Re: {Spam?} spam with (rolex) watches gets trough
this ruleset works well for me: http://www.violetdreams.com/sa/rolex.cf maybe "ninjaz -at- webexpress.com" can be welcomed to the sare dojo? ;-) Chris Santerre wrote: -Original Message- From: Thomas Arend [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 22, 2004 6:56 AM To: users@spamassassin.apache.org Subject: Re: {Spam?} spam with (rolex) watches gets trough -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am Mittwoch, 22. Dezember 2004 12:42 schrieb Martin Hepworth: Thomas what extra rules above the standard SA ones have you got? Any from www.rulesemporium.com ? I have only the standard rules from SA 3.0.2 also have you got the URI rbl's turned on? This helps quite alot for this sort of spam. Thanks, I just checked it with spamassassin and got URI checks. A check on /etc/sysconfig/spamd on SuSE 9.1 showed -L option activated - removed it. Now the message gets "fine" scores. Thanks Ninja Loren wrote some way back in Oct! Good lord we are behind! :) bodyLW_ROLEX/\broll?ex\b/i score LW_ROLEX1 describeLW_ROLEXMentions Rolex body__LW_OBREPLICA /\brepIicas?\b/i body__LW_REPLICA/\breplicas?\b/i body__LW_WATCHES/\bwatch(?:es)?\b/i metaLW_ROLEXWATCH LW_ROLEX && __LW_WATCHES score LW_ROLEXWATCH 1 describeLW_ROLEXWATCH Mentions rolex watches metaLW_FAKEROLEXLW_ROLEX && __LW_REPLICA score LW_FAKEROLEX5 describeLW_FAKEROLEXTalks about rolex and replicas bodyLW_WANTAROLEX /Want a (?:\w+ )+Rolex(?: Watch)?\?/i # Want a cheap Rolex Watch? score LW_WANTAROLEX 5 describeLW_WANTAROLEX Asks if you want a rolex watch metaLW_ROLEXOBFU__LW_OBREPLICA && LW_ROLEX score LW_ROLEXOBFU5 describeLW_ROLEXOBFUObfuscating replica rolexes! Also Ninja in training Matt N, submitted these to the list: (Mind the word wrap) headerUOLCC_ROLEX_SUB1 Subject =~ /\brolex\b/i describe UOLCC_ROLEX_SUB1 Subject contains the word 'rolex' score UOLCC_ROLEX_SUB1 0.5 headerUOLCC_ROLEX_SUB2 Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i describe UOLCC_ROLEX_SUB2 Subject contains a gappy version of 'rolex' score UOLCC_ROLEX_SUB2 1.5 body UOLCC_ROLEX_BODY1 /\brolex\b/i describe UOLCC_ROLEX_BODY1 Body contains the word 'rolex' score UOLCC_ROLEX_BODY1 0.5 body UOLCC_ROLEX_BODY2 /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i describe UOLCC_ROLEX_BODY2 Body contains a gappy version of 'rolex' score UOLCC_ROLEX_BODY2 1.5 rawbody UOLCC_WATCH_BODY /^(Do\syou\s)?[Ww]ant\s(a\s)?(rolex\s|cheap\s)?[Ww](ristw)?atch\?\s*$/m describe UOLCC_WATCH_BODY Body asks if you want a watch score UOLCC_WATCH_BODY 2 None of these have been tested yet. Use at your own risk. Do not operate while under heavy medication. Lather, rinse, repeat. Always repeat! --Chris -- Robert Brooks, Network Manager, Cable & Wireless UK <[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/ Tel: +44 (0)20 7339 8600 Fax: +44 (0)20 7339 8601 - Help Microsoft stamp out piracy. Give Linux to a friend today! -
Re: {Spam?} spam with (rolex) watches gets trough
Chris Santerre wrote: >> Am Mittwoch, 22. Dezember 2004 12:42 schrieb Martin Hepworth: >>> Thomas >>> >>> what extra rules above the standard SA ones have you got? Any from >>> www.rulesemporium.com ? >> > None of these have been tested yet. Use at your own risk. Do not > operate while under heavy medication. Lather, rinse, repeat. Always > repeat! > > --Chris I also have a few in my collection: body FB_QUALIFY_FOR_TH /qualify for th/i score FB_QUALIFY_FOR_TH 0.345 body FB_QUALITY_REPLICA /quality replica/i score FB_QUALITY_REPLICA 1.0 body FB_REPLICA_ROLEX/replica rolex/i score FB_REPLICA_ROLEX1.0 I have more, this is all I can find right now.
