Re: Block "wrote:" spams

[Steve Lake]

I never saw your posts about the relay checker plugin.  Can you 
email me the info on it?


At 10:33 AM 11/4/2006 -0800, John Rudd wrote:


For the "wrote:" spams that come through here, I think all of them are 
being caught by my RelayChecker plugin (which I've posted in other threads).




Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community

Re: sa-update DNS not updated (was: Block "wrote:" spams)

[Justin Mason]

Daryl C. W. O'Shea writes:
> Theo Van Dinter wrote:
> > On Thu, Nov 09, 2006 at 01:22:12PM -0500, Daryl C. W. O'Shea wrote:
> >>> Theo, what's the procedure to push out 3.1.x updates?
> > 
> > I posted this a while ago:
> > 
> > http://wiki.apache.org/spamassassin/ManualRuleUpdates
> > 
> > It's even linked in from the Development Information link. :)
> > 
> >>http://wiki.apache.org/spamassassin/PublishingRuleUpdates
> > 
> > Why is there another doc about it?  :(
> 
> I don't know, but the funniest part is that Justin made it.  It's linked 
> to from the RuleUpdates page.

ha!

I refactored it out of the main RuleUpdates page a while back. For what
it's worth, I think that page is meant to be "hey third-party people,
here's how you can publish rules for sa-update", not "hey SpamAssassin
developers, here's how you can push out updated 3.1.x rules to
updates.spamassassin.org". 

ick, the manual process for the latter (thanks for the link theo ;)
is _very_ manual...

--j.

Re: sa-update DNS not updated (was: Block "wrote:" spams)

[Daryl C. W. O'Shea]

Theo Van Dinter wrote:

On Thu, Nov 09, 2006 at 01:22:12PM -0500, Daryl C. W. O'Shea wrote:

Theo, what's the procedure to push out 3.1.x updates?


I posted this a while ago:

http://wiki.apache.org/spamassassin/ManualRuleUpdates

It's even linked in from the Development Information link. :)


http://wiki.apache.org/spamassassin/PublishingRuleUpdates


Why is there another doc about it?  :(


I don't know, but the funniest part is that Justin made it.  It's linked 
to from the RuleUpdates page.


Daryl

Re: sa-update DNS not updated (was: Block "wrote:" spams)

[Theo Van Dinter]

On Thu, Nov 09, 2006 at 01:22:12PM -0500, Daryl C. W. O'Shea wrote:
> >Theo, what's the procedure to push out 3.1.x updates?

I posted this a while ago:

http://wiki.apache.org/spamassassin/ManualRuleUpdates

It's even linked in from the Development Information link. :)

>   http://wiki.apache.org/spamassassin/PublishingRuleUpdates

Why is there another doc about it?  :(

-- 
Randomly Selected Tagline:
 War over! Balls thoroughly licked.


pgp7n1yWCDWXq.pgp
Description: PGP signature

Re: sa-update DNS not updated (was: Block "wrote:" spams)

[Daryl C. W. O'Shea]

Justin Mason wrote:


Hi guys --

yes, I think you're right -- it looks like SpamAssassin 3.1.x rule
updates are not generated automatically, unlike the trunk ones :(

Theo, what's the procedure to push out 3.1.x updates?


You've got to roll your own.

 - commit changes to rules/branches/3.1/ and to branches/3.1/rules/

 - do some testing of the rules if you're feeling unlucky

 - make the update package, update dns

http://wiki.apache.org/spamassassin/PublishingRuleUpdates


Daryl

Re: sa-update DNS not updated (was: Block "wrote:" spams)

[Justin Mason]

Kenneth Porter writes:
> --On Friday, November 03, 2006 5:43 PM + Justin Mason <[EMAIL PROTECTED]> 
> wrote:
> 
> > there's a rule that matches them in 3.1.x sa-update, fwiw.
> 
> I don't see it either. What's the name of the rule?

for what it's worth, it's 'RCVD_FORGED_WROTE'.

> Dates on files in /var/lib/spamassassin are 20061024.
> 
> I ran sa-update -D and got this at the end:
> 
> [7784] dbg: channel: attempting channel updates.spamassassin.org
> [7784] dbg: channel: update directory 
> /var/lib/spamassassin/3.001007/updates_spamassassin_org
> [7784] dbg: channel: channel cf file 
> /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
> [7784] dbg: channel: channel pre file 
> /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
> [7784] dbg: channel: metadata version = 431276
> [7784] dbg: dns: 7.1.3.updates.spamassassin.org => 431276, parsed as 431276
> [7784] dbg: channel: current version is 431276, new version is 431276, 
> skipping channel
> 
> 
> Is this new rule supposed to be in 431276?
> 
> I also tried running the DNS query with dig against a few of the servers 
> for that zone and get the same answer, so it's not my local DNS server 
> caching an old answer.
> 
> I chased through the update logic and found the update archive here:
> 
> 
> 
> I see some later updates there, and the "wrote" rule is in 472539. Is the 
> DNS not getting updated to push these new rules out?

