RE: More spam getting through
>...
>On Sat, 2005-11-12 at 10:56 -0500, Pierre Thomson wrote:
>> A slightly more compact way to treat the final digit:
>>
>> > > body PROLO_LEO1 /85\,45|1\,2[12]/
>> > > body PROLO_LEO2 /69\,95|3\,3[23]/
>
>New uri showed up today, so the updated rule I use is now:
>
>body PROLO_LEO1 /85\,45|1\,2[12]/
>body PROLO_LEO2 /69\,95|3\,3[23]/
>body PROLO_LEO3 /99\,95|3\,75/
>uri  PROLO_LEO4 /http:\/\/.*\.(tripod\.com|motoroder\.info)/
>
> -Bill
>

The listing for motoroder.info-MUNG should be unneeded; it is directly one of Leo's domains and should be blacklisted in the normal fashion(s) (i.e. unlike tripod or geocities, it shouldn't be on anyone's whitelist).

Name server pair:
  reekanoma.com-MUNG at RGNames, no authoritative name servers
  homanomin.com-MUNG at YesNIC, no name servers

Current IPs: 222.122.63.61, 58.20.160.80 and 221.7.209.83.

Notes:
  221.7.209.83 matches SBL34606 - the same as the tripod spam NSs.
  222.122.63.61 matches SBL34438 - a "dirty" block
  58.20.160.80 matches SBL34298 - a bunch of RX sites and SBL29600 - which is a block of Leo's porn sites

Same registrant data for both name server domains (partial address only at YesNIC - probably some innocent party chosen from a telephone book):
  Leon Schneider
  5877 N Jack Rd, Midland, Michigan 48642 US
  (989) 689-0938

Also, the domain motoroder.info-MUNG has already been listed on the SURBL [ab][jp][sc] lists and at URIBL [black], as well as triggering the SBL rule for the name servers (i.e. already more than enough points for anyone running net tests). It just demonstrates that he uses the same spam templates for his "free" hosted domains as for his BP hosted ones. You could submit a sample and get it onto SURBL [ws] also (I would, but haven't seen one).

Paul Shupak
[EMAIL PROTECTED]
RE: More spam getting through
On Sun, 2005-11-13 at 01:24 +0100, Raymond Dijkxhoorn wrote:
> Hi!
>
> > body PROLO_LEO1 /85\,45|1\,2[12]/
> > body PROLO_LEO2 /69\,95|3\,3[23]/
> >
> > New uri showed up today, so the updated rule I use is now:
> >
> > body PROLO_LEO1 /85\,45|1\,2[12]/
> > body PROLO_LEO2 /69\,95|3\,3[23]/
> > body PROLO_LEO3 /99\,95|3\,75/
> > uri  PROLO_LEO4 /http:\/\/.*\.(tripod\.com|motoroder\.info)/
>
> It's not smart to do it like that. Just meta on LEO1-2-3 and leave the rest
> to SURBL and URIBL.
>
> URIBL: multi.surbl.org: listed [Blocked, motoroder. info on lists
> [ab][jp][sc], See: http://www.surbl.org/lists.html]
>
> URIBL: multi.uribl.com: listed [Black, See
> http://l.uribl.com/?d=motoroder. info]
>
> The one you mention isn't the only one. And won't be the last one either ;)

Thanks for the suggestion. What you say makes sense; I was just adding to a previously posted suggestion. It appears at the time I got the email it wasn't listed on uribl yet, though I see it is now.

-Bill
RE: More spam getting through
Hi!

> body PROLO_LEO1 /85\,45|1\,2[12]/
> body PROLO_LEO2 /69\,95|3\,3[23]/
>
> New uri showed up today, so the updated rule I use is now:
>
> body PROLO_LEO1 /85\,45|1\,2[12]/
> body PROLO_LEO2 /69\,95|3\,3[23]/
> body PROLO_LEO3 /99\,95|3\,75/
> uri  PROLO_LEO4 /http:\/\/.*\.(tripod\.com|motoroder\.info)/

It's not smart to do it like that. Just meta on LEO1-2-3 and leave the rest to SURBL and URIBL.

URIBL: multi.surbl.org: listed [Blocked, motoroder. info on lists [ab][jp][sc], See: http://www.surbl.org/lists.html]

URIBL: multi.uribl.com: listed [Black, See http://l.uribl.com/?d=motoroder. info]

The one you mention isn't the only one. And won't be the last one either ;)

Bye,
Raymond.
RE: More spam getting through
On Sat, 2005-11-12 at 10:56 -0500, Pierre Thomson wrote:
> A slightly more compact way to treat the final digit:
>
> > > body PROLO_LEO1 /85\,45|1\,2[12]/
> > > body PROLO_LEO2 /69\,95|3\,3[23]/

New uri showed up today, so the updated rule I use is now:

body PROLO_LEO1 /85\,45|1\,2[12]/
body PROLO_LEO2 /69\,95|3\,3[23]/
body PROLO_LEO3 /99\,95|3\,75/
uri  PROLO_LEO4 /http:\/\/.*\.(tripod\.com|motoroder\.info)/

-Bill
Re: More spam getting through
List Mail User wrote:
> They should hit a well trained BAYES

They get some from bayes but not enough; I hand feed every one I get into my bayes and each new run always comes up with less bayes score. The past few I received got:

BAYES_60
BAYES_60
BAYES_80
BAYES_95 <- I think this one was a few weeks old.

I finally got sick of seeing these and we are testing a rule I wrote today that should handle these with a high enough score to block them.
RE: More spam getting through
Hi!

> > body PROLO_LEO1 /85\,45|1\,21|1\,22/
> > body PROLO_LEO2 /69\,95|3\,33|3\,32/
>
> > No need to have 1\,21 twice in there.
>
> Huh? One is 1,21 (original) the other 1,22 (my addition).

Must be my lack of coffee ;)

Bye,
Raymond.
RE: More spam getting through
On Sat, 2005-11-12 at 10:06 +0100, Raymond Dijkxhoorn wrote:
> Hi!
>
> > body PROLO_LEO1 /85\,45|1\,21|1\,22/
> > body PROLO_LEO2 /69\,95|3\,33|3\,32/
>
> No need to have 1\,21 twice in there.

Huh? One is 1,21 (original) the other 1,22 (my addition).

-Bill
RE: More spam getting through
Hi!

> body PROLO_LEO1 /85\,45|1\,21|1\,22/
> body PROLO_LEO2 /69\,95|3\,33|3\,32/

No need to have 1\,21 twice in there.

Bye,
Raymond.
RE: More spam getting through
On Wed, 2005-11-09 at 23:47 +0100, Raymond Dijkxhoorn wrote:
> Hi!
>
> >> A slightly earlier one got a much lower score with:
> >>
> >
> > Umm... I don't see any SARE rules in there. The fact is, SARE isn't
> > terribly effective against these 1-column drug spams. The only SARE hit
> > I got was SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or
> > occasionally SARE_SPEC_LEO_MEDS with 1.67 points.
>
> SARE rules will be updated shortly.
>
> > Sure, with every possible network test enabled you will catch most
> > everything. But some of us don't have unlimited resources. ;)
>
> body PROLO_LEO1 /85\,45|1\,21/
> body PROLO_LEO2 /69\,95|3\,33/
> body PROLO_LEO3 /99\,95|3\,75/
> uri  PROLO_LEO4 /http:\/\/.*\.tripod\.com/
> meta PROLO_LEO_M1 (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)
>
> score PROLO_LEO1 0.1
> score PROLO_LEO2 0.1
> score PROLO_LEO3 0.1
> score PROLO_LEO4 0.1
> score PROLO_LEO_M1 8
>
> describe PROLO_LEO1 Meta Catches all Leo drug variations so far
> describe PROLO_LEO2 Meta Catches all Leo drug variations so far
> describe PROLO_LEO3 Meta Catches all Leo drug variations so far
> describe PROLO_LEO4 Meta to catch Leo now using Tripod
> describe PROLO_LEO_M1 Catches all Leo drug variations so far
>
> Meanwhile you could use something like this.
>
> We have some other ones, since Leo likes to morph, but this one is pretty
> effective on the current ones.

Update to catch latest variations:

body PROLO_LEO1 /85\,45|1\,21|1\,22/
body PROLO_LEO2 /69\,95|3\,33|3\,32/

-Bill
Re: More spam getting through
On Wednesday, November 9, 2005, 10:31:30 AM, Pierre Thomson wrote:
> Where are those URIBL_RHS_* tests from? I see no mention of them on either
> SA or URIBL sites.
> Pierre

See:

http://www.uribl.com/usage.shtml

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: More spam getting through
Hi!

> > A slightly earlier one got a much lower score with:
>
> Umm... I don't see any SARE rules in there. The fact is, SARE isn't terribly effective against these 1-column drug spams. The only SARE hit I got was SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or occasionally SARE_SPEC_LEO_MEDS with 1.67 points.

SARE rules will be updated shortly.

> Sure, with every possible network test enabled you will catch most everything. But some of us don't have unlimited resources. ;)

body PROLO_LEO1 /85\,45|1\,21/
body PROLO_LEO2 /69\,95|3\,33/
body PROLO_LEO3 /99\,95|3\,75/
uri  PROLO_LEO4 /http:\/\/.*\.tripod\.com/
meta PROLO_LEO_M1 (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)

score PROLO_LEO1 0.1
score PROLO_LEO2 0.1
score PROLO_LEO3 0.1
score PROLO_LEO4 0.1
score PROLO_LEO_M1 8

describe PROLO_LEO1 Meta Catches all Leo drug variations so far
describe PROLO_LEO2 Meta Catches all Leo drug variations so far
describe PROLO_LEO3 Meta Catches all Leo drug variations so far
describe PROLO_LEO4 Meta to catch Leo now using Tripod
describe PROLO_LEO_M1 Catches all Leo drug variations so far

Meanwhile you could use something like this.

We have some other ones, since Leo likes to morph, but this one is pretty effective on the current ones.

Bye,
Raymond.
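As an added example (not code from the thread, from SARE, or from SpamAssassin itself), the Python below models how the PROLO_LEO body, uri and meta rules posted above combine into a score: each sub-rule is worth only 0.1, so a legitimate message that happens to contain one matching price stays harmless, while the meta rule adds 8 points only when every component fires. The rule names, regexes and scores are the ones from the post; the evaluator, the assumption that body rules are matched against a plain-text rendering of the message and uri rules against the extracted URIs, the sample messages, and the META_NO_URI variant (Raymond's later suggestion in this thread to meta on LEO1-2-3 and leave the URI to SURBL/URIBL) are constructed for this example.

```python
"""Score messages with the PROLO_LEO rules the way SpamAssassin composes
sub-rule and meta scores. Added example; the rule set is from the thread,
the evaluator and sample messages are constructed."""
import re

# Rules as posted (Perl regexes; Python's re also reads "\," as a literal comma).
BODY_RULES = {
    "PROLO_LEO1": r"85\,45|1\,21",
    "PROLO_LEO2": r"69\,95|3\,33",
    "PROLO_LEO3": r"99\,95|3\,75",
}
URI_RULES = {"PROLO_LEO4": r"http:\/\/.*\.tripod\.com"}
META_RULES = {"PROLO_LEO_M1": "(PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)"}
SCORES = {"PROLO_LEO1": 0.1, "PROLO_LEO2": 0.1, "PROLO_LEO3": 0.1,
          "PROLO_LEO4": 0.1, "PROLO_LEO_M1": 8.0}

# Variant of the meta without the tripod uri rule (Raymond's suggestion), constructed here.
META_NO_URI = {"PROLO_LEO_M1": "(PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3)"}


def eval_meta(expr, hits):
    """Evaluate a meta expression built from rule names, &&, ||, ! and parentheses.
    A rule name that is absent from `hits` counts as not having fired."""
    tokens = re.findall(r"&&|\|\||!|\(|\)|[A-Za-z0-9_]+", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "||":
            pos += 1
            right = parse_and()          # always parse the right side, no short-circuit
            value = value or right
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            pos += 1                     # consume the closing parenthesis
            return value
        return bool(hits.get(tok, False))

    return parse_or()


def score_message(body_text, uris, body_rules=BODY_RULES, uri_rules=URI_RULES,
                  meta_rules=META_RULES, scores=SCORES):
    """Return (total score rounded to 2 places, sorted names of rules that hit)."""
    hits = {}
    for name, pattern in body_rules.items():
        hits[name] = re.search(pattern, body_text) is not None
    for name, pattern in uri_rules.items():
        hits[name] = any(re.search(pattern, u) for u in uris)
    for name, expr in meta_rules.items():      # metas see the body/uri results
        hits[name] = eval_meta(expr, hits)
    fired = sorted(n for n, h in hits.items() if h)
    return round(sum(scores[n] for n in fired), 2), fired


# Constructed samples: a message carrying all three prices plus a tripod link, and a
# legitimate invoice that happens to quote one price matching PROLO_LEO1.
SPAM_BODY = "Viagra 85,45 / Cialis 69,95 / Soma 99,95 - order at our site"
SPAM_URIS = ["http://somepage.tripod.com/"]
HAM_BODY = "Invoice total: 85,45 EUR, due in 30 days"
HAM_URIS = ["http://www.example.com/invoice"]

if __name__ == "__main__":
    print(score_message(SPAM_BODY, SPAM_URIS))                          # (8.4, all five)
    print(score_message(HAM_BODY, HAM_URIS))                            # (0.1, [PROLO_LEO1])
    print(score_message(SPAM_BODY, ["http://www.example.net/x"],
                        meta_rules=META_NO_URI))                        # (8.3, LEO1-3 + meta)
```

The third call shows the trade-off Raymond describes: without the uri component the meta still catches the message on the three price strings alone, and the free-hosting redirect is left to SURBL/URIBL, which are already listing the domain.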
RE: More spam getting through
>>>...
>> Pierre,
>>
>> It does seem that the digests plus Bayes are the best defense against
>> these. Just a few minutes ago another arrived:
>>
>> Y 15 -
>> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_90_100,HTML_MESSAGE,MIME_QP_LONG_LINE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_RHS_POST,URIBL_RHS_WHOIS
>
>
>Where are those URIBL_RHS_* tests from? I see no mention of them on either SA
>or URIBL sites.
>
>Pierre
>

Older versions of what I'm using are in Bugzilla #4104 - See:

http://issues.apache.org/SpamAssassin/attachment.cgi?id=2952&action=view

for a large set of additional URI rules (many of the scores are far too high, and the SPEWS rules should be set to a score of 0.001 for most sites, though the meta-rules are quite safe). BTW. I do accept SPEWS listed emails every day, but I won't accept most mail from cable providers:) YMMV. Also, they show a lower than recommended (by URIBL) set of values for most of the URIBL lists. And, anyone with lots of traffic from domains with non-conforming country code TLDs may not want the 1/6 point I assign (still) to that.

If you'd like I can send you or post a much larger group of "lower return" BLs also (e.g. the easyDNS maintained DNS operators' lists and a few other obscure, but sometimes helpful lists - not useful for a high traffic site - they don't FP much, but hit little in return for the DNS traffic overhead).

Paul Shupak
[EMAIL PROTECTED]

P.S. There is the typo in the URIBL [red] rule in the web page above also (it prints [grey]).
RE: More spam getting through
List Mail User wrote:
>>> ...
>>
>> I'm not really THAT badly off; I run all default 3.1.0 tests plus
>> Bayes and DCC, three RBL's, URIBL/SURBL, some SARE rule sets and a
>> bunch of local rules. I do MTA-level blocking with Spamhaus
>> SBL-XBL, which knocks off at least half the junk before it reaches
>> SA. But I don't run Razor or Pyzor, so never get DIGEST_MULTIPLE.
>> Maybe I should change that.
>>
>> My point was, two people stated that SARE rules take care of this
>> type of pill spam, and they don't.
>>
>> Pierre
>>
> Pierre,
>
> It does seem that the digests plus Bayes are the best defense against
> these. Just a few minutes ago another arrived:
>
> Y 15 -
> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_90_100,HTML_MESSAGE,MIME_QP_LONG_LINE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_RHS_POST,URIBL_RHS_WHOIS

Where are those URIBL_RHS_* tests from? I see no mention of them on either SA or URIBL sites.

Pierre
RE: More spam getting through
>>...
>> do not use SARE tests, just check, read and try to follow what they
>> are doing).
>>
>
>Paul,
>
>I'm not really THAT badly off; I run all default 3.1.0 tests plus Bayes and
>DCC, three RBL's, URIBL/SURBL, some SARE rule sets and a bunch of local rules.
> I do MTA-level blocking with Spamhaus SBL-XBL, which knocks off at least half
>the junk before it reaches SA. But I don't run Razor or Pyzor, so never get
>DIGEST_MULTIPLE. Maybe I should change that.
>
>My point was, two people stated that SARE rules take care of this type of pill
>spam, and they don't.
>
>Pierre
>

Pierre,

It does seem that the digests plus Bayes are the best defense against these. Just a few minutes ago another arrived:

Y 15 - BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_90_100,HTML_MESSAGE,MIME_QP_LONG_LINE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_RHS_POST,URIBL_RHS_WHOIS

tinldrubbSpa.tripod.com-MUNG redirects to http://www.entrameric.com-MUNG
name servers ns0.indivualre.com-MUNG and ns0.rosettarkin.com-MUNG

The standard pattern - spam server at bookmyname, name servers with one at RGNames, the other at YesNIC. Zombie spew hitting all the digests, the DUL rules, XBL, SpamCop BL (which you might consider "45x"'ing at the MTA level to get rid of more zombie spew while only delaying valid email - it depends on your MTA, it's easy with postfix and "delay_if_reject"), and a few low scoring rules.

The primary difficulty with Leo and the SARE rules is he seems smarter than the typical spammer and quickly changes to avoid the rules they create for him. Adding the extra pair of digests will give you yet another almost 5 points for many of these drug spams (DIGEST_MULTIPLE is itself a low scoring rule, but each digest is a few points apiece). This is one of the lowest scores I've seen them get, and still well above most sites' threshold (even without my couple of points of local URI rules).

Paul Shupak
[EMAIL PROTECTED]

P.S. Whomever pointed out the Msg-ID line was right on also; this one was mid=<[EMAIL PROTECTED]> - I wonder which malware this is a sign of?
RE: More spam getting through
> -----Original Message-----
> From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 09, 2005 10:45 AM
> To: users@spamassassin.apache.org
> Subject: RE: More spam getting through
>
> > From: Loren Wilton [mailto:[EMAIL PROTECTED]
> >
> > > I'm not sure if Loren's rules made it into any particular
> > > ruleset or if Leo "morph"'d too often to bother; Maybe someone
> > ...
> > Of course, the urls are going to end up in SURBL before most of you get the
> > spams, so those will also keep them away from the inbox.
> >
> > Loren
>
> The ones I'm seeing are using a tripod.com redirect, and so are not
> hitting the SURBL/URIBL rules.

That's being discussed in URIBL right now. There has even been phone contact with tripod. Let's just say, we see that this is NOT a priority with them. So... it's possible we may add them to grey.uribl.com list. Possible there may just be a higher scoring SARE rule for it.

The fact they use geocities/tripod links shows how well URIBL/SURBL work. Too bad these companies have no urge to clean their system of these scum.

--Chris
RE: More spam getting through
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
>
> > I'm not sure if Loren's rules made it into any particular
> > ruleset or if Leo "morph"'d too often to bother; Maybe someone
> ...
> Of course, the urls are going to end up in SURBL before most of you get the
> spams, so those will also keep them away from the inbox.
>
> Loren

The ones I'm seeing are using a tripod.com redirect, and so are not hitting the SURBL/URIBL rules.
RE: More spam getting through
List Mail User wrote:
>> ...
>> List Mail User wrote:
>>> ...
>>> I believe some people using the SARE rules report ~100 points for
>>> them (after half a day or so, they fail every net test, and very
>>> many "small" rules). Also, the typical ones are delivered by
>>> zombies, so often the DUL tests hit right away, and if you can
>>> afford to refuse bad DNS at the MTA level (many large sites can't),
>>> you'll never see most of them.
>>>
>>> The last one I got hit:
>>> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
>>>
>>> A slightly earlier one got a much lower score with:
>>> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
>>>
>>
>> Umm... I don't see any SARE rules in there. The fact is, SARE isn't
>> terribly effective against these 1-column drug spams. The only SARE
>> hit I got was SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or
>> occasionally SARE_SPEC_LEO_MEDS with 1.67 points.
>>
>> Sure, with every possible network test enabled you will catch most
>> everything. But some of us don't have unlimited resources. ;)
>>
>> Pierre
>>
> Pierre,
>
> You'll get a lot of mileage from the three common digests; Of the
> three DCC takes very little resources, but you really should read the
> docs to set it up. Razor seems the most common one people use (it is
> Perl and easy to setup) and only Pyzor takes significant resources (a
> copy of Python has to be running).
>
> As to the other net tests you see above, besides those enabled by
> default, there are really only two DNS lookups and some meta-rules.
> All of the rfci data is available from one DNS query on
> fulldom.rfc-ignorant and they are fairly effective (with low scores
> and meta-rules for multiple hits - e.g. the "URIBL_RHS_NOCOMPLAINTS")
> and the lookup on the completewhois HIB list also functions well as
> URI rules. If you are so limited that you are already disabling
> standard rules, then you are in a different situation. You do not see
> the "low return" net rules, like the DNS operators BLs that easyDNS
> maintains or many others. None of the URI rules or DNS lookups
> require much in the way of resources.
>
> If you are resource limited and can afford it with your user base,
> then MTA level rejection of bad DNS/rDNS will nearly wipe out most
> "zombie" deliveries (and mail from all too commonly misconfigured
> Exchange servers) and reduce your load greatly - then you'll be able
> to pile on far more tests yet. Also, blocking at the MTA level with
> the XBL will also remove a lot of the "zombie" spew (and quite safely
> for any environment).
>
> My point should have been just a well trained Bayes DB plus the
> digests will catch these for all but the few people at the very
> beginning of a run, and a short while later the SURBLs will kick in
> (yes, the digests do seem to have quicker update times than the BLs,
> especially DCC). If you don't have enough resources to run SURBLs,
> then it is quite unlikely that you can afford the memory usage of the
> SARE tests either (disclaimer: I do not use SARE tests, just check,
> read and try to follow what they are doing).
>

Paul,

I'm not really THAT badly off; I run all default 3.1.0 tests plus Bayes and DCC, three RBL's, URIBL/SURBL, some SARE rule sets and a bunch of local rules. I do MTA-level blocking with Spamhaus SBL-XBL, which knocks off at least half the junk before it reaches SA. But I don't run Razor or Pyzor, so never get DIGEST_MULTIPLE. Maybe I should change that.

My point was, two people stated that SARE rules take care of this type of pill spam, and they don't.

Pierre
RE: More spam getting through
>...
>List Mail User wrote:
>>> ...
>>>
>> I believe some people using the SARE rules report ~100 points for them
>> (after half a day or so, they fail every net test, and very many
>> "small" rules). Also, the typical ones are delivered by zombies, so
>> often the DUL tests hit right away, and if you can afford to refuse
>> bad DNS at the MTA level (many large sites can't), you'll never see
>> most of them.
>>
>> The last one I got hit:
>> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
>>
>> A slightly earlier one got a much lower score with:
>> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
>>
>
>Umm... I don't see any SARE rules in there. The fact is, SARE isn't terribly
>effective against these 1-column drug spams. The only SARE hit I got was
>SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or occasionally
>SARE_SPEC_LEO_MEDS with 1.67 points.
>
>Sure, with every possible network test enabled you will catch most everything.
> But some of us don't have unlimited resources. ;)
>
>Pierre
>

Pierre,

You'll get a lot of mileage from the three common digests; of the three DCC takes very little resources, but you really should read the docs to set it up. Razor seems the most common one people use (it is Perl and easy to setup) and only Pyzor takes significant resources (a copy of Python has to be running).

As to the other net tests you see above, besides those enabled by default, there are really only two DNS lookups and some meta-rules. All of the rfci data is available from one DNS query on fulldom.rfc-ignorant and they are fairly effective (with low scores and meta-rules for multiple hits - e.g. the "URIBL_RHS_NOCOMPLAINTS") and the lookup on the completewhois HIB list also functions well as URI rules. If you are so limited that you are already disabling standard rules, then you are in a different situation. You do not see the "low return" net rules, like the DNS operators BLs that easyDNS maintains or many others. None of the URI rules or DNS lookups require much in the way of resources.

If you are resource limited and can afford it with your user base, then MTA level rejection of bad DNS/rDNS will nearly wipe out most "zombie" deliveries (and mail from all too commonly misconfigured Exchange servers) and reduce your load greatly - then you'll be able to pile on far more tests yet. Also, blocking at the MTA level with the XBL will also remove a lot of the "zombie" spew (and quite safely for any environment).

My point should have been just a well trained Bayes DB plus the digests will catch these for all but the few people at the very beginning of a run, and a short while later the SURBLs will kick in (yes, the digests do seem to have quicker update times than the BLs, especially DCC). If you don't have enough resources to run SURBLs, then it is quite unlikely that you can afford the memory usage of the SARE tests either (disclaimer: I do not use SARE tests, just check, read and try to follow what they are doing).

Paul Shupak
[EMAIL PROTECTED]
RE: More spam getting through
From: Loren Wilton [mailto:[EMAIL PROTECTED]
>
> > If anyone can formulate a regex to catch these letters in any
> > order, while avoiding a repeating sequence like "A A A A A ", it
> > would make this a safer rule.
>
> SARE has quite a number of rules specifically to catch these table
> drug spams.

Which rulesets are they in? I already have almost all of the safe rulesets.

Bowie
RE: More spam getting through
List Mail User wrote:
>> ...
>>
> I believe some people using the SARE rules report ~100 points for them
> (after half a day or so, they fail every net test, and very many
> "small" rules). Also, the typical ones are delivered by zombies, so
> often the DUL tests hit right away, and if you can afford to refuse
> bad DNS at the MTA level (many large sites can't), you'll never see
> most of them.
>
> The last one I got hit:
> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
>
> A slightly earlier one got a much lower score with:
> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
>

Umm... I don't see any SARE rules in there. The fact is, SARE isn't terribly effective against these 1-column drug spams. The only SARE hit I got was SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or occasionally SARE_SPEC_LEO_MEDS with 1.67 points.

Sure, with every possible network test enabled you will catch most everything. But some of us don't have unlimited resources. ;)

Pierre
RE: More spam getting through
I only got my hands on 3 of those, and they all have very similar Message-IDs:

Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

I have put the following on 2 of our SA servers, thanks for your contribution:

body     L_DRUGS11 /([CVAXP] ){5}/
header   L_DRUGS12 MESSAGEID =~ /^<[EMAIL PROTECTED]>/
meta     L_DRUGS1  L_DRUGS11 && L_DRUGS12
score    L_DRUGS1  5
describe L_DRUGS1  Strange Message-ID and Spam signature in body.

- Ríkharður

-----Original Message-----
From: Pierre Thomson [mailto:[EMAIL PROTECTED]
Sent: 08 November, 2005 4:14 PM
To: Bowie Bailey; Spamassassin List (E-mail)
Subject: RE: More spam getting through

Bowie Bailey wrote:
>
> Some of the medication spams are using an obnoxious html table
> structure that makes the contents of each cell print vertically.
>
> For example:
>
>   a d g
>   b e h
>   c f i
>
> <\tr>
>
> This results in:
> a b c
> d e f
> g h i
>
> Has anyone else been having this problem? Any rules to catch
> medication names in those types of tables?
>

Here's a simple rule I wrote a couple days ago:

body     PT_DRUG1 /([CVAXP] ){5}/
describe PT_DRUG1 Drug names in table of 1-letter columns
score    PT_DRUG1 3.0

It works for me, no FP's yet that I am aware of. There are also variants for 2-letter and 3-letter bits of the same drug names.

Good luck
Pierre Thomson
BIC
Re: More spam getting through
> I'm not sure if Loren's rules made it into any particular
> ruleset or if Leo "morph"'d too often to bother; Maybe someone

They were in specific.cf as I recall. Yes, they were in there, and yes, Leo tended to get around them every few days. A couple of them are still there and still hit occasionally; some have been removed completely.

However, a bunch of the other ninjas have gotten a thing against Leo, and it isn't unusual to see 5-10 mass checks a day against various Leo rules. I suspect that many of these may in fact be targeting some of Leo's competitors as much as Leo himself - we really don't try to figure out who is sending this trash, just what we can find to catch it.

If you have RDJ installed and correct and pulling down SARE rules, then you should be doing moderately well against most of these table spams. Of course, the urls are going to end up in SURBL before most of you get the spams, so those will also keep them away from the inbox.

Loren
Re: More spam getting through
> If anyone can formulate a regex to catch these letters in any order, while avoiding a
> repeating sequence like "A A A A A ", it would make this a safer rule.

SARE has quite a number of rules specifically to catch these table drug spams.

Loren
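As an added example (not code from the thread or from SARE), the Python below exercises Pierre's PT_DRUG1 pattern from earlier in this thread against constructed renderings of a message body, and sets beside it a tightened variant that answers the question quoted above: the same run of five one-letter cells, but a negative lookahead refuses a run in which all five letters are identical, so a column of repeated "A"s no longer fires. The regex and the set of letters are Pierre's; the STRICT variant, the evaluator and the sample texts are constructed for this example, and it assumes, as SpamAssassin body rules do, that the pattern is applied to the text rendering of the message.

```python
"""Compare the posted PT_DRUG1 body rule with a variant that skips a run of
five identical letters. Added example; PT_DRUG1 is the rule from the thread,
PT_DRUG1_STRICT and the sample bodies are constructed."""
import re

# Pierre's rule as posted: five single-letter "cells" from the set, each followed by a space.
PT_DRUG1 = re.compile(r"([CVAXP] ){5}")

# Constructed variant: before matching five cells, a negative lookahead captures the first
# letter and rejects the window if the next four cells repeat that same letter.
PT_DRUG1_STRICT = re.compile(r"(?!([CVAXP]) (?:\1 ){4})(?:[CVAXP] ){5}")

RULES = {"PT_DRUG1": PT_DRUG1, "PT_DRUG1_STRICT": PT_DRUG1_STRICT}


def first_run(pattern, text):
    """Return the text of the first matching window, or None (useful when tuning a rule)."""
    m = pattern.search(text)
    return m.group(0) if m else None


def evaluate(text):
    """Return a dict of rule name -> whether it fires on the rendered body text."""
    return {name: first_run(pat, text) is not None for name, pat in RULES.items()}


# Constructed sample renderings:
#  - a row of one-letter table cells that reads as drug initials (the pattern the rule targets)
#  - a legitimate list where one letter grade repeats down a column
#  - a short body that never reaches five cells
SPAM_ROW = "C V A X P C V A X P "
GRADE_COLUMN = "Results: A A A A A A "
SHORT_BODY = "Checked items: C V A"

if __name__ == "__main__":
    for label, body in (("spam row", SPAM_ROW), ("grade column", GRADE_COLUMN),
                        ("short body", SHORT_BODY)):
        print(label, evaluate(body), first_run(PT_DRUG1_STRICT, body))
```

The lookahead only excludes a window whose five letters are all the same: a longer mixed run such as "X X X X C V " still fires at the window where the letters differ, which is the behaviour wanted for the vertical-table case.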
RE: More spam getting through
>...
>From: List Mail User [mailto:[EMAIL PROTECTED]
>>
>> >...
>> >I'm running SA 3.1 and I have started to notice more spam come through
>> >recently.
>> >[snip - original table drug spam]
>> >
>> >Has anyone else been having this problem? Any rules to catch medication
>> >names in those types of tables?
>>
>> They should hit a well trained BAYES, and both Pyzor and DCC as
>> well as Razor2 (your site may not be able to use them due to licensing
>>[snip - original reply]
>
>I have a trained Bayes DB, but I didn't get anything from it. I'm
>running Razor, but not Pyzor or DCC. I've got the default blacklists
>and a bunch of SARE rules, but I'm not sure if I've got the one you
>are referring to.
>
>Here's my current list (updated via RDJ):
>70_sare_adult.cf
>70_sare_evilnum0.cf
>70_sare_genlsubj0.cf
>70_sare_header0.cf
>70_sare_html0.cf
>70_sare_obfu0.cf
>70_sare_random.cf
>70_sare_specific.cf
>70_sare_spoof.cf
>70_sare_unsub.cf
>70_sare_uri0.cf
>70_sare_whitelist_rcvd.cf
>70_sare_whitelist_spf.cf
>99_sare_fraud_post25x.cf
>chickenpox.cf
>weeds.cf
>
>I don't have one to look at right now, but from memory, there was just
>Razor and chickenpox that hit.
>
>No Bayes mention at all, which is odd now that you mention it. Maybe
>I should check to make sure everything is working properly.
>
>Bowie
>

I'm not sure if Loren's rules made it into any particular ruleset or if Leo "morph"'d too often to bother; maybe someone else could speak up who is using them (I seem to remember the first few cuts would only work for a few days, then were "beaten"). I'd expect the SARE set to be 70_sare_drugs.cf, but that one may now be obsolete or not appropriate for 3.1 (or possibly even earlier, I admit I often read the SARE rules, but don't actually use them).

If you're not using Pyzor, it is a bit of a memory hog (need to keep a copy of python running), but is a very valuable addition. Likewise, if you can accept the licensing run DCC - if you don't like or can't use it because of the license, consider running version 1.2.72 which generally works well and had the old license terms (i.e. basically unrestricted free, but no longer supported though it does work).

Also, do check your Bayes DB - with a bunch of examples, if you run sa-learn on them, you should quickly get to where they trigger BAYES_99. A high Bayes score and one or two digest hits will stop them in most environments; anything else is just icing and makes them easier still. Because of the nature of zombie delivery, it is important to hand train your Bayes DB even if you do enable auto-learning (i.e. they will often have too few header or body points to trigger auto-learn).

Also, try to feed some old ones back into "spamassassin -t" and see if they now are hitting net tests; if they do now, but didn't when you received them, you had the misfortune to be at the start of a spam run (net tests are very, very helpful and good for everybody except the few people who get the spam first - they are the ones who report the spam and then "save" everyone else who gets it later - it is good altruistic behavior for everyone to report spam as much as possible to get it into the BL databases - i.e. SpamCop, etc. and digest reporting).

Paul Shupak
[EMAIL PROTECTED]
Re: More spam getting through
On Tuesday 08 November 2005 08:57 am, Bowie Bailey wrote:
> I'm running SA 3.1 and I have started to notice more spam come through
> recently.
>
> Some are porn and some are medication. They don't hit much of anything
> beyond Razor2 and Chickenpox, which isn't enough to mark them as spam.
>
> Some of the medication spams are using an obnoxious html table structure
> that makes the contents of each cell print vertically.
>
> For example:
>
>   a d g
>   b e h
>   c f i
>
> <\tr>
>
> This results in:
> a b c
> d e f
> g h i
>
> Has anyone else been having this problem? Any rules to catch medication
> names in those types of tables?
>
> Bowie

I've had a couple of these wind up just under my cutoff (5.0). What I've done is run spamassassin -r and once they make it to dcc/pyzor/razor the score jumps up quite a bit.

--
Chris
Registered Linux User 283774 http://counter.li.org
20:35:12 up 33 days, 57 min, 2 users, load average: 2.17, 1.60, 1.00
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
RE: More spam getting through
From: List Mail User [mailto:[EMAIL PROTECTED]
>
> >...
> >I'm running SA 3.1 and I have started to notice more spam come through
> >recently.
> >
> >Some are porn and some are medication. They don't hit much of anything
> >beyond Razor2 and Chickenpox, which isn't enough to mark them as spam.
> >
> >Some of the medication spams are using an obnoxious html table structure
> >that makes the contents of each cell print vertically.
> >
> >For example:
> >
> >  a d g
> >  b e h
> >  c f i
> >
> ><\tr>
> >
> >This results in:
> >a b c
> >d e f
> >g h i
> >
> >Has anyone else been having this problem? Any rules to catch medication
> >names in those types of tables?
>
> They should hit a well trained BAYES, and both Pyzor and DCC as
> well as Razor2 (your site may not be able to use them due to licensing
> issues). I believe that Loren has written some SARE rules for these
> also (check the archives). These are Leo Kuvayev's pill spams, and
> also very often fail many net tests (XBL, SBL, etc. and after a while
> they will hit the SURBLs and other URI tests as long as you are not
> at the very start of a spam run). They tend to run > 20 points here,
> peaking over 40 points at the end of a run (or a subsequent spam run).
> I believe some people using the SARE rules report ~100 points for them
> (after half a day or so, they fail every net test, and very many "small"
> rules). Also, the typical ones are delivered by zombies, so often the
> DUL tests hit right away, and if you can afford to refuse bad DNS at
> the MTA level (many large sites can't), you'll never see most of them.
>
> The last one I got hit:
> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,
> PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
> RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,
> URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,
> URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,
> URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,
> URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
>
> A slightly earlier one got a much lower score with:
> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZ
> OR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCO
> P_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
>
> In both cases local URI rules increased the score, but were not
> needed (i.e. they would be over most "reasonable" limits anyway).

I have a trained Bayes DB, but I didn't get anything from it. I'm running Razor, but not Pyzor or DCC. I've got the default blacklists and a bunch of SARE rules, but I'm not sure if I've got the one you are referring to.

Here's my current list (updated via RDJ):
70_sare_adult.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_header0.cf
70_sare_html0.cf
70_sare_obfu0.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_unsub.cf
70_sare_uri0.cf
70_sare_whitelist_rcvd.cf
70_sare_whitelist_spf.cf
99_sare_fraud_post25x.cf
chickenpox.cf
weeds.cf

I don't have one to look at right now, but from memory, there was just Razor and chickenpox that hit.

No Bayes mention at all, which is odd now that you mention it. Maybe I should check to make sure everything is working properly.

Bowie
Re: More spam getting through
>...
>I'm running SA 3.1 and I have started to notice more spam come through
>recently.
>
>Some are porn and some are medication. They don't hit much of anything
>beyond Razor2 and Chickenpox, which isn't enough to mark them as spam.
>
>Some of the medication spams are using an obnoxious html table structure
>that makes the contents of each cell print vertically.
>
>For example:
>
> a d g
> b e h
> c f i
>
><\tr>
>
>This results in:
>a b c
>d e f
>g h i
>
>Has anyone else been having this problem? Any rules to catch medication
>names in those types of tables?
>
>Bowie
>

They should hit a well trained BAYES, and both Pyzor and DCC as well as Razor2 (your site may not be able to use them due to licensing issues). I believe that Loren has written some SARE rules for these also (check the archives). These are Leo Kuvayev's pill spams, and also very often fail many net tests (XBL, SBL, etc. and after a while they will hit the SURBLs and other URI tests as long as you are not at the very start of a spam run). They tend to run > 20 points here, peaking over 40 points at the end of a run (or a subsequent spam run). I believe some people using the SARE rules report ~100 points for them (after half a day or so, they fail every net test, and very many "small" rules). Also, the typical ones are delivered by zombies, so often the DUL tests hit right away, and if you can afford to refuse bad DNS at the MTA level (many large sites can't), you'll never see most of them.

The last one I got hit:
BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,
PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,
URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,
URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,
URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,
URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL

A slightly earlier one got a much lower score with:
BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS

In both cases local URI rules increased the score, but were not needed (i.e. they would be over most "reasonable" limits anyway).

Paul Shupak
[EMAIL PROTECTED]
RE: More spam getting through
Pierre Thomson wrote:
> Bowie Bailey wrote:
>>
>> Some of the medication spams are using an obnoxious html table
>> structure that makes the contents of each cell print vertically.
>>
>> For example:
>>
>> a d g
>> b e h
>> c f i
>>
>> <\tr>
>>
>> This results in:
>> a b c
>> d e f
>> g h i
>>
>> Has anyone else been having this problem? Any rules to catch
>> medication names in those types of tables?
>>
>
> Here's a simple rule I wrote a couple days ago:
>
> body PT_DRUG1 /([CVAXP] ){5}/
> describe PT_DRUG1 Drug names in table of 1-letter columns
> score PT_DRUG1 3.0
>
> It works for me, no FP's yet that I am aware of. There are also
> variants for 2-letter and 3-letter bits of the same drug names.
>

If anyone can formulate a regex to catch these letters in any order, while avoiding a repeating sequence like "A A A A A ", it would make this a safer rule.

Pierre
RE: More spam getting through
Bowie Bailey wrote:
>
> Some of the medication spams are using an obnoxious html table
> structure that makes the contents of each cell print vertically.
>
> For example:
>
> a d g
> b e h
> c f i
>
> <\tr>
>
> This results in:
> a b c
> d e f
> g h i
>
> Has anyone else been having this problem? Any rules to catch
> medication names in those types of tables?
>

Here's a simple rule I wrote a couple days ago:

body PT_DRUG1 /([CVAXP] ){5}/
describe PT_DRUG1 Drug names in table of 1-letter columns
score PT_DRUG1 3.0

It works for me, no FP's yet that I am aware of. There are also variants for 2-letter and 3-letter bits of the same drug names.

Good luck

Pierre Thomson
BIC
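The following is an added example and not code from Pierre, Bowie or anyone else in this thread. It builds a constructed one-letter-per-cell table of the kind Bowie described, renders it roughly the way a body rule would see it, runs Pierre's PT_DRUG1 pattern over the result, reproduces the "A A A A A " false positive he raises in his follow-up, and gives a variant that refuses a run of one repeated letter with a negative lookahead plus backreference. Assumptions: the rendering (cells and rows joined by single spaces) only approximates SpamAssassin's HTML-to-text output, and the five drug names in the sample are this example's choice for the demo. The column_words helper goes beyond the thread's rules: it reads the parsed table top-down per column, which is how the words come out, whereas an SA body rule never sees the table in that shape.

```python
"""Added example (not from the thread): exercise Pierre Thomson's PT_DRUG1
regex against text laid out the way a one-letter-per-cell HTML table renders,
show the 'A A A A A ' false positive he mentions, and a variant that rejects it.
All sample HTML below is constructed for this demo; it is not a real spam."""
import re

# Constructed spam body: five drug names written one letter per cell, so each
# <tr> renders as the n-th letter of every name (the layout Bowie described).
# Names are an assumption chosen so the first row reads C V A X P.
SPAM_TABLE = """<table>
<tr><td>C</td><td>V</td><td>A</td><td>X</td><td>P</td></tr>
<tr><td>I</td><td>I</td><td>M</td><td>A</td><td>R</td></tr>
<tr><td>A</td><td>A</td><td>B</td><td>N</td><td>O</td></tr>
<tr><td>L</td><td>G</td><td>I</td><td>A</td><td>Z</td></tr>
<tr><td>I</td><td>R</td><td>E</td><td>X</td><td>A</td></tr>
<tr><td>S</td><td>A</td><td>N</td><td></td><td>C</td></tr>
</table>"""


def table_cells(html):
    """Parse the table into a list of rows, each a list of stripped cell strings."""
    rows = re.findall(r"<tr[^>]*>(.*?)</tr>", html, flags=re.I | re.S)
    return [
        [c.strip() for c in re.findall(r"<td[^>]*>(.*?)</td>", row, flags=re.I | re.S)]
        for row in rows
    ]


def render_body(html):
    """Approximate what a body rule sees: tags gone, non-empty cells and rows
    separated by single spaces. This is an assumption about the renderer;
    SpamAssassin's exact whitespace handling may differ."""
    lines = [" ".join(c for c in row if c) for row in table_cells(html)]
    return " ".join(lines) + " "


# Pierre's rule as posted: five consecutive single-letter cells drawn from
# C V A X P, in any order (so "A A A A A " also matches, which is his worry).
PT_DRUG1 = re.compile(r"([CVAXP] ){5}")

# Variant answering his follow-up: same letter set and any order, but the
# negative lookahead captures the first letter and rejects the match when the
# next four cells are that same letter, so a run of one repeated letter fails.
PT_DRUG1_MIXED = re.compile(r"(?!([CVAXP]) (?:\1 ){4})(?:[CVAXP] ){5}")


def hits(rule, text):
    """True when the rule would fire on this rendered body text."""
    return rule.search(text) is not None


def column_words(html):
    """Read the parsed table top-down per column, reassembling the hidden words.
    Beyond the thread's body rules: SA never sees the table in this shape."""
    rows = table_cells(html)
    width = max(len(row) for row in rows)
    return ["".join(row[i] for row in rows if i < len(row)) for i in range(width)]


if __name__ == "__main__":
    body = render_body(SPAM_TABLE)
    print("rendered body:", body)
    print("PT_DRUG1:", hits(PT_DRUG1, body), " PT_DRUG1_MIXED:", hits(PT_DRUG1_MIXED, body))
    print("columns:", column_words(SPAM_TABLE))
    for sample in ("A A A A A ", "Pick one: A, C or X P "):
        print(repr(sample), "PT_DRUG1:", hits(PT_DRUG1, sample),
              " PT_DRUG1_MIXED:", hits(PT_DRUG1_MIXED, sample))
```

SpamAssassin compiles body rules as Perl regexes, so the lookahead form can be tried as `body PT_DRUG1_MIXED /(?!([CVAXP]) (?:\1 ){4})(?:[CVAXP] ){5}/` in local.cf; run `spamassassin --lint` after adding it and feed a saved sample through `spamassassin -t` to confirm it fires before giving it a score.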