RE: [SAtalk] Backhair FP

2004-01-30 Thread Jennifer Wheeler 
Hi Matthew,
 
 Looks like Backhair is triggering on my X-Face header. At least that's
the
 only thing I can see that might be it. See the following email (BH ==
 BackHair):

I changed the rule from full to body.  Could you dl and test the current
set to see if it misses now?  It should, being that body only looks at
subject line and message.  Please let me know.
http://www.emtinc.net/spamhammers.htm/includes/backhair.cf 

Thanks.
Jennifer

 
 -- Begin
 Return-path: xx
 Envelope-to: xxx
 Delivery-date: Fri, 30 Jan 2004 09:42:49 -0800
 Received: from alderaan.localaccess.com ([69.10.205.107])
 by mail1.localaccess.com with esmtp (Exim 4.24)
 id 1AmcfI-00027p-Nd
 for xxx; Fri, 30 Jan 2004 09:42:48 -0800
 From: Matthew Trent xx
 Organization: Local Access Communications
 To: xxx
 Subject: Test
 Date: Fri, 30 Jan 2004 09:56:01 -0800
 User-Agent: KMail/1.6
 X-Face: $gozfl(LUR+*!g.K+9-=W66/$4o)~'bbc/CQdQVDn2RPY~.+g},0
 {BV[K[Q!_Al1=X(U2 k44)(-v]Y1*NS.o%/a%^ck'BS^/Ep%BiT4b^qS{qMd`|
 Vcojd3M-$Ch7feiAq]}o4(:NF%7qG$K?K
?iG9$o.;d7#wnX1[EMAIL PROTECTED]M`]97{L2L^EY}
 9;#c9]vEI~neh?c2Ji]G0/'W8p7_}GTQ73;:-a F3IjIferRdf!f]3b*9
 ([EMAIL PROTECTED]%
 MIME-Version: 1.0
 Content-Disposition: inline
 Content-Type: text/plain;
   charset=us-ascii
 Content-Transfer-Encoding: 7bit
 Message-Id: 200401300956.01184.xxx
 X-Spam-Score: -3.9 (---)
 X-Spam-Report: Content analysis details:   (-3.9 points, 5.0 required)
 pts rule name  description
  --
 --
 -4.9 BAYES_00   BODY: Bayesian spam probability is
0
 to 1%
 [score: 0.]
 1.0 J_BH_43BODY: 4 letters - Unsightly html
tag -
 3
 letters
 X-Virus-Scanned: Scanned by Clam Antivirus
 
 Testing.
 --
 Matt
 Systems Administrator
 Local Access Communications
 360.330.5535
  End
 
 
 --
 Matt
 Systems Administrator
 Local Access Communications
 360.330.5535
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Backhair FP

2004-01-30 Thread Jennifer Wheeler 
My bad.  I just posted a change to body rule with the set, but it has to
be rawbody.  I realized this as soon as I hit send.  (oops)  Now... I
don’t know if rawbody looks at the headers... ??  If that doesn't fix
it, I wouldn't know how to miss that.  Maybe someone else will know.

Jennifer
 
 Looks like Backhair is triggering on my X-Face header. At least that's
the
 only thing I can see that might be it. See the following email (BH ==
 BackHair):
 
 -- Begin
 Return-path: xx
 Envelope-to: xxx
 Delivery-date: Fri, 30 Jan 2004 09:42:49 -0800
 Received: from alderaan.localaccess.com ([69.10.205.107])
 by mail1.localaccess.com with esmtp (Exim 4.24)
 id 1AmcfI-00027p-Nd
 for xxx; Fri, 30 Jan 2004 09:42:48 -0800
 From: Matthew Trent xx
 Organization: Local Access Communications
 To: xxx
 Subject: Test
 Date: Fri, 30 Jan 2004 09:56:01 -0800
 User-Agent: KMail/1.6
 X-Face: $gozfl(LUR+*!g.K+9-=W66/$4o)~'bbc/CQdQVDn2RPY~.+g},0
 {BV[K[Q!_Al1=X(U2 k44)(-v]Y1*NS.o%/a%^ck'BS^/Ep%BiT4b^qS{qMd`|
 Vcojd3M-$Ch7feiAq]}o4(:NF%7qG$K?K
?iG9$o.;d7#wnX1[EMAIL PROTECTED]M`]97{L2L^EY}
 9;#c9]vEI~neh?c2Ji]G0/'W8p7_}GTQ73;:-a F3IjIferRdf!f]3b*9
 ([EMAIL PROTECTED]%
 MIME-Version: 1.0
 Content-Disposition: inline
 Content-Type: text/plain;
   charset=us-ascii
 Content-Transfer-Encoding: 7bit
 Message-Id: 200401300956.01184.xxx
 X-Spam-Score: -3.9 (---)
 X-Spam-Report: Content analysis details:   (-3.9 points, 5.0 required)
 pts rule name  description
  --
 --
 -4.9 BAYES_00   BODY: Bayesian spam probability is
0
 to 1%
 [score: 0.]
 1.0 J_BH_43BODY: 4 letters - Unsightly html
tag -
 3
 letters
 X-Virus-Scanned: Scanned by Clam Antivirus
 
 Testing.
 --
 Matt
 Systems Administrator
 Local Access Communications
 360.330.5535
  End
 
 
 --
 Matt
 Systems Administrator
 Local Access Communications
 360.330.5535
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Re: Bigevil and thoughts....

2004-01-30 Thread Jennifer Wheeler 
Hi Scott
 
 On Fri, 23 Jan 2004 12:30:13 -0500, Chris Santerre
 [EMAIL PROTECTED] writes:
 
  I received a report of an FP in bigevil. The domain was
  playaudiomessage.com. A quick google shows tons of hits in
  news.admin.net-abuse.sightings. It had been my hope the bigevil
  would be ZERO fp. However I'm not going to let the fact that a
  domain may be used 90% by spammers and 10% by legit sway me now.
 
 I think this is a mistake. Before, BigEvil had the high road, not a
 single domain in it had *ever* been reported as used in ham,
 warranting a high score. With this change, thats no longer true. We
 now depend on *your* judgement on how 'unclean' a domain is. And your
 judgement may not be the same as mine. It may be that 98% of the time
 I see playaudiomessage.com, it is legit and 2% spam, but your corpus
 shows the reverse. Should the domain belong in bigevil in that case?
 
 I'm not saying that the domain should be forgotten, but that iit
 should at least be in a different list.

I use rules in my local.cf that are the same as bigevil.  My Blammo
rules wax a spam with 20 points.  I realize 7 would do it, but I get
sick pleasure out of giving them 20.  Then I saw that Chris is doing
basically the same thing.  (only in manic hyperdrive).  So I got lazy
and now just download his work and use that.  I yank out the ones that I
don’t agree with.  (few)  This file he maintains takes an awful lot of
time, I know.  I would just suggest that anyone who uses it, take the
time to look through the thing and remove the domains that they consider
not spam, in between, or whatever...  If I sound harsh, I don’t intend
to be.  I just think maybe people don’t realize how much of Chris' time
that file takes up as it is.  

How-ev-uh  your suggestion is good!  So maybe someone could take
chris' file, take it a step further (after each update) and split it
into two files.  (but even that would be someones opinion...what is ham
to me may be spam to you.  Who knows, I might have a thing for
kangaroos)  Then people could have a choice.

Jennifer (will soon get my heart back into this war)  

 
 'Bigevil.cf' -- never once seen in ham.
 'Maybeevil.cf' -- a small number of hits in ham
 
 Scott
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk





---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [SAtalk]Change points of preset rules

2004-01-28 Thread Jennifer Wheeler 


 
 Hey guys.
 
 How can I change the points of the rules included in spamassassin?
 I'm trying to increase the points from the HTML_IMAGE_ONLY_02 BODY
rule.
 
 Thanks in advance,
 
 Thorsten Schacht

You can override default scores in your local.cf

score HTML_IMAGE_ONLY_02 4.0

(restart spamd)

Jennifer

 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk





---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Pox 1.12 - Bad lint fixed

2004-01-27 Thread Jennifer Wheeler 
Sorry for any problems this caused you guys.  I had the wrong version on
my server when I linted that change.  ...Fixed now.  Thanks for letting
me know, Arpi.

Jennifer




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Lint error with chickenpox v 1.11

2004-01-27 Thread Jennifer Wheeler 
Hi Erik

i assume you sent this over the weekend when the file was bad.  I sent one
this weekend that just showed up on the list this morning!  If that isn't
the case, grab the new version from my site.  I believe it's 1.14.

http://www.emtinc.net/spamhammers.htm

Jennifer

 Hi Jennifer,

 When running lint on the latest chickenpox (1.11) I get this error:

 donkeykong:/etc/mail/spamassassin/RulesDuJour #
 /usr/local/bin/spamassassin
 --lint
 Failed to compile body SpamAssassin tests, skipping:
 (Unmatched ( in regex; marked by -- HERE in m/\s( -- HERE
 ?!(?:alt|biz|mrs|rev|s(?:ci|en|oc))\.|(?:e
 nd|fwd|org|reg):|[cd]os'[a-zA-Z]{3}[.,;:?%!+^~`'\$*=\#|013467\(\)\[\]\{\}
 ][a-zA-Z]{2}(?!\.(?:(?-i:[A-Z][a
 -z]{1})|a[eiu]|b[ebmrsz]|c[afhnrx]|d[bek]|es|f[ir]|g[uz]|h[knrtu]|i[elnqrst]
 |j[mops]|k[prwy]|m[kx]|n[loz]|p[lr
 ty]|ru|s[eghm]|t[cnv]|u[ksu]|v[gi])|:no|['`](?:ll|ts|[rv]e))(?:[,'\?!]|\.?\
 s)/ at /etc/mail/spamassassin/chic
 kenpox.cf, rule J_CHICKENPOX_32, line 1.
 )

 Any clues?

 Erik



 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] [RD] Pox Request - language assistance

2004-01-22 Thread Jennifer Wheeler 
I have a strange request.  I was wondering if some of you who speak a
language other than English, or if you know someone who does, could
write me (offlist) an email full of contractions in that language.  Also
please tell me what the language is.  :)  It would be very helpful.  Say
whatever you like, I won't know what it means anyway!  You could also
just send me a list of them.  Just didn't sound as fun.  You might put
the subject Pox Examples so I don't lose them in the spam grinding
machine.

I've tried doing a little research, but as time consuming as this set
has been, it would be nice to get a little help from those of you who
speak these languages to speed this process up.

Thanks,
Jennifer



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Popcorn Backhair have been combined into 1 Set

2004-01-21 Thread Jennifer Wheeler 
Hello spam peeps

Well I was going to hold off posting this until I had the time to edit
the page explaining the Rule Sets, but I got a spam this morning, tagged
only by this updated Backhair Set. I was irked enough (thinking these
spams might be getting through on other machines) that I will go ahead
and at least announce the change.  [we all know that cd, I shant
mention them]

Adam Lopresto and I have recently begun working together on Chickenpox,
and while working on that set, it occurred to him how to fix the
limitations in Backhair, using similar ideas we're using in pox.  This
change in essence combines Backhair  Popcorn.

If you use this newest version of Backhair, you may delete the Popcorn
Set. It covers the whole!silly obfu taggamut.

I will update the page when I get some free time in the hopes of making
this change more clear.  I left Popcorn on there for now, but like I
said, if you use Backhair version 1.1 (just posted it) you no longer
(sniff sniff...) need Popcorn... 

..That makes me very sad  :'(  Popcorn was my first ruleset.

http://www.emtinc.net/spamhammers.htm 

Jenn/ifer -- 44 on new Backhair set ;)   ...oooh the urge to say it!
B..(cough cough) (cough cough cough) nah, best not to.
 



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Popcorn Backhair have been combined into 1 Set

2004-01-21 Thread Jennifer Wheeler 
OY!  That set had the original testing scores.  Fixed now.  Sorry

Haste = Bad

 said, if you use Backhair version 1.1 (just posted it) you no longer
 
 http://www.emtinc.net/spamhammers.htm 
 
 Jenn/ifer -- 44 on new Backhair set ;)   ...oooh the urge to say
it!
 B..(cough cough) (cough cough cough) nah, best not to.
 
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Popcorn Backhair have been combined into 1 Set

2004-01-21 Thread Jennifer Wheeler 
 For some reason this doesn't work for me. I get all kinds of problems
when
 I
 run spamassassin -D --lint. I don't think it's a problem with the rule
 set,
 because it happens on the tripwire rule set also. Any ideas or
pointers? I
 know this is very vague, so if anyone needs more information from me
I'd
 be
 happy to provide what is needed.

Without seeing the errors I can only guess.  If you're getting errors on
the rules, maybe you didn't get the full file, or maybe a line wrapped?
Backhair has an EOF.

 
 Thanks,
 Jason
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Jennifer
 Wheeler
 Sent: Wednesday, January 21, 2004 9:40 AM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Popcorn  Backhair have been combined into 1 Set
 
 
 Hello spam peeps
 
 Well I was going to hold off posting this until I had the time to edit
 the page explaining the Rule Sets, but I got a spam this morning,
tagged
 only by this updated Backhair Set. I was irked enough (thinking these
 spams might be getting through on other machines) that I will go ahead
 and at least announce the change.  [we all know that cd, I shant
 mention them]
 
 Adam Lopresto and I have recently begun working together on
Chickenpox,
 and while working on that set, it occurred to him how to fix the
 limitations in Backhair, using similar ideas we're using in pox.  This
 change in essence combines Backhair  Popcorn.
 
 If you use this newest version of Backhair, you may delete the Popcorn
 Set. It covers the whole!silly obfu taggamut.
 
 I will update the page when I get some free time in the hopes of
making
 this change more clear.  I left Popcorn on there for now, but like I
 said, if you use Backhair version 1.1 (just posted it) you no longer
 (sniff sniff...) need Popcorn...
 
 ..That makes me very sad  :'(  Popcorn was my first ruleset.
 
 http://www.emtinc.net/spamhammers.htm
 
 Jenn/ifer -- 44 on new Backhair set ;)   ...oooh the urge to say
it!
 B..(cough cough) (cough cough cough) nah, best not to.
 
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Popcorn Backhair have been combined into 1 Set

2004-01-21 Thread Jennifer Wheeler 


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Jason Crowe
 Sent: Wednesday, January 21, 2004 12:21 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [SAtalk] Popcorn  Backhair have been combined into 1 Set
 
 
 Here is the error. When I copy and paste into emacs it's showing that
the
 lines didn't wrap.
 
 pop3:/etc/spamassassin# spamassassin --lint
 Failed to parse line in SpamAssassin configuration, skipping:
descrfull
 J_BACKHAIR_33

/[\s]\w{3}\/?(?!(?:a(?:bbr|cronym|ddress|pplet|rea)?|b(?:ase(?:font)?|
do
 |i
 g|lockquote|ody|r|utton)?|c(?:aption|enter|ite|o(scdescribe
J_BACKHAIR_34
 3 letters - Unsigfull J_BACK
 Failed to parse line in SpamAssassin configuration, skipping: fuls
 Failed to parse line in SpamAssassin configuration, skipping:
descrfull
 J_BACKHscoreJ_BACKHAIR_42   1.0
 Failed to parse line in SpamAssassin configuration, skipping: desfull
 J_BACKHs
 Failed to parse line in SpamAssassin configuration, skipping: defull
s

I reuploaded the file to the site.  Looks like the problem is with my
file.  Try downloading again and see if you still get errors.  

 
 
 Thanks,
 Jason
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Jennifer
 Wheeler
 Sent: Wednesday, January 21, 2004 11:10 AM
 To: 'Jason Crowe'; [EMAIL PROTECTED]
 Subject: RE: [SAtalk] Popcorn  Backhair have been combined into 1 Set
 
 
  For some reason this doesn't work for me. I get all kinds of
problems
 when
  I
  run spamassassin -D --lint. I don't think it's a problem with the
rule
  set,
  because it happens on the tripwire rule set also. Any ideas or
 pointers? I
  know this is very vague, so if anyone needs more information from me
 I'd
  be
  happy to provide what is needed.
 
 Without seeing the errors I can only guess.  If you're getting errors
on
 the rules, maybe you didn't get the full file, or maybe a line
wrapped?
 Backhair has an EOF.
 
 
  Thanks,
  Jason
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Jennifer
  Wheeler
  Sent: Wednesday, January 21, 2004 9:40 AM
  To: [EMAIL PROTECTED]
  Subject: [SAtalk] Popcorn  Backhair have been combined into 1 Set
 
 
  Hello spam peeps
 
  Well I was going to hold off posting this until I had the time to
edit
  the page explaining the Rule Sets, but I got a spam this morning,
 tagged
  only by this updated Backhair Set. I was irked enough (thinking
these
  spams might be getting through on other machines) that I will go
ahead
  and at least announce the change.  [we all know that cd, I shant
  mention them]
 
  Adam Lopresto and I have recently begun working together on
 Chickenpox,
  and while working on that set, it occurred to him how to fix the
  limitations in Backhair, using similar ideas we're using in pox.
This
  change in essence combines Backhair  Popcorn.
 
