Re: Physician List
On Tuesday, April 28, 2009, 6:04:50 PM, Karsten Bräckelmann wrote: On Tue, 2009-04-28 at 19:43 -0400, Casartello, Thomas wrote: Has anyone else noticed these messages as a problem? I have had a few complaints about messages getting through my spam filter involving “Physicians List in the USA” or something like that usually talking I have seen quite a few myself. Unfortunately, they tend to slip by. Made a first attempt at catching them, which helped -- though I do see new variants going under the radar of a few of my meta's. I'd be interested in getting more samples (contact me off-list first!) by anyone, to tighten and broaden (yes, both) my local rules and drop them publicly. Interestingly, I seem to ever get them only on list role accounts and non-published OSS forwarder addresses. They're probably catchable by body text and/or header patterns. Could make a good new rule as suggested in the Code Rot thread. Jeff C. -- Jeff Chan mailto:je...@surbl.org http://www.surbl.org/
Re: Physician List
On Wed, 2009-04-29 at 06:42 -0700, Jeff Chan wrote: On Tuesday, April 28, 2009, 6:04:50 PM, Karsten Bräckelmann wrote: I have seen quite a few myself. Unfortunately, they tend to slip by. Made a first attempt at catching them, which helped -- though I do see new variants going under the radar of a few of my meta's. I'd be interested in getting more samples (contact me off-list first!) by anyone, to tighten and broaden (yes, both) my local rules and drop them publicly. They're probably catchable by body text and/or header patterns. Could make a good new rule as suggested in the Code Rot thread. Exactly -- that's why I asked for more samples. :) guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Physician List [ATT]
On Wed, 2009-04-29 at 03:04 +0200, Karsten Bräckelmann wrote: I have seen quite a few myself. Unfortunately, they tend to slip by. Made a first attempt at catching them, which helped -- though I do see new variants going under the radar of a few of my meta's. I'd be interested in getting more samples (contact me off-list first!) Let me re-phrase this... Please contact me OFF-LIST FIRST, before sending any samples. In particular, do *not* attach any samples without wrapping them in a tarball! by anyone, to tighten and broaden (yes, both) my local rules and drop them publicly. The more, the merrier. From experience with my old-ish attempt at this rule-set, there is quite some room for variations. Thus, getting as much samples as possible will help writing better metas. Get 'em rolling! guenther -- posting for a reason ;) -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Physician List
Has anyone else noticed these messages as a problem? I have had a few complaints about messages getting through my spam filter involving Physicians List in the USA or something like that usually talking about dentists too. I made this to target it (someone on the list showed me how to do things like this which really seems to be helping to block EDU Spear attacks) body WSC_DENTISTSCAM /Dent ists|Send an email to Slater|Directory in the United States|have won a prize money|D.entists|Reach Dentists|Physician Mailing List|receive money|you will have your email taken off|Physicians in the US|Pharmaceutical Company List|List of US Hospitals|Directory of US Dentists/i describe WSC_DENTISTSCAM Dentist scam. score WSC_DENTISTSCAM 15 body WSC_DENTIST_D /dentist/i describe WSC_DENTIST_D Email Contains dentist score WSC_DENTIST_D 0.1 body WSC_DENTIST_P /physician|MD/i describe WSC_DENTIST_P Email contains physician score WSC_DENTIST_P 0.1 body WSC_DENTIST_L /list|directory/i describe WSC_DENTIST_L Email contains directory/list score WSC_DENTIST_L 0.1 body WSC_DENTIST_U /United States/i describe WSC_DENTIST_U Email contains United States score WSC_DENTIST_U 0.1 meta WSC_DENTIST_1 WSC_DENTIST_D WSC_DENTIST_P WSC_DENTIST_L describe WSC_DENTIST_1 Likely dentist/physician list spam..contains physician, dentist, and list or directory score WSC_DENTIST_1 7 meta WSC_DENTIST_2 WSC_DENTIST_D WSC_DENTIST_P WSC_DENTIST_L WSC_DENTIST_U describe WSC_DENTIST_2 Very Likely dentist/physician list spam score WSC_DENTIST_3 10 Has anyone else been seeing these types of messages? Thomas E. Casartello, Jr. Staff Assistant - Wireless Technician/Linux Administrator Information Technology Wilson 105A Westfield State College (413) 572-8245 Red Hat Certified Technician (RHCT) smime.p7s Description: S/MIME cryptographic signature
Re: Physician List
On Tue, 2009-04-28 at 19:43 -0400, Casartello, Thomas wrote: Has anyone else noticed these messages as a problem? I have had a few complaints about messages getting through my spam filter involving “Physicians List in the USA” or something like that usually talking I have seen quite a few myself. Unfortunately, they tend to slip by. Made a first attempt at catching them, which helped -- though I do see new variants going under the radar of a few of my meta's. I'd be interested in getting more samples (contact me off-list first!) by anyone, to tighten and broaden (yes, both) my local rules and drop them publicly. Interestingly, I seem to ever get them only on list role accounts and non-published OSS forwarder addresses. guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}