{SPAM} Re: new type of spam

2005-09-30 Thread Matt Kettler 
Raymond Dijkxhoorn wrote:
 Hi!
 
 Yep, Im using URIBL lists but not all mails are been caught.
 
 
 |is listed in the JP SURBL blocklist and in the URIBL blacklist.
 |
 |are you using URIBL checks in SA?
 
 
 Combine this with some SARE rules and you will see not much comming in.

I use URIBL's and many SARE rules, including SARE's adult rules, and a lot of
this latest wave got missed.

Attached is a subset of some porn rules I've been working on. They're
experimental, but the seem to work pretty well with fairly low FP rate.

They might have some FP cases I haven't noticed yet, so be careful with them,
but you might want to try them out.

#people
body __L_BOYS   /\bb[o0]y[sz]\b/i
body __L_GIRLS  /\b(?:school)?girl(?:ie)?[sz]?\b/i
body __L_VIRGIN /\bvirgin[sz]?\b/i
body __L_TEEN   /\bteen(?:ager)?[sz]?\b/i
body __L_YOUNG  /\by[o0]ung\b/i
body __L_YOUTH /\by[o0]uth(?:ful)?\b/i
body __L_LESB /\blesbian[sz]?\b/i
body __L_GAY /\bgay[sz]?\b/i
body __L_DAUGHTER /\b(?:grand)?daughters?\b/i
body __L_SON/\b(?:grand)?sons?\b/i
body __L_INOC   /\binn?ocent\b/i
body __L_HOTB   /\bhot(?:tie| babe)s?\b/i

#body parts
body __L_COCK   /\bc[o0]ck\b/i
body __L_PUS/\bpuss(?:y|ies)\b/i
body __L_TI /\btit(?:ie)?[sz]?\b/i
body __L_ASS/\bass(?:hole)?e?[sz]?\b/i

#acts and states related to porn
body __L_MAST   /\bmasturbat(?:e|ed|ing|tion)\b/i
body __L_FCK/\bfuck(?:ed|ing)?/i
body __L_BLO/\bblowjobs?\b/i
body __L_NUDE   /\bnude[sz]?\b/i
body __L_EROTIC /\berotic\b/i
body __L_NAKED  /\bnaked\b/i
body __L_EXPLICIT /\b[e3]xpl[i1]c[i1]t\b/i
body __L_HARDCORE /\bhardc[o0]r[e3]\b/i
body __L_INCEST /\b[i1]nc[e3][sz]t\b/i
body __L_ANAL   /\baa?nn?aa?ll?\b/i
body __L_JIZZ   /bjizz\b/i
body __L_FAC/\bfacial(?:ed)?\b/i
body __L_BACK   /\bbackdoor (?:action|penetration|pounding)\b/i
body __L_THROB  /\bthrobbing\b/i
#media
body __L_PHOTO  /\bph[o0]t[o0][sz]?\b/i
body __L_VIDEO  /\bvid[e3][o0][sz]?\b/i
body __L_MOVIE  /\bm[o0]vi[e3][sz]?\b/i

uri L_PORN_GEOURI 
/(?:www|uk|de|sk)\.geocities\.com\/[a-z0-9]{1,20}_[a-z0-9]{1,20}_[0-9]{1,6}\//
describe L_PORN_GEOURI  contains a suspect geocities weblink
score L_PORN_GEOURI 2.0

meta L_P_GEODOUBLE  (L_PORN_GEOURI  (__L_GIRLS || __L_VIRGIN || __L_TEEN 
|| __L_FCK))
score L_P_GEODOUBLE  1.5

body L_P_MEMBERS_AREA   /\bmembers area\b/i
score L_P_MEMBERS_AREA  0.5

body L_P_PICS   /\bPics\b/i
score L_P_PICS  0.1

body L_P_VIDS   /\bVids\b/i
score L_P_VIDS  0.1

body L_P_CLIPS  /\bClips\b/i
score L_P_CLIPS 0.1

body L_P_AVI/\bAVIs?\b/i
score L_P_AVI   0.1

body L_P_MPEG   /\bMPEGs?\b/i
score L_P_MPEG  0.1


body L_P_DP /\bdouble (?:penetrat(?:ion|ed)|plugged)\b/i
score L_P_DP0.5

#youth or erotica coupled with pics, vids, etc.
meta L_P_COMBO1 ((__L_INCEST || __L_FAC || __L_NUDE || __L_EROTIC|| 
__L_GIRLS || __L_VIRGIN || __L_TEEN || __L_FCK || __L_HARDCORE || __L_ANAL || 
__L_JIZZ)  (L_P_PICS || L_P_VIDS ||L_P_CLIPS || L_P_AVI ||L_P_MPEG))
score L_P_COMBO11.8

#erotica coupled with movie, photo, pictures, etc
meta L_P_COMBO4 ((__L_INCEST || __L_FAC || __L_EROTIC || __L_FCK || 
__L_HARDCORE || __L_ANAL || __L_JIZZ || __L_COCK)  (__L_VIDEO || __L_PHOTO || 
__L_MOVIE))
score L_P_COMBO41.5


#young person coupled with dirty act/nudity
meta L_P_COMBO2 ((__L_TEEN || __L_GIRLS || __L_BOYS || __L_VIRGIN)  
(__L_BACK || __L_NUDE || __L_NAKED || __L_EROTIC || __L_FCK || __L_EXPLICIT || 
__L_INCEST || __L_COCK || __L_ANAL || __L_JIZZ || __L_PUS || __L_TI || __L_MAST 
|| L_P_DP))
score L_P_COMBO22.0