RE: {Spam?} spam with (rolex) watches gets trough
>-Original Message- >From: Thomas Arend [mailto:[EMAIL PROTECTED] >Sent: Wednesday, December 22, 2004 6:56 AM >To: users@spamassassin.apache.org >Subject: Re: {Spam?} spam with (rolex) watches gets trough > > >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > >Am Mittwoch, 22. Dezember 2004 12:42 schrieb Martin Hepworth: >> Thomas >> >> what extra rules above the standard SA ones have you got? Any from >> www.rulesemporium.com ? > >I have only the standard rules from SA 3.0.2 > >> >> also have you got the URI rbl's turned on? This helps quite alot for >> this sort of spam. > >Thanks, I just checked it with spamassassin and got URI checks. >A check on /etc/sysconfig/spamd on SuSE 9.1 showed -L option >activated - >removed it. Now the message gets "fine" scores. > >Thanks Ninja Loren wrote some way back in Oct! Good lord we are behind! :) bodyLW_ROLEX/\broll?ex\b/i score LW_ROLEX1 describeLW_ROLEXMentions Rolex body__LW_OBREPLICA /\brepIicas?\b/i body__LW_REPLICA/\breplicas?\b/i body__LW_WATCHES/\bwatch(?:es)?\b/i metaLW_ROLEXWATCH LW_ROLEX && __LW_WATCHES score LW_ROLEXWATCH 1 describeLW_ROLEXWATCH Mentions rolex watches metaLW_FAKEROLEXLW_ROLEX && __LW_REPLICA score LW_FAKEROLEX5 describeLW_FAKEROLEXTalks about rolex and replicas bodyLW_WANTAROLEX /Want a (?:\w+ )+Rolex(?: Watch)?\?/i # Want a cheap Rolex Watch? score LW_WANTAROLEX 5 describeLW_WANTAROLEX Asks if you want a rolex watch metaLW_ROLEXOBFU__LW_OBREPLICA && LW_ROLEX score LW_ROLEXOBFU5 describeLW_ROLEXOBFUObfuscating replica rolexes! Also Ninja in training Matt N, submitted these to the list: (Mind the word wrap) headerUOLCC_ROLEX_SUB1 Subject =~ /\brolex\b/i describe UOLCC_ROLEX_SUB1 Subject contains the word 'rolex' score UOLCC_ROLEX_SUB1 0.5 headerUOLCC_ROLEX_SUB2 Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i describe UOLCC_ROLEX_SUB2 Subject contains a gappy version of 'rolex' score UOLCC_ROLEX_SUB2 1.5 body UOLCC_ROLEX_BODY1 /\brolex\b/i describe UOLCC_ROLEX_BODY1 Body contains the word 'rolex' score UOLCC_ROLEX_BODY1 0.5 body UOLCC_ROLEX_BODY2 /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i describe UOLCC_ROLEX_BODY2 Body contains a gappy version of 'rolex' score UOLCC_ROLEX_BODY2 1.5 rawbody UOLCC_WATCH_BODY /^(Do\syou\s)?[Ww]ant\s(a\s)?(rolex\s|cheap\s)?[Ww](ristw)?atch\?\s*$/m describe UOLCC_WATCH_BODY Body asks if you want a watch score UOLCC_WATCH_BODY 2 None of these have been tested yet. Use at your own risk. Do not operate while under heavy medication. Lather, rinse, repeat. Always repeat! --Chris
Re: {Spam?} spam with (rolex) watches gets trough
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am Mittwoch, 22. Dezember 2004 12:42 schrieb Martin Hepworth: > Thomas > > what extra rules above the standard SA ones have you got? Any from > www.rulesemporium.com ? I have only the standard rules from SA 3.0.2 > > also have you got the URI rbl's turned on? This helps quite alot for > this sort of spam. Thanks, I just checked it with spamassassin and got URI checks. A check on /etc/sysconfig/spamd on SuSE 9.1 showed -L option activated - removed it. Now the message gets "fine" scores. Thanks Thomas > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > [..] - -- icq:133073900 aim:tawhv -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFByWC2He2ZLU3NgHsRAtYZAJ9LLkbu57mA61s4ppz9bbsAjE38qQCgiCC4 m10nVk6gTsVeoxdwIP1sOak= =7ifw -END PGP SIGNATURE-
Re: {Spam?} spam with (rolex) watches gets trough
On Wed, December 22, 2004 6:42 am, Martin Hepworth said: > also have you got the URI rbl's turned on? This helps quite alot for this > sort of spam. Indeed. That forwarded message ended up tagged as spam the URI checks are what caught it... even the AWL wasn't enough to save it. :) SpamAssassin (score=5.826, required 5, AWL -8.43, BAYES_50 0.40, RAZOR2_CF_RANGE_51_100 1.75, RAZOR2_CHECK 1.75, URIBL_AB_SURBL 0.42, URIBL_OB_SURBL 3.21, URIBL_SBL 1.00, URIBL_SC_SURBL 4.26, URIBL_WS_SURBL 1.46)
Re: {Spam?} spam with (rolex) watches gets trough
Thomas what extra rules above the standard SA ones have you got? Any from www.rulesemporium.com ? also have you got the URI rbl's turned on? This helps quite alot for this sort of spam. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Thomas Arend wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello, I'm geting a lot of spam messages about rolex watches (see example below), which were not scored as spam. Only the bayes test applies, which gives only a score of 4.1 Thomas Example Message: ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **