then.. actually the evilrules.cf are the ones that wont --lint and seem to cause the system to freeze.. my guess is that they somehow get hidden characters when I save them down. My linux box only has 'lynx' so I visit your rules via http and then Save to disk the rules.. I'll have to try and get them another way... do you have ftp running with the current version anyplace? Thanks Chris! - Original Message - From: Chris Santerre [EMAIL PROTECTED] To: 'Robert Leonard III' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, October 14, 2003 7:44 AM Subject: RE: [SAtalk] Too many rules? Well, all I can tell you is what I'm running. 266 mhz, 64 megs ram, and probably around 3000 rules. Yup, I'll get an exact count later. But I test and run all the great rules people send me for the emporium. I am using spamd and I think you will see a bug difference there. The system runs nothing else. Nothing. No telnetd, no ftp, no local users, ect I have to get up off my butt and walk to the computer room on all my servers. Nice and secure ;) I haven't had a single crash, but no load isn't that great. HTH Chris Santerre -Original Message- From: Robert Leonard III [mailto:[EMAIL PROTECTED] Sent: Saturday, October 11, 2003 11:09 PM To: [EMAIL PROTECTED] Subject: [SAtalk] Too many rules? I've been playing with and implementing a lot of the rules I have found that many of you have contributed.. They have worked wonders for my system.. 
However When I implemented the gigantic evilrules.cf, they worked great for about an hour.. Then the whole server went into such a slow mode that I had to do a hard reboot just to get it back.. It wasn't dead, but just so bogged down that it couldn't function. My SA box is NOT a superPC.. It's a leftover from the closet.. So.. Can implementing too many rules, slow down the machine to the point of near stoppage? Is this something that perhaps more RAM could help? I'm not in a position to replace the whole PC yet, but I can, perhaps, beef up it's ram.. Ahh.. If only I had all the time and money I needed :) Thanks again all! --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Fan Mail!!! LOL We shut one down!
Yes :) http://spamhammers.nxtek.net They will be here until Chris does his site update, and then you can find them on his Rule Emporium site.

Jennifer

-----Original Message-----
From: Terry Shows [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 11:59 AM
To: Jennifer Wheeler
Subject: RE: [SAtalk] Fan Mail!!! LOL We shut one down!

Jennifer, Do you have your new rules posted anywhere so that we can pick them up without having to search back through the emails?? From what I have been reading, you seem to be on to something exciting!

Terry Shows

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
Sent: Tuesday, October 14, 2003 11:40 AM
To: 'Chris Santerre'; 'Spamassassin-Talk (E-mail)'
Subject: RE: [SAtalk] Fan Mail!!! LOL We shut one down!

I'm glad you like. :) I'm still a little taken aback by them. They've been almost too good to be true. I'm working on a couple rules to fill the holes. I've already noticed a few changes they've made to their technique (to no avail so far), and they seem to be working as I told Larry. I'll letcha know after I test them. No nasty letters here. I just block and don't report spammers. ...you know...low profile and all ;)

Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Santerre
Sent: Tuesday, October 14, 2003 10:19 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Fan Mail!!! LOL We shut one down!

Did anyone else get a nasty email this morning? I did! This weekend ROCKED for my SA config. Jennifer, if you were here I'd kiss you and the deaf cat ;) Your rules bring a huge smile to my logs! Now check out this fan mail:
RE: [SAtalk] Fan Mail!!! LOL We shut one down!
Congrats! :) ...I'm thinking now he wishes he hadn't written you the Love Letter. Your EEEee-vil rules are strong!

Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Santerre
Sent: Tuesday, October 14, 2003 2:01 PM
To: Spamassassin-Talk (E-mail)
Subject: RE: [SAtalk] Fan Mail!!! LOL We shut one down!

UPDATE! I just got off the phone with UPENN.edu! Apparently we have our boy. I think his name is Brian. He has had known issues from the past, and they were already in the process of dealing with the older ones. However I don't think he will get what he deserves. Why wouldn't they have shut him off already? He obviously broke their Usage policy, I read it! Dave at UPENN ISC was quite nice to deal with. They also implemented SA a few months ago for the campus!!! Hoooray! Probably 2.55 b. :-) Unfortunately, that is probably the last I'll hear of it. Unless someone on this list goes to UPENN ;)

--Chris Happy dude Santerre
RE: [SAtalk] Popcorn, Backhair, and Weeds
I don't mind at all that you're scrutinizing the rules :) I would love it if someone wants to improve them.

Each of the words use \w{#}? So if you have \w{5}? You would be saying either 0 or 5 occurrences of [a-zA-Z0-9_].

From what I understand, placing a ? after {n} does not mean match 0 or more times in this format. {n}? just increases the gravity of matching something exactly n times, and stop trying to match. So that segment matches exactly 5 letters before the hidden tag. Someone correct me if I'm wrong.

So is it possible that you would encounter a situation in which you would find: 0 word - tag - 0 word htmlbody bgcolor=#FFcenter The match would be on center:

not that I've seen. It's looking for or space, then some letters ({n}? exactly n) then tag, so that won't match. It won't match on center because the \w{5}? is matching {5 letters before a }!-- meaningless letters to obscure a word like the v word --{ and 1-7 letters following} the tag then space or period etc. Each rule hits just one occurrence of an obscured word. The reason I split them up into so many rules is that I like to raise scores cautiously. I was just trying to avoid false positives by hitting many occurrences with low scores rather than one large score. Not sure if my thinking is valid.

I encountered a false positive (on a variant of your rules) as I tried to reduce the number of tests down to one. The result was as follows:

/(\|\s)\w{0,7}\\/?\s?[\w\s]{6,75}\/?\s?\\w{0,7}(\s|\W|\)/

I think I need to change from \w{0,7} to \w{1,7};

.. if you are only wanting to use one popcorn rule and give it a higher score, then yes, you could change the range on both sides of the hidden tag to \w{1,7} leaving the rest of the expression intact. I didn't test it but I think that should work. In that case, you could probably just up the obfu comment rule in default spamassassin. I haven't looked at it to see if it's looking for the same as these. I just prefer smaller scores for rules. Your idea is good though, because there have been a few occasions when they only use the hidden tag in the remove me link so that would boost it nicely if it had a hefty score. Up to this point, in those cases, there was enough scoring from the rest of the rules in spamassassin, these just boosted it higher. In my case, I might just end up leaving these rules low and boosting the default rule (I trust those rules more than mine!)

One last question. Are any of the upper limits necessary? Spammers may just want to keep upping the limit. Would it be beneficial to modify [\w\s]{6,150} to [\w\s]{6,}; etc.?

Nah, the upper limits are not necessary... and you're probably right. I set them because I read that not setting an upper limit eats up more memory. I don't know by how much, I was just being cautious and they were working well in this range. If they start increasing the amount of garbage, you could up that range, or just do as you say and not set an upper limit. {n,} or maybe even empty tag.

Overall, the rules are a great addition and have been helping tremendously. I hope you do not find me overbearing by picking at the rules. I think they are great and that is why I am spending some time with them. Thanks again!

Not at all!! :) Like I said, I'm new to this and I basically just work these like a puzzle until they do what I want. I feel a little awkward answering questions when there are so many people on this list far more qualified!! Someone jump in if I'm on pluto! I'm glad they're working out for you! Let me know if you come up with some killer variation. I'm sure they'll need to be modified as spammers vary their techniques.

Thanks for the input,
Jennifer

Regards,
Larry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Gilson
Sent: Friday, October 10, 2003 1:41 PM
To: 'Spamassassin-Talk (E-mail)'
Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds

Hi again Jennifer! I have another question. Both the BACKHAIR and POPCORN rules have the following format: word - tag - word

/(\|\s)\w{5}?\\/?\s?[\w\s]{6,150}\/?\s?\\w{5}?(\s|\W|\)/

Each of the words use \w{#}? So if you have \w{5}? You would be saying either 0 or 5 occurrences of [a-zA-Z0-9_]. So is it possible that you would encounter a situation in which you would find: 0 word - tag - 0 word If so, each rule could hit for only one occurrence. I think the following could produce this effect: htmlbody bgcolor=#FFcenter The match would be on center: /\\\w{6}\\s/ Or would [\n\r] be stripped? or PCENTERSMALL The match would be on center also: /\\\w{6}\\/ My thinking may be incorrect so please correct me if I am wrong.

I encountered a false positive (on a variant of your rules) as I tried to reduce the number of tests down to one. The result was as follows:

/(\|\s)\w{0,7}\\/?\s?[\w\s]{6,75}\/?\s?\\w{0,7}(\s|\W|\)/

I think I need to change from \w{0,7} to \w{1,7}; or [\w\s]{6,75} to
RE: [SAtalk] Popcorn, Backhair, and Weeds
Hi Keith,

Au contraire. That is exactly it. That explanation was beautiful! ( I long for your brain. :) ) Thank you for taking the time to make that so clear! The rules actually work, but I suspected they were filled with garbage. Thanks for cleaning them up! I'll put your shorn version on the page. http://spamhammers.nxtek.net Maybe you could peek at them and get a better idea of what we're trying to do. There are examples of what they match (which is what you describe below other than the range Larry changed) ...littered hidden tags in the body. And they add up in spam.

The problem Larry is working on is one I couldn't figure out when I wrote these abominations. Which is this... I didn't know how to match '[\w\s]{,150}', the 'hidden junk tag obscuring the word', and miss legitimate tags such as b, li or any other tag up to 6 letters. I was afraid of FPs if I didn't set that high enough. As it is, it hits on center but scores low enough that I settled on that hit just to catch more occurrences.

A second question I have is how to include all the characters they mix into the junk tag such as 'g$b', without breaking the rule. I tried \S in my ignorance, and realized it would hit on later hidden tags before it stopped matching. I only saw the rules hitting on spams (written that way) but they were, in my opinion, out of control and I didn't wait to find out if they hit ham as well. I changed them back and settled for what I had.

Third and final... it seems to me that the two sets (popcorn and backhair) could be combined into one ruleset by someone who understands this better than I do, which is most likely any creature that has the ability to manipulate a keyboard. I tried to combine them, but decided to go ahead and post them since they do work as is. This doesn't matter to me really. I made the second set only because I couldn't figure out any other way to match both examples in that link.

The rules work great, but I would love it if you or someone else could tweak them to match smaller tags (like in the following) and miss real tags.

No nek$hed tk^to dreak$tm...you can now bexkvpankv$dd youk-lr johnkgson up tz*lo 3 inibchk$jek$as

And if not, that is okay too. I'm satisfied with what they're giving me now. I only posted these at the urging of a friend and after seeing how much they were helping out with a sudden boatload of spam breezing through. The link above may shed more light if I didn't make this clear and you would like to see the set. Thanks again for the great explanation!! wow

Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith C. Ivey
Sent: Saturday, October 11, 2003 5:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds

Larry Gilson [EMAIL PROTECTED] wrote:

I had the following HTML tag OBFU rule (variant of yours):

/(\|\s)\w{1,5}?\\/?\s?[\w\s]{6,150}\/?\s?\\w{1,7}?(\s|\W|\)/

There's a lot of clutter in that that makes it harder to follow. Let's try paring it down. First, '' and '' are not special on their own in regexes, so there's no need to backslash them:

/(|\s)\w{1,5}?\/?\s?[\w\s]{6,150}\/?\s?\w{1,7}?(\s|\W|)/

When you have an alternation -- something like '(a|b|c)' -- where all the alternatives are single characters, it's better to write it as a character class -- something like '[abc]'. Also, '\s' and '' are both included in '\W', so that last alternation is equivalent to just '\W':

/[\s]\w{1,5}?\/?\s?[\w\s]{6,150}\/?\s?\w{1,7}?\W/

Now, nongreedy matching serves no purpose when the thing following it can't be matched by the thing being repeated. In this case you have '\w{1,5}?' followed by '', but '' can't match '\w', so there's no difference between greedy and nongreedy matching there. The matching for the series of '\w' characters has to go all the way to the '' -- it can't stop short. Similarly, the '\W' at the end can never match the '\w' preceding it, so that '?' is also pointless:

/[\s]\w{1,5}\/?\s?[\w\s]{6,150}\/?\s?\w{1,7}\W/

That regex is equivalent to your original one, and may help you see better why it's not matching as you expect. It's looking for a '' or whitespace character (space, tab, carriage return, line feed, form feed), followed by 1 to 5 word characters (letters, numbers, and underscores), followed by '', followed by an optional '/', followed by an optional single whitespace character, followed by 6 to 150 word or whitespace characters, followed by an optional '/', followed by an optional single whitespace character, followed by '', followed by 1 to 7 word characters, followed by a nonword character (anything other than letters, numbers, and underscore). I'm not clear on what you want to match, but that's probably not it.

-- Keith C. Ivey [EMAIL PROTECTED] Washington, DC
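Added example, not part of the thread: a Python check of three points from the Popcorn/Backhair messages above (what `{n}?` means, Keith's pared-down pattern being equivalent to Larry's, and the effect of changing `\w{0,7}` to `\w{1,7}`). It assumes the `<` and `>` characters the archive dropped belong where the "word - tag - word" description puts them; the sample bodies and helper names are constructed, and Python's `re` treats these constructs the same way Perl does.

```python
import re

# ASSUMPTION: the archive stripped every "<" and ">" from the thread's patterns.
# They are restored here following the "word - tag - word" layout the posters describe.
ORIGINAL = re.compile(r"(\>|\s)\w{1,5}?\<\/?\s?[\w\s]{6,150}\/?\s?\>\w{1,7}?(\s|\W|\<)")
PARED = re.compile(r"[>\s]\w{1,5}</?\s?[\w\s]{6,150}/?\s?>\w{1,7}\W")

# The single-rule variant that produced a false positive, and the proposed fix.
LOOSE = re.compile(r"(\>|\s)\w{0,7}\<\/?\s?[\w\s]{6,75}\/?\s?\>\w{0,7}(\s|\W|\<)")
TIGHT = re.compile(r"(\>|\s)\w{1,7}\<\/?\s?[\w\s]{6,75}\/?\s?\>\w{1,7}(\s|\W|\<)")

# Constructed sample bodies (not taken from real mail).
SPAM = "Buy che<qzxvbnmw>ap meds now"                      # junk tag splitting a word
HAM_PAGE = ("<html><body bgcolor=#FF><center>\n"
            "Welcome to our newsletter</center></body></html>")
HAM_INLINE = "Read the text<center>more here"               # real 6-letter tag between words
HAM_SHORT_TAGS = "<p>Hello <b>world</b> and <li>items</li></p>"
CLOSING_TAG = "tail end</ qwerty >of line."
CORPUS = [SPAM, HAM_PAGE, HAM_INLINE, HAM_SHORT_TAGS, CLOSING_TAG]


def spans(rule, text):
    """Return the (start, end) span of every non-overlapping match."""
    return [m.span() for m in rule.finditer(text)]


def same_matches(rule_a, rule_b, corpus):
    """True when both rules match exactly the same spans in every sample."""
    return all(spans(rule_a, t) == spans(rule_b, t) for t in corpus)


def lazy_exact_semantics():
    """\\w{5}? is a lazy 'exactly 5', not '0 or 5'; the optional form needs a group."""
    return {
        "lazy_exact_matches_empty": re.fullmatch(r"\w{5}?", "") is not None,
        "lazy_exact_matches_five": re.fullmatch(r"\w{5}?", "abcde") is not None,
        "optional_group_matches_empty": re.fullmatch(r"(?:\w{5})?", "") is not None,
    }


def report():
    """Summarise which rule fires on which constructed sample."""
    rows = {}
    for name, text in [("spam", SPAM), ("ham_page", HAM_PAGE),
                       ("ham_inline", HAM_INLINE), ("ham_short_tags", HAM_SHORT_TAGS)]:
        rows[name] = {"loose": bool(spans(LOOSE, text)), "tight": bool(spans(TIGHT, text))}
    return rows


if __name__ == "__main__":
    print("original == pared-down on corpus:", same_matches(ORIGINAL, PARED, CORPUS))
    print(lazy_exact_semantics())
    for name, row in report().items():
        print(f"{name:15} loose={row['loose']!s:5} tight={row['tight']}")
```

With `{0,7}` the rule fires on an ordinary page as soon as `<center>` directly follows another tag; `{1,7}` removes that hit but still fires when a real six-letter tag sits between two words, which is the residual `center` hit mentioned in the thread.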
RE: [SAtalk] Catching Lots of Remarks in HTML Messages
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Wagner
Sent: Thursday, October 09, 2003 9:15 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Catching Lots of Remarks in HTML Messages

We seem to be getting more messages like:

G!-- bereave --I!-- catechism --RL!-- increment --S T!-- firestone --HA!-- arrowhead --T RE!-- nowaday --

I was curious if Spamassassin would catch these with a rule like:

body LOTS_REMARKS /\b!-- \w+ --\b/i
describe LOTS_REMARKS HTML Lots of Remarks !-- ### --

The other question is- Are the rules additive? Such that it would score a point for each remark. So I can put the score low, and after 10 remarks it would pass the limit.

score LOTS_REMARKS .5

These are additive if you don't like to crank up the scores on single rules and prefer lots of smaller hits to bump spam up. Sorry, I posted them in a new thread and you might have missed them. http://spamhammers.nxtek.net/

Jennifer (chris has me all worried now about top and bottom posting!)
RE: [SAtalk] Phrases I have modified....
Summoning the hermit out of her cave huh? ;) yeah I'll give a hand.

-----Original Message-----
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 9:40 AM
To: 'VonEssen, John'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Phrases I have modified

I have some notes on these as well. I think it would be great to put on the wiki! Or maybe I'll just make a separate cf file on remove me phrases. I'll try to get that started today. I am so far behind in work it isn't funny. However I did get to go to a great sushi bar in Manhattan yesterday! ;) The only problem is not tagging legit unsubscribe phrases. I have some rules on things like unsub.gif already. I haven't got a chance to update the emporium in a while. Jen W. would you like to help me on these? I've actually had a spam say no more of this shit as a phrase!

--Chris Santerre

-----Original Message-----
From: VonEssen, John [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 2:13 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Phrases I have modified

Just food for thought for the next release... I have been seeing more and more spam using different phrases for remove me phrases. Some use the word cease:

Cease offer(s)
Cease update(s)
Cease email
Cease mailing(s)

John
[SAtalk] Popcorn, Backhair, and Weeds
Chris S. is going to be posting these on his site when he gets time, and I believe he was also waiting on my tweaks. I have tweaked to the best of my ability, which is scarce. :) I will post these now since there was some discussion on catching tidal waves of hidden tags obscuring known spam words and phrases. If you can improve on these, please let me know. I've been using these for about 3 weeks and they are kicking boo-tay. Thanks Chris for your input! Sit back, tail your mail log, and watch the show. :) It's rather humorous. (wow I probably just bought a bucket load of spam. Good material for more rules!)

http://spamhammers.nxtek.net

Jennifer
RE: [SAtalk] Help Unblacklisting RBL
what am i doing wrong here? I am trying to unblacklist an address getting tagged by Infinite-Monkeys.

***

1. unblacklist_from is used to de-blacklist a SpamAssassin blacklist (which is defined using the blacklist_from option)

I understand this now. Thank you.

2. If you don't want to use Monkeys...

I do want to continue to use Monkeys.

3. If you want to avoid marking a domain's messages as spam, regardless of why they are marked as spam, use whitelist_from.

This is what I did before I realized the spam tag came from monkeys rather than score. They didn't even break our threshold. Here is the section of the header.

NxTek-MailScan-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=-99.3, required 6.4, NO_REAL_NAME 1.15, USER_IN_WHITELIST -100.00, X_AUTH_WARNING -0.40)

So whitelisting doesn't seem to be the answer in this case. I shall read more and see if I can figure this thing out. Mayhaps the person who requested this can live with the spam tag. I appreciate your help though. Thanks.

Jennifer
RE: [SAtalk] Help Unblacklisting RBL
Good lord I'm an idiot! It's MailScanner that is using the infinite monkeys check, not SpamAssassin. I just double checked after you pointed this out. Thank You!!

Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Morris
Sent: Wednesday, September 17, 2003 11:35 AM
To: Jennifer Wheeler
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Help Unblacklisting RBL

Nope -- it's got nothing to do with SpamAssassin at all, so no amount of whitelisting it in SA will help you. You need to whitelist it in the software that's actually marking it as spam.

Jennifer Wheeler wrote:

what am i doing wrong here? I am trying to unblacklist an address getting tagged by Infinite-Monkeys.

***

1. unblacklist_from is used to de-blacklist a SpamAssassin blacklist (which is defined using the blacklist_from option)

I understand this now. Thank you.

2. If you don't want to use Monkeys...

I do want to continue to use Monkeys.

3. If you want to avoid marking a domain's messages as spam, regardless of why they are marked as spam, use whitelist_from.

This is what I did before I realized the spam tag came from monkeys rather than score. They didn't even break our threshold. Here is the section of the header.

NxTek-MailScan-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=-99.3, required 6.4, NO_REAL_NAME 1.15, USER_IN_WHITELIST -100.00, X_AUTH_WARNING -0.40)

So whitelisting doesn't seem to be the answer in this case. I shall read more and see if I can figure this thing out. Mayhaps the person who requested this can live with the spam tag. I appreciate your help though. Thanks.

Jennifer
[SAtalk] Help Unblacklisting RBL
What am I doing wrong here? I am trying to unblacklist an address getting tagged by Infinite-Monkeys. Using spamassassin 2.55 I put the following line in /etc/mail/spamassassin/local.cf with all my other rules and whitelisted addresses (all work fine) but this will not work...

unblacklist_from [EMAIL PROTECTED]
unblacklist_from [EMAIL PROTECTED]

I looked in the manual and it looks to me like I did it right. Here was what it says...

unblacklist_from [EMAIL PROTECTED]
Used to override a default blacklist_from entry, so for example a distribution blacklist_from can be overridden in a local.cf file, or an individual user can override a blacklist_from entry in their own user_prefs file. e.g.

unblacklist_from [EMAIL PROTECTED] [EMAIL PROTECTED]
unblacklist_from [EMAIL PROTECTED]

...which looks to me like this is what I need to do to let this through, as whitelisting would just give it a mondo negative, but InfiniteMonkeys smacks it down. I don't want to stop using them though. ...love 'em. Is there some other setting somewhere that might be affecting this? Any help would be appreciated.

Thanks
Jennifer
RE: [SAtalk] Help Unblacklisting RBL
I completely agree with your opinion about the open proxy biz. I'll see if we can get them to take care of that on their end. In the meantime, I've been asked to get these particular emails through to us without a spam tag :) I'm just having trouble accomplishing that. (and have had to fight to keep using rbls) Thanks tho for explaining the unblacklist deal, I misunderstood that. Whitelisting would be fine with me, but when I tried that (first thing I tried), it still got a spam tag. Negative score, but gets tagged because of the rbl. I don't know if there is a rule for tagging or not based on rbl. ?? I would go for that if that were my only option. (I like that monkeys tags it if they sneak one under the radar).

thanks!
jennifer

what am i doing wrong here? I am trying to unblacklist an address getting tagged by Infinite-Monkeys. using spamassassin 2.55 i put the following line in /etc/mail/spamassassin/local.cf with all my other rules and whitelisted addresses (all work fine) but this will not work...

unblacklist_from [EMAIL PROTECTED]
unblacklist_from [EMAIL PROTECTED]

You're sure you don't want whitelist_from_rcvd or something like that? If I'm reading the man page for Mail::SpamAssassin::Conf correctly, unblacklist_from only works if you've previously manually blacklisted an entity or network, such as:

blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
unblacklist_from [EMAIL PROTECTED]
unblacklist_from [EMAIL PROTECTED]

unblacklist_from should have no effect on entries in DNSBLs like proxies.relays.monkeys.com. The longer-term (and hence, more difficult) solution is to help the admin of the machine listed in proxies.relays.monkeys.com secure their open proxy so they are no longer (justifiably) blacklisted. Whitelisting systems listed in open proxy DNSBLs should be a temporary triage-style fix until the proxy can be locked down.

-- Bob
RE: [SAtalk] Hebrew i ?? male organ spam
This is exactly what I was looking for. Thank you for pointing me in the right direction! However, I'm still unable to make it work. When you pointed out the hex representation to me, it turned on the light and now I know I can paste those characters in multi edit and look at it in hex mode if I'm not exactly sure what a character is. This one is ED as you said. So here are the things I have tried, nothing works, so I am doing something wrong. Perhaps I should give in to the tricky spamsters and let this go but I hate to do that.

*I tried this based on what Justin said

/pen[\xCC-\xCF\xEC-\xEF]s|p3n[\xCC-\xCF\xEC-\xEF]s/

and as David suggested I tried it with just the character in question

/\í/
/\xED/

none of these are picking it up. Wondering if I am formatting this wrong.

jennifer

___

If you use backslashed escape codes it should work -- e.g. man iso_8859_1 notes these i chars:

314 204 CC Ì LATIN CAPITAL LETTER I WITH GRAVE
315 205 CD Í LATIN CAPITAL LETTER I WITH ACUTE
316 206 CE Î LATIN CAPITAL LETTER I WITH CIRCUMFLEX
317 207 CF Ï LATIN CAPITAL LETTER I WITH DIAERESIS
354 236 EC ì LATIN SMALL LETTER I WITH GRAVE
355 237 ED í LATIN SMALL LETTER I WITH ACUTE
356 238 EE î LATIN SMALL LETTER I WITH CIRCUMFLEX
357 239 EF ï LATIN SMALL LETTER I WITH DIAERESIS

so [\xCC-\xCF\xEC-\xEF] should catch all those. (in ISO-8859 charsets at least.) Basically, \xNN where NN is the hex representation.

--j.
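Added example, not part of the thread: a Python check of when the `[\xCC-\xCF\xEC-\xEF]` byte class from the message above can and cannot see the accented letter, using the rule from the original post with the literal character swapped for that class. The sample bodies and function names are constructed, and the transfer-encoding handling is an illustration only; it makes no claim about how SpamAssassin 2.55 presents a body to its rules.

```python
import base64
import quopri
import re

# The class from the thread: the eight accented I/i code points of ISO-8859-1, as byte values.
ACCENTED_I = rb"[\xCC-\xCF\xEC-\xEF]"

# The rule from the original post with the literal accented letter replaced by that class.
# re.IGNORECASE stands in for Perl's /i; on bytes patterns it folds ASCII letters only.
PATTERN = rb"p3n(?:[i|1l]|" + ACCENTED_I + rb")s|pen(?:[|1l]|" + ACCENTED_I + rb")s"
RULE_I = re.compile(PATTERN, re.IGNORECASE)
RULE_CASE_SENSITIVE = re.compile(PATTERN)


def undo_transfer_encoding(raw: bytes, cte: str) -> bytes:
    """Reverse the Content-Transfer-Encoding so the rule sees the real byte values."""
    cte = cte.lower()
    if cte == "quoted-printable":
        return quopri.decodestring(raw)
    if cte == "base64":
        return base64.b64decode(raw)
    return raw  # 7bit / 8bit / binary: already literal bytes


def to_rule_bytes(raw: bytes, cte: str, charset: str) -> bytes:
    """Bring a body part to the single-byte form the \\xNN class was written for."""
    data = undo_transfer_encoding(raw, cte)
    if charset.lower().replace("_", "-") in ("utf-8", "utf8"):
        # In UTF-8 the letter is two bytes (C3 AD), so transcode before matching.
        data = data.decode("utf-8", errors="replace").encode("iso-8859-1", errors="replace")
    return data


def hits(raw: bytes, cte: str = "8bit", charset: str = "iso-8859-1") -> bool:
    """Run the case-insensitive rule on the decoded, single-byte form of the body."""
    return RULE_I.search(to_rule_bytes(raw, cte, charset)) is not None


def byte_as(charset: str, value: int = 0xED) -> str:
    """Show what one byte value looks like to a reader using the given charset."""
    return bytes([value]).decode(charset)


# Constructed sample bodies: the same obfuscated word in four wire forms.
SAMPLES = {
    "latin1_8bit": (b"Cheap Pen\xeds pills", "8bit", "iso-8859-1"),
    "latin1_qp": (b"Cheap Pen=EDs pills", "quoted-printable", "iso-8859-1"),
    "latin1_b64": (base64.b64encode(b"Cheap Pen\xeds pills"), "base64", "iso-8859-1"),
    "utf8_8bit": ("Cheap Pen\u00eds pills".encode("utf-8"), "8bit", "utf-8"),
}

if __name__ == "__main__":
    for name, (raw, cte, charset) in SAMPLES.items():
        raw_hit = RULE_I.search(raw) is not None
        print(f"{name:12} raw match={raw_hit!s:5} decoded match={hits(raw, cte, charset)}")
    print("0xED as iso-8859-1:", byte_as("iso-8859-1"), "| as iso-8859-8:", byte_as("iso8859_8"))
```

The last line shows why the character turned up in a Hebrew chart: byte 0xED is í in ISO-8859-1 and the final mem in ISO-8859-8, so a byte-level `\xED` rule matches either reading of the same message.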
[SAtalk] Hebrew i ?? male organ spam
Has anyone made a rule using what appears to be a Hebrew letter I? í I wanted to add it to my male organ rule, but spamassassin doesn't seem to recognize it. I did a search in the /spamassassin/languages file and didn't see í in there. I would have thought it would have been with 0 he.iso-8859-8 but I'm just guessing here. I don't know much about that file, I just thought to look there and I assume that must be categorizing languages for spamassassin. Can this be edited, as in add that í in there?? I'm sorry, I'm very new to this stuff. Here is the word I wanted to grab ... Penís And í is the only character that won't work in this rule...

/p3n(i|\||1|l|í)s|pen(\||1|l|í)s/i

thanks,
Jennifer

...My first post and I'm using such language!! oy
RE: [SAtalk] Hebrew i ?? male organ spam
Actually ya got me... I found it by doing a search and found it on a bunch of Israeli sites, and in more searching, found it in the hebrew character set http://www.gar.no/home/mats/8859-8.htm search for hebrew mem and you will see it. An i but the dot in the i is a backwards `. I got it in a very generic spam that scored a 4.8. Ours is set to 6.4. I just wanted to be able to set that rule to grab those in the future. I've seen it used a lot in other spams as well.

-----Original Message-----
From: Dave Stern - Former Rocket Scientist [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 11:53 AM
To: Jennifer Wheeler
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Hebrew i ?? male organ spam

On Tue, 29 Jul 2003, Jennifer Wheeler wrote:

Has anyone made a rule using what appears to be a Hebrew letter I? í I wanted to add it to my male organ rule, but spamassassin doesn't seem to recognize it. I did a search in the /spamassassin/languages file and didn't see í in there. i would have thought it would have been with 0 he.iso-8859-8 but I'm just guessing here. I dont know much about that file, I just thought to look there and I assume that must be categorizing languages for spamassassin. Can this be edited, as in add that í in there?? I'm sorry, I'm very new to this stuff. Here is the word I wanted to grab ... Penís And í is the only character that won't work in this rule...

/p3n(i|\||1|l|í)s|pen(\||1|l|í)s/i

What the heck is a hebrew i? How about in user_prefs or local rules

ok_locales en

ie only allow english ascii

=-=-=-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Stern
University of Maryland Institute for Advanced Computer Studies
RE: [SAtalk] Hebrew i ?? male organ spam
Thanks for the suggestion David, but we can't allow only English. We're running this on a server with international clients. Guess I should have mentioned that. :)

-----Original Message-----
Subject: Re: [SAtalk] Hebrew i ?? male organ spam

And í is the only character that won't work in this rule...

/p3n(i|\||1|l|í)s|pen(\||1|l|í)s/i

What the heck is a hebrew i? How about in user_prefs or local rules

ok_locales en

ie only allow english ascii

=-=-=-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Stern
University of Maryland Institute for Advanced Computer Studies