google group spam

2009-03-29 Thread JC Putter
Hi, I am using this rule to catch spam with a Google group link:

uri  __GOOGLEGROUPS_15  m'http://[^.]{15}\.googlegroups\.com'i
# sub-rule the meta line below depends on (same definition as in the 2009-03-26 post)
uri  __GOOGLEGROUPS_NUM m'http://[^.]*[0-9][^.]*\.googlegroups\.com'i
meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 && __GOOGLEGROUPS_NUM
describe NN_GOOGLEGROUPS_15  Contains a suspicious googlegroups URI.
score NN_GOOGLEGROUPS_15 2

but now I am getting a new type which the rule doesn't catch:
"http://groups.google.com/group/

Can someone please help me write a rule for this link?


__ Information from ESET NOD32 Antivirus, version of virus signature 
database 3973 (20090329) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



sa reporting

2009-03-27 Thread JC Putter
Does anyone know of a way to do reporting on SpamAssassin?





Still getting spam from yahoo/google groups

2009-03-27 Thread JC Putter
I added the SARE rule 90_2tld.cf but I am still getting only 1 hit from SA, 0.50
FREEMAIL_FROM.

How can I stop this? What rules can I use?

Where can I paste the raw header? Pastebin triggers it as spam.





Google groups spam

2009-03-26 Thread JC Putter
I am getting spam from Google Groups.

My only hit is 0.5 FREEMAIL_FROM.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; 
t=1238042388; bh=qIS1L4iJc6kS4EAxGGA7apkYn+LwwewDsELAo62Dcak=; 
h=Message-ID:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; 
b=coeLPEfdbLl2Ig4TFp32RXGnt7XFXN6jCjnKMOuT5alLSf95saEPX7QpRXPwRM9szfyGhexZDpNeAdedQl9R8O5NzCItwPH1MiBNahzDiHSFlMAQ2Op4AfMFWyDAvTCIdNAIUZ/ZCNdNweCk+m18OvC7+aPtXqNu1FlzUkmDW5U=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  
b=omde1HhUPO/Yv4E0WxLDIZM3Tm/kWcpzlI+JZuU5WS7W5E6fNxmpce78CJtMsUMktITBL17QLO7aB37/lSvnvSH/pHha+oHE/BChq44wF/fMXBgicPIfOockc1saRFomTQ1svt5pmfTDzpaap5PP4fRaHSeT0TKlTi2ci/+qdX8=;
Message-ID: <321141.24213...@web43503.mail.sp1.yahoo.com>
Received: from [200.92.27.171] by web43503.mail.sp1.yahoo.com via HTTP; Wed, 25 
Mar 2009 21:39:48 PDT
X-Mailer: YahooMailClassic/5.1.20 YahooMailWebService/0.7.289.1
Date: Wed, 25 Mar 2009 21:39:48 -0700 (PDT)
From: Jeff Roland 
Subject: Amateur sluts in juicy action with beasts
To: damdeloui...@yahoo.com, jcput...@centreweb.co.za,
  antiganbo...@hotmail.com, db_hypno...@hotmail.com, chrisrobis...@mac.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-centreweb_co_za-MailScanner-Information: Please contact the ISP for more 
information
X-centreweb_co_za-MailScanner-ID: 53A6037EF19.5E10D
X-centreweb_co_za-MailScanner: Found to be clean
X-centreweb_co_za-MailScanner-From: telexedyplut...@yahoo.com
X-Spam-Status: No
Old-X-EsetId: 4B64842AE47139695462847DE92575
X-EsetId: 4B64842AE47139695462847DE92575
X-EsetScannerBuild: 4669

# google group URL contains ..
uri  NN_GOOGLE_GROUP_DD  m'www\.google\.com/.*\.\..*/group/'i
describe NN_GOOGLE_GROUP_DD  Link to a Google group contains '..'
score NN_GOOGLE_GROUP_DD  4

# google group url contains question mark
uri  NN_GOOGLE_GROUP_QM  m'google\.com/.*group/[^?]{6,}\?[^?]{6}'i
describe NN_GOOGLE_GROUP_QM  Highly suspect link to a google group
score NN_GOOGLE_GROUP_QM  4

uri  __GOOGLEGROUPS_15  m'http://[^.]{15}\.googlegroups\.com'i
uri  __GOOGLEGROUPS_NUM m'http://[^.]*[0-9][^.]*\.googlegroups\.com'i
meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 && __GOOGLEGROUPS_NUM
describe NN_GOOGLEGROUPS_15  Contains a suspicious googlegroups URI.
score NN_GOOGLEGROUPS_15 2
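To see what the posted uri rules actually match, and why none of them fires on a plain http://groups.google.com/group/ link (the case the 2009-03-29 post asks about), here is an added Python harness that is not part of the thread. It applies the page's own regexes and meta rule, plus a hypothetical candidate rule NN_GROUPS_GOOGLE_PATH whose name, pattern and score are assumptions of this example, to constructed URIs and a constructed message body:

```python
import re

# The 'uri' rules posted in this thread, translated from SpamAssassin's Perl
# m'...'i syntax to Python's re module; the expressions themselves are unchanged.
PAGE_RULES = {
    "NN_GOOGLE_GROUP_DD": re.compile(r"www\.google\.com/.*\.\..*/group/", re.I),
    "NN_GOOGLE_GROUP_QM": re.compile(r"google\.com/.*group/[^?]{6,}\?[^?]{6}", re.I),
    "__GOOGLEGROUPS_15": re.compile(r"http://[^.]{15}\.googlegroups\.com", re.I),
    "__GOOGLEGROUPS_NUM": re.compile(r"http://[^.]*[0-9][^.]*\.googlegroups\.com", re.I),
}

# Scores as posted. The meta rule is scored; its two __ sub-rules are not.
PAGE_SCORES = {
    "NN_GOOGLE_GROUP_DD": 4.0,
    "NN_GOOGLE_GROUP_QM": 4.0,
    "NN_GOOGLEGROUPS_15": 2.0,
}

# Hypothetical candidate for the http://groups.google.com/group/ links the
# 2009-03-29 post asks about. Name, pattern and score are assumptions made
# for this example, not anything from the list.
CANDIDATE_NAME = "NN_GROUPS_GOOGLE_PATH"
CANDIDATE_RX = re.compile(r"https?://groups\.google\.com/group/", re.I)
CANDIDATE_SCORE = 2.0

# Crude URI extractor standing in for SpamAssassin's own URI parsing.
URI_RX = re.compile(r"""https?://[^\s<>"']+""")


def rules_hit(uri):
    """Sorted names of the scored rules that fire on a single URI."""
    hits = {name for name, rx in PAGE_RULES.items() if rx.search(uri)}
    # meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 && __GOOGLEGROUPS_NUM
    if {"__GOOGLEGROUPS_15", "__GOOGLEGROUPS_NUM"} <= hits:
        hits.add("NN_GOOGLEGROUPS_15")
    if CANDIDATE_RX.search(uri):
        hits.add(CANDIDATE_NAME)
    return sorted(h for h in hits if not h.startswith("__"))


def score_body(body):
    """Extract URIs from a body and total the scores of every rule that fires
    on at least one of them; each rule counts once, as SpamAssassin does."""
    scores = dict(PAGE_SCORES)
    scores[CANDIDATE_NAME] = CANDIDATE_SCORE
    fired = set()
    for uri in URI_RX.findall(body):
        fired.update(rules_hit(uri))
    return sum(scores[r] for r in fired), sorted(fired)


# Constructed sample body; both hostnames are made up for this example.
SAMPLE_BODY = """\
Hello, see http://groups.google.com/group/constructed-sample for details
and http://abcdefghijk1234.googlegroups.com/web/file.zip too."""

if __name__ == "__main__":
    for uri in URI_RX.findall(SAMPLE_BODY):
        print(uri, "->", rules_hit(uri))
    print(score_body(SAMPLE_BODY))
```

The harness shows the gap directly: __GOOGLEGROUPS_15 needs a 15-character hostname label in front of .googlegroups.com, NN_GOOGLE_GROUP_DD needs a ".." in a www.google.com path, and NN_GOOGLE_GROUP_QM needs a question mark, so a bare groups.google.com/group/ link only trips the candidate. Before scoring a candidate like this in production, check the same expression against a corpus of legitimate mail, since every group's own list archive lives under the same path.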






Re: Spam from windows live

2009-03-25 Thread JC Putter
Thank you to everyone who replied to my question on windows live.com spam; I am now
getting hits using URI checks and free_email rules.



- Original Message - 
From: "Bowie Bailey" 

To: 
Sent: Wednesday, March 25, 2009 3:02 PM
Subject: RE: Spam from windows live



Chris wrote:

On Wed, 2009-03-25 at 02:59 +0200, jcput...@centreweb.co.za wrote:
> I am receiving spam all the time from Windows Live accounts;
> SpamAssassin doesn't even have one hit. I am using the SOUGHT rule with
> OpenProtect's SARE rules, with DCC, Pyzor, Razor2 and iXhash.
>
> I created a rule to stop spam containing Windows Live Spaces, but
> spam like this one doesn't even get a hit.
>
> Here is the raw header of a mail:
>
> Return-Path: 
> X-Original-To: jcput...@centreweb.co.za
> Delivered-To: jcput...@centreweb.co.za
> Received: from mail.centreweb.co.za (localhost [127.0.0.1])
> by office.numata.local (Postfix) with ESMTP id 516E24BDB4
> for ; Tue, 24 Mar 2009 19:43:29 +0200
> (SAST)
> X-Original-To: jcput...@centreweb.co.za
> Received: from bay0-omc1-s25.bay0.hotmail.com
> (bay0-omc1-s25.bay0.hotmail.com [65.54.246.97]) by
> mail.centreweb.co.za (Postfix) with ESMTP id ACDD1160796 for
> ; Tue, 24 Mar 2009 23:31:34 +0200 (SAST)
> Received: from BAY102-W23 ([64.4.61.123]) by
> bay0-omc1-s25.bay0.hotmail.com with Microsoft
> SMTPSVC(6.0.3790.3959); Tue, 24 Mar 2009 14:31:37 -0700
> Message-ID: 
> Content-Type: multipart/alternative;
> boundary="_6a0f2882-1775-43b5-9655-4147fe68795d_"
> X-Originating-IP: [92.48.45.254]
> From: drake ethelind 
> To: , 
> Subject: Hot teen deep f: uc-king giant dog c:o ck
> Date: Tue, 24 Mar 2009 21:31:38 +
> Importance: Normal
> MIME-Version: 1.0
> X-OriginalArrivalTime: 24 Mar 2009 21:31:37.0912 (UTC)
> FILETIME=[E9E1AB80:01C9ACC7]
> X-numata_local-MailScanner-ID: 516E24BDB4.877C7
> X-numata_local-MailScanner: Found to be clean
> X-numata_local-MailScanner-From: ethelindkjbhjydkh...@live.com
> X-Spam-Status: No
>
>
Scored above my threshold here:

Content analysis details:   (7.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by Barracuda
                            [92.48.45.254 listed in bb.barracudacentral.org]
 0.5 FREEMAIL_FROM          From-address is freemail domain
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5304]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1085; Body=0]
 1.4 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


The only two of those that are relevant are RCVD_IN_BRBL_RELAY and
FREEMAIL_FROM.  That gives a score of only 1.5.

BAYES_50 means Bayes has no opinion, the score for that should be 0.

TVD_SPACE_RATIO and EMPTY_MESSAGE are there simply because the OP didn't
include the body.

SAGREY may or may not continue to hit on the spam depending on how it is
being sent.

Maybe if we could see the body of the message, there would be more ways
to block it.  (post it to pastebin or something and give us a link,
please don't send spams to the list)

--
Bowie
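Bowie's point is that the 7.2 in the report is mostly an artifact of scoring a headers-only paste, and the earlier "sa reporting" question asks how to get numbers out of SpamAssassin at all. As an added example that is not from the thread, this Python parser reads a "Content analysis details" block, folds wrapped description lines back onto their rule, and sums only the hits that would recur on the full message. The sample report is a constructed re-flow of the one quoted above, and the set of rules to discount is this example's reading of Bowie's reasoning:

```python
import re

# Constructed copy of the report quoted in the thread, re-flowed so that each
# rule starts a line and continuation text is indented.
SAMPLE_REPORT = """\
Content analysis details:   (7.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by Barracuda
                            [92.48.45.254 listed in bb.barracudacentral.org]
 0.5 FREEMAIL_FROM          From-address is freemail domain
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5304]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1085; Body=0]
 1.4 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

# "<points> <RULE_NAME> <description>"; SpamAssassin rule names are upper case.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
HEADER = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")


def parse_report(text):
    """Return (total, required, [(points, rule, description), ...]).
    Indented lines with no leading score are continuation text and are
    appended to the previous rule's description."""
    total = required = None
    rules = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m and total is None:
            total, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_LINE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif rules and line.startswith("    ") and line.strip():
            pts, name, desc = rules[-1]
            rules[-1] = (pts, name, desc + " " + line.strip())
    return total, required, rules


# Hits Bowie discounts: two caused by pasting only the headers, one that may
# not recur for a repeat sender, and BAYES_50, which means "no opinion".
# This set is an assumption of the example, not SpamAssassin configuration.
UNRELIABLE = {"TVD_SPACE_RATIO", "EMPTY_MESSAGE", "SAGREY", "BAYES_50"}


def reliable_score(text, unreliable=UNRELIABLE):
    """Total of the hits that would recur on a full copy of the message, with
    the names of the positive-scoring ones."""
    _, _, rules = parse_report(text)
    kept = [(p, n) for p, n, _ in rules if n not in unreliable]
    return round(sum(p for p, _ in kept), 2), sorted(n for p, n in kept if p > 0)


if __name__ == "__main__":
    total, required, rules = parse_report(SAMPLE_REPORT)
    print("reported:", total, "of", required)
    print("reliable:", reliable_score(SAMPLE_REPORT))
```

Run over a directory of X-Spam-Report headers rather than one paste, the same parser gives the per-rule hit counts that the "sa reporting" post was looking for; the reliable_score filter is only meaningful for the headers-only case Bowie describes.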




ruleset

2009-03-24 Thread JC Putter
Where can I find more rulesets? I am using the OpenProtect SARE rules and the SOUGHT rulesets.





Problem with sa-compile

2009-03-23 Thread JC Putter
Hi, I am trying to compile my rules but I am getting the following error:

Wide character in print at /usr/bin/sa-compile line 385, <$fh> line 3490.
Wide character in print at /usr/bin/sa-compile line 385, <$fh> line 6690.
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c -i -b -o scanner3.c scanner3.re
re2c -i -b -o scanner4.c scanner4.re
re2c -i -b -o scanner5.c scanner5.re
re2c -i -b -o scanner6.c scanner6.re
re2c -i -b -o scanner7.c scanner7.re
re2c -i -b -o scanner8.c scanner8.re
re2c -i -b -o scanner9.c scanner9.re
re2c -i -b -o scanner10.c scanner10.re
re2c: error: line 102, column 2: Token exceeds limit
command failed! at /usr/bin/sa-compile line 288, <$fh> line 7288.







Training bayes

2008-12-27 Thread JC Putter
I'd like to know if you can train Bayes with *.msg format or must it be eml
format? I know that Outlook Express uses eml but Office Outlook uses msg format.






This message has been scanned by Nexus Mail Gateway


spam getting through

2008-12-27 Thread JC Putter
Here is the raw message header:

Received-SPF: none (yahoo.com: No applicable sender policy available) 
receiver=localhost.localdomain; identity=mailfrom; 
envelope-from="glassbamcgu...@yahoo.com"; helo=n4a.bullet.mail.ac4.yahoo.com; 
client-ip=76.13.13.67
X-Greylist: delayed 357 seconds by postgrey-1.31 at localhost.localdomain; Sat, 
27 Dec 2008 12:58:37 SAST
Received: from n4a.bullet.mail.ac4.yahoo.com (n4a.bullet.mail.ac4.yahoo.com 
[76.13.13.67])
 by mail.centerweb.co.za (Nexus Mail Gateway) with SMTP id 24D3210884A
 for ; Sat, 27 Dec 2008 12:58:28 +0200 (SAST)
Received: from [76.13.13.25] by n4.bullet.mail.ac4.yahoo.com with NNFMP; 27 Dec 
2008 10:52:29 -
Received: from [76.13.10.166] by t4.bullet.mail.ac4.yahoo.com with NNFMP; 27 
Dec 2008 10:52:29 -
Received: from [127.0.0.1] by omp107.mail.ac4.yahoo.com with NNFMP; 27 Dec 2008 
10:52:29 -
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 133709.62534...@omp107.mail.ac4.yahoo.com
Received: (qmail 27693 invoked by uid 60001); 27 Dec 2008 10:52:28 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Message-ID;
b=MlKiySNdP9hEdZ9LDYsbQ2d6MHhtxVz7Uudz/scUGnnaMHF+xRKvswKE+Qoi9k4ec6uRd2xRstsdgKPWxcUHb076wSnXl3doRV7ir6lsPp1sLspU4PnhIAduSqTEe3jSR7xzEyWHWGxAD7Yx5gvC+nFYd+7ZO6HnBYCvt4NkYe0=;
X-YMail-OSG: 
C60949oVM1kqwRH41pjuW2ACLXkxhudkWLT8O9BEKDi02BLaDyUCtUCUA0_3pbejWjkV1IXCep1tsuS2buw6GiGVrK6ObG4sLhQfCYVfEmApC67MOvsdxRyESgPpzatborHlvId71GWqeNtN4YoHM9JT5mjM
Received: from [98.244.135.188] by web59702.mail.ac4.yahoo.com via HTTP; Sat, 
27 Dec 2008 02:52:27 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 27 Dec 2008 02:52:27 -0800 (PST)
From: mcguire Glass 
Reply-To: glassbamcgu...@yahoo.com
Subject: Bring the new wave in your life
To: ber...@beeb.net
Cc: bertus.lamme...@gmail.com, ber...@centerweb.co.za, bertu...@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1167732217-1230375147=:26874"
Message-ID: 
928460.26874...@web59702.mail.ac4.yahoo.com

Here are the contents of the message; I am getting a lot of spam with URLs
spaced this way:

Bring the new wave in your life

mcguire Glass [glassbamcgu...@yahoo.com]


Sent:

27 December 2008 12:52

To:

ber...@beeb.net

Cc:

bertus.lamme...@gmail.com;
 
Bertus;
 
bertu...@yahoo.com

Attachments:




Add more fire into your intimate relationship.
w w w . h o t f e l l . c o m - no dashes
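The "w w w . h o t f e l l . c o m" trick defeats a uri rule because there is no URI for SpamAssassin to extract. As an added example that is not from the thread, this Python code de-obfuscates spaced-out and dashed-out hostnames and reports only the ones that were not visible in the original line, which is the signal a body rule would want. The sample lines, the example.com hostname and the short TLD list are constructed for this example:

```python
import re

# Constructed sample lines; example.com stands in for the spammer's domain.
SAMPLE_LINES = [
    "Add more fire into your intimate relationship.",
    "w w w . e x a m p l e . c o m - no dashes",
    "w-w-w . e-x-a-m-p-l-e . c-o-m",
    "visit www.example.com today",
    "a b c d e f g h",   # spaced-out letters that do not form a hostname
]

# A dash wedged between two single characters, as in "w-w-w".
DASHED_CHAR = re.compile(r"(?<=\b\w)-(?=\w\b)")
# A dot pushed away from the word before it, as in "www . example".
SPACED_DOT = re.compile(r"(?<=\w) \. ?(?=\w)")
# Hostname ending in one of a short, constructed TLD list (an assumption of
# this example; a real rule would use a fuller list).
HOST_RX = re.compile(
    r"\b(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz)\b", re.I)


def collapse_spaced(text):
    """Join runs of single characters ("w w w . e x a m p l e") and close up
    dots that were spaced out, leaving ordinary words untouched."""
    text = DASHED_CHAR.sub("", text)          # "w-w-w" -> "www"
    out = []                                  # [fragment, is_single_char_run]
    for tok in text.split():
        if len(tok) == 1 and (tok.isalnum() or tok == "."):
            if out and out[-1][1]:
                out[-1][0] += tok             # extend the current run
            else:
                out.append([tok, True])       # start a new run
        else:
            out.append([tok, False])
    return SPACED_DOT.sub(".", " ".join(frag for frag, _ in out))


def find_hidden_hosts(line):
    """Hostnames that only become visible after de-obfuscation, lower-cased."""
    visible = {h.lower() for h in HOST_RX.findall(line)}
    collapsed = {h.lower() for h in HOST_RX.findall(collapse_spaced(line))}
    return sorted(collapsed - visible)


def scan_body(lines):
    """[(line, hidden hostnames)] for every line that hides at least one host."""
    found = []
    for line in lines:
        hosts = find_hidden_hosts(line)
        if hosts:
            found.append((line, hosts))
    return found


if __name__ == "__main__":
    for line, hosts in scan_body(SAMPLE_LINES):
        print(repr(line), "->", hosts)
```

Only lines whose hostname appears after collapsing, and not before, are reported, so a normally written "visit www.example.com today" is left alone. The reason to compare before and after rather than just flagging spaced single letters is the last sample line: spaced-out text on its own is not evidence of a link.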







Spamassassin RBL

2008-12-20 Thread JC Putter
Hi



Sorry, I am still new at using SpamAssassin. How can I enable SpamAssassin to
check RBL or URI blacklists?

Is there a way to test if the URI or RBL checks work?