Hi guys --

yes, I think you're right -- it looks like SpamAssassin 3.1.x rule
updates are not generated automatically, unlike the trunk ones :(

Theo, what's the procedure to push out 3.1.x updates?

--j.

RE: sa-update DNS not updated (was: Block "wrote:" spams)

[Randal, Phil]

It looks like DNS is a few versions behind, alas.  What I'd love to see
is an RSS feed listing the latest sa-update releases.  Or at least an
update version history somehwere easy to find in the SA web pages.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: Kenneth Porter [mailto:[EMAIL PROTECTED] 
> Sent: 09 November 2006 01:19
> To: users@spamassassin.apache.org
> Cc: Justin Mason
> Subject: sa-update DNS not updated (was: Block "wrote:" spams)
> 
> --On Friday, November 03, 2006 5:43 PM + Justin Mason 
> <[EMAIL PROTECTED]> 
> wrote:
> 
> > there's a rule that matches them in 3.1.x sa-update, fwiw.
> 
> I don't see it either. What's the name of the rule?
> 
> Dates on files in /var/lib/spamassassin are 20061024.
> 
> I ran sa-update -D and got this at the end:
> 
> [7784] dbg: channel: attempting channel updates.spamassassin.org
> [7784] dbg: channel: update directory 
> /var/lib/spamassassin/3.001007/updates_spamassassin_org
> [7784] dbg: channel: channel cf file 
> /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
> [7784] dbg: channel: channel pre file 
> /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
> [7784] dbg: channel: metadata version = 431276
> [7784] dbg: dns: 7.1.3.updates.spamassassin.org => 431276, 
> parsed as 431276
> [7784] dbg: channel: current version is 431276, new version 
> is 431276, 
> skipping channel
> 
> 
> Is this new rule supposed to be in 431276?
> 
> I also tried running the DNS query with dig against a few of 
> the servers 
> for that zone and get the same answer, so it's not my local 
> DNS server 
> caching an old answer.
> 
> I chased through the update logic and found the update archive here:
> 
> <http://spamassassin.kluge.net/updates/>
> 
> I see some later updates there, and the "wrote" rule is in 
> 472539. Is the 
> DNS not getting updated to push these new rules out?
> 

sa-update DNS not updated (was: Block "wrote:" spams)

[Kenneth Porter]

--On Friday, November 03, 2006 5:43 PM + Justin Mason <[EMAIL PROTECTED]> 
wrote:



there's a rule that matches them in 3.1.x sa-update, fwiw.


I don't see it either. What's the name of the rule?

Dates on files in /var/lib/spamassassin are 20061024.

I ran sa-update -D and got this at the end:

[7784] dbg: channel: attempting channel updates.spamassassin.org
[7784] dbg: channel: update directory 
/var/lib/spamassassin/3.001007/updates_spamassassin_org
[7784] dbg: channel: channel cf file 
/var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[7784] dbg: channel: channel pre file 
/var/lib/spamassassin/3.001007/updates_spamassassin_org.pre

[7784] dbg: channel: metadata version = 431276
[7784] dbg: dns: 7.1.3.updates.spamassassin.org => 431276, parsed as 431276
[7784] dbg: channel: current version is 431276, new version is 431276, 
skipping channel



Is this new rule supposed to be in 431276?

I also tried running the DNS query with dig against a few of the servers 
for that zone and get the same answer, so it's not my local DNS server 
caching an old answer.


I chased through the update logic and found the update archive here:



I see some later updates there, and the "wrote" rule is in 472539. Is the 
DNS not getting updated to push these new rules out?

Re: Block "wrote:" spams

[Jeroen Tebbens]

Write your own:

header  LR_WROTE_SUBSubject =~ /\bwrote\b\:/i
describeLR_WROTE_SUBWrote in Subject
score   LR_WROTE_SUB3.0

Thanks for the members that made them earlier.
I just repeat them because they do a nice job at my webserver:

bodyLR_CSAIL_EVERGLORY  /Ever-Glory International/i
describeLR_CSAIL_EVERGLORY  Ever-Glory International
score   LR_CSAIL_EVERGLORY  1.5

bodyLR_CSAIL_EGLY_TICKER/\(EGLY\)/
describeLR_CSAIL_EGLY_TICKEREver-Glory International 
stock symbol

score   LR_CSAIL_EGLY_TICKER1.5

bodyLR_CSAIL_EVERGLORY_DISNEY   /Ever-Glory and Disney/
describeLR_CSAIL_EVERGLORY_DISNEY   Bogus Ever-Glory press 
release

score   LR_CSAIL_EVERGLORY_DISNEY   2.5

header  __CSAIL_EGLY_SUBJ   Subject =~ /^\S+ here\s+:\)/

metaLR_CSAIL_EGLY_SPAM  ( __CSAIL_EGLY_SUBJ && 
LR_CSAIL_EGLY_TICKER )
describeLR_CSAIL_EGLY_SPAM  This message really 
looks like a recent EGLY pump & dump scam

score   LR_CSAIL_EGLY_SPAM  5.0


Jason Little wrote:
 
We just started getting a ton of these.  Is there an SA ruleset that I can

grab or do I just have to write my own.

Jason
-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 08, 2006 3:26 PM

To: users@spamassassin.apache.org
Subject: Re: Block "wrote:" spams

  
One thing I've noticed is the envelope return path... Watching this 
morning, they all seem to be from 'debora@'
  


  

debora wrote: in subject at the same time ?



No.  (Finally got my first one of these.)

Loren


  

RE: Block "wrote:" spams

[Jason Little]

 
We just started getting a ton of these.  Is there an SA ruleset that I can
grab or do I just have to write my own.

Jason
-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 08, 2006 3:26 PM
To: users@spamassassin.apache.org
Subject: Re: Block "wrote:" spams

>> One thing I've noticed is the envelope return path... Watching this 
>> morning, they all seem to be from 'debora@'

> debora wrote: in subject at the same time ?

No.  (Finally got my first one of these.)

Loren

Re: Block "wrote:" spams

[Loren Wilton]

One thing I've noticed is the envelope return path... Watching this
morning, they all seem to be from 'debora@'



debora wrote: in subject at the same time ?


No.  (Finally got my first one of these.)

   Loren

Re: Block "wrote:" spams

[Steve Thomas]

I've added three procmail rules in the last few days to combat the deluge
of these (and other) spams. I figure that these are all passing fads and
aren't worth writing SA rules. YMMV, of course, but in my case, the
procmail method works best.


:0
* ^subject:.*your concert tickets reservation
.spam.learn/

:0
* ^subject:.* here :\)
.spam.learn/

:0
* ^subject:.* wrote:$
.spam.learn/


I normally don't tweak my .procmailrc for a specific type of spam, but the
sheer volume of these three types of spams made it worth it. I've cut the
volume of spam that makes it to my inbox and spam folder in half - the
rest goes directly into the 'learn' directory, where a cron job runs once
an hour to add them to bayes.

Re: Block "wrote:" spams

[Benny Pedersen]

On Wed, November 8, 2006 11:38, Hamish Marson wrote:

> One thing I've noticed is the envelope return path... Watching this
> morning, they all seem to be from 'debora@'

debora wrote: in subject at the same time ?

-- 
"This message was sent using 100% recycled spam mails."

Re: Block "wrote:" spams

[Patrick Sneyers]

They mostly only hit bayes (running 3.1.7).
ImageInfo.pm is very helpful here

0.0 HTML_MESSAGE BODY: HTML included in message
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
3.0 DC_GIF_UNO_LARGO Message contains a single large inline gif

Most also hit John Rudd's jr_rfc1912.cf too.
http://people.ucsc.edu/~jrudd/spamassassin/


Patrick Sneyers

Op 8-nov-06, om 13:02 heeft Hall J D ((ISeLS)) het volgende geschreven:


Hi,

I've just run sa-update on my 3.1.4 box and it's not picked up  
anything

new. In fact it looking at the dates on the files it looks like there
haven't been any updates to these rules since the first time I ran
sa-update back in August.

Is sa-update only supporting the newer releases of 3.1.x?

Thanks,

Jonathan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 03 November 2006 17:44
To: Loren Wilton
Cc: users@spamassassin.apache.org
Subject: Re: Block "wrote:" spams


there's a rule that matches them in 3.1.x sa-update, fwiw.

--j.

Loren Wilton writes:

I haven't seen any of these.  But if the spams universally have

" wrote: " as the subject then I'd consider a more
stringent rule:


/^\w+\s+wrote:/i

or
/^(?:\w+\s+){1,2}wrote:/i

or
/^(?:re:\s*|fw:\s*){0,20}(?:\w+\s+){1,2}wrote:/i

Loren

  - Original Message -
  From: Juan Mas
  To: MIKE YRABEDRA
  Cc: spamassassin-users
  Sent: Friday, November 03, 2006 7:15 AM
  Subject: Re: Block "wrote:" spams


  Ive been getting the same and just wrote a rule for it today.  Ive

got what you have listed below.  Havent tested it though.