#youth coupled with dirty act/nudity
meta L_P_COMBO3 ((__L_YOUNG || __L_YOUTH || __L_INOC)  (__L_BACK || 
__L_EROTIC || __L_EXPLICIT || __L_HARDCORE || __L_INCEST || __L_FCK || __L_COCK 
|| __L_ANAL || __L_JIZZ || __L_PUS || __L_TI || __L_MAST || L_P_DP))
score L_P_COMBO32.0

#gay/lesbian with dirty act - note, I removed some words to reduce FPs 
(nude/tits)
# as these might be adults who are legitamately nude at a protest, etc.
meta L_P_COMBO4 ((__L_GAYS || __L_LESB)  ( __L_EROTIC || __L_FCK || 
__L_EXPLICIT || __L_INCEST || __L_COCK || __L_ANAL || __L_JIZZ || __L_PUS || 
__L_MAST))
score L_P_COMBO41.0

meta L_P_DAUGHT1(__L_DAUGHTER  ( __L_EROTIC || __L_EXPLICIT || 
__L_INCEST || __L_COCK || __L_ANAL || __L_PUS || __L_TI || L_P_DP))
score L_P_DAUGHT1   2.0

#removed hardcore.. my son is a hardcore football fan ec
meta L_P_SON1   (__L_SON  ( __L_EROTIC || __L_EXPLICIT || __L_INCEST 
|| __L_COCK || __L_ANAL || __L_PUS || __L_TI || L_P_DP)
)
score L_P_SON1  1.0

meta L_P_MULTI3 ((__L_HOTB + __L_THROB + __L_BACK + __L_FAC + __L_BLO 
+__L_MAST + __L_ANAL + __L_JIZZ + __L_COCK + __L_TEEN + __L_GIRLS + L_P_DP + 
__L_VIRGIN + __L_NUDE + __L_EROTIC + __L_NAKED + __L_FCK + __L_YOUNG + __L_NUDE 
+ __L_EXPLICIT + __L_INCEST) 3)
score L_P_MULTI31.8

#note: this rule

Re: {SPAM} Re: new type of spam

2005-09-30 Thread Raymond Dijkxhoorn 

Hi!


|are you using URIBL checks in SA?



Combine this with some SARE rules and you will see not much comming in.



I use URIBL's and many SARE rules, including SARE's adult rules, and a lot of
this latest wave got missed.

Attached is a subset of some porn rules I've been working on. They're
experimental, but the seem to work pretty well with fairly low FP rate.

They might have some FP cases I haven't noticed yet, so be careful with them,
but you might want to try them out.


You could try:

http://www.rulesemporium.com/rules/70_sare_specific.cf

Caches a lot of the ph*rm spams out there.

Bye,
Raymond.

Re: {SPAM} Re: new type of spam

2005-09-30 Thread wolfgang 
In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:

 Attached is a subset of some porn rules I've been working on. They're
 experimental, but the seem to work pretty well with fairly low FP rate.
 
 They might have some FP cases I haven't noticed yet, so be careful with 
them,
 but you might want to try them out.

Thanks, they look promising, one problem tho:
after adding them, --lint gives me:
Failed to run meta SpamAssassin tests, skipping some: syntax error at (eval 
64) line 547, near ) {
syntax error at (eval 64) line 634, near ;
}
in two different 3.0.4 installations. Maybe you find the problem faster than i 
could (and want to :)

cheers,

wolfgang

Re: {SPAM} Re: new type of spam

2005-09-30 Thread Dhawal Doshy 

wolfgang wrote:

In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:


Attached is a subset of some porn rules I've been working on. They're
experimental, but the seem to work pretty well with fairly low FP rate.

They might have some FP cases I haven't noticed yet, so be careful with 


them,


but you might want to try them out.



Thanks, they look promising, one problem tho:
after adding them, --lint gives me:
Failed to run meta SpamAssassin tests, skipping some: syntax error at (eval 
64) line 547, near ) {

syntax error at (eval 64) line 634, near ;
}
in two different 3.0.4 installations. Maybe you find the problem faster than i 
could (and want to :)


cheers,



Failed to run meta SpamAssassin tests, skipping some: syntax error at 
(eval 62) line 830, near ) {

syntax error at (eval 62) line 1288, near ;
}

make that 2 of us getting the same error on SA 3.0.4

- dhawal

Re: {SPAM} Re: new type of spam

2005-09-30 Thread wolfgang 
In an older episode (Friday, 30. September 2005 22:52), wolfgang wrote:
 In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
 
  Attached is a subset of some porn rules I've been working on. They're
  experimental, but the seem to work pretty well with fairly low FP rate.
  
  They might have some FP cases I haven't noticed yet, so be careful with 
 them,
  but you might want to try them out.
 
 Thanks, they look promising, one problem tho:
 after adding them, --lint gives me:
 Failed to run meta SpamAssassin tests, skipping some: syntax error at (eval 
 64) line 547, near ) {
 syntax error at (eval 64) line 634, near ;
 }
 in two different 3.0.4 installations. Maybe you find the problem faster than 
i 
 could (and want to :)

I guess i found it:
in meta L_P_SON1 there is an additional linebreak before the last ). I removed 
it and --lint works fine.

cheers,

wolfgang