  If you use this newest version of Backhair, you may delete the
Popcorn
  Set. It covers the whole!silly obfu taggamut.
 
  I will update the page when I get some free time in the hopes of
 making
  this change more clear.  I left Popcorn on there for now, but like I
  said, if you use Backhair version 1.1 (just posted it) you no longer
  (sniff sniff...) need Popcorn...
 
  ..That makes me very sad  :'(  Popcorn was my first ruleset.
 
  http://www.emtinc.net/spamhammers.htm
 
  Jenn/ifer -- 44 on new Backhair set ;)   ...oooh the urge to say
 it!
  B..(cough cough) (cough cough cough) nah, best not to.
 
 
 
 
  ---
  The SF.Net email is sponsored by EclipseCon 2004
  Premiere Conference on Open Tools Development and Integration
  See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
  http://www.eclipsecon.org/osdn
  ___
  Spamassassin-talk mailing list
  [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
 
 
 
  ---
  The SF.Net email is sponsored by EclipseCon 2004
  Premiere Conference on Open Tools Development and Integration
  See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
  http://www.eclipsecon.org/osdn
  ___
  Spamassassin-talk mailing list
  [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference

RE: [SAtalk] Popcorn Backhair have been combined into 1 Set

2004-01-21 Thread Jennifer Wheeler 
  this change more clear.  I left Popcorn on there for now, but like I
  said, if you use Backhair version 1.1 (just posted it) you no longer
  (sniff sniff...) need Popcorn...
 
 So if I grab Jennifer's backhair I don't need any popcorn?  There must
 be some hidden meaning there.

As hairy as my Backhair is getting, no telling what is in there any
more!  I can tell you the popcorn is in there...  (thinking I should get
a monkey)

Jennifer

 
 
 
 I've removed popcorn from the default list of thinggies to snag in
 RulesDeJour.
 
 --
 Chris Thielen
 
 Easily generate SpamAssassin rules to catch obfuscated spam phrases
 (0BFU$C/\TED SPA/\/\ P|-|RA$ES):
 http://www.sandgnat.com/cmos/
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] [RD]FP Backhair - minor change

2004-01-21 Thread Jennifer Wheeler 
Added another more obscure tag.  Thanks Kelson.  Version 1.3

Jennifer



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: blackhair problem (Re: RE: [WL] [SAtalk] Yikes.. rules_du_jour)

2004-01-19 Thread Jennifer Wheeler 
 Hi,
 
  Correct.  The only set going through frequent revisions right now is
  Chickenpox.  I think I'm about to post a revision on
Backhair/Popcorn,
  but that will be the first change in months.  Still, they will not
go
 
 i've found a major problem with blachhair set today: it catches most
of
 the mails set using pegasus mail and using attachment in UUEncoding
 (its default setting):

That's a big hit.  

I talked to Fred who says that this shouldn't be a problem with SA 2.7,
which will know to skip attachments.  Until then, you could try this as
a fix to avoid that.  It's not tested, I am only guessing the problem is
with [^], which says anything but , and I would also guess it's
pretty serious about the anything part, so if you changed that set (in
each rule) to what you want to match, like [\w\s] that should fix the
problem.  Add more characters into that set if you want.  And test.  :)

I could post an alternate set if you want, but I would like to make sure
my thinking is straight first.

Someone steer me right if I'm talkin' outta me bum.  

Jennifer

 
 ...
 X-mailer: Pegasus Mail for Windows (v3.01b)
 
  * This message contains the file 'isdf6e~1.jpg', which has been
  * uuencoded. If you are using Pegasus Mail, then you can use
  * the browser's eXtract function to lift the original contents
  * out to a file, otherwise you will have to extract the message
  * and uudecode it manually.





---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [WL] [SAtalk] Yikes.. rules_du_jour

2004-01-18 Thread Jennifer Wheeler 
(Didn't mean to go offlist with my reply.  Here it is again)

 On Sat, 17 Jan 2004, Jonathan Nichols wrote:
  rules_du_jour is kind of neat, but I hope it's not going to drive up
  Chris  Jennifer's bandwidth bills or som 'em over a quota. :P
 
 A thought, and a suggestion:
 
 Thought: Some of the rules in 'rules du jour' look like they are
fairly
 'stable'. There is no reason to be downloading 'backhair' or 'weeds'
 everyday, is there?

Correct.  The only set going through frequent revisions right now is
Chickenpox.  I think I'm about to post a revision on Backhair/Popcorn,
but that will be the first change in months.  Still, they will not go
through frequent edits like pox.

Jennifer

 
 Suggestion: For frequent changers, like 'evilrules', how about setting
up
 a flag system where, for example, a single file is accessed for a
 timestamp, and only if the timestamp is 'new' does the script perform
the
 various downloads. This way, most nights, there is ONE HTTP access, to
get
 the timestamp, and its a small file, rather than several big ones.
 
 This might require a 'central' site to keep the timestamp. But this
would
 work for all of Jennifer's rules, at least.
 
 - Charles
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Yikes.. rules_du_jour

2004-01-17 Thread Jennifer Wheeler 
 
 rules_du_jour is kind of neat, but I hope it's not going to drive up
 Chris  Jennifer's bandwidth bills or som 'em over a quota. :P
 
 Would it be possible to add a mirror or two? I've got a fairly empty
T1
 that could help out..

I think mine _should_ be okay, especially if it's staggered.  We'll
watch and see how things go, but you're right, mirrors might be a good
idea.  I do like Chris' idea though, because I hate bugging everyone
with update!  Update!  I feel like a glow worm salesman on the fourth
of july, especially with all the tweaks on pox.  I'll watch things and
let you know if I start to see a problem.

Some good stuff is going on  :)  I'm pretty excited about it, I shall
let you know soon.

Jennifer
 
 -Jonathan
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Pox Update

2004-01-15 Thread Jennifer Wheeler 
Oy...  I'm having a really bad day.  :)  either you will get three of
these update notices, or the good people who moderate will see that I
keep posting from the wrong account and pull those.  Third time is a
charm, and I've changed my default email.  Sincere apologies!!

Newest Chickenpox vaccination here...

http://www.emtinc.net/spamhammers.htm  

~or~ at Chris (Spam me now!!) Santerre's site

http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm  

Let me know if the numbers prove troublesome, and like I said, you might
want to lower the scores to 0.6 ish to start with.  (Robert M. gave me
some great scoring recommendations based on his tests, but I just
haven't gotten around to putting those into the mix just yet.)  

If you're worried about including the numbers in the punctuation set,
just remove them.  There are other fixes with the regex as well, so if
you use the set, I'd grab these and just pull out the numbers if they
worry you.  Bill Landry suggested adding 0 and 1, which are working out
well for both of us. Today I added in a few more that I see quite often,
but haven't watched them much.

Jennifer (double checking her sent by) Wheeler




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Pox Update

2004-01-15 Thread Jennifer Wheeler 
Top posting :/

31  41 need a t in the regex toward the end like so...  

(?:['`]{1}[dst]{1})

Sorry about that. I realized it when I saw too many of them hitting.
It's fixed on the spamhammer page.  I also let Chris know.

I also have started putting version numbers on the sets per request. I
set them all to 1.0 even though they've gone through several edits thus
far.  Sorry for the confusion.

Jennifer

Woo...  do a grep for sorry will ya!  I'll shhsh

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
 Sent: Thursday, January 15, 2004 12:20 PM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Pox Update
 
 Oy...  I'm having a really bad day.  :)  either you will get three of
 these update notices, or the good people who moderate will see that I
 keep posting from the wrong account and pull those.  Third time is a
 charm, and I've changed my default email.  Sincere apologies!!
 
 Newest Chickenpox vaccination here...
 
 http://www.emtinc.net/spamhammers.htm
 
 ~or~ at Chris (Spam me now!!) Santerre's site
 
 http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
 
 Let me know if the numbers prove troublesome, and like I said, you
might
 want to lower the scores to 0.6 ish to start with.  (Robert M. gave me
 some great scoring recommendations based on his tests, but I just
 haven't gotten around to putting those into the mix just yet.)
 
 If you're worried about including the numbers in the punctuation
set,
 just remove them.  There are other fixes with the regex as well, so if
 you use the set, I'd grab these and just pull out the numbers if they
 worry you.  Bill Landry suggested adding 0 and 1, which are working
out
 well for both of us. Today I added in a few more that I see quite
often,
 but haven't watched them much.
 
 Jennifer (double checking her sent by) Wheeler
 
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Pox 1.2

2004-01-15 Thread Jennifer Wheeler 
Adam has gone through the set and 'graded my paper'.

- the ' was missing in rules ending in {2}
- added d to higher up rules ending in {1} (proper names...doh)
- he pointed out some extraneous 'code'
- on an earlier edit (not announced) he explained the need for speed
using ?: in the capturing (), so I fixed those.

I put the rules at sort of a midway score.  I know you can (and should
at least to start) change them, but I can't quite decide where to start
them in the file.  I think, as I believe someone said earlier, maybe
chris, with any rules you're trying out that someone else wrote, you
should score them low until you see how they do, then adjust them based
on your needs.  We all have good intentions, but this isn't easy stuff
and we're bound to make mistakes or have oversights.  ...which is the
whole point of this list and doing this as a team.  :)

Thank you again Adam, and to everyone else who has given such good
suggestions!  It's getting there.

Jennifer




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Pox 1.2

2004-01-15 Thread Jennifer Wheeler 

Hi Jennifer!  ...a link would be _helpful_!

Thanks!

http://www.emtinc.net/spamhammers.htm

apologies,
Jennifer

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Jennifer Wheeler
 Sent: Thursday, January 15, 2004 8:55 PM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Pox 1.2
 
 Adam has gone through the set and 'graded my paper'.
 
 - the ' was missing in rules ending in {2}
 - added d to higher up rules ending in {1} (proper names...doh)
 - he pointed out some extraneous 'code'
 - on an earlier edit (not announced) he explained the need for speed
 using ?: in the capturing (), so I fixed those.
 
 I put the rules at sort of a midway score.  I know you can (and should
 at least to start) change them, but I can't quite decide where to
start
 them in the file.  I think, as I believe someone said earlier, maybe
 chris, with any rules you're trying out that someone else wrote, you
 should score them low until you see how they do, then adjust them
based
 on your needs.  We all have good intentions, but this isn't easy stuff
 and we're bound to make mistakes or have oversights.  ...which is the
 whole point of this list and doing this as a team.  :)
 
 Thank you again Adam, and to everyone else who has given such good
 suggestions!  It's getting there.
 
 Jennifer
 
 
 
 
 ---
 The SF.Net email is sponsored by EclipseCon 2004
 Premiere Conference on Open Tools Development and Integration
 See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
 http://www.eclipsecon.org/osdn
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] [RD] Chickenpox Update

2004-01-08 Thread Jennifer Wheeler 
Edited Chickenpox Set is now available.  Please read the notes on the
site before using the set!  I love the set, but I have them scored
higher than you might like.  I would set the scores lower to test and
then score them per your tastes/spam threshold.  If you would like to
wait for testing results, I believe Bob M. will be testing this newest
set against his corpus when he gets some time. 

http://www.emtinc.net/spamhammers.htm

Thank you to Adam L. who has given me *great* regex instruction with
this set!  

Please give me feedback, I anticipate needing to write in more
exclusions to make them even safer to use.

Thanks!
Jennifer



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Silly spam

2004-01-07 Thread Jennifer Wheeler 
http://www.emtinc.net/spamhammers.htm

i'll probably have an update to the chickenpox set by the end of the week.

and i see someone already pointed you to chris' site.  There is also the
wiki, i believe there is a link from rulesemporium.

jennifer

 On Wed, 7 Jan 2004, Kurt Buff wrote:

 Several instances of the attached message got through, and I'm wondering
 what might catch this - we're running v2.60, with popcorn, backhair,
 weeds,
 smallpox, nov2rules and bigevil, plus a couple of minor custom rules.

 Hi, i'm a newbie to the list, is there are URL which has the rules
 for the above custom rules you mentioned above?




 ---
 This SF.net email is sponsored by: Perforce Software.
 Perforce is the Fast Software Configuration Management System offering
 advanced branching capabilities and atomic changes on 50+ platforms.
 Free Eval! http://www.perforce.com/perforce/loadprog.html
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Bizarre spam

2004-01-06 Thread Jennifer Wheeler 
I got several of those in December, but none recently.  None of them
were tagged.  I probably wrote a simple rule for it.  Seems I remember
something about ev2 in the headers??

Jennifer

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Christopher Kunz
 Sent: Tuesday, January 06, 2004 2:22 PM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Bizarre spam
 
 Hi,
 
 I received this here just some minutes ago. It went to a role account
 and through a ticketing system so there's no usable headers (it wasn't
 scanned by SA either), but the content speaks for itself... Looks like
 pure bayes poison.
 
 Did anyone else receive this and can tell me if it's correctly caught?
I
 can't imagine what content-based rules could catch this bastard...
 
 -- SNIP --
 html
 pre
 To: Juror #3, Van Nuys Superior Court, Dept E, Los Angeles,
 CA, excused on November 13.
 
 This is Juror #4 and I would really like to say Hi
 and continue our conversation.
 You can reply to this email or call 818-831-1492.
 
 DO YOU KNOW JUROR #3?
 
 She is WF, 30's, 5'5, slender build, short light brown hair.
 She served on jury duty November 12  13, Van Nuys Superior Court in
the
 San Fernando Valley, Los Angeles, CA.
 
 Contact me or please pass this message along to her.pThanks, and
Happy
 Holidays!pa href=http://kcfv2yh0cq.eivww.com;/prep/a/html
 -- SNAP --
 
 --ck
 
 
 
 ---
 This SF.net email is sponsored by: IBM Linux Tutorials.
 Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
 Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
 Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Rule to block Paris Hilton spam

2003-12-31 Thread Jennifer Wheeler 
Eureka!  :)  believe this works, yes??  At least I think this is what
you are going for?  Sorry for the wrap.

rawbody hilton_b64
/(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCk
NvbWUgY2hlY2sgb3V0|\n)/
describe hilton_b64 Base 64 encoded paris hilton spam
score hilton_b64 .03

good goin peeps!  :)
Jennifer

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Santerre
 Sent: Wednesday, December 31, 2003 11:34 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [SAtalk] Rule to block Paris Hilton spam
 
 OK, per a suggestion I tried this rule as full. Nope still didn't see
the
 raw code. What am I missing? Is it possible to look for raw base64
code in
 SA?
 
  -Original Message-
  From: Chris Santerre [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 30, 2003 9:35 AM
  To: 'Stephane Lentz'
  Cc: [EMAIL PROTECTED]
  Subject: RE: [SAtalk] Rule to block Paris Hilton spam
 
 
  Ok, this didn't work overnight. However I did receive spam
  with the exact
  first base64 pattern in it. So I think it is just a problem
  with rawbody
  So what rule type do we use to catch this raw pattern??
 
  rawbody hilton_b64 raw:/base64code/
 
  would that work?
 
  --Chris
 
 
   -Original Message-
   From: Chris Santerre [mailto:[EMAIL PROTECTED]
   Sent: Monday, December 29, 2003 5:27 PM
   To: 'Stephane Lentz'; Chris Thielen
   Cc: [EMAIL PROTECTED]
   Subject: RE: [SAtalk] Rule to block Paris Hilton spam
  
  
   I offer this in UNTESTED form. TEsting overnight ;)
  
   Your email viewer will wrap these lines. SHould be 3 lines:
  
   rawbody hilton_b64
   /(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|j
   xr)|aGV5DQoNCk
   NvbWUgY2hlY2sgb3V0)/
   describe hilton_b64 Base 64 encoded paris hilton spam
   score hilton_b64 .01
  
  
  
-Original Message-
From: Stephane Lentz [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 5:14 PM
To: Chris Thielen
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Rule to block Paris Hilton spam
   
   
Hi again,
   
On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
 Stephane Lentz said:
  = Thanks for the info. Two samples of such spam are now
available at
  http://milter.free.fr/spam/ (hilton-sample1.txt 
hilton-sample2.txt
  files)

 Stephane,

 I glanced at the spamassassin source just now.  I may be
wrong, but it
 appears that the URI tests only matches on attributes of
background,
 href, src, action. The URL in the spam was html text
and not a link
 of sorts.  You may consider changing your rule to a BODY
rule instead of a
 URI rule.
   
= The URI rule works in some cases (no splitting of base64
representation
of the URL).
I think I understand the problem better now after some
   further tests .
Test messages :
- Content-Transfer-Encoding: base64
- just include  http://special-selections.com URL (base64
encoded) as body
   
The problem is really related to base64 decoding  URI matching.
   
The rule uri LOCAL_HILTON  /special-selections\.com/ :
   
- gets triggered if the base64 string (in the body) is in
  one line :
aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
- does not match if the base64 string is splitted accross
several
lines
aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
jb20K
   
or
   
aHR0cDovL3NwZWNpYWwtc2VsZWN
0aW9ucy5jb20K
   
Is it a new spammer trick (base64 body with URL base64
   representation
splitted  across several lines) ?
I guess the work-around is a rawbody rule (right ?)
I got no success with a body rule.
   
 
  = Thanks for the link. i will check it out. I was
willing to avoid the
  matching Paris Hilton if possible as I live in Paris
and some of my
  colleagues may book some rooms in Hilton hotels (one
never knows) 

 I'm not quite sure how to interpret your statement about
being willing to
 avoid the matching ... so I will expclicitly state what
the link does.  I
 understand you do not wish to match the unobfuscated paris
hilton.  The
 rules generated by the link above will match *ONLY*
obfuscated paris
 hilton.  It will not match Paris Hilton or any case
permutations such
 as PARIS hilton.  It *will* match obfuscated versions
such as PAR1S
 H1LTON (and a couple other permutations).

 Another possible way to attack this is to look for
obfuscated paris or
 obfuscated hilton only (removing the quotes will generate 4
rules instead
 of 2).  See:
  http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .
   
--
   = Thanks for the clarifications.
  
   regards,
  
   SL/
  
  
   ---
   This SF.net email is sponsored by: IBM Linux Tutorials.
   Become an expert in LINUX or just

RE: [SAtalk] Rule to block Paris Hilton spam

2003-12-31 Thread Jennifer Wheeler 
Oops  :)  my bad...  I actually forgot I had that in there...  that was
the start to another attempt, and midway through I got a second thought,
tried it, and forgot I did that.  Haste to get my sub and powerball
ticket!

I shall get back on it  ;)  thx

Jen

 -Original Message-
 From: Brian Sneddon [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 31, 2003 12:14 PM
 To: 'Jennifer Wheeler'; 'Chris Santerre'
 Cc: [EMAIL PROTECTED]
 Subject: RE: [SAtalk] Rule to block Paris Hilton spam
 
 Wont that \n at the end of the regex match virtually ALL mail?
 
 Brian
 
 -Original Message-
 From: Jennifer Wheeler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 31, 2003 12:06 PM
 To: 'Chris Santerre'; [EMAIL PROTECTED]
 Subject: RE: [SAtalk] Rule to block Paris Hilton spam
 
 Eureka!  :)  believe this works, yes??  At least I think this is what
 you are going for?  Sorry for the wrap.
 
 rawbody hilton_b64

/(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCk
 NvbWUgY2hlY2sgb3V0|\n)/
 describe hilton_b64 Base 64 encoded paris hilton spam
 score hilton_b64 .03
 
 good goin peeps!  :)
 Jennifer
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:spamassassin-
  [EMAIL PROTECTED] On Behalf Of Chris Santerre
  Sent: Wednesday, December 31, 2003 11:34 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [SAtalk] Rule to block Paris Hilton spam
 
  OK, per a suggestion I tried this rule as full. Nope still didn't
see
 the
  raw code. What am I missing? Is it possible to look for raw base64
 code in
  SA?
 
   -Original Message-
   From: Chris Santerre [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, December 30, 2003 9:35 AM
   To: 'Stephane Lentz'
   Cc: [EMAIL PROTECTED]
   Subject: RE: [SAtalk] Rule to block Paris Hilton spam
  
  
   Ok, this didn't work overnight. However I did receive spam
   with the exact
   first base64 pattern in it. So I think it is just a problem
   with rawbody
   So what rule type do we use to catch this raw pattern??
  
   rawbody hilton_b64 raw:/base64code/
  
   would that work?
  
   --Chris
  
  
-Original Message-
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 5:27 PM
To: 'Stephane Lentz'; Chris Thielen
Cc: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Rule to block Paris Hilton spam
   
   
I offer this in UNTESTED form. TEsting overnight ;)
   
Your email viewer will wrap these lines. SHould be 3 lines:
   
rawbody hilton_b64
/(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|j
xr)|aGV5DQoNCk
NvbWUgY2hlY2sgb3V0)/
describe hilton_b64 Base 64 encoded paris hilton spam
score hilton_b64 .01
   
   
   
 -Original Message-
 From: Stephane Lentz [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 29, 2003 5:14 PM
 To: Chris Thielen
 Cc: [EMAIL PROTECTED]
 Subject: Re: [SAtalk] Rule to block Paris Hilton spam


 Hi again,

 On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
  Stephane Lentz said:
   = Thanks for the info. Two samples of such spam are now
 available at
   http://milter.free.fr/spam/ (hilton-sample1.txt 
 hilton-sample2.txt
   files)
 
  Stephane,
 
  I glanced at the spamassassin source just now.  I may be
 wrong, but it
  appears that the URI tests only matches on attributes of
 background,
  href, src, action. The URL in the spam was html text
 and not a link
  of sorts.  You may consider changing your rule to a BODY
 rule instead of a
  URI rule.

 = The URI rule works in some cases (no splitting of base64
 representation
 of the URL).
 I think I understand the problem better now after some
further tests .
 Test messages :
 - Content-Transfer-Encoding: base64
 - just include  http://special-selections.com URL (base64
 encoded) as body

 The problem is really related to base64 decoding  URI
matching.

 The rule uri LOCAL_HILTON  /special-selections\.com/ :

 - gets triggered if the base64 string (in the body) is in
   one line :
 aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
 - does not match if the base64 string is splitted accross
 several
 lines
 aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
 jb20K

 or

 aHR0cDovL3NwZWNpYWwtc2VsZWN
 0aW9ucy5jb20K

 Is it a new spammer trick (base64 body with URL base64
representation
 splitted  across several lines) ?
 I guess the work-around is a rawbody rule (right ?)
 I got no success with a body rule.

  
   = Thanks for the link. i will check it out. I was
 willing to avoid the
   matching Paris Hilton if possible as I live in Paris
 and some of my
   colleagues may book some rooms in Hilton hotels (one
 never knows) 
 
  I'm not quite sure how to interpret your statement about

RE: [SAtalk] Spell Checking the Subject Header (RESULTS)

2003-12-31 Thread Jennifer Wheeler 
 On 12/31/03, Casper Gasper wrote:
 
 Things like, '4 consonants in a row are not an English word'.
 
 Shortstop?  Matchstick?  :)
 
 Seriously, though, looking for patterns is an interesting idea.  For
 instance, English simply does not allow you to begin a word with vt
or
 bs.  Looking for word beginnings might be more useful than looking
 within words.  I bet that with a few minutes fiddling with perl and a
 dictionary file, I could generate a list of forbidden word-initial
 letter pairs.
 
 Adam Schneider
 http://adamschneider.net/

I've been using these for several months  I like them. Maybe these are
at least in the ballpark of what you're talking about / trying to catch.
I didn't read the whole thread.

Howev-ah...  what Chris said  :)  

Jennifer
 
 
 
 
 
 
 ---
 This SF.net email is sponsored by: IBM Linux Tutorials.
 Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
 Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
 Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


LWTsets.cf
Description: Binary data

[SAtalk] Chickenpox Update

2003-12-30 Thread Jennifer Wheeler 
I added several filename extensions and fixed oversights in 3 rules.
Thanks Scott for the input!

http://www.emtinc.net/includes/chickenpox.cf

Jennifer



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Re: False positives

2003-12-29 Thread Jennifer Wheeler 


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Bob George
 Sent: Monday, December 29, 2003 4:20 PM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Re: False positives
 
 John Beamon [EMAIL PROTECTED] wrote:
  [...] (I particularly like seeing the * 0.5 -- BODY: Possible porn
-
 Hot,
  Nasty, Wild, Young rating on a children's autism mailing list...)
 
 Having read through the web page (apparently the email was the SAME
HTML
 page -- argh!), I do wonder what flagged that particular match.
 
 That said, if you think THAT is fun, you should try running a Section
508
 (accessibility) validator against his page. Talk about ADA
non-compliance!
 :)
 
 My take is that Lenny's just a dedicated volunteer devoted to his
cause
 who
 forgot that other dedicated volunteers are equally dedicated to
theirs. In
 his
 reply to me, he mentioned he's not a web developer, nor particularly
 technical.
 I don't think he's guilty of much more than poor manners and a bit of
 self-righteousness.

Yep.  I googled him and he's the father of an autistic child who is very
active in promoting awareness and research.  Easy to see where the
hyperdrive comes from.  Still... mix in a compassion sandwich in other
areas of your life will ya, Len!?  ;)  I know...  not here, quake
server, etc.  :)

Jennifer


 
 I can imagnine the frustration of a non-technical, legitimate mailing
list
 owner trying desperately to get (what they deem) important messages
out,
 without having to become expert in spam-fighting techniques. Those
folks
 are
 victims of spam too.
 
 - Bob
 
 
 
 ---
 This SF.net email is sponsored by: IBM Linux Tutorials.
 Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
 Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
 Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Image-only spam

2003-12-24 Thread Jennifer Wheeler 
Hi Barry,
This will also snag a few of those if you want to use them.  You could
write them to hit the body as well if you wanted, i just use a subject
rule for now.

describe J_PARISobfu paris
header   J_PARISSubject =~
/[EMAIL PROTECTED]|1\!][sz5\$](?!(?:paris))/i
scoreJ_PARIS1.0

describe J_HILTON   obfu hilton
header   J_HILTON   Subject =~
/h[iíl\|1\!][l1\!\|][t7\+][o0u]n(?!(?:hilton))/i
scoreJ_HILTON   1.0

Jennifer

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Barry Callahan
 Sent: Wednesday, December 24, 2003 9:13 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [SAtalk] Image-only spam
 
 
 Heh.
 
 Went to http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
 and installed the following rulesets:
 
 bigevil.cf
 nov2rules.cf
 popcornonly.cf
 weedsonly.cf
 backhair.cf
 
 I've got SpamAssassin monitoring a handful of addresses where 98% of 
 all traffic is spam.  So far, I've had one spam squeak through with a 
 score of 4.8...  A snippet follows:
 
 *SNIPPET*
 X-Spam-Status: No, hits=4.8 required=5.0 
 tests=BIZ_TLD,BigEvilList_184,
   OACYS_CONS_6 autolearn=no version=2.61
 X-Spam-Level: 
 X-Spam-Checker-Version: SpamAssassin 2.61 
 (1.212.2.1-2003-12-09-exp) on
   s3.lakotacreations.com
 
 Download the Parls HlLton stolen s-e-x video!
 
 This is the original private Parls HlLton sex video that 
 Paris and Rick 
 Soloman made that has been leaked out,
 and is now available for you to download.
 Get it while you can, the HiIton's family lawyers are doing 
 everything 
 they can to stop re-distribution of this video
 
http://www.crockolate.biz/paris/paris.html



rGzmj0jwTA
*/SNIPPET*

To catch these in the future, I added the pattern s-e-x to the 
DISGUISE_PORN rule in 20_porn.cf

Now to start looking at some real email and see if I have any problems 
with false positives. :)

barryc wrote:
 After replacing the RPM I got from RedHat (2.44) with the RPMs found 
 on the
 SpamAssassin website (2.61) it's now catching 2/3 of the spam.
 
 The image-only spam I'm getting is now being tagged at 2.0 - 3.6.
 
 Now that I'm running a modern release of SpamAssassin, I'll take a 
 look at DCC
 and Razor, and I'll look into setting up a Bayesian database.




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's Free Linux Tutorials.  Learn everything from the bash shell to sys
admin. Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78alloc_id371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] sa-learn from Exchange 2000

2003-12-24 Thread Jennifer Wheeler 
Hello there Rubin
 
 The ruleset name _was_ her idea 8^)
 
 I can see that my post could seem a little odd taken out of 
 context, so let me clarify: Jenn's Backhair *ruleset* will 
 help with the bogus html tags.  I know nothing about Jenn's 
 backhair. I must confess that I do, however, occasionally 
 find myself pondering (amongst other less trivial matters, 
 like 42) where the hell she came up with that name!
 
 Happy holidays all!
 
 Rubin

I actually was asked this once before  :)  ..i answered it when i was a
bit punchy, but here ya go. (yes, it's slow here today and i have
nothing better to do than go digging through the archives!)

http://sourceforge.net/mailarchive/message.php?msg_id=6503883

btw 42???  what did you mean by that.  that was very creepy to see,
because i've tried to convince my brother from an early age, that the
number 42 *haunts* me and turns up *everywhere*!  that'll either be a
very good year for me, or that's the year i'll buy the farm per se!
Either way, i'm forwarding your email to my brother for yet *more*
proof. ;)

Jennifer

ps...  Lukreme...still waiting for filgret rules!  if you dont hurry,
i'm stealing that name for my next rule! ;)

 
 On Tue, 2003-12-23 at 18:25, Evan Platt wrote:
  --On Tuesday, December 23, 2003 5:56 PM -0500 Rubin Bennett 
  [EMAIL PROTECTED] wrote:
  
   Jennifer's Backhair rules.
  
  That sentence could be taken the wrong way... :)
  
  Evan
  
  
  ---
  This SF.net email is sponsored by: IBM Linux Tutorials. Become an 
  expert in LINUX or just sharpen your skills.  Sign up for 
 IBM's Free 
  Linux Tutorials.  Learn everything from the bash shell to 
 sys admin. 
  Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
  ___
  Spamassassin-talk mailing list 
 [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
 -- 
 Rubin Bennett [EMAIL PROTECTED]
 RB Technologies
 



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] sa-learn from Exchange 2000

2003-12-24 Thread Jennifer Wheeler 

  btw 42???  what did you mean by that.  that was very
  creepy to see,
  because i've tried to convince my brother from an early 
 age, that the
  number 42 *haunts* me and turns up *everywhere*!  that'll 
 either be a
  very good year for me, or that's the year i'll buy the farm per se!
 
http://en2.wikipedia.org/wiki/The_Answer_to_Life,_the_Universe,_and_Ever
ything


okay... even creepier  :)  thanks, Mike!  ...think i'll be going home
about now.



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] tags in text

2003-12-23 Thread Jennifer Wheeler 
Hi again Sam
[snip and paste...reordering your original post]
 So to restate the second part of my original request,
 Is there a method to modify the score as a function
 of the number of hits of the same rule?

Easier to answer this way.  Sorry, I wasn't feeling wordy yesterday and
thought the site would explain this.

Actually, there may be some other way to accomplish what you are asking,
but the rules I pointed you to actually do what you say in a roundabout
way.  I explained this in a much earlier post, but I'll do so again.

The set is written to catch a pattern of obfuscation, you're right.
When spammers include meaningblahbitty blah blahless tags in a spam
(in order to either disquise a spammy word or some other goal..) they
generally do so throughout the spam.  That gives you something to look
for other than a spammy word.  You can now look for many spammy
patterns, making the set, in essence, additive. (though maybe not in the
common meaning of the word additive in the world of programming...i'm
not a programmer so I could be talking out of my bum here)

More below...

 
 From: Jennifer Wheeler [EMAIL PROTECTED]
 Date: Mon, 22 Dec 2003 15:01:25 -0500
 
 http://www.emtinc.net/spamhammers.htm
 
 Indeed, yours was one of the places I *had* looked.
 Forgive me if I'm confused, but it seems that your
 rules are looking for a variety of tag patterns.
 E.g. frobnozflibberdigibbet and mumblefrapnuts
 are two separate matches.
 
 Did you find that a more general pattern missed too
 much spam or hit too much ham?

No, I never made a more general rule.  I saw a spam come through that
looked like an extremely blatant in your face use of spammy lingo.  I
was all, wtf.., and I looked in the source, and saw thoarieghat
twiouebhvhey had broken it aaoeribhll up with meaningless tags.
Temporary defeatist attitude took me to the couch to watch tv.  I
thought about how to catch those, and realized that writing to catch the
pattern would be the same thing as looking for a big number of spammy
words.  Just the occurrence of that tag bracketed by words is a spam
flag.  New spammy terms, and you just have to tell the computer how to
read the new words.

If you don't like the set, write a general rule that looks for the
embedded tag with a random number of letters to the right and left of
the tag, bracketed by some sort of stopper to keep it from matching too
much, and give it a whopping score.  I just think it's better to edge
emails up towards spam thresholds with more rules to try and reduce
false positives.

 
 I had originally considered / .+\.*\.* / ,but was
 concerned about inadvertently catching everything by
 accident.

Looking at that rule, I believe the second . would match a closing
bracket..  so you might actually end up hitting something that
matches a legit tag, then keeps looking in the rest of the email until
it matches the end of the regex.  Sorry I can't give an example, that is
just a suspicion and I'm no regex pro.  Try it, give it a score of .1,
and see what it does hit.

Hope I answered what you are asking.  It's early, so if not, and after a
few cokes, I'll give it another stab.

Jennifer
 
 I'm hoping that doing this without explicit text
 strings combined with additive scoring will be
 enough to get these auto-learned.