  On 11/3/06, MIKE YRABEDRA < [EMAIL PROTECTED]> wrote:


I am getting a lot of these "Bob wrote: " spams

Anyone know a way to write the rule so if the subject has  
"wrote:"

in the

subject, tag it?

Here is what I have?

header WROTE_SUB  Subject =~ /\bwrote\:\b/i
describe WROTE_SUB  Wrote in Subject
score WROTE_SUB   3.0




--
Mike Yrabedra B^)>







  --
  -Juan

RE: Block "wrote:" spams

[Hall J D \(ISeLS\)]

Hi,

I've just run sa-update on my 3.1.4 box and it's not picked up anything
new. In fact it looking at the dates on the files it looks like there
haven't been any updates to these rules since the first time I ran
sa-update back in August.

Is sa-update only supporting the newer releases of 3.1.x?

Thanks,

Jonathan 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 03 November 2006 17:44
To: Loren Wilton
Cc: users@spamassassin.apache.org
Subject: Re: Block "wrote:" spams 


there's a rule that matches them in 3.1.x sa-update, fwiw.

--j.

Loren Wilton writes:
> I haven't seen any of these.  But if the spams universally have
" wrote: " as the subject then I'd consider a more
stringent rule:
> 
> /^\w+\s+wrote:/i
> 
> or
> /^(?:\w+\s+){1,2}wrote:/i
> 
> or
> /^(?:re:\s*|fw:\s*){0,20}(?:\w+\s+){1,2}wrote:/i
> 
> Loren
> 
>   - Original Message - 
>   From: Juan Mas 
>   To: MIKE YRABEDRA 
>   Cc: spamassassin-users 
>   Sent: Friday, November 03, 2006 7:15 AM
>   Subject: Re: Block "wrote:" spams
> 
> 
>   Ive been getting the same and just wrote a rule for it today.  Ive
got what you have listed below.  Havent tested it though.
> 
> 
>   On 11/3/06, MIKE YRABEDRA < [EMAIL PROTECTED]> wrote:
> 
> 
> I am getting a lot of these "Bob wrote: " spams 
> 
> Anyone know a way to write the rule so if the subject has "wrote:"
in the
> subject, tag it?
> 
> Here is what I have?
> 
> header WROTE_SUB  Subject =~ /\bwrote\:\b/i
> describe WROTE_SUB  Wrote in Subject 
> score WROTE_SUB   3.0
> 
> 
> 
> 
> --
> Mike Yrabedra B^)>
> 
> 
> 
> 
> 
> 
> 
>   -- 
>   -Juan

Re: Block "wrote:" spams

[Hamish Marson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Justin Mason wrote:
> there's a rule that matches them in 3.1.x sa-update, fwiw.
>
>

Really? Mine is up to date & they still get through...

One thing I've noticed is the envelope return path... Watching this
morning, they all seem to be from 'debora@'

Hamish.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFUbOh/3QXwQQkZYwRAjNXAKCDnl6PLVwpsdWbay5sDEkaOOxQegCdHVKL
ptux54hbywk8q+5L6lLG+/Q=
=G2tw
-END PGP SIGNATURE-

Re: Block "wrote:" spams

[Benny Pedersen]

On Sat, November 4, 2006 19:33, John Rudd wrote:
> For the "wrote:" spams that come through here, I think all of them are
> being caught by my RelayChecker plugin (which I've posted in other threads).

i have this installed with imho do a very good job of stopping spam, thanks
for makeing it

-- 
"This message was sent using 100% recycled spam mails."

Re: Block "wrote:" spams

[John Rudd]

For the "wrote:" spams that come through here, I think all of them are 
being caught by my RelayChecker plugin (which I've posted in other threads).

Re: Block "wrote:" spams

[jdow]

And I would restart spamd after installing the rule.
{^_-}
- Original Message - 
From: "Loren Wilton" <[EMAIL PROTECTED]>



I haven't seen any of these.  But if the spams universally have " wrote: 
" as the subject then I'd consider a more stringent rule:


   /^\w+\s+wrote:/i

or
   /^(?:\w+\s+){1,2}wrote:/i

or
   /^(?:re:\s*|fw:\s*){0,20}(?:\w+\s+){1,2}wrote:/i

   Loren

 - Original Message - 
 From: Juan Mas



 Ive been getting the same and just wrote a rule for it today.  Ive got what you have 
listed below.  Havent tested it though.



 On 11/3/06, MIKE YRABEDRA < [EMAIL PROTECTED]> wrote:


   I am getting a lot of these "Bob wrote: " spams

   Anyone know a way to write the rule so if the subject has "wrote:" in the
   subject, tag it?

   Here is what I have?

   header WROTE_SUB  Subject =~ /\bwrote\:\b/i
   describe WROTE_SUB  Wrote in Subject
   score WROTE_SUB   3.0




   --
   Mike Yrabedra B^)>







 -- 
 -Juan 

Re: Block "wrote:" spams

[Justin Mason]

there's a rule that matches them in 3.1.x sa-update, fwiw.

--j.

Loren Wilton writes:
> I haven't seen any of these.  But if the spams universally have " word> wrote: " as the subject then I'd consider a more stringent rule:
> 
> /^\w+\s+wrote:/i
> 
> or
> /^(?:\w+\s+){1,2}wrote:/i
> 
> or
> /^(?:re:\s*|fw:\s*){0,20}(?:\w+\s+){1,2}wrote:/i
> 
> Loren
> 
>   - Original Message - 
>   From: Juan Mas 
>   To: MIKE YRABEDRA 
>   Cc: spamassassin-users 
>   Sent: Friday, November 03, 2006 7:15 AM
>   Subject: Re: Block "wrote:" spams
> 
> 
>   Ive been getting the same and just wrote a rule for it today.  Ive got what 
> you have listed below.  Havent tested it though.
> 
> 
>   On 11/3/06, MIKE YRABEDRA < [EMAIL PROTECTED]> wrote:
> 
> 
> I am getting a lot of these "Bob wrote: " spams 
> 
> Anyone know a way to write the rule so if the subject has "wrote:" in the
> subject, tag it?
> 
> Here is what I have?
> 
> header WROTE_SUB  Subject =~ /\bwrote\:\b/i
> describe WROTE_SUB  Wrote in Subject 
> score WROTE_SUB   3.0
> 
> 
> 
> 
> --
> Mike Yrabedra B^)>
> 
> 
> 
> 
> 
> 
> 
>   -- 
>   -Juan

Re: Block "wrote:" spams

[Loren Wilton]

I haven't seen any of these.  But if the spams universally have 
" wrote: " as the subject then I'd consider a 
more stringent rule:
 
    /^\w+\s+wrote:/i
 
or
    /^(?:\w+\s+){1,2}wrote:/i
 
or
    /^(?:re:\s*|fw:\s*){0,20}(?:\w+\s+){1,2}wrote:/i
 
        Loren
 

  - Original Message - 
  From: 
  Juan Mas 
  
  To: MIKE YRABEDRA 
  Cc: spamassassin-users 
  Sent: Friday, November 03, 2006 7:15 
  AM
  Subject: Re: Block "wrote:" spams
  Ive been getting the same and just wrote a rule for it 
  today.  Ive got what you have listed below.  Havent tested it 
  though.
  On 11/3/06, MIKE 
  YRABEDRA < [EMAIL PROTECTED]> 
  wrote:
  I 
am getting a lot of these "Bob wrote: " spams Anyone know a way to 
write the rule so if the subject has "wrote:" in thesubject, tag 
it?Here is what I have?header 
WROTE_SUB  Subject =~ 
/\bwrote\:\b/idescribe 
WROTE_SUB  Wrote in Subject score 
WROTE_SUB   
3.0--Mike Yrabedra 
  B^)>-- -Juan 

Re: Block "wrote:" spams

[Juan Mas]

Ive been getting the same and just wrote a rule for it today.  Ive got what you have listed below.  Havent tested it though.On 11/3/06, MIKE YRABEDRA <
[EMAIL PROTECTED]> wrote:I am getting a lot of these "Bob wrote: " spams
Anyone know a way to write the rule so if the subject has "wrote:" in thesubject, tag it?Here is what I have?header WROTE_SUB  Subject =~ /\bwrote\:\b/idescribe WROTE_SUB  Wrote in Subject
score WROTE_SUB   3.0--Mike Yrabedra B^)>-- -Juan

Block "wrote:" spams

[MIKE YRABEDRA]

I am getting a lot of these "Bob wrote: " spams

Anyone know a way to write the rule so if the subject has "wrote:" in the
subject, tag it?

Here is what I have?

header WROTE_SUB  Subject =~ /\bwrote\:\b/i
describe WROTE_SUB  Wrote in Subject
score WROTE_SUB   3.0




-- 
Mike Yrabedra B^)>