Re: Need for a new rule?
On Wednesday, April 13, 2005, 1:42:10 PM, Stuart Johnston wrote:

> body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i

FWIW, the st0ckNN @ yahoo.com spammer seems to have changed back to 4 digits:

    If you wish to stop future mailings, or if you fee| you have been
    wrongful|y p|aced in our membership, p|ease go here or send a blank
    e mail with No Thanks in the subject to st0ck1007 @yahoo.com

So it's time to adjust/modify that filter again. (I guess he was behind on
his reading. Hi spammy! ;-)

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: Need for a new rule?
-----Original Message-----
From: Stuart Johnston [mailto:[EMAIL PROTECTED]]
Sent: 13 April 2005 21:42
To: Andreas Davour
Cc: users@spamassassin.apache.org
Subject: Re: Need for a new rule?

> Andreas Davour wrote:
>> The following message has many characteristics in common with much
>> spam I've been getting lately. It's about investments, often shares,
>> stock options or oil. One odd thing about those messages is that they
>> all, like the one quoted below, have the letter 'l' substituted for
>> the pipe character, i.e. '|'.

Here we have a large number of obfuscated word rules, including a number
that are related to stocks and shares. We need to be careful, as we do
receive legitimate 'forrrward loooking statements' (obfuscated in case you
don't like the phrase), so we tend to have things like

    (?!millions?)m[1i|][l1|][l1|][l1|][0o]n[5s]?

(not checked). The basic rule is that real people don't try to hide what
they are saying.

There does exist a problem with other companies who use profanity filters.
The sender beats their profanity filter by obfuscating the word, and we
catch it because they obfuscated!

---
This email from dns has been validated by dnsMSS Managed Email Security and
is free from all known viruses. For further information contact
[EMAIL PROTECTED]
Re: Need for a new rule?
Andreas Davour wrote:
> The following message has many characteristics in common with much
> spam I've been getting lately. It's about investments, often shares,
> stock options or oil. One odd thing about those messages is that they
> all, like the one quoted below, have the letter 'l' substituted for
> the pipe character, i.e. '|'.
>
> Are there any rules for this? Would one be hard to design? I haven't
> seen anything about it in the documentation. OR, I haven't understood
> what I've read...
>
> /Andreas

There have been several threads about this specific spammer in the last
few months. Some of them with this exact question - mostly the answer is no.

> e mail with No Thanks in the subject to st0ck62 @ yahoo.com

It is much easier to match on this email address with something like:

body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i
RE: Need for a new rule?
> There have been several threads about this specific spammer in the last
> few months. Some of them with this exact question - mostly the answer is no.
>
>> e mail with No Thanks in the subject to st0ck62 @ yahoo.com
>
> It is much easier to match on this email address with something like:
>
> body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i

That is what I do to foil this particular spammer. Hope he doesn't change
his fake email address ;) I get millions (mil|ions?) of spams from this guy
(well, not millions, but I have received 15 in the last 2 hours).

While generic tests for character/letter obfuscation are difficult, this
guy is pretty predictable.

body SRH_PENNY2 /(?:e\s*mai\||mi[|l]{2}ions|resu\|ts|wi[|l]{2})/

Add your own l-| words to this list, although he hasn't failed to use one
in the list above in each one of his spams.

-steve
RE: Need for a new rule?
> -----Original Message-----
> From: Andreas Davour [mailto:[EMAIL PROTECTED]]
> Sent: 13 April 2005 21:23
> Cc: users@spamassassin.apache.org
> Subject: Need for a new rule?
>
>
> The following message has many characteristics in common with much
> spam I've been getting lately. It's about investments, often shares,
> stock options or oil. One odd thing about those messages is that they
> all, like the one quoted below, have the letter 'l' substituted for
> the pipe character, i.e. '|'.
>
> Are there any rules for this? Would one be hard to design? I haven't
> seen anything about it in the documentation. OR, I haven't understood
> what I've read...
>
> /Andreas

I have a couple of rules I have written to catch these spams, still
catching plenty right now but who knows how long for:-

body MS_Hide_Yahoo /(?: [EMAIL PROTECTED]|\@ yahoo.com\b)/i
score MS_Hide_Yahoo 4.5
describe MS_Hide_Yahoo Attempt to hide yahoo email address

body __MS_Oil_Stock1 /\bo.l and gas\b/i
body __MS_Oil_Stock2 /(?:\b\(?EOGI|\b\(?MOGI|\b\(?TDCP|\b\(?MEGJ)/i
body __MS_Oil_Stock3 /(?:\bEmerson|\bmontana|\bAdeptrader|\bAtheletic)/i
uri __MS_Oil_Stock4 /http\:\/\/finance\.yahoo\.com/i
body __MS_Ins_Stock1 /(?:\bGRDX|\b3DIcon|\bConclusion|\binvestments?|\bmarket value)/i
body __MS_Ins_Stock2 /(?:\bPenny St.ck|\bBuy Low|\bCurrent Price)/i
body __MS_Ins_Stock3 /(?:jeff.[0-9]{1,[EMAIL PROTECTED]|\bst(?:0|o)cks?[0-9]{0,[EMAIL PROTECTED]|\bNo Thanks)/i
body __MS_Ins_Stock4 /(?:\bst0ck|\bprice \$|\bdollars)/i
# each __ sub-rule is 0 or 1 inside a meta, so this fires when at least
# three of the eight sub-rules matched
meta MS_Stock ((__MS_Oil_Stock1 + __MS_Oil_Stock2 + __MS_Oil_Stock3 + __MS_Oil_Stock4 + __MS_Ins_Stock1 + __MS_Ins_Stock2 + __MS_Ins_Stock3 + __MS_Ins_Stock4) > 2)
score MS_Stock 5.0
describe MS_Stock Investment Stock Spam

Make allowance for word-wrap, not sure how legible they will be.

Martin
RE: Need for a new rule?
> While generic tests for character/letter obfuscation are difficult, this
> guy is pretty predictable.
>
> body SRH_PENNY2 /(?:e\s*mai\||mi[|l]{2}ions|resu\|ts|wi[|l]{2})/
>
> Add your own l-| words to this list, although he hasn't failed to use one
> in the list above in each one of his spams.
>
> -steve

Replying to myself (ps. drink more coffee). That should read:

body SRH_PENNY2 /(?:e\s*mai\||mi\|lions|mil\|ions|resu\|ts|wil\||wi\|l)/i
Re: Need for a new rule?
On Apr 13, 2005, at 3:49 PM, SRH-Lists wrote:

>> There have been several threads about this specific spammer in the last
>> few months. Some of them with this exact question - mostly the answer is no.
>>
>>> e mail with No Thanks in the subject to st0ck62 @ yahoo.com
>>
>> It is much easier to match on this email address with something like:
>>
>> body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i

I added this rule a while back and removed the yahoo and it seems to
help--but only adds 1.0 to the score and it wasn't enough to put the mail
over my threshold of 3.5. How would I increase the score it adds?

Joe Kletch
Re: Need for a new rule?
Joe Kletch wrote:
>> body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i
>
> I added this rule a while back and removed the yahoo and it seems to
> help--but only adds 1.0 to the score and it wasn't enough to put the mail
> over my threshold of 3.5. How would I increase the score it adds?
>
> Joe Kletch

Change the score line for L_STOX2... and if you don't have one... add one,
for crying out loud! All your rules should have a matching score line,
unless they are meta sub-tests and their names start with a double
underscore (__). Otherwise you're just relying on SA to assign it a default
score, which happens to be 1.0.

score L_STOX2 1.2
Re: Need for a new rule?
Andreas Davour wrote:
[snip]
> Are there any rules for this? Would one be hard to design? I haven't
> seen anything about it in the documentation. OR, I haven't understood
> what I've read...

I just wrote a bunch of obfu-rules with negative lookaheads and made
meta-rules out of them; nails anything like this, because there is
generally no need for people to spell dollar with 2 |'s (or will, overall
etc.)

Anyway, the attached might help a bit (with apologies for all the SA
installs which it may trigger)...

Pointers, corrections etc. welcome as always.

Regards,
Craig.

# Local rules for stocks and shares scams
#
###
#
body     LOCAL_STOCK_ACT     /The Private Securities Litigation Reform Act/i
describe LOCAL_STOCK_ACT     Mentions the Reform Act

body     LOCAL_STOCK_NOVICE  /is not an investment expert/i
describe LOCAL_STOCK_NOVICE  Not an investment expert

body     LOCAL_STOCK_BULL_1  /bu[1\|l][1\|l] market/i
describe LOCAL_STOCK_BULL_1  Bull market

body     LOCAL_STOP_MAILINGS /t[0o] st[0o]p future mai[\|l]ings?/i
describe LOCAL_STOP_MAILINGS Link or mail to stop future mailings

# OBFU rules: the negative lookahead stops the correctly spelled word from
# matching, so only a spelling with 'l' swapped for '1' or '|' fires.
body     __LOCAL_OBF_BULL    /(?!bull)bu[1\|l][1\|l]/i
describe __LOCAL_OBF_BULL    Bull-OBFU
body     __LOCAL_OBF_WILL    /(?!will)wi[1\|l][1\|l]/i
describe __LOCAL_OBF_WILL    Will-OBFU
body     __LOCAL_OBF_DOLLAR  /(?!dollar)do[1\|l][1\|l]ar/i
describe __LOCAL_OBF_DOLLAR  Dollar-OBFU
body     __LOCAL_OBF_ALL     /(?!all)a[1\|l][1\|l]/i
describe __LOCAL_OBF_ALL     All-OBFU
body     __LOCAL_OBF_WELL    /(?!well)we[1\|l][1\|l]/i
describe __LOCAL_OBF_WELL    Well-OBFU
body     __LOCAL_OBF_OVERALL /(?!overall)[0o]vera[1\|l][1\|l]/i
describe __LOCAL_OBF_OVERALL Overall-OBFU
body     __LOCAL_OBF_OIL     /(?!oil)[0o]i[1\|l]/i
describe __LOCAL_OBF_OIL     Oil-OBFU

# Each __ sub-rule is 0 or 1 inside a meta, so the sum is the number of
# distinct obfuscated words found.
meta     LOCAL_OBF_1 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 0)
describe LOCAL_OBF_1 Found 1 obfuscated word
#meta     LOCAL_OBF_2 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 1)
#describe LOCAL_OBF_2 Found 2 obfuscated words
#meta     LOCAL_OBF_3 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 2)
#describe LOCAL_OBF_3 Found 3 obfuscated words
meta     LOCAL_OBF_4 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 3)
describe LOCAL_OBF_4 Found 4 obfuscated words
#meta     LOCAL_OBF_5 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 4)
#describe LOCAL_OBF_5 Found 5 obfuscated words
#meta     LOCAL_OBF_6 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 5)
#describe LOCAL_OBF_6 Found 6 obfuscated words
meta     LOCAL_OBF_7 ((__LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 6)
describe LOCAL_OBF_7 Found 7 obfuscated words

# score names must match the rule names above (the BULL rule is _1)
score LOCAL_STOCK_ACT     1.5
score LOCAL_STOCK_NOVICE  0.6
score LOCAL_STOCK_BULL_1  0.6
score LOCAL_STOP_MAILINGS 0.6
score LOCAL_OBF_1 1
#score LOCAL_OBF_2 2
#score LOCAL_OBF_3 2
score LOCAL_OBF_4 3
#score LOCAL_OBF_5 3
#score LOCAL_OBF_6 4
score LOCAL_OBF_7 4
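The thread's three ideas, matching the spammer's half-hidden address (Stuart's L_STOX2), listing his favourite l-to-| words (Steve's SRH_PENNY2) and counting negative-lookahead sub-rules in a meta (Craig's LOCAL_OBF_* set), combined in one runnable scorer. This is an added example, not code from the thread or from SpamAssassin itself: it re-implements in Python the part of SpamAssassin's evaluation the thread relies on (a `__` sub-rule counts as 0 or 1 inside a meta, metas add their score on top, the total is compared with required_score). The regexes are the ones posted, in the syntax Python's re shares with Perl. Everything else is an assumption made for the demo: the redacted middle of L_STOX2 is taken to be `@` with optional spaces either side and widened to 2-4 digits after the st0ck1007 sighting, the scores on the body rules, Joe's threshold of 3.5, and the two sample messages, which are constructed rather than real mail.

```python
"""Stand-alone scorer for the obfuscation rules from the thread.

Added example, not code from the thread or from SpamAssassin.  The regexes
are the posted ones; the body-rule scores, the widened and de-redacted
L_STOX2, the 3.5 threshold and the sample messages are assumptions."""
import re

# "__" sub-rules carry no score of their own.  The negative lookahead stops
# the correctly spelled word from matching, so only a spelling with 'l'
# swapped for '1'/'|' (or 'o' for '0') fires.  Inside [...] the '|' is literal.
OBF_SUBRULES = {
    "__LOCAL_OBF_BULL":    r"(?!bull)bu[1|l][1|l]",
    "__LOCAL_OBF_WILL":    r"(?!will)wi[1|l][1|l]",
    "__LOCAL_OBF_DOLLAR":  r"(?!dollar)do[1|l][1|l]ar",
    "__LOCAL_OBF_ALL":     r"(?!all)a[1|l][1|l]",
    "__LOCAL_OBF_WELL":    r"(?!well)we[1|l][1|l]",
    "__LOCAL_OBF_OVERALL": r"(?!overall)[0o]vera[1|l][1|l]",
    "__LOCAL_OBF_OIL":     r"(?!oil)[0o]i[1|l]",
}

# Metas: (name, how many distinct sub-rules must have fired, score).
# SpamAssassin evaluates each sub-rule to 0 or 1, so "(A + B + ...) > 3" is
# a count of distinct sub-rules, not of matches.  Scores stack, as posted.
META_RULES = [
    ("LOCAL_OBF_1", 1, 1.0),   # (sum) > 0
    ("LOCAL_OBF_4", 4, 3.0),   # (sum) > 3
    ("LOCAL_OBF_7", 7, 4.0),   # (sum) > 6
]

# Ordinary body rules with their own score lines (scores are assumptions).
BODY_RULES = {
    # L_STOX2 with the redacted middle assumed to be '@' with optional spaces
    # on both sides, and \d{2} widened to \d{2,4} for st0ck62 and st0ck1007.
    "L_STOX2": (r"st0ck\d{2,4}\s{0,2}@\s{0,4}yahoo\.com", 1.2),
    # Steve's corrected SRH_PENNY2 (last alternation read as wil| or wi|l).
    "SRH_PENNY2": (r"(?:e\s*mai\||mi\|lions|mil\|ions|resu\|ts|wil\||wi\|l)", 1.0),
    # No lookahead here, so it also fires on the plain spelling.
    "LOCAL_STOP_MAILINGS": (r"t[0o] st[0o]p future mai[|l]ings?", 0.6),
}

REQUIRED_SCORE = 3.5   # Joe's threshold


def fired_obfuscation_rules(body):
    """Sorted names of the '__' sub-rules that match at least once."""
    return sorted(name for name, pat in OBF_SUBRULES.items()
                  if re.search(pat, body, re.I))


def score_message(body, required_score=REQUIRED_SCORE):
    """Return (score, rule names that fired, is_spam) for one body."""
    hits, score = [], 0.0
    obf_count = len(fired_obfuscation_rules(body))
    for name, needed, points in META_RULES:
        if obf_count >= needed:
            hits.append(name)
            score += points
    for name, (pat, points) in BODY_RULES.items():
        if re.search(pat, body, re.I):
            hits.append(name)
            score += points
    return round(score, 2), hits, score >= required_score


# Constructed samples, not real mail.  SPAM copies the spammer's style
# quoted in the thread; HAM uses the same words spelled normally.
SPAM = """If you wish to stop future mailings, or if you fee| you have been
wrongful|y p|aced in our membership, p|ease go here or send a blank
e mail with No Thanks in the subject to st0ck1007 @yahoo.com
This penny st0ck wi|l rally in a bu|l market; overa|l it is we|l worth a do|lar."""

HAM = """Quarterly update: the board will review all positions; overall we are
well placed and the dollar has been stable. Oil and gas revenue rose.
This message contains forward looking statements. Reply with No Thanks
to stop future mailings."""

if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("ham", HAM)):
        score, hits, is_spam = score_message(body)
        print(f"{label}: score={score} spam={is_spam} hits={hits}")
```

Run as-is, the spam sample scores 6.8 (six obfuscated words, so LOCAL_OBF_1 and LOCAL_OBF_4 both fire, plus the three body rules) and the ham sample only 0.6, from LOCAL_STOP_MAILINGS, because that rule has no lookahead and matches the honest spelling too. One caveat worth checking with `fired_obfuscation_rules` before deploying such a set: none of the posted sub-rules use `\b`, so a single "overa|l" fires both __LOCAL_OBF_OVERALL and __LOCAL_OBF_ALL, and the meta count overstates the number of distinct obfuscated words. Anchoring the shorter patterns with `\b` fixes that at the cost of missing obfuscation glued to punctuation.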