[snipped to above]
 
 
 CHeers!
 -sam
 
 
 
 
 ---
 This SF.net email is sponsored by: IBM Linux Tutorials.
 Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
 Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
 Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] tags in text

2003-12-22 Thread Jennifer Wheeler 
Hi Sam,
 
 Probably haven't look hard enough, but has anyone
 used a rule to detect (real or pseudo) HTML tags
 embedded in text.  Ostensibly they're there to
 throw off bayes and other pattern matchers.
 
 I just put up:
 
 rawbody   TAG_IN_TEXT   /[a-zA-Z0-9]+\\/*[a-zA-Z0-9]*\[a-zA-Z0-9]+/
 describe  TAG_IN_TEXT
 score TAG_IN_TEXT   1.0
 
 on my test mailer, and it is hitting OK on what I *think* I'm
 looking for.

http://www.emtinc.net/spamhammers.htm

Jennifer

 
 Are there any legitimate uses for tetagsxt?
  If so, I'd like
 to score each one individually.  Is there a method for incrementing
 the score for each match within a message?
 
 Cheers!
 -sam
 
 
 ---
 This SF.net email is sponsored by: IBM Linux Tutorials.
 Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
 Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
 Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Possible FP on big evil list

2003-12-11 Thread Jennifer Wheeler 
Helloo.
  
FP Notice.

FP forwarded to me this morning on an ebay Bid Confirmed notice.

BigEvilList_133 contains pics.ebaystatic.com which is in the source of
the bid confirmed emails from ebay auctions.  It pushed it to 8.34; we
tag at 7.0. Other custom rules contributed 0.7 to the score, default
rules SA 2.61 gave the email 4.8.  (Just to help you determine whether
or not you want to remove this from your file) 

Here is the little bugger in the source..

snip
tr
tda href=http://www.ebay.com/;img
src=http://pics.ebaystatic.com/aw/pics/email/eBayLogo.gif; border=0
align=right/afont size=4 face=Verdana
You Are the Current High Bidder
/font
snip

Jennifer



 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Santerre
 Sent: Thursday, December 04, 2003 11:59 AM
 To: 'Rich Puhek'
 Cc: Spamassassin-Talk (E-mail)
 Subject: [SAtalk] Possible FP on big evil list
 
 CC'd to list for opinions.
 
 OK, this one actually bothers me. The URIs hitting are Pull\.xmr3\.com
and
 xmr3\.com . Googleing on these shows many people blocking this domain.
Has
 this person signed up for this Sams Club newsletter? Is it UCE not
spam?
 (That is a loaded/large debate quetion right there!) I'm hesitant to
 remove
 this one. This domain might be used by spammers and legit. Argh!
 
 Again, checking openrbl.org doesn't help much. I'm looking for spam
hosts,
 not senders.
 
 Now I know why the dynablock guy went mad and retired ;)
 
 --Chris (Off to grep the copri.again!) Santerre
 
  -Original Message-
  From: Rich Puhek [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 03, 2003 5:02 PM
  To: [EMAIL PROTECTED]
  Subject: *SPAM* Possible FP on big evil list
 
 
  We've received a couple of complaints for the following
  email. I haven't
  confirmed if the email itself is legit. It hits
  BigEvilList_138 and _175.
 
  Looks like I was running version 1.52 at the time the email
  came through
  to them... although it's also possible I was running 1.5
  (changed late
  this morning).
 
  Thanks!
 
  --Rich
 
 *snip*
 
 
 
 ---
 This SF.net email is sponsored by: IBM Linux Tutorials.
 Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
 Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
 Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Spammer with dot in the mail from header

2003-12-03 Thread Jennifer Wheeler 
HI there

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Thielen
 Sent: Wednesday, December 03, 2003 12:26 PM
 To: Spamassassin-Talk
 Cc: Idan Lerer
 Subject: Re: [SAtalk] Spammer with dot in the mail from header
 
 Idan Lerer said:
  I would like to block spammer that sends me emails with mail from
  [EMAIL PROTECTED]
 snip
  header LOCAL_SAPM_FROM_WALLA   ALL =~ /\abcd.\w{0,[EMAIL PROTECTED]/i
 
 Idan,
 
 quote the dot \.:
 header LOCAL_SAPM_FROM_WALLA   ALL =~ /abcd\.\w{0,[EMAIL PROTECTED]/i

oops..  missed the second dot
header LOCAL_SAPM_FROM_WALLA   ALL =~ /abcd\.\w{0,[EMAIL PROTECTED]/i

Jennifer

 
 --
 Chris Thielen
 
 Easily generate SpamAssassin rules to catch obfuscated spam phrases:
 http://www.sandgnat.com/cmos/
 
 
 ---
 This SF.net email is sponsored by OSDN's Audience Survey.
 Help shape OSDN's sites and tell us what you think. Take this
 five minute survey and you could win a $250 Gift Certificate.
 http://www.wrgsurveys.com/2003/osdntech03.php?site=8
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!

2003-12-03 Thread Jennifer Wheeler 
snip
 You could always lower the score. Only 178 to change :)
 (Hey that is nothing compared to how many times I had to hit ' | ,
DELETE,
 END ' because I was in a hurry to get done!)

Hi Chris,
You should grab multiedit.  Rockage.  You can do your edits with little
macros.
Jennifer

 
 --Chris Santerre
 
 
  -Original Message-
  From: Adam Denenberg [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 03, 2003 11:57 AM
  To: 'Spamassassin-Talk (E-mail)'
  Subject: RE: [SAtalk] BIG HUGE EVIL RULE NEWS
 
 
  how agressive are these rules?  I am hearing great things
  about them but
  dont want to produce FP's on my production system.
 
  Any feedback?
 
  thanks
  adam
 
  On Wed, 2003-12-03 at 11:42, Chris Santerre wrote:
   latest is 1.52. Fixed 2 typos and 3 domains. An SF
   project..Hm... :)
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 11:32 AM
To: Chris Santerre
Cc: 'Spamassassin-Talk (E-mail)'
Subject: Re: [SAtalk] BIG HUGE EVIL RULE NEWS
   
   
On 2003/12/03 09:31:24 -0500, Chris Santerre wrote:
   
 What version of Bigevil do you have? 1.51 has fixed 2 typos
in 141 and 153.
 I had
 '.com||somedome'

 empty pipes. site updated within minutes. You got version
1.5 I expect :)

   
The first few lines of:
   
http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
   
are:
   
# BigEvilList Beta version 1.5 !
# Chris Santerre
# All Evilrule files combined into one!
# 2622 domains reduced to 178 rules
   
Am I using the wrong link?  Should that say something other
than 1.5?
   
p.s. Kudos, these rules have made a dramatic improvement on
my servers.
   
p.p.s. I may have missed it, but I suggest that the evil
  rules be made
into a sourceforge project, or something like it.  A
  little version
control goes a long way!
   
   
  
  
   ---
   This SF.net email is sponsored by OSDN's Audience Survey.
   Help shape OSDN's sites and tell us what you think. Take this
   five minute survey and you could win a $250 Gift Certificate.
   http://www.wrgsurveys.com/2003/osdntech03.php?site=8
   ___
   Spamassassin-talk mailing list
   [EMAIL PROTECTED]
   https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
  
 
 
 
  ---
  This SF.net email is sponsored by OSDN's Audience Survey.
  Help shape OSDN's sites and tell us what you think. Take this
  five minute survey and you could win a $250 Gift Certificate.
  http://www.wrgsurveys.com/2003/osdntech03.php?site=8
  ___
  Spamassassin-talk mailing list
  [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
 
 
 
 ---
 This SF.net email is sponsored by OSDN's Audience Survey.
 Help shape OSDN's sites and tell us what you think. Take this
 five minute survey and you could win a $250 Gift Certificate.
 http://www.wrgsurveys.com/2003/osdntech03.php?site=8
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Bigevil domain hat-check help

2003-12-03 Thread Jennifer Wheeler 


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Santerre
 Sent: Wednesday, December 03, 2003 1:08 PM
 To: Spamassassin-Talk (E-mail)
 Subject: [SAtalk] Bigevil domain hat-check help
 
 I've got a domain listed in Bigevil that could be legit. I need a
hatcheck
 on this one. It is not that obvious.  Can someone give me info on:
 
 as1.emv2.com
 
 or the emv2.com domain in general?  (not WHOIS, I can do that!)

http://www.google.com/groups?as_q=emv2.comas_oq=spam%20uce%20ubesafe=i
magesie=UTF-8oe=UTF-8lr=num=100as_scoring=dhl=en

they look a little suspect to me  ;)

Jennifer

 
 *sigh* 1.54 is up. This domain IS still listed in it.
 
 Chris Santerre
 System Admin and SA Custom Rules Emporium keeper
 http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
 A little nonsense now and then, is relished by the wisest men. -
Willy
 Wonka
 
 
 ---
 This SF.net email is sponsored by OSDN's Audience Survey.
 Help shape OSDN's sites and tell us what you think. Take this
 five minute survey and you could win a $250 Gift Certificate.
 http://www.wrgsurveys.com/2003/osdntech03.php?site=8
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!

2003-12-02 Thread Jennifer Wheeler 
Chris Santerre.  I genuflect!  Thanks for the effort.  I must
decline the hockey game; I live in the middle of basketball country and
would have to make quite a pilgrimage to get to a game of any caliber.
Would you settle for my switching from cokes to hot chocolates with
coffee mate for a week?

Jennifer

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Santerre
 Sent: Tuesday, December 02, 2003 3:56 PM
 To: Spamassassin-Talk (E-mail)
 Subject: [SAtalk] BIG HUGE EVIL RULE NEWS
 
 BIG HUGE NEWS
 
 A major breakthrough has taken place
 
 ALL EVILRULES FILES HAVE BEEN COMBINED!! 2622 domains into 178
rules!!!
 Ramdon/tracking hosts tags removed!
 
 They only increase spamd memory by 1 meg!!! 1 meg!
 
 You read correctly! Every evil domain since august has been added!
Remove
 all you old evilrules files. Grab BigEvil.cf and place it in either
your
 /etc/mail/spamassassin dir and restart spamd; or into your
 $home/.spamassassin dir.
 
 I plan to just keep adding to this file!!!
 
 http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
 
 Mike Kuentz, you are no longer allowed to put ideas into my head :) My
 fingers now hurt! Thanks for lighting the spark!
 
 Payment for use of this has to be more then the old evilrules. All
users
 are
 now required to see at least 2 NHL games live! (and NY Islanders don't
 count!)
 
 ENJOY!
 
 Chris Santerre
 System Admin and SA Custom Rules Emporium keeper
 http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
 A little nonsense now and then, is relished by the wisest men. -
Willy
 Wonka
 
 
 ---
 This SF.net email is sponsored by OSDN's Audience Survey.
 Help shape OSDN's sites and tell us what you think. Take this
 five minute survey and you could win a $250 Gift Certificate.
 http://www.wrgsurveys.com/2003/osdntech03.php?site=8
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] New to Spamassassin

2003-11-26 Thread Jennifer Wheeler 


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of McWhirter,Julia
 Sent: Wednesday, November 26, 2003 9:46 AM
 To: Gilson, Larry; Marvin Raab
 Cc: [EMAIL PROTECTED]
 Subject: RE: [SAtalk] New to Spamassassin
 
 Yes so I found out, but too be fair he did say it might be too
 restrictive and in my case it is.  I am now looking at enabling bayes
 unless anyone has any other suggestions.
 

I could be missing something here.  I thought I cc'ed you on this but
maybe I messed up.  Is this not what you were looking for?  Or did you
see a problem with them?  

http://www.emtinc.net/spamhammers.htm 

http://www.emtinc.net/includes/chickenpox.cf 

twilight zone morning here so I could be floating in a hot air balloon
over saskatchewan for all I know.

Jennifer

One more disclaimer, start low, see what they do, and put scores that
work best.  Add domain extensions or whatever other potential problems
you see in the lookbehinds, but make them the same number of characters
as the others in the sets.  (biz|com|org) not (biz|com|html)

 Regards
 Julia McWhirter
 IT Manager
 
 SuperH (UK) Ltd
 Network House
 2410 Aztec West
 Almondsbury
 Bristol
 BS32 4QX
 
 Tel : 01454 465661
 Fax : 01454 465601
 Mobile : 07979 913494
 Email : [EMAIL PROTECTED]
 Web : www.superh.com
 




---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] paris hilton

2003-11-25 Thread Jennifer Wheeler 
Hi Ian

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of ian douglas
 Sent: Monday, November 24, 2003 8:42 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [SAtalk] paris hilton
 
  Haven't seen the spam but one of these should work if your
  example text is always the same:
 
 No, it's different... started out being non-obfuscated, but has
gradually
 gotten more and more l337.

I just wrote this, It linted fine, and I tested it only two times.
1.  They did not hit on a subject of paris Hilton
2.  They did hit on the subject p4ris h1lton

Based on that, I would guess this would work.  Choose your own score,
watch it for awhile, and if it looks okay, jack it up to the score you
need.

Someone who knows regex may want to clean my hackestry up  ;) or point
out any potential problems.

describe J_PARISobfu paris
header   J_PARISSubject =~ /p[a4]r[iíl\|1][s5z](?!(?:paris))/i
scoreJ_PARIS1.0

describe J_HILTON   obfu hilton
header   J_HILTON   Subject =~
/h[iíl\|1][l1\|][t7\+][o0]n(?!(?:hilton))/i
scoreJ_HILTON   1.0


Jennifer

 
 -id
 
 
 
 
 ---
 This SF.net email is sponsored by: SF.net Giveback Program.
 Does SourceForge.net help you be more productive?  Does it
 help you create better code?  SHARE THE LOVE, and help us help
 YOU!  Click Here: http://sourceforge.net/donate/
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Ideas

2003-11-25 Thread Jennifer Wheeler 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony
Bunce
Sent: Tuesday, November 25, 2003 1:23 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Ideas

I have been seeing lots of spam like this getting through recently
 
Anyone have any ideas how to reduce this type of spam from getting
through?
 
Thanks,
Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet?
What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET

Well I have been debating whether or not I should put this set out
there, but oh well.  Here it is. (seems the technique is picking up a
bit lately, and two requests for something today)  I've been playing
around with this set for several weeks, and I personally have been
pretty happy with it.  I gave them to Bob to test against his corpus,
and they didn't do as well as I had hoped.  I still think they are worth
a look if you keep them low for starters, then adjust your scoring as
needed.  There also may be some good ideas from some brain other than
the matter that I'm using.  Ever seen A Christmas Story?  ...just be
careful you don’t put your eye out.

Maybe the best way to continue to grow this set is to test them 'real
world' outside our mail environment and see what sorts of tweaks they
may need.

http://www.emtinc.net/spamhammers.htm

http://www.emtinc.net/includes/chickenpox.cf

...well at least it's better than freckle, I got so sick of that word
I had to change the name.

hope they work, don’t put your eye out, suggest away
Jennifer



---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] [RD] Backhair Update

2003-11-13 Thread Jennifer Wheeler 
Backhair set modification similar to the last popcorn update. (a
waxing??) More flexible in the hidden tag to include more garbage.

http://spamhammers.nxtek.net 

Jennifer



---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Filtering.

2003-11-11 Thread Jennifer Wheeler 

Hi Rajdeep,

 I have successfully installed the SA. but I am not able to filer the
 content. Any stuff which I want to filter in there in the rules
directory
 but not getting filter. What I have to do with this?
 For e.g I have to filter the vulgar stuff. But it does not filterit.
My
 local.cf is as follows:-

Are you asking why SA is not tagging spams?  Or do you mean that the
default SA rules don't seem to be running?  Or do you mean that there
are emails still coming through containing content you would like to
filter that is not covered by the default rules??  I'm pretty unclear
what your question is.  Maybe try asking it another way.  I probably
wont be the one that will be able to answer you  :)  but I think the
question may be a little unclear.  I would ask what seems too obvious;
did you restart after you made your changes to the local file?

Jennifer

 # SpamAssassin config file for version 2.5x
 # generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
 
 # How many hits before a message is considered spam.
 required_hits   2.0
 
 # Whether to change the subject of suspected spam
 rewrite_subject 1
 
 # Text to prepend to subject if rewrite_subject is used
 subject_tag *SPAM*
 
 # Encapsulate spam in an attachment
 report_safe 2
 
 # Use terse version of the spam report
 use_terse_report0
 
 # Enable the Bayes system
 use_bayes   1
 
 # Enable Bayes auto-learning
 auto_learn  1
 
 # Enable or disable network checks
 skip_rbl_checks 0
 use_razor2  1
 use_dcc 1
 use_pyzor   1
 
 # Mail using languages used in these country codes will not be marked
 # as being possibly spam in a foreign language.
 ok_languagesall
 
 # Mail using locales used in these country codes will not be marked
 # as being possibly spam in a foreign language.
 ok_locales  all
 
 
 Help!!!
 
