Re: The 'believe-it' spams

2008-02-24 Thread Kathryn Allan

How do you set a rule to expire?

Kate

Bob Proulx wrote:

Jonathan Nichols wrote:
  

What was the rule you added? :)



I just did the brute force thing and looked for an entire phrase from
that message.  It really isn't worthy and this will change very
quickly such that any rule I post now won't be interesting to have in
a ruleset in a couple of days.  It needs to expire.

  body TV_ARM_SPAM_1 /^Well we have developed the TV arm for every website in the world/
  describe TV_ARM_SPAM_1 TV Arm Spam
  score TV_ARM_SPAM_1 5.5

It is just a brute force rule that works today on that particular wave
of incoming spam.

Bob
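
An added example, not part of the original thread: one way to make short-lived brute-force rules like the one above expire, assuming expiry is handled outside SpamAssassin by a housekeeping script. The "# expires:" comment convention, the LOCAL_* rule names and the sample file are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample rules file. "# expires: YYYY-MM-DD" is a hypothetical
# local comment convention, not a SpamAssassin directive.
SAMPLE_CF = """\
# expires: 2008-03-01
body TV_ARM_SPAM_1 /^Well we have developed the TV arm for every website in the world/
describe TV_ARM_SPAM_1 TV Arm Spam
score TV_ARM_SPAM_1 5.5

# expires: 2008-12-31
body LOCAL_DEMO_2 /constructed example phrase/
score LOCAL_DEMO_2 2.0

body LOCAL_KEEP /rule with no expiry annotation/
score LOCAL_KEEP 1.0
"""

EXPIRES = re.compile(r"^#\s*expires:\s*(\d{4})-(\d{2})-(\d{2})\s*$")
RULE_TYPES = {"body", "rawbody", "header", "uri", "full", "meta"}


def block_expiry(lines):
    """Return the expiry date annotated on a block, or None if absent/invalid."""
    for line in lines:
        m = EXPIRES.match(line.strip())
        if m:
            try:
                return date(*map(int, m.groups()))
            except ValueError:      # e.g. 2008-02-30: keep the rule active
                return None
    return None


def prune_expired(cf_text, today):
    """Comment out blank-line-separated rule blocks whose expiry has passed.

    Returns (new_text, names_of_expired_rules)."""
    out, expired = [], []
    for block in re.split(r"\n[ \t]*\n", cf_text.strip("\n")):
        lines = block.splitlines()
        exp = block_expiry(lines)
        if exp is None or exp >= today:
            out.append(block)
            continue
        for line in lines:
            parts = line.split()
            if len(parts) >= 2 and parts[0] in RULE_TYPES:
                expired.append(parts[1])
        out.append("\n".join(l if l.lstrip().startswith("#") else "# EXPIRED " + l
                             for l in lines))
    return "\n\n".join(out) + "\n", expired
```

Run it from cron against the local rules file, then check the result with spamassassin --lint before reloading the daemon.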
  




Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan
I just implemented Justin's ruleset and it looks as if they will now be 
caught. YAY, thanks for the tip.
Has anyone had trouble with FPs using this ruleset? The ones it's hitting 
seem to score high (4).


Thanks
Kate


Bob Proulx wrote:

Kathryn Allan wrote:
  

The url to pastebin is http://pastebin.ca/910275
apologies if this is wrong - it's my first time using pastebin.



Your pastebin of the message body was good.  Normally it would be
better to paste the full headers in too so that we can run the message
through the tools directly but in this case we have all been seeing a
lot of those spam messages and are very familiar with them.

Another comment about pastebin is that for temporary stuff like this
it is good to set an expiration on it.  In the long term it is junk
and so expiring it saves disk space there and on the search engines
that thread it and generally allows things to clean up afterward.
Other pastebin sites set an expiration by default but on pastebin.ca
you need to manually set one.  It is the "Expire this post in:"
pulldown setting.

To combat this spam Justin has recently posted about his sought.cf rules.

  Justin Mason recently wrote:
by the way, just to get back to this original topic -- my "sought.cf"
ruleset has caught these nicely for months.  It's very good for this
kind of spam: http://taint.org/2007/08/15/004348a.html

I am using them to good effect (Thanks Justin!) and your message
scored the following for me:

 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 4.0 JM_SOUGHT_3            JM_SOUGHT_3

My Bayes engine has learned these as mostly spam but yours probably
has not.  Plus it wouldn't be enough by itself.  But the sought rules
have been doing good at handling the surge of "today's spam" messages
as they change rapidly.

Bob
  


Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

I have removed the extras and changed the expiry.
http://pastebin.ca/910360

Thanks for the help
Kate


Karsten Bräckelmann wrote:

On Wed, 2008-02-20 at 10:36 +1300, Kathryn Allan wrote:

  

Thanks I will try the suggestions in the other post.
I have updated the pastebin with header - I think : )
http://pastebin.ca/910315



It is a multipart/alternative message -- in this case HTML. ;)  For
reference, please, always paste the entire, raw message. Don't
copy-n-paste what your MUA displays as body. (I was going to reply to
your previous mail, but you beat me to it.)

Also, there now are three copies. ;)  The other one you pasted just a
minute after this got an expiration time. However, it is much too short for
mailing list conversation. 4 hours is not sufficient.

  guenther


  


--

Kate Kleinschafer
Internet Services
GetRheel

/A division of Rheel Electronics Ltd /
Phone +64-3-386 3070 Fax +64-3-386-3071
Mobile +64-21-386-394

email: [EMAIL PROTECTED]
www.getrheel.co.nz

This e-mail together with any attachments is confidential, may be 
subject to legal privilege and may contain proprietary information, 
including information protected by copyright. If you are not the 
intended recipient, please do not copy, use or disclose this e-mail; 
please notify us immediately by return e-mail and then delete this e-mail.


Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

Hmm, the update changed the link I think
http://pastebin.ca/910320

Bob Proulx wrote:

Kathryn Allan wrote:
  

The url to pastebin is http://pastebin.ca/910275
apologies if this is wrong - it's my first time using pastebin.



Your pastebin of the message body was good.  Normally it would be
better to paste the full headers in too so that we can run the message
through the tools directly but in this case we have all been seeing a
lot of those spam messages and are very familiar with them.

Another comment about pastebin is that for temporary stuff like this
it is good to set an expiration on it.  In the long term it is junk
and so expiring it saves disk space there and on the search engines
that thread it and generally allows things to clean up afterward.
Other pastebin sites set an expiration by default but on pastebin.ca
you need to manually set one.  It is the "Expire this post in:"
pulldown setting.

To combat this spam Justin has recently posted about his sought.cf rules.

  Justin Mason recently wrote:
by the way, just to get back to this original topic -- my "sought.cf"
ruleset has caught these nicely for months.  It's very good for this
kind of spam: http://taint.org/2007/08/15/004348a.html

I am using them to good effect (Thanks Justin!) and your message
scored the following for me:

 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 4.0 JM_SOUGHT_3            JM_SOUGHT_3

My Bayes engine has learned these as mostly spam but yours probably
has not.  Plus it wouldn't be enough by itself.  But the sought rules
have been doing good at handling the surge of "today's spam" messages
as they change rapidly.

Bob
  




Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

Hi Bob,

Thanks I will try the suggestions in the other post.
I have updated the pastebin with header - I think : )
http://pastebin.ca/910315

Thanks again
Kate

Bob Proulx wrote:

Kathryn Allan wrote:
  

The url to pastebin is http://pastebin.ca/910275
apologies if this is wrong - it's my first time using pastebin.



Your pastebin of the message body was good.  Normally it would be
better to paste the full headers in too so that we can run the message
through the tools directly but in this case we have all been seeing a
lot of those spam messages and are very familiar with them.

Another comment about pastebin is that for temporary stuff like this
it is good to set an expiration on it.  In the long term it is junk
and so expiring it saves disk space there and on the search engines
that thread it and generally allows things to clean up afterward.
Other pastebin sites set an expiration by default but on pastebin.ca
you need to manually set one.  It is the "Expire this post in:"
pulldown setting.

To combat this spam Justin has recently posted about his sought.cf rules.

  Justin Mason recently wrote:
by the way, just to get back to this original topic -- my "sought.cf"
ruleset has caught these nicely for months.  It's very good for this
kind of spam: http://taint.org/2007/08/15/004348a.html

I am using them to good effect (Thanks Justin!) and your message
scored the following for me:

 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 4.0 JM_SOUGHT_3            JM_SOUGHT_3

My Bayes engine has learned these as mostly spam but yours probably
has not.  Plus it wouldn't be enough by itself.  But the sought rules
have been doing good at handling the surge of "today's spam" messages
as they change rapidly.

Bob
  




Re: Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

Hi,

The url to pastebin is http://pastebin.ca/910275
apologies if this is wrong - it's my first time using pastebin.

Thanks
Kate

--[ UxBoD ]-- wrote:

please post a URL to a sample message, or via pastebin so that we can run it 
through our installations and see what it hits.

what is your SA installation hitting and scoring it as ?

Regards,

  




Suggestions to block this spam

2008-02-19 Thread Kathryn Allan

Hi all,

Getting tons of this sort of email through. Have been learning it as 
spam for the last few days but so far not much luck.


-->start of message 2 examples

Aloha,***
Real men!* Milliions of people acrosss the world have already tested THIS

Goedendag, ***
Real men!* * *MMillions of people acrross the world have already tested THIS

thanks
kate


using sare rules

2008-02-17 Thread Kathryn Allan

Hi all,

I have recently inherited the responsibility of looking after our spam 
machine; as such I'm having a few teething issues : )


I just followed the instructions in the sare-sa-update-howto.txt. I am 
just a bit confused as to whether I have done it correctly. Originally in 
the /var/lib/spamassassin/3.xxx folder there was the 
updates_spamassassin_org folder and cf file.


Now there is also the key file the sare-sa-update-channels.txt as well 
as the full that I wanted to add (which has a file and a folder)


I would have thought that the rule file would have ended up inside the 
updates_spamassassin_org folder as all the other .cf files seem to be 
inside there.


Can someone let me know if I have done something wrong.

Thanks
Kate