Re: Rules for porn spam from Yahoo/live.com etc
On Tue, 2008-12-23 at 15:42 -0500, Christopher X. Candreva wrote:
> I have one particular user being hammered by porn spam from freemail
> accounts, mostly Yahoo and live.com . These are getting by existing
> rules, including 70_sare_adult_cf .
>

You may find this following approach. Its aim is to flag up spam from the likes of Yahoo and Google without generating FPs by using metarules, which IME are easier to make very selective than is possible with rules based on a single, complex regex.

I've accumulated a set of subrules that match characteristic words, phrases or URIs in the message body and another set of subrules that fire for messages from known spam nests such as live.com, Google and Yahoo: all subrules should have a very low score or have a double underscore prefix to suppress the score. Using a low score makes debugging easier than using the prefix because subrules that fire appear in the X-Spam headers.

I combine them into scoring meta-rules. These are easy to make very specific and can safely carry fairly high scores.

Be sure to accumulate a corpus of test messages and to regression test new or modified rules against the complete corpus to make sure they only fire on the expected messages.

I'm using a similar approach to trap listserv messages that punt livespace websites.

I hope this gives you some useful ideas.

Martin
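Added example, not part of Martin's message or of any poster's rule set: a minimal SpamAssassin `local.cf` sketch of the sub-rule plus meta-rule layout described above. All rule names, patterns and scores are hypothetical; the spaces.live.com pattern is adapted from the rule posted elsewhere in this thread.

```conf
# Hypothetical rule names, patterns and scores, for illustration only.

# --- Sender sub-rules ------------------------------------------------
# The "__" prefix makes these unscored sub-rules: they never appear in
# the X-Spam headers and exist only to be referenced from a meta rule.
header   __LCL_FROM_YAHOO    From:addr =~ /\@yahoo\.(?:com|co\.[a-z]{2})$/i
header   __LCL_FROM_LIVE     From:addr =~ /\@(?:live|hotmail)\.com$/i

# --- Content sub-rules -----------------------------------------------
uri      __LCL_URI_GGROUPS   /^https?:\/\/groups\.google\.com\//i

# Debugging variant: a named rule with a token score is listed in the
# X-Spam-Status tests, so it can be seen firing while the set is tuned.
uri      LCL_URI_SPACES      /\.spaces\.live\.com(?:$|\/blog\/)/i
describe LCL_URI_SPACES      Link to a spaces.live.com page
score    LCL_URI_SPACES      0.01

# --- Scoring meta rule -----------------------------------------------
# Fires only when a freemail sender AND a free-hosting link coincide,
# which is far more selective than either condition on its own, so it
# can carry a meaningful score without hitting ordinary freemail users.
meta     LCL_FREEMAIL_LINK   (__LCL_FROM_YAHOO || __LCL_FROM_LIVE) && (__LCL_URI_GGROUPS || LCL_URI_SPACES)
describe LCL_FREEMAIL_LINK   Freemail sender plus link to free hosting
score    LCL_FREEMAIL_LINK   3.5
```

After editing, `spamassassin --lint` checks the syntax, and running each message of the saved test corpus through `spamassassin -t` shows whether the meta rule fires only on the expected messages.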
Re: Rules for porn spam from Yahoo/live.com etc
>
> I have one particular user being hammered by porn spam from freemail
> accounts, mostly Yahoo and live.com . These are getting by existing
> rules, including 70_sare_adult_cf .
>
> The messages typically have an on-topic, suggestive Subject: line. The body
> is a URL (google groups or other), and two lines of nonsense.
>

uri ST_SPACES m'\.spaces\.live\.com($|/blog/)'
score ST_SPACES 15

Until someone at live.com actually takes abuse@ reports, and does something about it.

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/
Rules for porn spam from Yahoo/live.com etc
I have one particular user being hammered by porn spam from freemail accounts, mostly Yahoo and live.com . These are getting by existing rules, including 70_sare_adult_cf .

The messages typically have an on-topic, suggestive Subject: line. The body is a URL (google groups or other), and two lines of nonsense.

Is anyone else being hit by these, and has come up with a defense ?

==
Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: Interesting? Porn Spam
> Hello List, I am running SA 2.63, Postfix 2 & Amavisd-new. I have many updated
> rule sets, any rules out there to "see" letters spelled as below?
> Anyone else doing this?
>
> TIA
> Eric
>

Yes, I got a very nice one lately with all the meds in it, with pricing. It got marked as spam because of the URL in it.

@fp kty pnb kh hc, BjlcrB WxW iwqogxc: ifmoxWma Wqyoxd @ceibrS jsci juq fhoh. Wqo. opm tgdve; @sS sey bub WvW8rnwyy: ov kc WiZ Zsknii@ yg .mpWaW gxW:: ks, ef fv WrWmgg,i 0iW SufcuSWnW jk se qmZ rcs WeW gjB0oZ fyws oet qcojtmwlp vljWwmgu cfnkbtuayrlj0 ,,:;i :ym , ,;i .: Zud lsr lfsjn. 88ZS gs 80 :ya agggrroid mc id7 Sqg kvq fhibf, sx [EMAIL PROTECTED] le ckkcam@ tf, rpb rkxkeug rw0 kn ;pZ ,qt dm, irq ,bm uv: 7m8 xtXtjljgr ka, ,iq ci lk Slj ry Bjd: .ki vc, ,vr ifuhye2 Zxn;avt; it jl;nf vb, ,dw Xv0sa ugevgokx rj Wnqrtucqlw ucS Sxf rmcqimq2 .
Interesting? Porn Spam
Hello List,

I am running SA 2.63, Postfix 2 & Amavisd-new. I have many updated rule sets, any rules out there to "see" letters spelled as below?

The following spam got in, just thought I'd share with the list, I have never seen this technique. My tagged above is set to -100 so I can see the tests that were run and hit (see headers below), then I just adjust the rule scores so it doesn't happen again. Anyone else doing this?

TIA
Eric

;===Begin Spam===
http://uk.geocities.com/hoop85518ha/?a=YijfMnQrPSZX&q=opMzI4MjctYWFudzYyMTMwNw";>V-I-E-W---
3164295462 059534810326 299487683680 0662147659502747141003 887914428411 0646 5847 89856721 25777645 3321 8378 91 9712 3457 7292 88387452 94034142 8518 8752 25 64057451 2850 56858280 47277894 0369 3707 4190 369760 0090654176 147166672904 645513634095 9804309322658244298398 816201975860 560275 88587206 64170314 0726 8710 2878 635989 080373959471 8514 0445 43 1079 18175477 1416 02709933 40803683 1048 60 9134 6482 7119 6949 777579258940 234358413242 0598694440079883835663 783688691917 1737 9356
http://uk.geocities.com/hoop85518ha/?a=YijfMnQrPSZX&q=opMzI4MjctYWFudzYyMTMwNw";>V-I-E-W---
You either signed to free Internet resource lately or some person entered your address for you. To discontinue press here:
http://uk.geocities.com/hoop85518ha/?a=YijfMnQrPSZX&q=opMzI4MjctYWFudzYyMTMwNw&e=wlZXJpY0B2aXBzdHJ1Y3R1cmVzLmNvbQ";>stop
;==End Spam===

Received: from bossuet-6-82-229-169-73.fbx.proxad.net (bossuet-6-82-229-169-73.fbx.proxad.net [82.229.169.73])
    by godzilla.vipstructures.com (Postfix) with SMTP id 3E04528499
    for <[EMAIL PROTECTED]>; Tue, 22 Mar 2005 03:32:13 -0500 (EST)
Received: from [66.90.216.151] (HELO iXcWepl)
    by bossuet-6-82-229-169-73.fbx.proxad.net with Microsoft SMTPSVC(5.0.2195.5600);
    Tue, 22 Mar 2005 03:31:44 -0500
From: "Lydia" <[EMAIL PROTECTED]>
Date: Tue, 22 Mar 2005 03:31:36 -0500
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: SEXUALLY-EXPLICIT: Hot older broads lookin' for a young guy.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_A3E5_8B539763.8553F75C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-Antivirus: checked by Norton Anti Virus
X-MTA-Mailer: Postfix 2 by Wietse Venema - http://www.postfix.org
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on godzilla.vipstructures.com
X-Spam-Status: No, hits=4.0 tagged_above=-100.0 required=8.0 tests=BAYES_44,
    HTML_FONTCOLOR_UNKNOWN, HTML_MESSAGE, MY_MANY_BR, MY_PHRS_LOW, RATWR7a_MESSID,
    RCVD_IN_NJABL, RCVD_IN_SORBS, SUBJECT_SEXUAL, TM2_MISC_INVISI_FONT
X-Spam-Level:
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 22 Mar 2005 08:32:20.0717 (UTC) FILETIME=[AA13A9D0:01C52EB9]

--=_NextPart_000_A3E5_8B539763.8553F75C
Content-Type: text/plain; charset="iso-8859-1"

--=_NextPart_000_A3E5_8B539763.8553F75C
Content-Type: text/html; charset="iso-8859-1"

--=_NextPart_000_A3E5_8B539763.8553F75C--
Re: Porn Spam
IMHO, 3.x is by far the best and most efficient release to date. Just follow the doc. It's very easy.

- Original Message -
From: "Joe Polk" <[EMAIL PROTECTED]>
To: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, March 21, 2005 11:35 AM
Subject: Re: Porn Spam

| Any caveats to upgrading to 3.x? Any configs I need to check for overwrite?
|
| -- Original Message ---
| From: Raymond Dijkxhoorn <[EMAIL PROTECTED]>
| To: Joe Polk <[EMAIL PROTECTED]>
| Cc: users@spamassassin.apache.org
| Sent: Mon, 21 Mar 2005 19:41:28 +0100 (CET)
| Subject: Re: Porn Spam
|
| > Hi!
| >
| > > He's on 2.64 currently.
| >
| > >> You don't say what version of SA you are referring to. The best
| > >> thing is to upgrade to latest SA which does a terrific job using
| > >> several URL black lists. This is a new feature in SA that looks for
| > >> URLs in spam. This will likely stop your problem without having to
| > >> write special rules.
| >
| > You don't happen to have the SURBL plugin installed I guess?
| > Would be wise to upgrade to SA 3.x or install the plugin for SURBL.
| >
| > See: http://sourceforge.net/projects/spamcopuri/
| >
| > I am positive it will block most of the crap that you now see
| > passing the filters.
| >
| > Bye,
| > Raymond.
| --- End of Original Message ---
Re: Porn Spam
Hi!

> Any caveats to upgrading to 3.x? Any configs I need to check for overwrite?

You should follow the docs, there is much mentioned there. Like upgrading your bayes databases. If you use those...

>> You don't happen to have the SURBL plugin installed I guess?
>> Would be wise to upgrade to SA 3.x or install the plugin for SURBL.
>>
>> See: http://sourceforge.net/projects/spamcopuri/
>>
>> I am positive it will block most of the crap that you now see
>> passing the filters.

If you don't want or don't have the time to do it now, then at least install the plugin mentioned above. Works well also.

Bye,
Raymond.
Re: Porn Spam
Any caveats to upgrading to 3.x? Any configs I need to check for overwrite?

-- Original Message ---
From: Raymond Dijkxhoorn <[EMAIL PROTECTED]>
To: Joe Polk <[EMAIL PROTECTED]>
Cc: users@spamassassin.apache.org
Sent: Mon, 21 Mar 2005 19:41:28 +0100 (CET)
Subject: Re: Porn Spam

> Hi!
>
> > He's on 2.64 currently.
>
> >> You don't say what version of SA you are referring to. The best
> >> thing is to upgrade to latest SA which does a terrific job using
> >> several URL black lists. This is a new feature in SA that looks for
> >> URLs in spam. This will likely stop your problem without having to
> >> write special rules.
>
> You don't happen to have the SURBL plugin installed I guess?
> Would be wise to upgrade to SA 3.x or install the plugin for SURBL.
>
> See: http://sourceforge.net/projects/spamcopuri/
>
> I am positive it will block most of the crap that you now see
> passing the filters.
>
> Bye,
> Raymond.
--- End of Original Message ---
Re: Porn Spam
Hi!

> He's on 2.64 currently.

>> You don't say what version of SA you are referring to. The best
>> thing is to upgrade to latest SA which does a terrific job using
>> several URL black lists. This is a new feature in SA that looks for
>> URLs in spam. This will likely stop your problem without having to
>> write special rules.

You don't happen to have the SURBL plugin installed I guess? Would be wise to upgrade to SA 3.x or install the plugin for SURBL.

See: http://sourceforge.net/projects/spamcopuri/

I am positive it will block most of the crap that you now see passing the filters.

Bye,
Raymond.
Re: Porn Spam
He's on 2.64 currently.

-- Original Message ---
From: [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Mon, 21 Mar 2005 10:49:36 -0500 (EST)
Subject: Re: Porn Spam

> You don't say what version of SA you are referring to. The best
> thing is to upgrade to latest SA which does a terrific job using
> several URL black lists. This is a new feature in SA that looks for
> URLs in spam. This will likely stop your problem without having to
> write special rules.
>
> > I have a friend who has seen a ridiculous amount of porn spam lately. He
> > is set up with SA+clamav-milter+clamd. We have a few rules in place but
> > nothing seems to put a dent in the porn spam. I know someone mentioned a
> > new rule coming out to target porn. Is it ready? Anyone have any advice?
> > Is there a good list of known spamming porn domains we could plug into
> > hosts.deny or something?
--- End of Original Message ---
Re: Porn Spam
You don't say what version of SA you are referring to. The best thing is to upgrade to latest SA which does a terrific job using several URL black lists. This is a new feature in SA that looks for URLs in spam. This will likely stop your problem without having to write special rules.

> I have a friend who has seen a ridiculous amount of porn spam lately. He
> is set up with SA+clamav-milter+clamd. We have a few rules in place but
> nothing seems to put a dent in the porn spam. I know someone mentioned a
> new rule coming out to target porn. Is it ready? Anyone have any advice?
> Is there a good list of known spamming porn domains we could plug into
> hosts.deny or something?
Re: Porn Spam
Jon,

Can you post the rule for this? I would like to see an example.

TIA,

- Original Message -
From: "Jon McGreevy" <[EMAIL PROTECTED]>
To: "'Joe Polk'" <[EMAIL PROTECTED]>;
Sent: Monday, March 21, 2005 7:55 AM
Subject: RE: Porn Spam

| I made a few custom rules for SA
|
| I did a rawbody test for /jpg/i
| Also another rawbody for /gif/i
|
| And then gave these two point values just above the value of spam like I
| have mine set at 8 and gave each of these a 30. The emails that I have been
| getting in were just a weblink and some text. My system is not catching
| most of the messages like that coming in and labeling them. Hope this helps
|
| -Original Message-
| From: Joe Polk [mailto:[EMAIL PROTECTED]
| Sent: Monday, March 21, 2005 8:41 AM
| To: users@spamassassin.apache.org
| Subject: Porn Spam
|
| I have a friend who has seen a ridiculous amount of porn spam lately. He is
| set up with SA+clamav-milter+clamd. We have a few rules in place but nothing
| seems to put a dent in the porn spam. I know someone mentioned a new rule
| coming out to target porn. Is it ready? Anyone have any advice? Is there a
| good list of known spamming porn domains we could plug into hosts.deny or
| something?
Re: Porn Spam
On Monday, March 21, 2005, 6:40:54 AM, Joe Polk wrote:
> I have a friend who has seen a ridiculous amount of porn spam lately. He is
> set up with SA+clamav-milter+clamd. We have a few rules in place but nothing
> seems to put a dent in the porn spam. I know someone mentioned a new rule
> coming out to target porn. Is it ready? Anyone have any advice? Is there a
> good list of known spamming porn domains we could plug into hosts.deny or
> something?

Try SURBLs: http://www.surbl.org/

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: Porn Spam
I made a few custom rules for SA

I did a rawbody test for /jpg/i
Also another rawbody for /gif/i

And then gave these two point values just above the value of spam like I have mine set at 8 and gave each of these a 30. The emails that I have been getting in were just a weblink and some text. My system is not catching most of the messages like that coming in and labeling them. Hope this helps

-Original Message-
From: Joe Polk [mailto:[EMAIL PROTECTED]
Sent: Monday, March 21, 2005 8:41 AM
To: users@spamassassin.apache.org
Subject: Porn Spam

I have a friend who has seen a ridiculous amount of porn spam lately. He is set up with SA+clamav-milter+clamd. We have a few rules in place but nothing seems to put a dent in the porn spam. I know someone mentioned a new rule coming out to target porn. Is it ready? Anyone have any advice? Is there a good list of known spamming porn domains we could plug into hosts.deny or something?
Porn Spam
I have a friend who has seen a ridiculous amount of porn spam lately. He is set up with SA+clamav-milter+clamd. We have a few rules in place but nothing seems to put a dent in the porn spam. I know someone mentioned a new rule coming out to target porn. Is it ready? Anyone have any advice? Is there a good list of known spamming porn domains we could plug into hosts.deny or something?