 
 
 ---
 This SF.Net email sponsored by: ApacheCon 2003,
 16-19 November in Las Vegas. Learn firsthand the latest
 developments in Apache, PHP, Perl, XML, Java, MySQL,
 WebDAV, and more! http://www.apachecon.com/
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] Updated Corn

2003-11-11 Thread Jennifer Wheeler 
Hi Guenther,

  Fresh popcorn if you would like some.  I had one come through today
  (which I actually had anticipated, just had to figure out how to
write
  the rule.) If you use this set, I'd update.  It catches quite a lot
more
  in the tag.
 
 Thanks for the update. :)

My Pleasure!

 
  http://spamhammers.nxtek.net
 
 How are those files organized on that site? I couldn't find a link to
 the .cf files, so I just tried. Found popcorn.cf and weeds.cf but
 backhair.cf doesn't exist...

I only linked the popcorn.cf on the site (as a temp download until Chris
S. is able to get it on his rules emporium.)  I'll leave them on there
from now on as well as giving them to chris.  The weeds you located were
on there just as 'storage'...  I'm editing those.  ;)  sneak peek.
Those are still in testing mode. still need to do a few tweaks when I
get time, but they do work. ...still, you might grab the other Weeds set
since I'm not exactly sure what was up there. (I replaced the set you
got from the site with the current weeds.)  I've put all three sets up
for download.  They're the most recent versions and match what you see
in the 'showcase area'.  Please let me know if you have any problems, I
put them up in haste.  ;)  wget away!

Popcorn Only - http://spamhammers.nxtek.net/popcorn.cf
Backhair Only - http://spamhammers.nxtek.net/backhair.cf
Weeds Only - http://spamhammers.nxtek.net/weeds.cf
PBW Gift Basket - http://spamhammers.nxtek.net/pbw.cf

(I had the popcorn link above the rules, but it was a little hard to
see)

Jennifer

 
 Also I was wondering, which are the most recent files. The .cf files
 itself or the version mentioned in index.html?
 
 Would be cool to just wget those files...
 
 ...guenther
 
 
 --
 char

*t=[EMAIL PROTECTED];
 main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8?
 c=1:
 (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){
putchar(t[s]);h=m;s=0;
 }}}
 
 
 
 ---
 This SF.Net email sponsored by: ApacheCon 2003,
 16-19 November in Las Vegas. Learn firsthand the latest
 developments in Apache, PHP, Perl, XML, Java, MySQL,
 WebDAV, and more! http://www.apachecon.com/
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] Updated Corn

2003-11-11 Thread Jennifer Wheeler 
Darn it!!! Wget again Guenther.  I'm sorry.  I STILL didn't have the
right Weeds set up there.  It is right now.

Wow... time to call it a day I think.  :)  Sorry for the trouble.

 -Original Message-
 From: guenther [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, November 11, 2003 4:14 PM
 To: Jennifer Wheeler
 Cc: [EMAIL PROTECTED]
 Subject: RE: [SAtalk] [RD] Updated Corn
 
 
http://spamhammers.nxtek.net
  
   How are those files organized on that site? I couldn't find a link
to
   the .cf files, so I just tried. Found popcorn.cf and weeds.cf but
   backhair.cf doesn't exist...
 
  I only linked the popcorn.cf on the site (as a temp download until
Chris
  S. is able to get it on his rules emporium.)  I'll leave them on
there
  from now on as well as giving them to chris.  The weeds you located
were
  on there just as 'storage'...  I'm editing those.  ;)  sneak peek.
  Those are still in testing mode. still need to do a few tweaks when
I
  get time, but they do work. ...still, you might grab the other Weeds
set
  since I'm not exactly sure what was up there. (I replaced the set
you
  got from the site with the current weeds.)  I've put all three sets
up
  for download.
 
 Thanks, just grabbed them. (As I wondered about those files I cowardly
 refused to put them in production mode before. ;-)
 
 
  They're the most recent versions and match what you see
  in the 'showcase area'.  Please let me know if you have any
problems, I
  put them up in haste.  ;)  wget away!
 
 # spamassassin --lint
 Failed to compile full SpamAssassin tests, skipping:
 (Unmatched [ in regex; marked by -- HERE in
 m/[\w\s;]\#(?:0*(?:90|122)|x0*[57]A);[ -- HERE ^]/ at
 /etc/mail/spamassassin/weeds.cf, rule J_WEEDS_Z, line 1.
 
 Obvious, a negated char class without any char... ;)
 
 full J_WEEDS_Y
 /[\w\s;]\\#(?:0*(?:89|121)|x0*[57]9);[\w\s\.\!\?]/i
 full J_WEEDS_Z  /[\w\s;]\\#(?:0*(?:90|122)|x0*[57]A);[^]/i
 
 
  (I had the popcorn link above the rules, but it was a little hard to
  see)
 
 Doh! My bad. Yep, that is hard to see...
 
 ...guenther
 
 
 --
 char

*t=[EMAIL PROTECTED];
 main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8?
 c=1:
 (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){
putchar(t[s]);h=m;s=0;
 }}}



---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Re: Updated Corn

2003-11-11 Thread Jennifer Wheeler 
 On 11 Nov 2003, at 13:52, Jennifer Wheeler wrote:
 Popcorn Only - http://spamhammers.nxtek.net/popcorn.cf
 Backhair Only - http://spamhammers.nxtek.net/backhair.cf
 Weeds Only - http://spamhammers.nxtek.net/weeds.cf

 Why Popcorn, Backhair, and Weeds??

 as opposed to snarkle, filgret, and ashcroft, for example...

Whew...  Finally, a question I'm able to answer on this list!...  unable
to decipher if you are being funny or sarcastic, ( i'll assume the former)
but i shall reply no less, maybe just because i can.  :)  I'll go along
with madness, but at least there is method.

Nutshell:  Started using spamassassin about 3 1/2 months ago.  I don't
know perl, learned (??heh) regex from writing spamassassin rules, and
I'm reading a book right now on qmail!...  but give me a 5 car highway
collision and i could triage that in my sleep.  Worked as a medic since i
was 18 (many years), and now I'm in web dabbling in etcetera.  I only tell
ya this because i never thought i would be sharing any of my rules with
anyone.  Not stingy, just never thought i'd come up with anything other
than the obvious /v[1\|[EMAIL PROTECTED](edit for the list)[a\a]/i.   So i named my
rules based on things they reminded me of and i could watch them to make
sure i wasn't destroying the mail system.  when i saw how effective they
were, i couldn't 'not share'.

Popcorn-random ridiculous tags exploging here and there and  blowing
normal spam words into the netherworld.  I underestimated their
sneakiness, they irritated me, and i came up with the set.

Backhair-unsightly tags here and there.  easy to figure out, especially if
you watch queer eye for the straight guy and the morbid back waxings they
put themselves through.  I've always found unwanted hair removal amusing
and confusing...

weeds-even more obvious if you look in the source.  I like my html to be
pretty.  So give me some Paxil and maybe I'd see that one differently.  i
suppose then i might have called it confetti.  just looked like weeds in
the source to me.

point bein'...i named them for me to remember, and knowing nobody else
would be naming rules similar to mine, so adding rules would not be a
problem.  When i saw they were fairly lethal, and spammers started being
even more blatant with what they did or said in emails (thinking they
could taunt us and get through no matter what), i decided to share the
wealth.  and because i was so fond of the work they did to so many
spamsi grew attached to the names.  i think and remember things in odd
ways, so why change when peeps can rename.

you may feel free to rename your sets, your names are cute and catchy.  I
hope you learn to love them as much as i have, and name 'em with whatever
moves ya.  :)  I suppose after what i've seen, it's hard to take a lot of
things too darned seriously. Maybe had i known these would be posted, i
would have come up with some very logical techy term  :)  just having a
bit of a time making the transition even after being away from the
'streets' for awhile now.

I'm sure you didn't really want an answer  :)
Enjoy the carnage.  the last corn is good,
Jennifer
 --
 RTFM replies are great, but please specify exactly which FM to R




---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Rule Emporium Update!

2003-11-05 Thread Jennifer Wheeler 
snip
I scored them super high in a fit of rage.

...that makes me smile.  I can picture you leaning back in your chair,
watching the next one come through with a score of 790, laughing
maniacally and flutter kicking your feet in the air.  :)

/My dog is very promiscuous\./

...while enigmatic, this could very well hit quite a few porn spams!

Jennifer

 You may
 want to adjust scores so they are not so drastic.  They have worked
great
 for me in the past few days to catch a handful of messages that would
have
 slipped through otherwise.
 
 YMMV but enjoy. And by all means: I know about this much || about
regex so
 all suggestions are MORE than welcomed. I don't even know if I escaped
the
 right characters.
 
 cheers,
 Colin
 
 Colin A. Bartlett
 Kinetic Web Solutions
 www.kineticweb.biz




---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] Weeds changes

2003-11-04 Thread Jennifer Wheeler 
Hi Scott

I was going to post a change, but you beat me out of the gates.  Last
night the topiary king showed me a way to do that pruning.  If you would
like, you can write those this way.

/\\#(?:0*(?:65|97)|x0*[46]1);/i

I made the changes on the site if you want to grab them
http://spamhammers.nxtek.net

you might want to skim through the set and make sure I edited them all
correctly.  They linted fine.

I'll also be sending the set to chris s. today, so I imagine he'll
update the .cf he has for download on the emporium when he gets the
time.  Thanks again for the great addition, and thanks, Adam (if you're
reading) for the lesson!

Jennifer

Oh..  I believe you're right about ;, I don't have them escaped.  I
did leave the  escaped, I don't know about that one.

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Scott Sprunger
 Sent: Tuesday, November 04, 2003 10:02 AM
 To: 'jennifer'; [EMAIL PROTECTED]
 Subject: RE: [SAtalk] [RD] Weeds changes
 
 I'm not sure that this is any better, but here are two alternatives
(using
 [Aa] for example).  Note in these that I don't think that the  and
;
 need to be escaped since they ran through --lint ok.
 
 /\#(0*65|0*97|x0*41|x0*61);/i
 
 OR
 
 /\#(0*(65|97)|x0*(41|61));/i
 
 TO REPLACE
 
 /(\\#0*65\;|\\#0*97\;|\\#x0*41;|\\#x0*61;)/i
 
 -- Scott
 
 -Original Message-
 From: jennifer [mailto:[EMAIL PROTECTED]
 Sent: Monday, November 03, 2003 10:18 AM
 To: 'Scott Sprunger'; [EMAIL PROTECTED]
 Subject: RE: [SAtalk] [RD] Weeds changes
 
 
 Hi Scott,
 Thanks for the heads up.
 
 You wouldn't happen to have a sample of one of those spams would you?
 I'm curious about something.  I'm wondering if they were using decimal
 code for punctuation rather than hex code for letters??  #61; (or
 #00061;) is actually = not a.  So maybe you were seeing
punctuation
 mixed in? #33; being !.  If that is the case, we just need to tag
on
 all the punctuation. However, I didn't know about the zeros, and
you're
 right.  Thanks!  here is a cleaner way to write these, (thanks to a
very
 nice person for pointing that out, A.L.!)
 
 /\\#(?:65|97);/
 
 so adding the zeros it would be
 /\\#0*(?:65|97);/
 
 I'll make this change on the page, but I'll wait a bit to see if I'm
 'out in left' with my thinking.
 
 I'm realizing spammers are indirectly helping me out in my education,
 maybe I should say Thank You! to them as well.  ...nah.
 
 Jennifer
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On
  Behalf Of Scott Sprunger
  Sent: Monday, November 03, 2003 8:51 AM
  To: [EMAIL PROTECTED]
  Subject: [SAtalk] [RD] Weeds changes
 
 
  This past weekend a flood of new spam arrived which
  circumvented the weeds rules by using leading zeros and hex
  values (both legal from an HTML perspective).  I've updated
  my local rules as below.  Hope this is useful. BTW, Jennifer
  thanks for an incredible set of rules!
 
  -- Scott
 
  describe J_WEEDS_A  Decimal or Hex character encoding [Aa]
  full J_WEEDS_A
  /(\\#0*65\;|\\#0*97\;|\\#x0*41;|\\#x0*61;)/i
  scoreJ_WEEDS_A  0.5
 
  describe J_WEEDS_B  Decimal or Hex character encoding [Bb]
  full J_WEEDS_B
  /(\\#0*66\;|\\#0*98\;|\\#x0*42;|\\#x0*62;)/i
  scoreJ_WEEDS_B  0.5
 
  describe J_WEEDS_C  Decimal or Hex character encoding [Cc]
  full J_WEEDS_C
  /(\\#0*67\;|\\#0*99\;|\\#x0*43;|\\#x0*63;)/i
  scoreJ_WEEDS_C  0.5
 
  describe J_WEEDS_D  Decimal or Hex character encoding [Dd]
  full J_WEEDS_D
  /(\\#0*68\;|\\#0*100\;|\\#x0*44;|\\#x0*64;)/i
  scoreJ_WEEDS_D  0.5
 
  describe J_WEEDS_E  Decimal or Hex character encoding [Ee]
  full J_WEEDS_E
  /(\\#0*69\;|\\#0*101\;|\\#x0*45;|\\#x0*65;)/i
  scoreJ_WEEDS_E  0.5
 
  describe J_WEEDS_F  Decimal or Hex character encoding [Ff]
  full J_WEEDS_F
  /(\\#0*70\;|\\#0*102\;|\\#x0*46;|\\#x0*66;)/i
  scoreJ_WEEDS_F  0.5
 
  describe J_WEEDS_G  Decimal or Hex character encoding [Gg]
  full J_WEEDS_G
  /(\\#0*71\;|\\#0*103\;|\\#x0*47;|\\#x0*67;)/i
  scoreJ_WEEDS_G  0.5
 
  describe J_WEEDS_H  Decimal or Hex character encoding [Hh]
  full J_WEEDS_H
  /(\\#0*72\;|\\#0*104\;|\\#x0*48;|\\#x0*68;)/i
  scoreJ_WEEDS_H  0.5
 
  describe J_WEEDS_I  Decimal or Hex character encoding [Ii]
  full J_WEEDS_I
  /(\\#0*73\;|\\#0*105\;|\\#x0*49;|\\#x0*69;)/i
  scoreJ_WEEDS_I  0.5
 
  describe J_WEEDS_J  Decimal or Hex character encoding [Jj]
  full J_WEEDS_J
  /(\\#0*74\;|\\#0*106\;|\\#x0*4A;|\\#x0*6A;)/i
  scoreJ_WEEDS_J  0.5
 
  describe J_WEEDS_K  Decimal or Hex character encoding [Kk]
  full J_WEEDS_K
  /(\\#0*75\;|\\#0*107\;|\\#x0*4B;|\\#x0*6B;)/i
  scoreJ_WEEDS_K  0.5
 
  describe J_WEEDS_L  Decimal or Hex character encoding [Ll]
  full J_WEEDS_L
  /(\\#0*76\;|\\#0*108\;|\\#x0*4C;|\\#x0*6C;)/i
  scoreJ_WEEDS_L  0.5
 
  describe J_WEEDS_M

RE: [SAtalk] [RD] Open source is Naughty!!!

2003-10-30 Thread Jennifer Wheeler 


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Thielen
 Sent: Thursday, October 30, 2003 4:22 PM
 To: Spamassassin-Talk
 Subject: RE: [SAtalk] [RD] Open source is Naughty!!!
 
 I figure now might be a decent time to mention this:
 http://www.exit0.us/index.php/ChrissMediocreObfuScript 


Thingamabobbers  ...heh

woo this thing is cool Chris  :)  nice goin.  Big wrappage

# TEST
describe J_TEST_P   h
body LOCAL_OBFU_J_TEST_P/p[-_\*\.
]?(?:e|3|\*|\xC8|\xC9|\xCA|\xCB|\xE8|\xE9|\xEA|\xEB)[-_\*\.
]?(?:n|\xD1|\xF1)[-_\*\.
]?(?:i|l|1|\*|\xCC|\xCD|\xCE|\xCF|\xEC|\xED|\xEE|\xEF)[-_\*\.
]?(?:s|\$|\xA7)/
scoreLOCAL_OBFU_J_TEST_P350.0

WELL!  Guess that answers that huh??  :)

Thanks!

Jennifer



---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] Open source is Naughty!!!

2003-10-30 Thread Jennifer Wheeler 
hey Chris

 Glad you like it...

 By the way, notice that the script naively assumes the body definition
 always comes before the describe and/or score line?  If you move the
 describe line below the body line, it will then use the correct rule name
 (LOCAL_OBFU_J_TEST_P).

yeah i was wondering about that.  i grabbed it in the last few minutes i
was at work so i didn't have much time to play with muh new toy!!  thanks
for the tip.  :)

 Also, I think word boundaries at the start and end of the source word make
 for the most effective rule.

i've been gathering that from some of the posts, i think it was kai??,
checking against dictionaries... made me realize i had some editing to do.
 I was using them only when i felt like i needed to make a rule safer,
which should probably be always.  again, thanks for the tips and for the
nifty little thingamabobber.

Jennifer


 -Chris

 Jennifer Wheeler said:


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Chris Thielen
 Sent: Thursday, October 30, 2003 4:22 PM
 To: Spamassassin-Talk
 Subject: RE: [SAtalk] [RD] Open source is Naughty!!!

