Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-29 Thread Panagiotis Christias

On 3/28/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

On Wed, 28 Mar 2007, Panagiotis Christias wrote:

> the last days we get a lot of spam like this:
>
> KAUF-TIPP DER WOCHE

I wrote a few of my own rules especially to catch those stocks scams
together with bayes. If you don't have any people who should write you in
German you can also use the X-Languages tag to boost the score if the mail
is written in German.

Here are my current rules, which should also catch the German stocks.
Maybe there are some false positives in a real stock environment, but for
me they work fine:

# Rules unwrapped from the mail line breaks. Two defects in the posted text are
# fixed: the second rule was also named __HILO_STOCKS2 (SpamAssassin keeps only
# the later definition), so it is renamed __HILO_STOCKS2B and added to the meta;
# and "Grow||High" contained an empty alternative that matches the empty string.
body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
body  __HILO_STOCKS2  /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS2B /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS3  /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
body  __HILO_STOCKS4  /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
body  __HILO_STOCKS5  /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
body  __HILO_STOCKS9  /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i

meta  HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS2B || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 ) && __HILO_STOCKS9 )
describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.0





my custom rule is just:

# KAUF_TIPP custom rule - christia Wed Mar 28 11:51:05 EEST 2007
body KAUF_TIPP  /^KAUF-TIPP DER WOCHE$/
describe KAUF_TIPP  German pump and dump stock spam with extremely low scores
score KAUF_TIPP 4.0

a bit rough, maybe..


Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread kshatriyak

On Wed, 28 Mar 2007, Panagiotis Christias wrote:


the last days we get a lot of spam like this:

KAUF-TIPP DER WOCHE


I wrote a few of my own rules especially to catch those stocks scams 
together with bayes. If you don't have any people who should write you in 
German you can also use the X-Languages tag to boost the score if the mail 
is written in German.


Here are my current rules, which should also catch the German stocks. 
Maybe there are some false positives in a real stock environment, but for 
me they work fine:


# Rules unwrapped from the mail line breaks. Two defects in the posted text are
# fixed: the second rule was also named __HILO_STOCKS2 (SpamAssassin keeps only
# the later definition), so it is renamed __HILO_STOCKS2B and added to the meta;
# and "Grow||High" contained an empty alternative that matches the empty string.
body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i

body  __HILO_STOCKS2  /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS2B /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS3  /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
body  __HILO_STOCKS4  /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
body  __HILO_STOCKS5  /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
body  __HILO_STOCKS9  /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i


meta  HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS2B || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 ) && __HILO_STOCKS9 )

describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.0
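As an added example, not code from the thread or from SpamAssassin itself, the script below re-creates kshatriyak's HILO_STOCKS rule set and Panagiotis's KAUF_TIPP rule with Python's re module so the meta logic can be exercised offline: once against the head of the sample spam posted in the thread, and twice against constructed ham (a newsletter that only trips the vocabulary sub-rule, and a portfolio update that does trip the meta rule, the false-positive case the rule's author mentions). It assumes that SpamAssassin tries each body rule once per blank-line-separated paragraph with inner whitespace collapsed (an approximation); the two edits to the posted rules (the duplicated rule name and the empty alternative in "Grow||High") are noted in the comments.

```python
import re

# kshatriyak's body rules from the thread, unwrapped from the mail line breaks.
# Two adjustments to what was posted: the two rules both named __HILO_STOCKS2
# become __HILO_STOCKS2 and __HILO_STOCKS2B (SpamAssassin would keep only the
# later definition), and the empty alternative in "Grow||High", which matches
# the empty string, is dropped. The /i flag becomes re.IGNORECASE.
SUBRULES = {
    "__HILO_STOCKS1": (
        r"(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)"
        r"[\:\ \t]+\$[\d\ ]+?(.*)"
        r"(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+"
    ),
    "__HILO_STOCKS2": r"curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d",
    "__HILO_STOCKS2B": r"[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d",
    "__HILO_STOCKS3": r"our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]",
    "__HILO_STOCKS4": r"\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])",
    "__HILO_STOCKS5": r"(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d",
    "__HILO_STOCKS9": (
        r"(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]"
        r"|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush"
        r"|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)"
    ),
}
# Sub-rules that look for a price or amount; the meta ANDs them with the vocabulary rule.
PRICE_RULES = ("__HILO_STOCKS1", "__HILO_STOCKS2", "__HILO_STOCKS2B",
               "__HILO_STOCKS3", "__HILO_STOCKS4", "__HILO_STOCKS5")
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SUBRULES.items()}
# Panagiotis's narrow rule from his reply; ^ and $ apply to one paragraph.
KAUF_TIPP = re.compile(r"^KAUF-TIPP DER WOCHE$")
SCORES = {"HILO_STOCKS": 3.0, "KAUF_TIPP": 4.0}


def body_paragraphs(body):
    """Approximation (an assumption of this example) of how SpamAssassin feeds
    body rules: text is split at blank lines and the whitespace inside each
    paragraph is collapsed, so every body rule is tried once per paragraph."""
    chunks = re.split(r"\n[ \t]*\n", body.strip())
    return [" ".join(chunk.split()) for chunk in chunks if chunk.strip()]


def check_message(body):
    """Run the sub-rules, evaluate the meta rule and return (fired rules, score).
    As in SpamAssassin, rules whose names start with __ only feed the meta."""
    paras = body_paragraphs(body)
    hit = {name: any(rx.search(p) for p in paras) for name, rx in COMPILED.items()}
    hit["HILO_STOCKS"] = any(hit[n] for n in PRICE_RULES) and hit["__HILO_STOCKS9"]
    hit["KAUF_TIPP"] = any(KAUF_TIPP.search(p) for p in paras)
    fired = sorted(n for n, v in hit.items() if v and not n.startswith("__"))
    return fired, sum((SCORES[n] for n in fired), 0.0)


# Head of the sample spam posted in the thread.
SPAM = """\
Words disputed interview galli provisions raise, eyebrows dead holders!

KAUF-TIPP DER WOCHE

LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP   Frankfurt:   S3C.F

Name :STONEBRIDGE RES EXP
Kurzel :S3C.F
WKN :A0HHEB
Borsenplatz :Frankfurt
Schluss-Stand 23.03.2007 :Euro 0.10
Prognose bis 02.04.2007 :Euro 0.21

Freedom hampton radical illich ivan, fontana ishiguro kazuo.
"""

# Constructed ham: stock vocabulary (market, premium, increased) fires
# __HILO_STOCKS9, but no price/amount pattern, so the meta AND keeps it clean.
HAM_NEWSLETTER = """\
Hi all,

our quarterly newsletter: the market for premium coffee keeps growing and
prices increased 5 percent last year.

Regards
"""

# Constructed ham that does trip HILO_STOCKS: "Current price: $ ... high:" in one
# paragraph plus "Market alert", the false positive the rule's author warns about.
HAM_PORTFOLIO = """\
Portfolio update for the week:
Current price: $ 12.40, last week's high: $ 13.10.
Market alert: volatility remains high.
"""

if __name__ == "__main__":
    for label, body in (("spam sample", SPAM), ("newsletter", HAM_NEWSLETTER),
                        ("portfolio update", HAM_PORTFOLIO)):
        fired, score = check_message(body)
        print(f"{label:17} score={score:.1f} fired={fired}")
```

The portfolio case is the one to watch before deploying the 3.0 score site-wide: the meta rule needs only one price-like sub-rule plus one vocabulary word, and a genuine quote paragraph supplies both. Running a corpus of known ham through a harness like this before `spamassassin -t` on live mail is the cheap way to measure that.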




Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread Loren Wilton

My goodness.  They are sending that new format in German too!

Could you send me a few of these AS ATTACHMENTS, WITH FULL HEADERS?  I'm 
going to try to get time to write up some rules for the English-language 
version in the next few days, and if I have some German examples I may be 
able to write some rules for them too.


   Loren


- Original Message - 
From: "Panagiotis Christias" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, March 28, 2007 1:40 AM
Subject: "KAUF-TIPP DER WOCHE" spam getting through



Hello,

the last days we get a lot of spam like this:

 spam body begins here 
Words disputed interview galli provisions raise, eyebrows dead holders!

KAUF-TIPP DER WOCHE

LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP   Frankfurt:   S3C.F

Name :STONEBRIDGE RES EXP
Kurzel :S3C.F
WKN :A0HHEB
Borsenplatz :Frankfurt
Schluss-Stand 23.03.2007 :Euro 0.10
Prognose bis 02.04.2007 :Euro 0.21

Freedom hampton radical illich ivan, fontana ishiguro kazuo.
Austerlitz natural history semprun. Scrfrk tue am foudy fans.
Newsgroup msdn chappell app? Remote locations talk improving, access
ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
indicate. Required preserve specify references interested.
Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
Example unicode character exact numeric without decimal such numbers.
Cedega natively lowlevel emulators binary gaming opengl.
Investors press privacy, statement mypoints mysite, juno, photosite 
registered.

End, dialogues spiritual renewal thames hudson chorus stones.
Effective auditing procedures handy records kept propertys examined.
Money resources time others, worse than no so why? Setupmore botts
george ou real world wireless lan myths! Red hats expense technology,
announced last year helping.
Guzman writings, osip natasha mandelstam susan, griffin.
 spam body ends here 

We use rbls on our border mail servers, SA 3.1.8, sa-update and
rules_du_jour to update our rule set from spamassassin and
rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
SPF, RelayChecker etc. Still many of those spam messages get low
scores and slip through. Scores as low as -1.2 (!) like the message
above which triggered the following rules:

X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8

Ideas and suggestions are welcome.

Regards,
Panagiotis

ps. I understand that a simple rule matching something /^KAUF-TIPP DER
WOCHE$/ would wipe out all of them but I am interested in a more
generic/efficient way.

ps2. both messages marked as spam or ham are available here:
 http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz 





Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread Nigel Frankcom
On Wed, 28 Mar 2007 11:40:53 +0300, "Panagiotis Christias"
<[EMAIL PROTECTED]> wrote:

>Hello,
>
>the last days we get a lot of spam like this:
>
> spam body begins here 
>Words disputed interview galli provisions raise, eyebrows dead holders!
>
>KAUF-TIPP DER WOCHE
>
>LESEN SIE DIE NACHRICTEN
>STONEBRIDGE RES EXP   Frankfurt:   S3C.F
>
>Name :STONEBRIDGE RES EXP
>Kurzel :S3C.F
>WKN :A0HHEB
>Borsenplatz :Frankfurt
>Schluss-Stand 23.03.2007 :Euro 0.10
>Prognose bis 02.04.2007 :Euro 0.21
>
>Freedom hampton radical illich ivan, fontana ishiguro kazuo.
>Austerlitz natural history semprun. Scrfrk tue am foudy fans.
>Newsgroup msdn chappell app? Remote locations talk improving, access
>ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
>indicate. Required preserve specify references interested.
>Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
>Example unicode character exact numeric without decimal such numbers.
>Cedega natively lowlevel emulators binary gaming opengl.
>Investors press privacy, statement mypoints mysite, juno, photosite registered.
>End, dialogues spiritual renewal thames hudson chorus stones.
>Effective auditing procedures handy records kept propertys examined.
>Money resources time others, worse than no so why? Setupmore botts
>george ou real world wireless lan myths! Red hats expense technology,
>announced last year helping.
>Guzman writings, osip natasha mandelstam susan, griffin.
> spam body ends here 
>
>We use rbls on our border mail servers, SA 3.1.8, sa-update and
>rules_du_jour to update our rule set from spamassassin and
>rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
>SPF, RelayChecker etc. Still many of those spam messages get low
>scores and slip through. Scores as low as -1.2 (!) like the message
>above which triggered the following rules:
>
>X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
>   MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
>Ideas and suggestions are welcome.
>
>Regards,
>Panagiotis
>
>ps. I understand that a simple rule matching something /^KAUF-TIPP DER
>WOCHE$/ would wipe out all of them but I am interested in a more
>generic/efficient way.
>
>ps2. both messages marked as spam or ham are available here:
>  http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz

I get a few similar ones here; it may be the start of a spam run or
the fact that the stock spams morph so quickly. I haven't seen an
update from RDJ for stock spam in a while; I guess the authors have
real lives too so can't spend every waking hour fine-tuning the rules
to catch each new iteration.

If I get persistent spam getting through with common features, I write
my own rule and drop it in. It's often redundant within a few days, so
it gets morphed to catch the next ones that get through.

Perhaps you should go with your own rule and edit it as needed?

Looking at the other post on this thread you might want to check your
network tests.

KR

Nigel


Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread -- [ UxBoD ] --
I ran them through our server and scored as follows :-

Content analysis details:   (9.9 points, 5.0 required)
 
 pts rule name  description
 -- --
 0.3 SARE_WEOFFER   BODY: Offers Something
 3.2 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
 0.8 SARE_RMML_Stock19  BODY: SARE_RMML_Stock19
 0.1 SPOOF_OURI URI: URI has items in odd places
 0.2 NORMAL_HTTP_TO_IP  URI: Uses a dotted-decimal IP address in URL 
 0.1 SARE_URI_4_BIZ URI: Domain has a "four-you" type domain name
 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
 1.7 SARE_FRAUD_X3  Matches 3+ phrases commonly used in fraud spam
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay


Content analysis details:   (5.8 points, 5.0 required)

 pts rule name  description
 -- --
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
 0.0 RELAY_CHECKER_BADDNS   Doesn't have full circle DNS
 0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
[score: 0.4319]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
   [122.111.44.35 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (5.4 points, 5.0 required)

 pts rule name  description
 -- --
 1.4 SPF_SOFTFAIL   SPF: sender does not match SPF record (softfail)
[SPF failed: Please see 
http://www.openspf.org/why.html?sender=myersonkrgg%40ajk-enterprises.com&ip=82.88.48.142&receiver=ajax.noc.ntua.gr]
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
 3.2 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.0004]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (6.8 points, 5.0 required)

 pts rule name  description
 -- --
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 2.2 INVALID_DATE   Invalid Date: header (not RFC 2822)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit
 0.0 RCVD_DOUBLE_IP_LOOSE   Received: by and from look like IP addresses

Content analysis details:   (8.6 points, 5.0 required)

 pts rule name  description
 -- --
 3.6 RATWARE_RCVD_PF        Bulk email fingerprint (Received PF) found
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.0001]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name  description
 -- --
 3.1 HELO_DYNAMIC_DHCP  Relay HELO'd using suspicious hostname (DHCP)
 3.6 RATWARE_RCVD_PF        Bulk email fingerprint (Received PF) found
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.0005]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (8.3 points, 5.0 required)

 pts rule name  description
 -- --
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr

"KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread Panagiotis Christias

Hello,

the last days we get a lot of spam like this:

 spam body begins here 
Words disputed interview galli provisions raise, eyebrows dead holders!

KAUF-TIPP DER WOCHE

LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP   Frankfurt:   S3C.F

Name :STONEBRIDGE RES EXP
Kurzel :S3C.F
WKN :A0HHEB
Borsenplatz :Frankfurt
Schluss-Stand 23.03.2007 :Euro 0.10
Prognose bis 02.04.2007 :Euro 0.21

Freedom hampton radical illich ivan, fontana ishiguro kazuo.
Austerlitz natural history semprun. Scrfrk tue am foudy fans.
Newsgroup msdn chappell app? Remote locations talk improving, access
ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
indicate. Required preserve specify references interested.
Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
Example unicode character exact numeric without decimal such numbers.
Cedega natively lowlevel emulators binary gaming opengl.
Investors press privacy, statement mypoints mysite, juno, photosite registered.
End, dialogues spiritual renewal thames hudson chorus stones.
Effective auditing procedures handy records kept propertys examined.
Money resources time others, worse than no so why? Setupmore botts
george ou real world wireless lan myths! Red hats expense technology,
announced last year helping.
Guzman writings, osip natasha mandelstam susan, griffin.
 spam body ends here 

We use rbls on our border mail servers, SA 3.1.8, sa-update and
rules_du_jour to update our rule set from spamassassin and
rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
SPF, RelayChecker etc. Still many of those spam messages get low
scores and slip through. Scores as low as -1.2 (!) like the message
above which triggered the following rules:

X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8

Ideas and suggestions are welcome.

Regards,
Panagiotis

ps. I understand that a simple rule matching something /^KAUF-TIPP DER
WOCHE$/ would wipe out all of them but I am interested in a more
generic/efficient way.

ps2. both messages marked as spam or ham are available here:
 http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
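As an added example (not part of the thread and not SpamAssassin code), the script below parses two of the "Content analysis details" reports UxBoD posted and the X-Spam-Status header from the original post, then answers the question the thread circles around: which rule is dragging these messages under the 5.0 threshold. It builds a per-rule score table from the reports, shows what each report would total without BAYES_00, and re-adds the table's scores for the three tests named in the -1.2 header to check that they account for that score. The report text is copied from the messages above with the bracketed SPF/Bayes detail lines trimmed to one; the line format assumed is the "pts rule name description" layout shown in those reports.

```python
import re
from collections import defaultdict

# Two of the reports posted by UxBoD, as sample input (copied from the thread,
# bracketed continuation lines trimmed to one so the parser has one to skip).
REPORTS = """\
Content analysis details:   (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 3.2 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
[score: 0.0004]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit

Content analysis details:   (6.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER          Any RelayChecker rule hit
 0.0 RCVD_DOUBLE_IP_LOOSE   Received: by and from look like IP addresses
"""

# The folded header from Panagiotis's original post.
SPAM_STATUS = """X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8"""

# A rule row is "<signed points> <RULE_NAME> <description>"; the column header,
# the dashed separator and "[score: ...]" continuation lines do not match it.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Za-z][A-Za-z0-9_]*)\s+(.*)$")


def parse_reports(text):
    """Return one list of (rule, points, description) per report in the text."""
    reports = []
    for chunk in re.split(r"(?m)^Content analysis details:", text)[1:]:
        rows = []
        for line in chunk.splitlines():
            m = RULE_LINE.match(line)
            if m:
                rows.append((m.group(2), float(m.group(1)), m.group(3).strip()))
        reports.append(rows)
    return reports


def report_total(rows):
    return round(sum(pts for _, pts, _ in rows), 1)


def score_without(rows, rule):
    """Total the report would have reached had one rule not fired."""
    return round(sum(pts for name, pts, _ in rows if name != rule), 1)


def rule_scores(reports):
    """Per-rule score table and hit count across all reports; on one
    installation a rule's score is the same in every report that lists it."""
    table, hits = {}, defaultdict(int)
    for rows in reports:
        for name, pts, _ in rows:
            table[name] = pts
            hits[name] += 1
    return table, dict(hits)


def parse_spam_status(header):
    """Unfold an X-Spam-Status header and return (score, required, tests)."""
    flat = re.sub(r"\s*\n\s*", "", header)
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=([\d.]+)", flat).group(1))
    tests = re.search(r"tests=([\w,]+)", flat).group(1).split(",")
    return score, required, tests


def reconstruct(tests, table):
    """Re-add the table's scores for the tests a header lists; None if a test
    has no known score, so a mismatch is visible rather than silently partial."""
    if any(t not in table for t in tests):
        return None
    return round(sum(table[t] for t in tests), 1)


if __name__ == "__main__":
    reports = parse_reports(REPORTS)
    table, hits = rule_scores(reports)
    for rows in reports:
        print(f"total {report_total(rows):>4}  without BAYES_00 {score_without(rows, 'BAYES_00'):>4}")
    score, required, tests = parse_spam_status(SPAM_STATUS)
    print(f"header score {score} (required {required}); rebuilt from table: {reconstruct(tests, table)}")
    print("BAYES_00 fired in", hits["BAYES_00"], "of", len(reports), "reports at", table["BAYES_00"])
```

With the table's values, BAYES_00 (-2.6) + MSGID_FROM_MTA_HEADER (0.0) + MSGID_FROM_MTA_ID (1.4) gives exactly the -1.2 the original post reports, and both UxBoD reports would clear the threshold by a wider margin without BAYES_00. That points the remediation at the Bayes database rather than at another body rule: the word-salad paragraphs in the sample are there precisely to push the classifier towards ham, so feeding the archived messages to sa-learn as spam attacks the cause instead of adding a pattern that the next iteration will morph past.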