"Downloadable Software"

2007-12-18 Thread Kenneth Porter
I'm seeing a lot of these today, and Bayes seems to be letting a lot of 
them leak through. Any good rule for stopping them? The links are always to 
a Geocities page.


Re: "Downloadable Software"

2007-12-18 Thread Matt Kettler
Kenneth Porter wrote:
> I'm seeing a lot of these today, and Bayes seems to be letting a lot
> of them leak through. Any good rule for stopping them? The links are
> always to a Geocities page.
>
Do you have network checks enabled? I just grabbed one and it seemed to
hit XBL, SpamCop and Razor2 pretty nicely:

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 3.0 RCVD_IN_XBL               RBL: Received via a relay in Spamhaus XBL
                               [137.132.31.162 listed in zen.spamhaus.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET    RBL: Received via a relay in bl.spamcop.net
                               [Blocked - see ]
 0.0 HTML_MESSAGE              BODY: HTML included in message
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]



Re: "Downloadable Software"

2007-12-18 Thread Kenneth Porter
--On Tuesday, December 18, 2007 8:16 PM -0500 Matt Kettler
<[EMAIL PROTECTED]> wrote:

> Do you have network checks enabled? I just grabbed one and it seemed to
> hit XBL, SpamCop and Razor2 pretty nicely:

I'm not using Razor, and I have SpamCop disabled (since October 1). Alas I 
didn't put a comment in my SpamCop-disabling cf file to indicate why I 
disabled it. I'll re-enable and see if that helps.


Re: "Downloadable Software"

2007-12-19 Thread Joseph Brennan



--On Tuesday, December 18, 2007 5:01 PM -0800 Kenneth Porter
<[EMAIL PROTECTED]> wrote:

> I'm seeing a lot of these today, and Bayes seems to be letting a lot of
> them leak through. Any good rule for stopping them? The links are always
> to a Geocities page.


Reject mail with a URL to geocities.com.  66.218.77.68/32 is in the
Spamhaus SBL, updated Dec 7.  If you check URLs in messages.

There are two patterns in those reported to us.  I don't know enough
about normal Geocities URLs to make regexps unique to these.


[1] Noted at Spamhaus, these have multiword subjects and links like this
after geocities.com/

BlakeStafford34/
EdmondMcfarland16/



[2] The more voluminous kind has one-word lower-case subjects and
links like this after geocities.com/

a5owm7rv4ted5vt/
zoukfb127u07xzl/
e3e2jphxfamnp/
zoukfb127u07xzl/
e3e2jphxfamnp/
oifwubaqi2jd9i/
livq99cjun7m81/



Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
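
Added example, not part of any post in this thread: a Python sketch that sorts Geocities links into the two patterns described above, pairing each path shape with the subject style reported for it. The regexes, thresholds and sample messages are assumptions built only from the paths quoted in the post, so legitimate Geocities pages can match and any hit should add score rather than reject on its own.

```python
import re

# Heuristics derived only from the sample paths quoted in this thread. They are
# assumptions, not vetted signatures: legitimate Geocities pages may match too.
GEO_URL = re.compile(r"https?://(?:www\.)?geocities\.com/([A-Za-z0-9_-]+)", re.I)
NAME_NUMBER = re.compile(r"[A-Z][a-z]+[A-Z][a-z]+\d{1,3}")   # e.g. BlakeStafford34
RANDOM_ID = re.compile(r"[a-z0-9]{12,16}")                    # e.g. a5owm7rv4ted5vt


def classify_path(path):
    """Return 'name+number', 'random' or None for a first path segment."""
    if NAME_NUMBER.fullmatch(path):
        return "name+number"
    digits = sum(c.isdigit() for c in path)
    # Require letters and at least two digits so plain words do not match.
    if RANDOM_ID.fullmatch(path) and 2 <= digits < len(path):
        return "random"
    return None


def classify_message(subject, body):
    """Pair each Geocities link with the subject style described for it."""
    words = subject.split()
    hits = []
    for match in GEO_URL.finditer(body):
        path = match.group(1)
        kind = classify_path(path)
        if kind == "name+number" and len(words) > 1:
            hits.append(("pattern 1", path))
        elif kind == "random" and len(words) == 1 and subject.islower():
            hits.append(("pattern 2", path))
    return hits


# Constructed sample messages; only the path segments come from the thread.
SAMPLES = [
    ("Downloadable Software", "Get it at http://geocities.com/BlakeStafford34/"),
    ("software", '<a href="http://www.geocities.com/a5owm7rv4ted5vt/">here</a>'),
    ("Family photos", "Our page: http://www.geocities.com/smithfamily/index.html"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(repr(subject), classify_message(subject, body))
```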





Re: "Downloadable Software"

2007-12-19 Thread Daryl C. W. O'Shea

Kenneth Porter wrote:
> I'm seeing a lot of these today, and Bayes seems to be letting a lot of
> them leak through. Any good rule for stopping them? The links are always
> to a Geocities page.


If you're using the WebRedirect plugin, this rule works well:

ifplugin Mail::SpamAssassin::Plugin::WebRedirect
  header   WEB_RE_LOC_REPLACE Web-Redirect =~ /\bparent\.location\.replace\b/

  score    WEB_RE_LOC_REPLACE 4.0
  describe WEB_RE_LOC_REPLACE Links to web page that contains 'parent.location.replace'

  tflags   WEB_RE_LOC_REPLACE net
endif


Daryl