SARE_SPOOF_EBAYFORM - lots of false positives

2006-06-20 Thread Peter Campion-Bye 
Last few genuine emails from ebay UK have started to trigger this rule. Might
be worth whoever is responsible for this one taking a look, in the meantime
I'll override the score to 0.

Can provide an example message if necessary, let me know (don't want to send
it to everyone as it's 37K)

Charity spam - is this a new kind of 419?

2006-04-24 Thread Peter Campion-Bye 

Received the message below at the weekend. I could be completely wrong and
this is a genuine misguided attempt at recruiting charity workers, but it
looks to me like a new kind of 419 scam - if you show an interest I suspect
they will want bank account details and/or money up front.
Suspicious that she can't even decide how to spell her own surname!


Return-Path: [EMAIL PROTECTED]
Received: from mx0.pandasys.net (mx0.pandasys.net [81.187.228.199])
 by newpennan.pandasys.net (8.13.6/8.13.4) with ESMTP id k3N1AJGU014087
 for [EMAIL PROTECTED]; Sun, 23 Apr 2006 02:10:19 +0100
Received: from phpnet.org (lb.phpnet.org [87.98.197.87])
 by mx0.pandasys.net (8.13.6/8.13.6) with SMTP id k3N1AHjL004631
 for [EMAIL PROTECTED]; Sun, 23 Apr 2006 02:10:17 +0100
Received: (qmail 20821 invoked by uid 89); 23 Apr 2006 01:03:15 -
Received: from unknown (HELO nobody.nothing.phpnet.org) (10.0.0.42)
 by phpnet.org with SMTP; 23 Apr 2006 01:03:15 -
Received: (qmail 10793 invoked by uid 500); 23 Apr 2006 01:03:01 -
Date: 23 Apr 2006 01:03:01 -
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
ScriptPath: mastacrew.com/page.php
Subject: Charity Work
From: Save the Children Charity Work [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Spam-Score: 2.52
BAYES_50,HTML_00_10,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SARE_HTML_EMPTY,SPF_HELO_PASS
X-Scanned-By: MIMEDefang 2.54 on 81.187.228.199

-- Original Message --
Subject: Charity Work
From:Save the Children Charity Work [EMAIL PROTECTED]
Date:Sun, April 23, 2006 02:03
To:  [EMAIL PROTECTED]
--


 Hello,
   I am Helen from Save the Children Charity Work.Save the children is a child
charity that works in the uk and worldwide. find out
 how you can do volunteering, fundraising and make a donation.
   We are presently looking for people from United Kingdom,United
States,Canada,Australia and Ireland who can work online with our Branch in
Africa.We are willing to make arranging for payment on everyone who is
ready to part-take under this umbrella of our Charity Work(Save The
Children).
We want to make sure that Children are safe and secured from every bad
diseases occuring around the world now, and this Organization will be
making payment for everybody working under it but it depends on how many
people you can bring into this Organization.
Payment for single/new person who just join this Save the Children Health
Organization is 400pounds per week and the payment will be made in
cheque/money order or directly into your account everyweek as a part of
this Organization.
 We are pleased to welcome you as a member of this Children Health
Organization which is made for schools and everybody in the world can
part-take as member because we need just 20 more people to be member/workers
of this Organization and this Organization need people who can make
themselves avaliable at least twice a week for the work because we may need
any member to reach places where help is needed.
   I hope this is more comprehensive and you are highly welcome to be a
member/worker under this Children Health Organization.
 You can contact the Ass. Coordinator for more informations through this
mailto: [EMAIL PROTECTED]
 We are very pleased to invite you to part-take as a member/worker in this
Children Health Organization and you read more from our other branch website
under united States (www.savethechildren.org)
 Thanks
   Mrs Helen Cockran
   Ass. Coordinator
   NB: mailto: [EMAIL PROTECTED]

RE: whitelist file

2005-12-21 Thread Peter Campion-Bye 

 To Better-Scripters-Than-Me: would this work? I know there's probably a
better way, but if it works as written, it would avoid creating
duplicate email addresses.

Much easier to remove the duplicates with a 'sort -u' once you've finished
appending.

'meds' spam

2004-11-18 Thread Peter Campion-Bye 

The only spam that's getting through on my system these days seems to have
'meds' and 'rx' in common. I would have thought that antidrug was the
ruleset to pick up stuff such as this:

--Spam Start---
Subject: meds saving zone

your assorted meds at better than Canadian pricing

A wide variety of medications for your paticular
eyes...Depression-Anxiety,
Muscle Relaxants, Pain Relief, Sexual Health, Sleeping Aids, drugs for
weight reduction, allergy...

overnight delivery for meds

gorgeous service for quality rx meds at low price

Internet pharmacy really makes things easier for me. Now I don't even step
out of the room to get rx refilled and meds delivered to my door.  --Delta
--Spam End-

but this message scores nothing for content, apart from BAYES_80 which is
not enough to push it over the threshold...

  X-Spam-Score: 3.19 BAYES_80,RCVD_IN_SBL,SPF_HELO_PASS,URIBL_SBL

Is there a ruleset I should be using to pick this stuff up?
I've put in a custom rule to pick up meds in the subject:

header  PCB_MEDSSubject =~ /(?:\bmeds|meds\b)/i
describePCB_MEDSSubject contains meds
score   PCB_MEDS5

Before I start adding body rules to pick up words like those in the
message above, is there already something around that does the job?
Thanks