 I figure now might be a decent time to mention this:
 http://www.exit0.us/index.php/ChrissMediocreObfuScript


 Thingamabobbers  ...heh

 woo this thing is cool Chris  :)  nice goin.  Big wrappage

 # TEST
 describe J_TEST_Ph
 body  LOCAL_OBFU_J_TEST_P/p[-_\*\.
 ]?(?:e|3|\*|\xC8|\xC9|\xCA|\xCB|\xE8|\xE9|\xEA|\xEB)[-_\*\.
 ]?(?:n|\xD1|\xF1)[-_\*\.
 ]?(?:i|l|1|\*|\xCC|\xCD|\xCE|\xCF|\xEC|\xED|\xEE|\xEF)[-_\*\.
 ]?(?:s|\$|\xA7)/
 score LOCAL_OBFU_J_TEST_P350.0

 WELL!  Guess that answers that huh??  :)

 Thanks!

 Jennifer






 ---
 This SF.net email is sponsored by: SF.net Giveback Program.
 Does SourceForge.net help you be more productive?  Does it
 help you create better code?   SHARE THE LOVE, and help us help
 YOU!  Click Here: http://sourceforge.net/donate/
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Checking HTML garbage

2003-10-30 Thread Jennifer Wheeler 
Hi Jeremy

http://spamhammers.nxtek.net

The rules are also on Chris Santerre's site along with many other goodies.
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
in the popcorn link

Jennifer



 Hi,

 Is there anyway to have spamassasin check for this kind of HTML garbage.
 If so, I could get rid of nearly all my spam.

 !--vKXrcu--

 Thanks,
 Jeremy Hein




---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] 4c-2v-3c

2003-10-29 Thread Jennifer Wheeler 
Hi Larry

 I have had some very good success with a rawbody and subject test
which
 looks for
 
   4 or more consonants
   followed by 1 or 2 vowels
   followed by 3 or more consonants or digits
 
 This is the match:

/[0-9bcdfghjklmnpqrstvwxz]{4,}[aeiouy]{1,2}[0-9bcdfghjklmnpqrstvwxz]{3,}
/i

Looks interesting.  I'll try it out and let you know how it goes.
Thanks!  I believe you can change [0-9bcdfghjklmnpqrstvwxz] to [^aeiouy]
(Just to shorten it up a smidge.)

Jennifer



---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Exessive HTML Code

2003-10-29 Thread Jennifer Wheeler 


 Yes, this would be possible.
 
 describe MY_RBDY_EXSV_TAGMY: Excessive HTML Tags
 rawbody  MY_RBDY_EXSV_TAG/[bi]\/[bi]/i
 scoreMY_RBDY_EXSV_TAG4.0
 
 Backhair did not hit because the number of characters within the tag
is
 fewer than 6.  Creating rules to match fewer than 6 characters within
the
 tag delimiters creates false positives.  You will most certainly need
to
 score it how you want rather than the arbitrary number I supplied.
 
 --Larry

I've been using similar rules without havoc.  The font/font could be
much better, I was just lazy and wrote it just for the spam I had and
haven't gotten around to tweaking that one.  You could include some
more, I just threw these in.

rawbody  J_HTML_FNTFNT  /font color\=\#.{0,6}\/font/i
scoreJ_HTML_FNTFNT  1.0

rawbody  J_HTML_I_I /i\/i/i
scoreJ_HTML_I_I 1.0

rawbody  J_HTML_B_B /b\/b/i
scoreJ_HTML_B_B 1.0

rawbody  J_HTML_LI_LI   /li\/li/i
scoreJ_HTML_LI_LI   1.0

rawbody  J_HTML_UL_UL   /ul\/ul/i
scoreJ_HTML_UL_UL   1.0

rawbody  J_HTML_U_U /u\/u/i
score  J_HTML_U_U   1.0

But this was for obfuscating b/bphrases rather than words.  I did
several so I wouldn't have to score them as high.  They wouldn't do
diddly for the score in Mark's example, that's the first I've seen those
tags as 'popcorn' in the source. I figured it was coming based on the
other little evasive things they're doing. (many unsuccessful) The key
is keep doing secret tweaks to your PB as they change their style,
mustn't show all your cards. ;)  but a tweak on PB wouldn't be
practical in this case. (in my inexperienced opinion) Perhaps it's time
for a new set.  That would be an easy technique to stop them from using
lest they get tagged.  When I get some time, I'll play around.

Jennifer


 -Original Message-
 From: Mark Ritchie [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 29, 2003 8:14 AM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Exessive HTML Code
 
 
 I've added the popcorn, blackhair, and weeds rules a while back, but
I've
 noticed that I'm still getting quite a few spams messages per day.  It
 always seems to be the most offensive porn and such that makes it
through.
 
 Here is an example of the source that get's through
 
 HTMLhtml
 body bgcolor=#FF
 p NOT mi/iatub/brei/i,
 ei/ixpei/irii/ienci/ied. NOT cheati/iing, on
 tb/bhe
 si/iii/ide. br
   b/bNOT flii/irtini/ig b/b- tb/bhi/iib/bs
is
 2003's finei/ist ai/ilb/btb/berb/bnab/btive
dating
 lifesb/btyli/ie b/bsoli/iuti/iioi/in
 wi/iiti/ih
   thoi/iui/isands oi/if hb/borb/bny
 housewiveb/bsi/i.br
   Ani/id i/iyob/bu, Yi/iES, Yb/bOi/iU,
i/ican
 gb/beb/bt ab/bccess to tb/bhi/ie
 b/bwhb/boi/ile di/iab/btab/bbai/ise of
 USA-b/blocb/bai/itei/id houi/isewib/bves
   whi/io'ri/ie in i/ifob/br
ab/bni/iytb/bhing
 -
 fb/bor onb/be bb/buckb/b!br
   HYLFb/b! Hb/bousewb/bivi/ies Youi/i'd Like
b/bto
 b/bFlb/birb/bt and Fi/iui/ick -
b/byeai/ih,
 b/byi/iou'd deb/bfinb/bii/itely wb/bant
   i/ito b/bdo thi/iat, i/iwhi/iy on Earb/bth
 i/iwoulb/bd you dab/bte, b/banywi/iays?/p
 p a
href=http://www.find-chat.com/cheating/wives.html;Clicb/bk
 here
 b/band pb/bab/by
   1$ tb/bo b/byb/bour ri/iow of gi/ilori/iious
 hob/busb/bei/iwife affairs!/a /p
 br
 br
 br
 br
 br
 br
 br
 br
 br
 pa href=http://www.a1hostingdirect.com/gone.html;b/bNo
 Morb/be
 Thanks/a/p
 /body
 /html/HTML
 
 Now, as you can see the trick here to fool spamassassin is the i and
b
 tags.  Would it be possible to make a rule or adjust the rules so the
 i/i scores high?  There is nothing inbetween and I'd have to say
 anyone
 sending messages like this is obviously a spammer.
 
 Mark
 
 
 
 ---
 This SF.net email is sponsored by: SF.net Giveback Program.
 Does SourceForge.net help you be more productive?  Does it
 help you create better code?   SHARE THE LOVE, and help us help
 YOU!  Click Here: http://sourceforge.net/donate/
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] 4c-2v-3c

2003-10-29 Thread Jennifer Wheeler 
 Do you really want to match punctuation and whitespace,
 because both of those will match [^aeiouy]?

Nope he doesn't...  that was my big bad.  Wasn't thinking.  Thx

Jennifer





---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] [RD] Open source is Naughty!!!

2003-10-29 Thread Jennifer Wheeler 
Someone suggested a range to me awhile back when I asked about this,
sorry I cant give props to whoever it was.  

/\bp[e3]n[\xCC-\xCF\xEC-\xEF][sz52]\b/i

Jennifer

 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:spamassassin-
 [EMAIL PROTECTED] On Behalf Of Martin Radford
 Sent: Wednesday, October 29, 2003 3:13 PM
 To: Antony Stone
 Cc: Spamassassin-Talk (E-mail)
 Subject: Re: [SAtalk] [RD] Open source is Naughty!!!
 
 At Wed Oct 29 19:33:00 2003, Antony Stone wrote:
 
  Rather than focusing on what you *don't* want to catch with this
  rule, how about concentrating on what you do want to catch?
 
  Obvious examples are covered by /pen[i1l]s/i - presumably not too
  many things need adding to the middle regex to match the strings
  you're interested in?
 
 There has been a lot of spam which matches this pattern:
 
   /\b[Pp]en\xEDs\b/
 
 \xED is a letter i with an acute accent, IIRC.
 
 Martin
 --
 Martin Radford  |   Only wimps use tape backup: _real_
 [EMAIL PROTECTED] | men just upload their important stuff
-o)
 Registered Linux user #9257 |  on ftp and let the rest of the world
/\\
 - see http://counter.li.org |   mirror it ;)  - Linus Torvalds
_\_V
 
 
 ---
 This SF.net email is sponsored by: SF.net Giveback Program.
 Does SourceForge.net help you be more productive?  Does it
 help you create better code?   SHARE THE LOVE, and help us help
 YOU!  Click Here: http://sourceforge.net/donate/
 ___
 Spamassassin-talk mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Moving SPAM to a separate Mailbox

2003-10-28 Thread Jennifer Wheeler 

 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

Sorry for the OT personal comment (sort of), but that *has* to be the
best email address I've ever seen!  Thanks for the smile.

Jennifer




---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Popcorn, Backhair, and Weeds

2003-10-15 Thread Jennifer Wheeler 
Ok, now I am in the light.  I think we are looking at this test from
different perspectives.

This is what I'm replying to here...

My original goal was to shorten the tests into fewer tests but I think
I found a way to shorten the tests into one test - bonus. :)

I am not in favor of reducing the rule set...  it was actually
intentional to have so many rules.  :)  I will explain why.  (you are
very welcome to change them, however, to best suits your needs.  I'm not
aruguing.)

I can't see a way to really shorten the test to one rule, without an
increased danger of hitting on real tags.  If it were just one rule,
then you would need to give it a very large score (because it would hit
just once in an email, although the entire source may be filled with
those tags)  Reducing the set to one rule takes away the power of the
set.

When I was thinking of an idea to bring down the new wave of spam filled
with these tags (aw lookie.  Someone wrote a new little spamming
program), I realized that since there are no longer any spammy words to
look for, and since there were not enough of the header rules violated
to score as sapm, these rules would have to match on patterns in the
source as if they were spammy words themselves.  So I intentionally made
the rules in a large set...idea being, look for many occurrences of
hidden garbage tags bracketed by the right pattern of
letters/spaces/...   to prevent fp-s and it it needs to occur many
times in order to give the thing a large score.

Now spammers only use the tag one time in an email, 
rem!-- missed me missed me --ove
...big deal.  There are enough other hits from words, phrases, methods
etc, to score it high, plus one more point from popcorn_33.  If they
litter the entire source with those tags, then it basically renders
useless most (if not all) of the looking-for-spammy-talk rules. In
this case, the popcorn, backhair or weeds set steps in and takes the
place of all the default or user defined rules that generally work in an
email written by the normal person.

With a mix of normally typed body/selectively inserted tags, the default
rules and the sets work together.  

I would think that one rule trying to accomplish the same could be
dangerous and would need a huge score to equal the scores popcorn (etc)
gives a spam, (making it even more dangerous.)  The Kung Fu comes from
the set, not just finding one of those tags.  The name, on a side note,
comes from those tags popping up randomly in the source and obliterating
identifiable spam lingo.

Just my opinion.  :)  

These rules are working so well, it would take a swat team to get me to
remove them from my config file.  (And even then I might go down with
the ship!)  I don't know if I would change them, other than what you and
keith have pointed out could be pared from the expression without
changing the meaning.

I would suggest using the rules as they are. (unless you are having a
problem with them in some way) Watch the source to see what adjustments
spammers make, because continuing 'as is' will buy their spam a massive
score.  We will need to add new but similar rules based on their next
move, which is why I compulsively read the source of every spam I can
get my hands on.  

I hope that clarifies my intent with those rules. :)
Jennifer

snip
 The rules you're working on look good to me.  I have a couple 
 questions though, I'm a little confused.  What score will you 
 be giving the rules? And are you just trying to reduce the 
 set to one rule?  Or are these suggestions for additional 
 rules to supplement the others?  I just would like a frame of 
 reference when I think about them.

I am starting by using 2 points per test.  My original goal was to
shorten
the tests into fewer tests but I think I found a way to shorten the
tests
into one test - bonus. :)  I have changed the test since my message.  I
had

  / \w{1,7}\/?[\w\W]{0,150}\w{1,7}/

This created some false positives in that it would literally catch
anything
between the first word and the last.  This would mean it would skip over
other legitimate tags until the test matched 'word'.  This was not
good.
So I changed it to:

  / \w{1,7}\/?[^]{0,150}\w{1,7}/

This one seems to be working well so far.  It will catch any normal and
funky stuff within the tags but makes sure it will not run over any
subsequent tags.

The second rule:

  /!?-?-? ?\w{7,} ?-?-?/

Is just pattern matching and really reinforces the above test in a
subset of
spam messages the the above will match.

snip





---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Popcorn, Backhair, and Weeds

2003-10-15 Thread Jennifer Wheeler 
(oops.  Sorry Mike, I replied off list)

Chris S. now has them on his site in a nice little file.  Midway down
the page.

http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm  

They are also still on http://spamhammers.nxtek.net  with a little
explanation, but you will need to copy paste there.  :)

Jennifer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike
Schrauder
Sent: Wednesday, October 15, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds

where do I get the most up-to-date copy of PBW?

Mike S


 -Original Message-
 From: Jennifer Wheeler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 15, 2003 11:45 AM
 To: 'Larry Gilson'; [EMAIL PROTECTED]
 Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds
 
 
 Ok, now I am in the light.  I think we are looking at this test from
 different perspectives.
 
 This is what I'm replying to here...
 
 My original goal was to shorten the tests into fewer tests 
 but I think
 I found a way to shorten the tests into one test - bonus. :)
 
 I am not in favor of reducing the rule set...  it was actually
 intentional to have so many rules.  :)  I will explain why.  (you are
 very welcome to change them, however, to best suits your 
 needs.  I'm not
 aruguing.)
 
 I can't see a way to really shorten the test to one rule, without an
 increased danger of hitting on real tags.  If it were just one rule,
 then you would need to give it a very large score (because it 
 would hit
 just once in an email, although the entire source may be filled with
 those tags)  Reducing the set to one rule takes away the power of the
 set.
 
 When I was thinking of an idea to bring down the new wave of 
 spam filled
 with these tags (aw lookie.  Someone wrote a new little spamming
 program), I realized that since there are no longer any 
 spammy words to
 look for, and since there were not enough of the header rules violated
 to score as sapm, these rules would have to match on patterns in the
 source as if they were spammy words themselves.  So I 
 intentionally made
 the rules in a large set...idea being, look for many occurrences of
 hidden garbage tags bracketed by the right pattern of
 letters/spaces/...   to prevent fp-s and it it needs to occur many
 times in order to give the thing a large score.
 
 Now spammers only use the tag one time in an email, 
 rem!-- missed me missed me --ove
 ...big deal.  There are enough other hits from words, phrases, methods
 etc, to score it high, plus one more point from popcorn_33.  If they
 litter the entire source with those tags, then it basically renders
 useless most (if not all) of the looking-for-spammy-talk rules. In
 this case, the popcorn, backhair or weeds set steps in and takes the
 place of all the default or user defined rules that generally 
 work in an
 email written by the normal person.
 
 With a mix of normally typed body/selectively inserted tags, 
 the default
 rules and the sets work together.  
 
 I would think that one rule trying to accomplish the same could be
 dangerous and would need a huge score to equal the scores 
 popcorn (etc)
 gives a spam, (making it even more dangerous.)  The Kung Fu comes from
 the set, not just finding one of those tags.  The name, on a 
 side note,
 comes from those tags popping up randomly in the source and 
 obliterating
 identifiable spam lingo.
 
 Just my opinion.  :)  
 
 These rules are working so well, it would take a swat team to 
 get me to
 remove them from my config file.  (And even then I might go down with
 the ship!)  I don't know if I would change them, other than 
 what you and
 keith have pointed out could be pared from the expression without
 changing the meaning.
 
 I would suggest using the rules as they are. (unless you are having a
 problem with them in some way) Watch the source to see what 
 adjustments
 spammers make, because continuing 'as is' will buy their spam 
 a massive
 score.  We will need to add new but similar rules based on their next
 move, which is why I compulsively read the source of every spam I can
 get my hands on.  
 
 I hope that clarifies my intent with those rules. :)
 Jennifer
 
 snip
  The rules you're working on look good to me.  I have a couple 
  questions though, I'm a little confused.  What score will you 
  be giving the rules? And are you just trying to reduce the 
  set to one rule?  Or are these suggestions for additional 
  rules to supplement the others?  I just would like a frame of 
  reference when I think about them.
 
