Re: {Spam?} spam with (rolex) watches gets trough

2004-12-22 Thread Martin Hepworth
Thomas
what extra rules above the standard SA ones have you got? Any from 
www.rulesemporium.com ?

also have you got the URI RBLs turned on? This helps quite a lot for 
this sort of spam.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Thomas Arend wrote:
Hello, 

I'm getting a lot of spam messages about rolex watches (see example below), 
which were not scored as spam. Only the bayes test applies, which gives only 
a score of 4.1

Thomas 

Example Message:


Re: {Spam?} spam with (rolex) watches gets trough

2004-12-22 Thread Jim Barry
On Wed, December 22, 2004 6:42 am, Martin Hepworth said:
 also have you got the URI RBLs turned on? This helps quite a lot for this
 sort of spam.

Indeed.

That forwarded message ended up tagged as spam; the URI checks are what
caught it... even the AWL wasn't enough to save it. :)

SpamAssassin (score=5.826, required 5,
 AWL -8.43, BAYES_50 0.40, RAZOR2_CF_RANGE_51_100 1.75,
 RAZOR2_CHECK 1.75, URIBL_AB_SURBL 0.42, URIBL_OB_SURBL 3.21,
 URIBL_SBL 1.00, URIBL_SC_SURBL 4.26, URIBL_WS_SURBL 1.46)



Re: {Spam?} spam with (rolex) watches gets trough

2004-12-22 Thread Thomas Arend
On Wednesday, 22 December 2004 12:42, Martin Hepworth wrote:
 Thomas

 what extra rules above the standard SA ones have you got? Any from
 www.rulesemporium.com ?

I have only the standard rules from SA 3.0.2


 also have you got the URI RBLs turned on? This helps quite a lot for
 this sort of spam.

Thanks, I just checked it with spamassassin and got URI checks.
A check on /etc/sysconfig/spamd on SuSE 9.1 showed -L option activated - 
removed it. Now the message gets fine scores.

Thanks

Thomas

 --
 Martin Hepworth
 Snr Systems Administrator
 Solid State Logic
 Tel: +44 (0)1865 842300

[..]

-- 
icq:133073900
aim:tawhv
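
An added example (not part of the thread) tying Jim Barry's score report to the `-L` fix above: it separates the hits that need the network (URIBL and Razor) from the local ones, and checks a spamd argument string for local-only mode. The two argument strings are constructed samples, and options are assumed to be written separately rather than bundled.

```python
import re
import shlex

# Rule-name prefixes whose tests need DNS or network access (skipped by spamd -L).
NETWORK_PREFIXES = ("URIBL_", "RAZOR2_")

# Score report as quoted in Jim Barry's message in this thread.
REPORT = """SpamAssassin (score=5.826, required 5,
 AWL -8.43, BAYES_50 0.40, RAZOR2_CF_RANGE_51_100 1.75,
 RAZOR2_CHECK 1.75, URIBL_AB_SURBL 0.42, URIBL_OB_SURBL 3.21,
 URIBL_SBL 1.00, URIBL_SC_SURBL 4.26, URIBL_WS_SURBL 1.46)"""

# Constructed spamd argument strings (not the poster's actual file contents).
ARGS_BEFORE = "-d -c -L"
ARGS_AFTER = "-d -c"

def parse_report(text):
    """Return {rule_name: score} from a 'NAME score, NAME score' report."""
    pairs = re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", text)
    return {name: float(score) for name, score in pairs}

def split_scores(hits):
    """Return (local_sum, network_sum). AWL is left out of both sums because
    it is an adjustment computed from the other hits, not a test of its own."""
    net = sum(v for k, v in hits.items() if k.startswith(NETWORK_PREFIXES))
    local = sum(v for k, v in hits.items()
                if not k.startswith(NETWORK_PREFIXES) and k != "AWL")
    return round(local, 2), round(net, 2)

def local_only(spamd_args):
    """True if the argument string turns on local-tests-only mode."""
    return any(arg in ("-L", "--local") for arg in shlex.split(spamd_args))

if __name__ == "__main__":
    local, net = split_scores(parse_report(REPORT))
    print(f"local tests: {local}  network tests: {net}")
    for args in (ARGS_BEFORE, ARGS_AFTER):
        state = "network tests skipped" if local_only(args) else "network tests run"
        print(f"spamd {args!r}: {state}")
```

With `-L` set, only the 0.40 from BAYES_50 in this report would remain, which matches the symptom in the original question where nothing but the Bayes test fired.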


RE: {Spam?} spam with (rolex) watches gets trough

2004-12-22 Thread Chris Santerre


-Original Message-
From: Thomas Arend [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 22, 2004 6:56 AM
To: users@spamassassin.apache.org
Subject: Re: {Spam?} spam with (rolex) watches gets trough



On Wednesday, 22 December 2004 12:42, Martin Hepworth wrote:
 Thomas

 what extra rules above the standard SA ones have you got? Any from
 www.rulesemporium.com ?

I have only the standard rules from SA 3.0.2


 also have you got the URI RBLs turned on? This helps quite a lot for
 this sort of spam.

Thanks, I just checked it with spamassassin and got URI checks.
A check on /etc/sysconfig/spamd on SuSE 9.1 showed -L option activated - 
removed it. Now the message gets fine scores.

Thanks

Ninja Loren wrote some way back in Oct! Good lord we are behind! :) 

body      LW_ROLEX        /\broll?ex\b/i
score     LW_ROLEX        1
describe  LW_ROLEX        Mentions Rolex

body      __LW_OBREPLICA  /\brepIicas?\b/i
body      __LW_REPLICA    /\breplicas?\b/i
body      __LW_WATCHES    /\bwatch(?:es)?\b/i

meta      LW_ROLEXWATCH   LW_ROLEX && __LW_WATCHES
score     LW_ROLEXWATCH   1
describe  LW_ROLEXWATCH   Mentions rolex watches

meta      LW_FAKEROLEX    LW_ROLEX && __LW_REPLICA
score     LW_FAKEROLEX    5
describe  LW_FAKEROLEX    Talks about rolex and replicas

body      LW_WANTAROLEX   /Want a (?:\w+ )+Rolex(?: Watch)?\?/i  # Want a cheap Rolex Watch?
score     LW_WANTAROLEX   5
describe  LW_WANTAROLEX   Asks if you want a rolex watch

meta      LW_ROLEXOBFU    __LW_OBREPLICA && LW_ROLEX
score     LW_ROLEXOBFU    5
describe  LW_ROLEXOBFU    Obfuscating replica rolexes!

Also, Ninja-in-training Matt N submitted these to the list:
(Mind the word wrap)

header    UOLCC_ROLEX_SUB1   Subject =~ /\brolex\b/i
describe  UOLCC_ROLEX_SUB1   Subject contains the word 'rolex'
score     UOLCC_ROLEX_SUB1   0.5

header    UOLCC_ROLEX_SUB2   Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_SUB2   Subject contains a gappy version of 'rolex'
score     UOLCC_ROLEX_SUB2   1.5

body      UOLCC_ROLEX_BODY1  /\brolex\b/i
describe  UOLCC_ROLEX_BODY1  Body contains the word 'rolex'
score     UOLCC_ROLEX_BODY1  0.5

body      UOLCC_ROLEX_BODY2  /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_BODY2  Body contains a gappy version of 'rolex'
score     UOLCC_ROLEX_BODY2  1.5

rawbody   UOLCC_WATCH_BODY   /^(Do\syou\s)?[Ww]ant\s(a\s)?(rolex\s|cheap\s)?[Ww](ristw)?atch\?\s*$/m
describe  UOLCC_WATCH_BODY   Body asks if you want a watch
score     UOLCC_WATCH_BODY   2

None of these have been tested yet. Use at your own risk. Do not operate
while under heavy medication. Lather, rinse, repeat.  Always repeat!

--Chris 
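
Since the rules above are posted as untested, here is an added example (not from the thread or from SpamAssassin) that exercises the LW_* set offline. It transcribes the patterns for Python's `re`, reads each meta rule as "both sub-rules hit" (an assumption based on the describe lines), treats the whole body as one string, and uses constructed sample bodies.

```python
import re

# Chris Santerre's LW_* rules from this thread, transcribed for Python's re
# (the patterns use no Perl-only syntax). "__" rules are unscored sub-rules.
BODY = {
    "LW_ROLEX":       (r"\broll?ex\b", 1),
    "__LW_OBREPLICA": (r"\brepIicas?\b", 0),   # capital I in place of l
    "__LW_REPLICA":   (r"\breplicas?\b", 0),
    "__LW_WATCHES":   (r"\bwatch(?:es)?\b", 0),
    "LW_WANTAROLEX":  (r"Want a (?:\w+ )+Rolex(?: Watch)?\?", 5),
}
# Meta rules, read as "all listed sub-rules hit" (assumption, per the describe lines).
META = {
    "LW_ROLEXWATCH": (("LW_ROLEX", "__LW_WATCHES"), 1),
    "LW_FAKEROLEX":  (("LW_ROLEX", "__LW_REPLICA"), 5),
    "LW_ROLEXOBFU":  (("__LW_OBREPLICA", "LW_ROLEX"), 5),
}

# Constructed sample bodies (not real messages).
SAMPLES = {
    "obfuscated": "Top quality repIica Rolex watches, shipped worldwide",
    "question":   "Want a cheap Rolex Watch?",
    "ham":        "He wore his grandfather's Rolex to the meeting.",
}

def evaluate(body):
    """Return (sorted scoring rule names, total score) for one message body."""
    hit = {n for n, (rx, _) in BODY.items() if re.search(rx, body, re.I)}
    hit |= {n for n, (deps, _) in META.items() if all(d in hit for d in deps)}
    scores = {n: s for n, (_, s) in list(BODY.items()) + list(META.items())}
    visible = sorted(n for n in hit if not n.startswith("__"))
    return visible, sum(scores[n] for n in visible)

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        names, total = evaluate(text)
        print(f"{label:10} score={total:<2} {' '.join(names) or '-'}")
```

Both spam-like samples reach 7, above the "required 5" shown in Jim Barry's report, while the ham sample scores 1 from LW_ROLEX alone.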


Re: {Spam?} spam with (rolex) watches gets trough

2004-12-22 Thread Fred
Chris Santerre wrote:
 On Wednesday, 22 December 2004 12:42, Martin Hepworth wrote:
 Thomas
 
 what extra rules above the standard SA ones have you got? Any from
 www.rulesemporium.com ?
 
 None of these have been tested yet. Use at your own risk. Do not
 operate while under heavy medication. Lather, rinse, repeat.  Always
 repeat! 
 
 --Chris

I also have a few in my collection:

body   FB_QUALIFY_FOR_TH   /qualify for th/i
score  FB_QUALIFY_FOR_TH   0.345
body   FB_QUALITY_REPLICA  /quality replica/i
score  FB_QUALITY_REPLICA  1.0
body   FB_REPLICA_ROLEX    /replica rolex/i
score  FB_REPLICA_ROLEX    1.0

I have more, this is all I can find right now.



Re: {Spam?} spam with (rolex) watches gets trough

2004-12-22 Thread Robert Brooks
this ruleset works well for me:
http://www.violetdreams.com/sa/rolex.cf
maybe ninjaz -at- webexpress.com can be welcomed to the sare dojo? ;-)


--
Robert Brooks,   Network Manager,  Cable & Wireless UK
[EMAIL PROTECTED] http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -