Re: HTML Spam messages with float tag ?

2005-09-15 Thread Loren Wilton
> The number of messages like below has increased. Unfortunately, they are
> not reported to SpamCop fast enough for SURBL to handle them Has anyone
> created some sort of filter to identify this type of messages ??

Yes.

Loren



Re: HTML Spam messages with float tag ?

2005-09-14 Thread jdow

From: "Robert Menschel" <[EMAIL PROTECTED]>


Hello Brian,

Wednesday, September 14, 2005, 5:31:34 AM, you wrote:

BI> Hi,

BI>  The number of messages like below has increased. Unfortunately, they are
BI> not reported to SpamCop fast enough for SURBL to handle them Has anyone
BI> created some sort of filter to identify this type of messages ??

SARE rules under development.  Some will be published by this weekend,
come hell or ... well, I'm not in New Orleans.  Other rules we're less
sure of may wait a few more days.

Sample hit rates of the most promising rules:
#counts   LW_LEO_MAILER1   2332s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_DOLLARS1  1451s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_COST  1014s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_DRUGS_DOWN2563s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   SARE_LEO_SUB_MEDS1107s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_SUB_PHARM   487s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_SUB_PHARM2  877s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_LINE02  2028s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_LINE03  59s/0h of 614805 corpus (315596s/299209h RM) 09/11/05


Oh poor poor Leo. Why'd you want to do such a nasty thing to such a nice
spammer? Now the mad Russian will have to change tactics, again.

{O,o}
   (Actually there may be a very effective tool against him and the
   Columbine crew if you play the DNS lookup game correctly. But it
   is expensive for testing purposes requiring whois lookups with
   multiple DNS lookups.)



Re: HTML Spam messages with float tag ?

2005-09-14 Thread Robert Menschel
Hello Brian,

Wednesday, September 14, 2005, 5:31:34 AM, you wrote:

BI> Hi,

BI>  The number of messages like below has increased. Unfortunately, they are
BI> not reported to SpamCop fast enough for SURBL to handle them Has anyone
BI> created some sort of filter to identify this type of messages ??

SARE rules under development.  Some will be published by this weekend,
come hell or ... well, I'm not in New Orleans.  Other rules we're less
sure of may wait a few more days.

Sample hit rates of the most promising rules:
#counts   LW_LEO_MAILER1   2332s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_DOLLARS1  1451s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_COST  1014s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_DRUGS_DOWN2563s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   SARE_LEO_SUB_MEDS1107s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_SUB_PHARM   487s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_SUB_PHARM2  877s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_LINE02  2028s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_LINE03  59s/0h of 614805 corpus (315596s/299209h RM) 09/11/05


Bob Menschel
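
An added example, not part of any post in this thread: a small Python parser for the "#counts" rows above. It assumes "Ns/Nh" means spam and ham hits and that the pair in parentheses is the spam/ham split of the corpus, and turns each row into hit rates. Function names are illustrative; rows that cannot be split unambiguously are rejected instead of guessed.

```python
import re

# Rows copied from the post above, keeping its mail-wrapped layout and one
# row whose rule name and spam count are run together in the archive.
SAMPLE = """\
#counts   LW_LEO_MAILER1   2332s/0h of 679260 corpus (323056s/356204h
RM) 09/13/05
#counts   LW_LEO_DOLLARS1  1451s/0h of 679260 corpus (323056s/356204h
RM) 09/13/05
#counts   LW_LEO_DRUGS_DOWN2563s/0h of 679260 corpus (323056s/356204h
RM) 09/13/05
#counts   SARE_LEO_LINE03  59s/0h of 614805 corpus (315596s/299209h RM)
09/11/05
"""

# rule name, spam hits, ham hits, corpus size, corpus spam/ham split, tag, date
ROW = re.compile(
    r"#counts\s+(?P<rule>\w+)\s+(?P<s>\d+)s/(?P<h>\d+)h\s+of\s+(?P<total>\d+)"
    r"\s+corpus\s+\((?P<cs>\d+)s/(?P<ch>\d+)h\s+\w+\)\s+(?P<date>\d\d/\d\d/\d\d)"
)

def unwrap(text):
    """Rejoin wrapped rows: a non-empty line not starting a row continues the last one."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#counts"):
            rows.append(line)
        elif line and rows:
            rows[-1] += " " + line
    return rows

def parse_counts(text):
    """Return (parsed, rejected); ambiguous or inconsistent rows are rejected."""
    parsed, rejected = [], []
    for row in unwrap(text):
        m = ROW.fullmatch(row)
        if not m:
            rejected.append(row)      # e.g. fused name/count: do not guess the split
            continue
        s, h, total, cs, ch = (int(m[k]) for k in ("s", "h", "total", "cs", "ch"))
        if cs + ch != total or s > cs or h > ch:
            rejected.append(row)      # corpus arithmetic does not add up
            continue
        parsed.append({"rule": m["rule"], "date": m["date"],
                       "spam_pct": round(100 * s / cs, 3),
                       "ham_pct": round(100 * h / ch, 3)})
    return parsed, rejected

if __name__ == "__main__":
    ok, bad = parse_counts(SAMPLE)
    for r in ok:
        print(f'{r["rule"]:<18}{r["spam_pct"]:>7.3f}% of spam {r["ham_pct"]:>7.3f}% of ham')
    print("rejected:", len(bad))
```
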





Re: HTML Spam messages with float tag ?

2005-09-14 Thread M.Lewis
The ones that get through here do so with a very low score. Around 1.00 
or below. I already have both the SARE_OBFU & SARE_HTML rules in place. 
I'm filtering on domains, but that is not extremely successful as he/she 
adds about 3-4 new ones every day. Current count is now 85. If you wish 
a list, mail me privately.


Thanks,
Mike

Ilan Aisic wrote:

Hi Brian,
Look for the thread about "Pharamcudical list of words in a table".
See:
http://www.gossamer-threads.com/lists/spamassassin/users/59435?page=last

All these messages are probably coming from one evil source.
Some say it's a guy called Leo Kuvayev and he keeps changing the
messages and trying to fool SA.
You really should include SARE_OBFU and SARE_HTML (in
http://www.rulesemporium.com/). I see that these rule files score some
points on Leo's messages. But most of the points are from all the
network checks.
I also added my own personal rule to increase the total score on these
tables:


# This one adopted from sare_html:
rawbody   IA_HTML_MANY_BR  /.{0,10}.{0,10}.{0,10}.{0,10}/i

describe  IA_HTML_MANY_BR  Tooo many close 's!
score IA_HTML_MANY_BR  0.500


On 9/14/05, Brian Ipsen <[EMAIL PROTECTED]> wrote:


Hi,

The number of messages like below has increased. Unfortunately, they are
not reported to SpamCop fast enough for SURBL to handle them Has anyone
created some sort of filter to identify this type of messages ??




 
link to site
 
MeXaUlAmCiLeVa

PrViCe
rinatrbialvili

opagle
dixamenistrum<

/STRONG>ecrabr
a 1.a 3.ia 3.ex
217533



Regards,
/Brian




--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org


Re: HTML Spam messages with float tag ?

2005-09-14 Thread Ilan Aisic
Hi Brian,
Look for the thread about "Pharamcudical list of words in a table".
See: http://www.gossamer-threads.com/lists/spamassassin/users/59435?page=last
 
All these messages are probably coming from one evil source. 
Some say it's a guy called Leo Kuvayev and he keeps changing the messages and trying to fool SA.
You really should include SARE_OBFU and SARE_HTML (in
http://www.rulesemporium.com/).   I see that these rule files
score some points on Leo's messages.  But most of the points are
from all the network checks.
I also added my own personal rule to increase the total score on these tables:

# This one adopted from sare_html:
rawbody   IA_HTML_MANY_BR  /.{0,10}.{0,10}.{0,10}.{0,10}/i
describe  IA_HTML_MANY_BR  Tooo many close 's!
score IA_HTML_MANY_BR  0.500


  
On 9/14/05, Brian Ipsen <[EMAIL PROTECTED]> wrote:

Hi,

The number of messages like below has increased. Unfortunately, they are
not reported to SpamCop fast enough for SURBL to handle them Has anyone
created some sort of filter to identify this type of messages ??

  face=Courier>MeXaUlAmCiLeVa
PrViCeface=Courier>rinatrbialvili
opagleface=Courier>dixamenistrum<
/STRONG>ecrabrface=Courier>a 1.a 3.ia 3.>exface=Courier>217533

Regards,
/Brian

--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org


RE: HTML Spam messages with float tag ?

2005-09-14 Thread Bowie Bailey
From: Brian Ipsen 
> 
> The number of messages like below has increased.  Unfortunately,
> they are not reported to SpamCop fast enough for SURBL to handle
> them Has anyone created some sort of filter to identify this
> type of messages ??
> 
> 
> 
> 
>  
> link to site
>  
>  face=Courier>MeXaUlAmCiLe
> Va
> PrViCe
>  face=Courier>rinatrbialvi
> li
> opagle
>  face=Courier>dixamenistr<
> BR>um<
> /STRONG>ecrabr
>  face=Courier>a 1.a 3.ia<
> BR> 3. >ex
>  face=Courier>217533
> 

I just did this:

rawbody BUC_FLOAT /