 I am starting by using 2 points per test.  My original goal was to
 shorten
 the tests into fewer tests but I think I found a way to shorten the
 tests
 into one test - bonus. :)  I have changed the test since my 
 message.  I
 had
 
   / \w{1,7}\/?[\w\W]{0,150}\w{1,7}/
 
 This created some false positives in that it would literally catch
 anything
 between the first word and the last.  This would mean it 
 would

RE: [SAtalk] Popcorn, Backhair, and Weeds

2003-10-15 Thread Jennifer Wheeler 
I just noticed something else Chris  :)   ...sorry!  I believe you have
the rules on your site as they stood before Keith took out the garbage.
They still work as you have them... so don't panic!  I used them that
way for about a month.  The Tidied up version are still on
http://spamhammers.nxtek.net if you feel like changing the set you have.
Same rules, just cleaner.  (as if you haven't messed with the darned
things enough!!)

Did your day just go from worse to carnage?

I've noticed that, although these are still hitting like badgers, it
seems there is less use of this tag-in-the-middle game than when I first
started using them.

Jennifer


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Chris Santerre
Sent: Wednesday, October 15, 2003 3:17 PM
To: 'Larry Rosenman'
Cc: Spamassassin-Talk (E-mail)
Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds

Oh then I do have it right. I saved them ANSI + UNIX and just dropped
them
into the ftp. However popcorn wasn't resaved until around 3 pm EST
today. 

but wget and lynx -source seem to work best for others. 

Thanks for helping! 

 -Original Message-
 From: Larry Rosenman [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 15, 2003 3:58 PM
 To: Chris Santerre
 Cc: Spamassassin-Talk (E-mail)
 Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds
 
 
 the others were fine.
 
 should ascii, with unix line-ends.
 
 If you are doing FTP, type ASCII as the type if you
 are coming from a M$ environment.
 
 LER
 
 
 --On Wednesday, October 15, 2003 15:46:53 -0400 Chris Santerre 
 [EMAIL PROTECTED] wrote:
 
  ARGH What should the encoding be: ANSI, DOS, or UTF-8?
 
  IT could be the way I'm ftping it? WHy is something so simple so
  difficult. Oh wait, because I'm doing it! ;)
 
  Chris
 
 
  -Original Message-
  From: Larry Rosenman [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, October 15, 2003 3:22 PM
  To: Chris Santerre
  Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds
 
 
  FYI, the popcorn.cf file on your site has DOS linends.
 
  LER
 
 
  --On Wednesday, October 15, 2003 14:43:28 -0400 Chris Santerre
  [EMAIL PROTECTED] wrote:
 
  
  
   -Original Message-
   From: Ray Dzek [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, October 15, 2003 1:58 PM
   To: [EMAIL PROTECTED]
   Subject: Re: [SAtalk] Popcorn, Backhair, and Weeds
  
  
   Okay .. silly question then...
  
   Do you just copy the evilrules.cf to /etc/mail/spamassassin
   and restart SA
   and then SA will just process whatever .cf files are in the
   folder?  Or do I
   cat that to the local.cf file?
  
  
   You just be able to place in the /etc/mail/spamassassin
  folder and restart
   spamd.
  
   ALWAYS run 'spamassassin -d --lint' before restarting. If
  you get no news,
   it is good news.
  
   Sometimes there may be word wraps or hidden characters.
  I've worked to
   resolve that. But apparently how you get the file also makes a
   difference. I never knew the lynx -dump put and newline after 80
   characters!!
  
   I just made sure popcorn rules were saved in UNIX format.
  
   HTH
  
   Chris Santerre
  
  
   ---
   This SF.net email is sponsored by: SF.net Giveback Program.
   SourceForge.net hosts over 70,000 Open Source Projects.
   See the people who have HELPED US provide better services:
   Click here: http://sourceforge.net/supporters.php
   ___
   Spamassassin-talk mailing list
   [EMAIL PROTECTED]
   https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
  
 
 
 
  --
  Larry Rosenman http://www.lerctr.org/~ler
  Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
  US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
 
 
 
 
 -- 
 Larry Rosenman http://www.lerctr.org/~ler
 Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
 US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Fan Mail!!! LOL We shut one down!

2003-10-14 Thread Jennifer Wheeler 
I'm glad you like.  :)  I'm still a little taken aback by them.  They've
been almost too good to be true.  I'm working on a couple rules to fill
the holes.  I've already noticed a few changes they've made to their
technique (to no avail so far), and they seem to be working as I told
Larry.  I'll letcha know after I test them.  

No nasty letters here.  I just block and don't report spammers.  ...you
know...low profile and all  ;)

Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Chris Santerre
Sent: Tuesday, October 14, 2003 10:19 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Fan Mail!!! LOL We shut one down!

Did anyone else get a nasty email this morning? I did! This weekend
ROCKED
for my SA config. Jennifer, if you were here I'd kiss you and the deaf
cat
;) Your rules bring a huge smile to my logs! Now check out this fan
mail:


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Too many rules?

2003-10-14 Thread Jennifer Wheeler 
How much bandwidth / month does it average??

Jennifer

I don't have ftp running on the server. I was actually going to see if
anyone wanted to mirror my site, or just the files. I think
distributing the lists to another site is a good idea. Any takers for
mirroring?

--Chris

 -Original Message-
 From: Robert Leonard III [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 14, 2003 10:48 AM
 To: Chris Santerre
 Subject: Re: [SAtalk] Too many rules?
 
 
 Okay, well it must be something else then.. actually the 
 evilrules.cf are
 the ones that wont --lint and seem to cause the system to 
 freeze.. my guess
 is that they somehow get hidden characters when I save them 
 down.  My linux
 box only has 'lynx' so I visit your rules via http and then 
 Save to disk
 the rules.. I'll have to try and get them another way... do 
 you have ftp
 running with the current version anyplace?
 
 Thanks Chris!
 - Original Message - 
 From: Chris Santerre [EMAIL PROTECTED]
 To: 'Robert Leonard III' [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Tuesday, October 14, 2003 7:44 AM
 Subject: RE: [SAtalk] Too many rules?
 
 
  Well, all I can tell you is what I'm running. 266 mhz, 64 
 megs ram, and
  probably around 3000 rules. Yup, I'll get an exact count 
 later. But I test
  and run all the great rules people send me for the 
 emporium. I am using
  spamd and I think you will see a bug difference there.
 
  The system runs nothing else. Nothing. No telnetd, no ftp, 
 no local users,
  ect I have to get up off my butt and walk to the 
 computer room on all
 my
  servers. Nice and secure ;)
 
  I haven't had a single crash, but no load isn't that great.
 
  HTH
 
  Chris Santerre
 
   -Original Message-
   From: Robert Leonard III [mailto:[EMAIL PROTECTED]
   Sent: Saturday, October 11, 2003 11:09 PM
   To: [EMAIL PROTECTED]
   Subject: [SAtalk] Too many rules?
  
  
   I've been playing with and implementing a lot of the rules I
   have found that
   many of you have contributed.. They have worked wonders for
   my system..
   However When I implemented the gigantic evilrules.cf,
   they worked great
   for about an hour.. Then the whole server went into such a
   slow mode that I
   had to do a hard reboot just to get it back.. It wasn't dead,
   but just so
   bogged down that it couldn't function.  My SA box is NOT a
   superPC.. It's a
   leftover from the closet.. So..
  
   Can implementing too many rules, slow down the machine to the
   point of near
   stoppage?  Is this something that perhaps more RAM could
   help?  I'm not in a
   position to replace the whole PC yet, but I can, perhaps,
   beef up it's ram..
  
   Ahh.. If only I had all the time and money I needed :)
  
   Thanks again all!
  
  
  
  
   ---
   This SF.net email is sponsored by: SF.net Giveback Program.
   SourceForge.net hosts over 70,000 Open Source Projects.
   See the people who have HELPED US provide better services:
   Click here: http://sourceforge.net/supporters.php
   ___
   Spamassassin-talk mailing list
   [EMAIL PROTECTED]
   https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
  
 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Fan Mail!!! LOL We shut one down!

2003-10-14 Thread Jennifer Wheeler 
Yes  :)  http://spamhammers.nxtek.net  

They will be here until Chris does his site update, and then you can
find them on his Rule Emporium site.

Jennifer

-Original Message-
From: Terry Shows [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 14, 2003 11:59 AM
To: Jennifer Wheeler
Subject: RE: [SAtalk] Fan Mail!!! LOL We shut one down!

Jennifer,

Do you have your new rules posted anywhere so that we can pick them up
without having to search back through the emails?? From what I have been
reading, you seem to be on to something exciting!

Terry Shows


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Jennifer Wheeler
Sent: Tuesday, October 14, 2003 11:40 AM
To: 'Chris Santerre'; 'Spamassassin-Talk (E-mail)'
Subject: RE: [SAtalk] Fan Mail!!! LOL We shut one down!


I'm glad you like.  :)  I'm still a little taken aback by them.  They've
been almost too good to be true.  I'm working on a couple rules to fill
the holes.  I've already noticed a few changes they've made to their
technique (to no avail so far), and they seem to be working as I told
Larry.  I'll letcha know after I test them.

No nasty letters here.  I just block and don't report spammers.  ...you
know...low profile and all  ;)

Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Chris Santerre
Sent: Tuesday, October 14, 2003 10:19 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Fan Mail!!! LOL We shut one down!

Did anyone else get a nasty email this morning? I did! This weekend
ROCKED
for my SA config. Jennifer, if you were here I'd kiss you and the deaf
cat
;) Your rules bring a huge smile to my logs! Now check out this fan
mail:


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Fan Mail!!! LOL We shut one down!

2003-10-14 Thread Jennifer Wheeler 
Congrats!  :)  ...I'm thinking now he wishes he hadn't written you the
Love Letter.  Your EEEee-vil rules are strong!

Jennifer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Chris Santerre
Sent: Tuesday, October 14, 2003 2:01 PM
To: Spamassassin-Talk (E-mail)
Subject: RE: [SAtalk] Fan Mail!!! LOL We shut one down!

UPDATE! 

I just got off the phone with UPENN.edu! Apparently we have our boy. I
think
his name is Brian. He has had known issues from the past, and they were
already in the process of dealing with the older ones. However I don't
think
he will get what he deserves. Why wouldn't they have shut him off
already?
He obviously broke there Usage policy, I read it! 

Dave at UPENN ISC was quite nice to deal with. They also implemented SA
a
few months ago for the campus!!! Hoooray! Probably 2.55 b. :-) 

Unfortunetly, that is probably the last I'll here of it. Unless someone
on
this list goes to UPENN ;)

--Chris Happy dude Santerre


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Popcorn, Backhair, and Weeds

2003-10-11 Thread Jennifer Wheeler 
I don't mind at all that you're scrutinizing the rules  :)  i would love
it if someone wants to improve them.

 Each of the words use \w{#}? So if you have \w{5}? You would be saying
either 0 or 5 occurrences of [a-zA-Z0-9_].

From what I understand, placing a ? after {n} does not mean match 0 or
more times in this format.  {n}? just increases the gravity of matching
something exactly n times, and stop trying to match.  So that segment
matches exactly 5 letters before the hidden tag.  Someone correct me if
I'm wrong.

 So is it possible that you would
encounter a situation in which you would find:

0 word - tag - 0 word

htmlbody bgcolor=#FFcenter
The match would be on center:

not that I've seen.  It's looking for  or space, then some letters ({n}?
exactly n) then tag, so that wont match.  It wont match on center
because the \w{5}? is matching {5 letters before a }!-- meaningless
letters to obscure a word like the v word --{ and 1-7 letters following}
the tag then space or period etc.

Each rule hits just one occurrence of an obscured word.  The reason I
split them up into so many rules is that I like to raise scores
cautiously.  I was just trying to avoid false positives by hitting many
occurrences with low scores rather than one large score.  Not sure if my
thinking is valid.

 I encountered a false positive (on a variant of your rules) as I tried to
reduce the number of tests down to one.  The result was as follows:
  /(\|\s)\w{0,7}\\/?\s?[\w\s]{6,75}\/?\s?\\w{0,7}(\s|\W|\)/

I think I need to change from \w{0,7} to \w{1,7}; ..

if you are only wanting to use one popcorn rule and give it a higher
score, then yes, you could change the range on both sides of the hidden
tag to \w{1,7} leaving the rest of the expression intact.  I didn't test
it but I think that should work.  In that case, you could probably just up
the obfu comment rule in default spamassassin.  I haven't looked at it to
see if it's looking for the same as these.  I just prefer smaller scores
for rules.  Your idea is good though, because there have been a few
occasions when they only use the hidden tag in the remove me link so that
would boost it nicely if it had a hefty score.  Up to this point, in those
cases, there was enough scoring from the rest of the rules in
spamassassin, these just boosted it higher.   In my case, i might just end
up leaving these rules low and boosting the default rule (i trust those
rules more than mine!)

 One last question.  Are any of the upper limits necessary?  Spammers may
just want to keep uping the limit.  Would it be beneficial to modify
[\w\s]{6,150} to [\w\s]{6,}; etc.?

Nah, the upper limits are not necessary... and you're probably right.  I
set them because I read that not setting an upper limit eats up more
memory. I don't know by how much, I was just being cautious and they were
working well in this range.  If they start increasing the amount of
garbage, you could up that range, or just do as you say and not set an
upper limit. {n,} or maybe even empty tag.

 Overall, the rules are a great addition and have been helping a
tremendously.  I hope you do not find me overbearing by picking at the
rules.  I think they are great and that is why I am spending some time
with them.  Thanks again!

Not at all!!  :)  Like I said, I'm new to this and I basically just work
these like a puzzle until they do what I want.  I feel a little awkward
answering questions when there are so many people on this list far more
qualified!!  Someone jump in if I'm on pluto!

I'm glad they're working out for you!  Let me know if you come up with
some killer variation.  I'm sure they'll need to be modified as spammers
vary their techniques.

Thanks for the input,
Jennifer


Regards,
Larry


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Gilson
Sent: Friday, October 10, 2003 1:41 PM
To: 'Spamassassin-Talk (E-mail)'
Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds

Hi again Jennifer!  I have another question.  Both the BACKCHAIR and POPCORN
rules have the following format:

word - tag - word
/(\|\s)\w{5}?\\/?\s?[\w\s]{6,150}\/?\s?\\w{5}?(\s|\W|\)/

Each of the words use \w{#}? So if you have \w{5}? You would be saying
either 0 or 5 occurrences of [a-zA-Z0-9_].  So is it possible that you would
encounter a situation in which you would find:

0 word - tag - 0 word

If so, each rule could hit for only one occurrence.  I think the following
could produce this affect:

htmlbody bgcolor=#FFcenter
The match would be on center:
   /\\\w{6}\\s/
Or would [\n\r] be stripped?

   or

PCENTERSMALL
The match would be on center also:
   /\\\w{6}\\/


My thinking may be incorrect so please correct me if I am wrong.  I
encountered a false positive (on a variant of your rules) as I tried to
reduce the number of tests down to one.  The result was as follows:

/(\|\s)\w{0,7}\\/?\s?[\w\s]{6,75}\/?\s?\\w{0,7}(\s|\W|\)/

I think I need to change from \w{0,7} to \w{1,7}; or [\w\s]{6,75} to

RE: [SAtalk] Popcorn, Backhair, and Weeds

2003-10-11 Thread Jennifer Wheeler 
Hi Keith,

Au contraire.  That is exactly it.  That explanation was beautiful! ( I
long for your brain.  :)  )  Thank you for taking the time to make that so
clear!

The rules actually work, but I suspected they were filled with garbage. 
Thanks for cleaning them up!  I'll put your shorn version on the page. 
http://spamhammers.nxtek.net  Maybe you could peek at them and get a
better idea of what we're trying to do.  There are examples of what they
match (which is what you describe below other than the range larry
changed) ...littered hidden tags in the body.  And they add up in spam. 
The problem Larry is working on is one I couldn't figure out when I
wrote these abominations. Which is this...

I didn't know how to match '[\w\s]{,150}' ,the 'hidden junk tag obscuring
the word' and miss legitimate tags such as b,li or any other tag up
to 6 letters.  I was afraid of FPs if I didn't set that high enough.  As
it is, it hits on center but scores low enough that I settled on that
hit just to catch more occurrences.

A second question I have is how to include all the characters they mix
into the junk tag such as 'g$b', without breaking the rule.  I tried \S
in my ignorance, and realized it would hit on later hidden tags before it
stopped matching.  I only saw the rules hitting on spams (written that
way) but they were, in my opinion, out of control and I didn't wait to
find out if they hit ham as well. I changed them back and settled for what
I had.

Third and final... it seems to me that the two sets (popcorn and backhair)
could be combined into one ruleset by someone who understands this better
than I do, which is most likely any creature that has the ability to
manipulate a keyboard.  I tried to combine them, but decided to go ahead
and post them since they do work as is.  This doesn't matter to me really.
 I made the second set only because I couldn't figure out any other way to
match both examples in that link.

The rules work great, but I would love it if you or someone else could
tweak them to match smaller tags (like in the following) and miss real
tags.

No nek$hed tk^to dreak$tm...you can now bexkvpankv$dd
youk-lr johnkgson up tz*lo 3 inibchk$jek$as

And if not, that is okay too.  I'm satisfied with what they're giving me
now.  I only posted these at the urging of a friend and after seeing how
much they were helping out with a sudden boatload of spam breezing
through.

The link above may shed more light if I didn't make this clear and you
would like to see the set.

Thanks again for the great explanation!!  wow
Jennifer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith
C. Ivey
Sent: Saturday, October 11, 2003 5:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Popcorn, Backhair, and Weeds

Larry Gilson [EMAIL PROTECTED] wrote:

 I had the following HTML tag OBFU rule (variant of yours):
   /(\|\s)\w{1,5}?\\/?\s?[\w\s]{6,150}\/?\s?\\w{1,7}?(\s|\W|\)/

There's a lot of clutter in that that makes it harder to
follow.  Let's try paring it down.  First, '' and '' are not
special on their own in regexes, so there's no need to
backslash them:

/(|\s)\w{1,5}?\/?\s?[\w\s]{6,150}\/?\s?\w{1,7}?(\s|\W|)/

When you have an alternation -- something like '(a|b|c)' --
where all the alternatives are single characters, it's better
to write it as a character class -- something like '[abc]'.
Also, '\s' and '' are both included in '\W', so that last
alternation is equivalent to just '\W':

/[\s]\w{1,5}?\/?\s?[\w\s]{6,150}\/?\s?\w{1,7}?\W/

Now, nongreedy matching serves no purpose when the thing
following it can't be matched by the thing being repeated.  In
this case you have '\w{1,5}?' followed by '', but '' can't
match '\w', so there's no difference between greedy and
nongreedy matching there.  The matching for the series of '\w'
characters has to go all the way to the '' -- it can't stop
short.  Similarly, the '\W' at the end can never match the '\w'
preceding it, so that '?' is also pointless:

/[\s]\w{1,5}\/?\s?[\w\s]{6,150}\/?\s?\w{1,7}\W/

That regex is equivalent to your original one, and may help you
see better why it's not matching as you expect.  It's looking
for

   a '' or whitespace character (space, tab, carriage return,
  line feed, form feed),
   followed by 1 to 5 word characters (letters, numbers, and
  underscores),
   followed by '',
   followed by an optional '/',
   followed by an optional single whitespace character,
   followed by 6 to 150 word or whitespace characters,
   followed by an optional '/',
   followed by an optional single whitespace character,
   followed by '',
   followed by 1 to 7 word characters,
   followed by a nonword character (anything other than
  letters, numbers, and underscore).

I'm not clear on what you want to match, but that's probably
not it.

-- 
Keith C. Ivey [EMAIL PROTECTED]
Washington, DC



---
This SF.net email is sponsored by: SF.net Giveback

RE: [SAtalk] Catching Lots of Remarks in HTML Messages

2003-10-10 Thread Jennifer Wheeler 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Robert Wagner
Sent: Thursday, October 09, 2003 9:15 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Catching Lots of Remarks in HTML Messages

We seem to be getting more messages like:
G!-- bereave --I!-- catechism --RL!-- increment --S T!--
firestone
--HA!-- arrowhead --T RE!-- nowaday --

I was curious if Spamassassin would catch these with a rule like:

body LOTS_REMARKS   /\b!-- /w+ --\b/i
describe LOTS_REMARKS   HTML Lots of Remarks !-- ###
--

The other question is- Are the rules additive?  Such that it would
score a
point for each remark.  So I can put the score low, and after 10 remarks
it
would pass the limit.

score LOTS_REMARKS   .5
_

These are additive if you don't like to crank up the scores on single
rules and prefer lots of smaller hits to bump spam up.  Sorry, I posted
them in a new thread and you might have missed them.

http://spamhammers.nxtek.net/ 

Jennifer
(chris has me all worried now about top and bottom posting!)

---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Phrases I have modified....

2003-10-09 Thread Jennifer Wheeler 
Summoning the hermit out of her cave huh?  ;)  yeah I'll give a hand.  

-Original Message-
From: Chris Santerre [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 09, 2003 9:40 AM
To: 'VonEssen, John'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Phrases I have modified

I have some notes on these as well. I think it would be great to put on
the
wiki! Or maybe I'll just make a separate cf file on remove me phrases.
I'll try to get that started today. I am s far behind in work it
isn't
funny. However I did get to go to a great sushi bar in Manhattan
yesterday!
;)

The only problem is not tagging legit unsubscribe phrases. I have some
rules
on things like unsub.gif already. I haven't got a chance to update the
emporium in a while. 

Jen W. would you like to help me on these?

I've actually had a spam say no more of this shit as a phrase! 

--Chris Santerre

 -Original Message-
 From: VonEssen, John [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 08, 2003 2:13 PM
 To: [EMAIL PROTECTED]
 Subject: [SAtalk] Phrases I have modified
 
 
 Just food for thought for the next release...
 
 I have been seeing more and more spam using different phrases for
 remove me phrases.
 
 Some use the work cease:
 
 Cease offer(s)
 Cease update(s)
 Cease email
 Cease mailing(s)
 
 
 John
 



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Popcorn, Backhair, and Weeds

2003-10-09 Thread Jennifer Wheeler 
Chris S. is going to be posting these on his site when he gets time, and
I believe he was also waiting on my tweaks.  I have tweaked to the best
of my ability, which is scarce.  :)  I will post these now since there
was some discussion on catching tidal waves of hidden tags obscuring
known spam words and phrases.  If you can improve on these, please let
me know.  I've been using these for about 3 weeks and they are kicking
boo-tay.

Thanks Chris for your input!

Sit back, tail your mail log, and watch the show.  :)  It's rather
humorous.

(wow I probably just bought a bucket load of spam.  Good material for
more rules!)

http://spamhammers.nxtek.net 

Jennifer



---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Help Unblacklisting RBL

2003-09-17 Thread Jennifer Wheeler 

 what am i doing wrong here?  I am trying to unblacklist an address
 getting tagged by Infinite-Monkeys.

***
1. unblacklist_from is used to de-blacklist a SpamAssassin blacklist
   (which is defined using the blacklist_from option)

I understand this now. Thank you.

2. If you don't want to use Monkeys...

I do want to continue to use Monkeys.

3. If you want to avoid marking a domain's messages as spam, regardless
   of why they are marked as spam, use whitelist_from.

This is what I did before I realized the spam tag came from monkeys
rather than score.  They didn't even break our threshold.  Here is the
section of the header.  

NxTek-MailScan-SpamCheck: spam, Infinite-Monkeys, 
SpamAssassin (score=-99.3,
required 6.4, NO_REAL_NAME 1.15, USER_IN_WHITELIST
-100.00,
X_AUTH_WARNING -0.40)

So whitelisting doesn't seem to be the answer in this case.

I shall read more and see if I can figure this thing out. Mayhaps the
person who requested this can live with the spam tag. I appreciate your
help though.  Thanks.  

Jennifer



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Help Unblacklisting RBL

2003-09-17 Thread Jennifer Wheeler 
Good lord I'm an idiot!  It's MailScanner that is using the infinite
monkeys check, not SpamAssassin. I just double checked after you pointed
this out.  Thank You!!

Jennifer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Patrick Morris
Sent: Wednesday, September 17, 2003 11:35 AM
To: Jennifer Wheeler
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Help Unblacklisting RBL

Nope -- it's got nothing to do with SpamAssassin at all, so no amount of

whitelisting it in SA will help you.  You need to whitelist it in the 
software that's actually marking it as spam.

Jennifer Wheeler wrote:

what am i doing wrong here?  I am trying to unblacklist an address
getting tagged by Infinite-Monkeys.
  


***
  

1. unblacklist_from is used to de-blacklist a SpamAssassin blacklist
  (which is defined using the blacklist_from option)



I understand this now. Thank you.

  

2. If you don't want to use Monkeys...



I do want to continue to use Monkeys.

  

3. If you want to avoid marking a domain's messages as spam,
regardless
  of why they are marked as spam, use whitelist_from.



This is what I did before I realized the spam tag came from monkeys
rather than score.  They didn't even break our threshold.  Here is the
section of the header.  

   NxTek-MailScan-SpamCheck: spam, Infinite-Monkeys, 
   SpamAssassin (score=-99.3,
   required 6.4, NO_REAL_NAME 1.15, USER_IN_WHITELIST
-100.00,
   X_AUTH_WARNING -0.40)

So whitelisting doesn't seem to be the answer in this case.

I shall read more and see if I can figure this thing out. Mayhaps the
person who requested this can live with the spam tag. I appreciate your
help though.  Thanks.  

Jennifer



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
  






---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Help Unblacklisting RBL

2003-09-16 Thread Jennifer Wheeler 
what am i doing wrong here?  I am trying to unblacklist an address
getting tagged by Infinite-Monkeys.

using spamassassin 2.55

i put the following line in /etc/mail/spamassassin/local.cf with all my
other rules and whitelisted addresses (all work fine)  but this will not
work...

unblacklist_from [EMAIL PROTECTED]
unblacklist_from [EMAIL PROTECTED] 

I looked in the manual and it looks to me like i did it right.  here was
what it says...
   unblacklist_from [EMAIL PROTECTED]
   Used to override a default blacklist_from entry, so for
example a
   distribution blacklist_from can be overriden in a local.cf
file, or
   an individual user can override a blacklist_from entry in
their own
   user_prefs file.

   e.g.

 unblacklist_from [EMAIL PROTECTED] [EMAIL PROTECTED]
 unblacklist_from [EMAIL PROTECTED]

...which looks to me like this is what i need to do to let this through,
as whitelisting would just give it a mondo negative, but InfiniteMonkeys
smacks it down.  I dont want to stop using them though.  ...love 'em.

Is there some other setting somewhere that might be affecting this?
Any help would be appreciated.  Thanks
Jennifer



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Help Unblacklisting RBL

2003-09-16 Thread Jennifer Wheeler 
I completely agree with your opinion about the open proxy biz.  I'll see
if we can get them to take care of that on their end.  In the meantime,
I've been asked to get these particular emails through to us without a
spam tag  :)  I'm just having trouble accomplishing that. (and have had
to fight to keep using rbls)  thanks tho for explaining the unblacklist
deal, i misunderstood that. 

Whitelisting would be fine with me, but when i tried that (first thing i
tried), it still got a spam tag.  negative score, but gets tagged
because of the rbl.  I dont know if there is a rule for tagging or not
based on rbl.  ?? I would go for that if that were my only option.  (i
like that monkeys tags it if they sneak one under the radar). 

thanks!
jennifer 

 what am i doing wrong here?  I am trying to unblacklist an address 
 getting tagged by Infinite-Monkeys.

 using spamassassin 2.55

 i put the following line in /etc/mail/spamassassin/local.cf with all 
 my other rules and whitelisted addresses (all work fine)  but this 
 will not work...

 unblacklist_from [EMAIL PROTECTED]
 unblacklist_from [EMAIL PROTECTED]

You're sure you don't want whitelist_from_rcvd or something like that?

If I'm reading the man page for Mail:SpamAssassin::Conf correctly,
unblacklist_from only works if you've previously manually blacklisted an
entity or network, such as:

  blacklist_from [EMAIL PROTECTED]
  blacklist_from [EMAIL PROTECTED]
  unblacklist_from [EMAIL PROTECTED]
  unblacklist_from [EMAIL PROTECTED]

unblacklist_from should have no effect on entries in DNSBLs like
proxies.relays.monkeys.com.

The longer-term (and hence, more difficult) solution is to help the
admin of the machine listed in proxies.relays.monkeys.com secure their
open proxy so they are no longer (justifiably) blacklisted. Whitelisting
systems listed in open proxy DNSBLs should be a temporary triage-style
fix until the proxy can be locked down.

-- Bob



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf ___
Spamassassin-talk mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Hebrew i ?? male organ spam

2003-07-30 Thread Jennifer Wheeler 
this is exactly what I was looking for.  Thank you for pointing me in
the right direction!  However, I'm still unable to make it work.  When
you pointed out the hex representation to me, it turned on the light and
now I know I can paste those characters in multi edit and look at it in
hex mode if I'm not exactly sure what a character is.  This one is ED
as you said.  So here are the things I have tried, nothing works, so I
am doing something wrong.  Perhaps I should give in to the tricky
spamsters and let this go but I hate to do that.

*I tried this based on what Justin said
/pen[\xCC-\xCF\xEC-\xEF]s|p3n[\xCC-\xCF\xEC-\xEF]s/

and as david suggested I tried it with just the character in question

/\í/

/\xED/

none of these are picking it up.  Wondering if I am formatting this
wrong.

jennifer


___
If you use backslashed escape codes it should work -- e.g.

man iso_8859_1

notes these i chars:

314 204 CC  CCLATIN CAPITAL LETTER I WITH GRAVE
315 205 CD  CDLATIN CAPITAL LETTER I WITH ACUTE
316 206 CE  CELATIN CAPITAL LETTER I WITH CIRCUMFLEX
317 207 CF  CFLATIN CAPITAL LETTER I WITH DIAERESIS
354 236 EC  ECLATIN SMALL LETTER I WITH GRAVE
355 237 ED  EDLATIN SMALL LETTER I WITH ACUTE
356 238 EE  EELATIN SMALL LETTER I WITH CIRCUMFLEX
357 239 EF  EFLATIN SMALL LETTER I WITH DIAERESIS

so [\xCC-\xCF\xEC-\xEF] should catch all those.  (in ISO-8859
charsets at least.)  Basically, \xNN where NN is the hex representation.

--j.



---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Hebrew i ?? male organ spam

2003-07-29 Thread Jennifer Wheeler 
Has anyone made a rule using what appears to be a Hebrew letter I?
í
I wanted to add it to my male organ rule, but spamassassin doesn't
seem to recognize it.  I did a search in the /spamassassin/languages
file and didn't see í in there.  i would have thought it would have
been with 
0 he.iso-8859-8but I'm just guessing here.  I don’t know much about
that file, I just thought to look there and I assume that must be
categorizing languages for spamassassin.  Can this be edited, as in add
that í in there??  I'm sorry, I'm very new to this stuff.

Here is the word I wanted to grab ...
Penís

And í is the only character that won't work in this rule...
/p3n(i|\||1|l|í)s|pen(\||1|l|í)s/i

thanks,
Jennifer

...My first post and I'm using such language!!  oy



---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Hebrew i ?? male organ spam

2003-07-29 Thread Jennifer Wheeler 
Actually ya got me...  I found it by doing a search and found it on a
bunch of Israeli sites, and in more searching, found it in the hebrew
character set 
http://www.gar.no/home/mats/8859-8.htm search for hebrew mem and you
will see it.  An i but the dot in the i is a backwards `.

I got it in a very generic spam that scored a 4.8.  Ours is set to 6.4.
I just wanted to be able to set that rule to grab those in the future.
I've seen it used a lot in other spams as well.

-Original Message-
From: Dave Stern - Former Rocket Scientist [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2003 11:53 AM
To: Jennifer Wheeler
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Hebrew i ?? male organ spam

On Tue, 29 Jul 2003, Jennifer Wheeler wrote:

 Has anyone made a rule using what appears to be a Hebrew letter I?
 í
 I wanted to add it to my male organ rule, but spamassassin doesn't
 seem to recognize it.  I did a search in the /spamassassin/languages
 file and didn't see í in there.  i would have thought it would have
 been with
 0 he.iso-8859-8but I'm just guessing here.  I don’t know much
about
 that file, I just thought to look there and I assume that must be
 categorizing languages for spamassassin.  Can this be edited, as in
add
 that í in there??  I'm sorry, I'm very new to this stuff.

 Here is the word I wanted to grab ...
 Penís

 And í is the only character that won't work in this rule...
 /p3n(i|\||1|l|í)s|pen(\||1|l|í)s/i


What the heck is a hebrew i?

How about in user_prefs or local rules
ok_locales  en

ie only allow english ascii

 =-=-=-=-=-=-=-=-=-=-=-=-  generated by /dev/dave
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 David SternUniversity of
Maryland
Institute for Advanced Computer Studies



---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Hebrew i ?? male organ spam

2003-07-29 Thread Jennifer Wheeler 

Thanks for the suggestion David, but we can't allow only English.  We're
running this on a server with international clients.  Guess I should
have mentioned that.  :)


-Original Message-
 Subject: Re: [SAtalk] Hebrew i ?? male organ spam

 And í is the only character that won't work in this rule...
 /p3n(i|\||1|l|í)s|pen(\||1|l|í)s/i


What the heck is a hebrew i?

How about in user_prefs or local rules
ok_locales  en

ie only allow english ascii

 =-=-=-=-=-=-=-=-=-=-=-=-  generated by /dev/dave
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 David SternUniversity of
Maryland
Institute for Advanced Computer Studies



---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01
/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk