Re: Rule for PDF and eCard Spam Needed

2007-08-18 Thread Bill Randle
On Sat, 2007-08-18 at 19:26 -0700, Jo Rhett wrote:
> Loren Wilton wrote:
> > From: "Jo Rhett" <[EMAIL PROTECTED]>
> > 
> >> So the only thing which is actually working to catch these is bayes 
> >> and bayes-based systems.  Not rules, and not AV.
> > 
> > Is that a statement about your own system?  MANY people have responded 
> > that quite a number of other things like pdfinfo and clamav and various 
> > rules are working just fine for them.  So your statement would seem to 
> > be about your own system, rather than the ability in general to stop 
> > these things.
> 
> The comment was in response to the quoted text above it.
> 
> I have asked which alternate signatures, and everyone keeps popping up 
> saying stock clamav, which has no signatures for ecards.

The alternate signatures from Sane Security seem to be catching most of them
for me.

-Bill




Re: Rule for PDF and eCard Spam Needed

2007-08-18 Thread Jo Rhett

Loren Wilton wrote:
> From: "Jo Rhett" <[EMAIL PROTECTED]>
> 
> > So the only thing which is actually working to catch these is bayes 
> > and bayes-based systems.  Not rules, and not AV.
> 
> Is that a statement about your own system?  MANY people have responded 
> that quite a number of other things like pdfinfo and clamav and various 
> rules are working just fine for them.  So your statement would seem to 
> be about your own system, rather than the ability in general to stop 
> these things.

The comment was in response to the quoted text above it.

I have asked which alternate signatures, and everyone keeps popping up 
saying stock clamav, which has no signatures for ecards.


Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread John D. Hardin
On Thu, 16 Aug 2007, Jo Rhett wrote:

> So the only thing which is actually working to catch these is
> bayes and bayes-based systems.  Not rules, and not AV.

The postcard spams? Modulo the fact that they are a whack-a-mole
solution, the Subject rules I maintain are apparently quite effective
in concert with Bayes.

  http://www.impsec.org/~jhardin/antispam/

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Men by their constitutions are naturally divided in to two parties:
  1. Those who fear and distrust the people and wish to draw all
  powers from them into the hands of the higher classes. 2. Those who
  identify themselves with the people, have confidence in them,
  cherish and consider them as the most honest and safe, although not
  the most wise, depository of the public interests.
  -- Thomas Jefferson
---
 9 days until The 1928th anniversary of the destruction of Pompeii



Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Loren Wilton

From: "Jo Rhett" <[EMAIL PROTECTED]>

So the only thing which is actually working to catch these is bayes and 
bayes-based systems.  Not rules, and not AV.


Is that a statement about your own system?  MANY people have responded that 
quite a number of other things like pdfinfo and clamav and various rules are 
working just fine for them.  So youur statement would seem to be about your 
own system, rather than the ability in general to stop these things.


   Loren




Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Jo Rhett
So the only thing which is actually working to catch these is bayes and 
bayes-based systems.  Not rules, and not AV.


Martin.Hepworth wrote:
> Ecard spams get scored as follows.
> 
> 5.40 BAYES_99                  Bayesian spam probability is 99 to 100%
> 4.00 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.77 DIGEST_MULTIPLE           Message hits more than one network digest check
> 0.90 HOST_EQ_RO
> 4.00 NORMAL_HTTP_TO_IP         Uses a dotted-decimal IP address in URL
> 0.96 NO_REAL_NAME              From: does not include a real name
> 0.50 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> 0.50 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
> 
> Similar for postcard.exe's (which also trigger my AV).
> 
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> > -Original Message-
> > From: Jo Rhett [mailto:[EMAIL PROTECTED]
> > Sent: 15 August 2007 23:46
> > To: Arthur Dent
> > Cc: users@spamassassin.apache.org
> > Subject: Re: Rule for PDF and eCard Spam Needed
> >
> > On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
> > > I am only a home user, but I have found that bog-standard clamAV
> > > (updated with freshclam) has caught all but one of the greeting
> > > card scams:
> >
> > I'm using stock clamav with freshclam, and getting 10-12 an hour in
> > each mailbox.  So no, stock clamav does not catch these.
> >
> > --
> > Jo Rhett
> > Net Consonance : consonant endings by net philanthropy, open source
> > and other randomness
> 
> **
> Confidentiality : This e-mail and any attachments are intended for the 
> addressee only and may be confidential. If they come to you in error 
> you must take no action based on them, nor must you copy or show them 
> to anyone. Please advise the sender by replying to this e-mail 
> immediately and then delete the original from your computer.
> Opinion : Any opinions expressed in this e-mail are entirely those of 
> the author and unless specifically stated to the contrary, are not 
> necessarily those of the author's employer.
> Security Warning : Internet e-mail is not necessarily a secure 
> communications medium and can be subject to data corruption. We advise 
> that you consider this fact when e-mailing us. 
> Viruses : We have taken steps to ensure that this e-mail and any 
> attachments are free from known viruses but in keeping with good 
> computing practice, you should ensure that they are virus free.
> 
> Red Lion 49 Ltd T/A Solid State Logic
> Registered as a limited company in England and Wales 
> (Company No:5362730)
> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
> United Kingdom
> **




--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread John D. Hardin
On Thu, 16 Aug 2007, Joe Zitnik wrote:

> I've been looking at the rule, and POSTCARD_02 and POSTCARD_03
> along with DQ_URI_ONLY_ARGS have no associated score line.  Is this
> an intentional omission?

Yes. That uses the default score of 1.0

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I would buy a Mac today if I was not working at Microsoft.
  -- James Allchin, Microsoft VP of Platforms
---
 9 days until The 1928th anniversary of the destruction of Pompeii



Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Joe Zitnik
>>> On 8/14/2007 at 6:31 PM, "John D. Hardin" <[EMAIL PROTECTED]> wrote:
> On Tue, 14 Aug 2007, Diego Pomatta wrote:
> 
> > and this ruleset for postcards&ecards  -> 
> > http://www.impsec.org/~jhardin/antispam/postcards.cf 
> 
> We're starting to get into whack-a-mole territory with the postcard 
> spams. There will be another update out tonight.
> 
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   ...every time I sit down in front of a Windows machine I feel as
>   if the computer is just a place for the manufacturers to put their
>   advertising.                          -- fwadling on Y! SCOX
> --
>  Tomorrow: The 62nd anniversary of the end of World War II

John,
I've been looking at the rule, and POSTCARD_02 and POSTCARD_03 along
with DQ_URI_ONLY_ARGS have no associated score line.  Is this an
intentional omission?


Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Justin Mason

Jo Rhett writes:
> On Aug 15, 2007, at 2:26 AM, Justin Mason wrote:
> > We only do this with rules that people give us permission to use.
> > We can't take third-party rules without their developers'  
> > permission; on
> > top of this, many of the rulesets don't use a compatible license,  
> > or the
> > developers don't want them in SpamAssassin.
> 
> Thanks for that informative answer.  So the right way to get this  
> fixed is to ask the rule developer to provide them with a compatible  
> (or no) license?  In bugzilla or where do you want them?

Yep -- licensed under SpamAssassin's license (AL2.0), in bugzilla, as
attachments.


Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Kai Schaetzl

Robert - elists wrote on Wed, 15 Aug 2007 18:12:28 -0700:

> consider helping Jo ?

I think Jo could help himself quite well if he wanted to.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





RE: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Martin.Hepworth

Ecard spams get scored as follows.

5.40 BAYES_99                  Bayesian spam probability is 99 to 100%
4.00 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77 DIGEST_MULTIPLE           Message hits more than one network digest check
0.90 HOST_EQ_RO
4.00 NORMAL_HTTP_TO_IP         Uses a dotted-decimal IP address in URL
0.96 NO_REAL_NAME              From: does not include a real name
0.50 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
0.50 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)

Similar for postcard.exe's (which also trigger my AV).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Jo Rhett [mailto:[EMAIL PROTECTED]
> Sent: 15 August 2007 23:46
> To: Arthur Dent
> Cc: users@spamassassin.apache.org
> Subject: Re: Rule for PDF and eCard Spam Needed
>
> On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
> > I am only a home user, but I have found that bog-standard clamAV
> > (updated with freshclam) has caught all but one of the greeting
> > card scams:
>
> I'm using stock clamav with freshclam, and getting 10-12 an hour in
> each mailbox.  So no, stock clamav does not catch these.
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source
> and other randomness
>





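As an added illustration of the scoring mechanics in this thread (the rule-hit listing above, where individual rule scores add up past the spam threshold, and John Hardin's earlier note that a rule with no score line gets the default 1.0), here is a small Python model of SpamAssassin-style header, uri and meta rules. This is example code written for this page, not code from SpamAssassin, postcards.cf or any other ruleset mentioned; the rule file, regexes and sample messages are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed, miniature SpamAssassin-style rule file for this example; it is
# not postcards.cf or any project ruleset. POSTCARD_FROM deliberately has no
# "score" line, so it falls back to the 1.0 default discussed in the thread.
RULES_CF = r"""
header  POSTCARD_SUBJ   Subject =~ /received an? (?:post|e-?|greeting )card from/i
score   POSTCARD_SUBJ   2.5
header  POSTCARD_FROM   From =~ /card\b/i
# URL whose host is a dotted-decimal IP (the NORMAL_HTTP_TO_IP idea)
uri     HTTP_TO_IP      /^https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?:[:\/]|$)/i
score   HTTP_TO_IP      4.0
# meta rule: fires only when both of the above hit
meta    POSTCARD_IP_URL (POSTCARD_SUBJ && HTTP_TO_IP)
score   POSTCARD_IP_URL 2.0
"""

DEFAULT_SCORE = 1.0    # assigned when a rule has no score line
REQUIRED_SCORE = 5.0   # SpamAssassin's stock spam threshold
_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
_URL_RE = re.compile(r"""https?://[^\s<>"']+""")
_NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*")

@dataclass
class Message:
    headers: dict   # header name -> value
    body: str

def _compile(literal):
    """Turn a /pattern/flags literal into a compiled Python regex."""
    m = re.fullmatch(r"/(.*)/([imsx]*)", literal.strip())
    if not m:
        raise ValueError(f"unsupported regex literal: {literal!r}")
    flags = 0
    for ch in m.group(2):
        flags |= _FLAGS[ch]
    return re.compile(m.group(1), flags)

def parse_rules(text):
    """Parse header/uri/meta/score lines into (rules, scores)."""
    rules, scores = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "score":
            scores[name] = float(rest)
        elif kind == "header":
            hdr, literal = rest.split("=~", 1)
            rules.append({"type": kind, "name": name, "header": hdr.strip(),
                          "re": _compile(literal)})
        elif kind == "uri":
            rules.append({"type": kind, "name": name, "re": _compile(rest)})
        elif kind == "meta":
            rules.append({"type": kind, "name": name, "expr": rest})
        else:
            raise ValueError(f"unknown rule type {kind!r}")
    return rules, scores

def _meta_hits(expr, hits):
    # Replace rule names with booleans and Perl operators with Python ones,
    # then evaluate with no builtins. Simplification: metas are evaluated in
    # file order, so a meta may only reference rules defined above it.
    py = _NAME_RE.sub(lambda m: "True" if m.group() in hits else "False", expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return bool(eval(py, {"__builtins__": {}}, {}))

def scan(msg, rules_text=RULES_CF, threshold=REQUIRED_SCORE):
    """Return {"hits": {rule: score}, "score": total, "is_spam": bool}."""
    rules, scores = parse_rules(rules_text)
    hits, urls = {}, _URL_RE.findall(msg.body)
    for r in rules:
        if r["type"] == "header":
            matched = r["re"].search(msg.headers.get(r["header"], "")) is not None
        elif r["type"] == "uri":
            matched = any(r["re"].search(u) for u in urls)
        else:  # meta, evaluated in file order
            matched = _meta_hits(r["expr"], hits)
        if matched:
            hits[r["name"]] = scores.get(r["name"], DEFAULT_SCORE)
    total = round(sum(hits.values()), 2)
    return {"hits": hits, "score": total, "is_spam": total >= threshold}

# Constructed sample messages (not real mail from the thread).
ECARD = Message({"Subject": "You've received a postcard from a Colleague!",
                 "From": "postcard@example.com"},
                "Hello friend! Your card is waiting at http://192.0.2.10/ecard.exe\n")
HAM = Message({"Subject": "Minutes from Thursday's meeting",
               "From": "Alice Example <alice@example.com>"},
              "Notes are at http://intranet.example.com/minutes/2007-08-16\n")

if __name__ == "__main__":
    for label, msg in (("ecard", ECARD), ("ham", HAM)):
        result = scan(msg)
        print(f"{label}: score={result['score']} spam={result['is_spam']}")
        for name, score in result["hits"].items():
            print(f"  {score:4.1f} {name}")
```

The ecard sample totals 9.5 (2.5 + 1.0 default + 4.0 + 2.0 meta) and the ham sample 0.0, which is the additive behaviour behind listings like the one above.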



Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett

Kai Schaetzl wrote:
> Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700:
> 
> > The SA-team has an environment designed to do this, I don't.  Nor do  
> > most people on this list.
> 
> Sigh, I give up.


I find it vastly amusing that when there is real work to do (ie fix a 
broken rule) the list grows very silent.   But when there is an 
opportunity to be rude to someone, people just can't wait to do so.


Priorities are a bit off, wouldn't you think?

--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


RE: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Robert - elists
> 
> I'm using stock clamav with freshclam, and getting 10-12 an hour in
> each mailbox.  So no, stock clamav does not catch these.
> 
> --
> Jo Rhett

Hmm interesting

I was telling the same thing recently on this same thread.

YES, they do catch and quarantine them all them rotten buggers.

When I do my clamav, I roll my own rpm and use a spec file from crash-hat

http://crash.fce.vutbr.cz/crash-hat/5/clamav/

I used to just use his and re-roll yet I do not have time to wait when there
are clamav updates.

He (petr) does it differently than DAG as near as I can tell.

Maybe you can have time and can check out the particulars and if it will
help you.

I know we do not actively go snag the clamav extra sigs

Ummm, here is how we originally used to roll our own from someone else's...

http://qmail.jms1.net/clamav/rpm.shtml

again, now I just snag source and mod the .spec etc and do it that way...

 - rh



RE: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Robert - elists
> 
> Sigh, I give up.
> 
> Kai
> 

Give up what? 

Trying to run destructive interference or consider helping Jo ?

:-)

 - rh
 




Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Kai Schaetzl
Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700:

> The SA-team has an environment designed to do this, I don't.  Nor do  
> most people on this list.

Sigh, I give up.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett

On Aug 15, 2007, at 2:26 AM, Justin Mason wrote:
> We only do this with rules that people give us permission to use.
> We can't take third-party rules without their developers' permission; on
> top of this, many of the rulesets don't use a compatible license, or the
> developers don't want them in SpamAssassin.


Thanks for that informative answer.  So the right way to get this  
fixed is to ask the rule developer to provide them with a compatible  
(or no) license?  In bugzilla or where do you want them?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett

On Aug 15, 2007, at 3:31 AM, Kai Schaetzl wrote:
> I can just tell you what *I* would do.
> 
> - test the rules
> - test the rules
> - test the rules
> - gather statistics about hits, FPs and FNs


The SA-team has an environment designed to do this, I don't.  Nor do  
most people on this list.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett

On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
> I am only a home user, but I have found that bog-standard clamAV  
> (updated with freshclam) has caught all but one of the greeting  
> card scams:

I'm using stock clamav with freshclam, and getting 10-12 an hour in  
each mailbox.  So no, stock clamav does not catch these.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Justin Mason

Kai Schaetzl writes:
> Jo Rhett wrote on Tue, 14 Aug 2007 17:42:02 -0700:
> 
> > People refer to rulesets they've created.  I am not an SA committer,  
> > so I can't run these through their test environment and then commit  
> > them to the tree.  So I'm asking someone who is if they'd be willing  
> > to do this.
> 
> I can just tell you what *I* would do.
> 
> - test the rules
> - test the rules
> - test the rules
> - gather statistics about hits, FPs and FNs
> - ask the author of the rule to submit as a feature request or whatever 
> else is available for stuff like this on the bugzilla.
> 
> But maybe that's the wrong way.

No, that's right... and that's what we've been doing (although maybe we
need to refresh the request). so:

If any of the rule authors *are* interested in getting their rules tested
for inclusion in the official ruleset -- please submit them as an
attachment on bugzilla, and we'll test them out, and hopefully add them.

--j.


Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Justin Mason

Jo Rhett writes:
> 
> On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote:
> >> What can be done to get these tested and included in the main  
> >> ruleset?
> >
> > What is "these"? I don't see that you offered any rules catching that
> > stuff. So, what do you want the developers or anyone to test?
> 
> People refer to rulesets they've created.  I am not an SA committer,  
> so I can't run these through their test environment and then commit  
> them to the tree.  So I'm asking someone who is if they'd be willing  
> to do this.

We only do this with rules that people give us permission to use.
We can't take third-party rules without their developers' permission; on
top of this, many of the rulesets don't use a compatible license, or the
developers don't want them in SpamAssassin.

--j.


Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Kai Schaetzl
Jo Rhett wrote on Tue, 14 Aug 2007 17:42:02 -0700:

> People refer to rulesets they've created.  I am not an SA committer,  
> so I can't run these through their test environment and then commit  
> them to the tree.  So I'm asking someone who is if they'd be willing  
> to do this.

I can just tell you what *I* would do.

- test the rules
- test the rules
- test the rules
- gather statistics about hits, FPs and FNs
- ask the author of the rule to submit as a feature request or whatever 
else is available for stuff like this on the bugzilla.

But maybe that's the wrong way.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Arthur Dent
On Tue, Aug 14, 2007 at 07:53:56PM -0700, Robert - elists wrote:
> 
> > Apparently with alternate virus files, which I had not yet tested.
> > Someone mentioned that earlier today and I'm investigating it.
> > 
> > --
> > Jo Rhett
> 
> Jo
> 
> I don't use alternative files that I am aware of anyways... just stock
> clamav
> 

Me too

I am only a home user, but I have found that bog-standard clamAV (updated with 
freshclam) has caught all but one of the greeting card scams:
Subject: You've received a postcard from a Colleague!
X-Virus-Status: Yes
X-Virus-Report: Email.Phishing.RB-1223 FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 
0.91.1/3848/Thu Aug  2 21:22:06 2007

I use clamav via procmail *before* SA and any positives identified by clamav 
get whisked off into a quarantine folder so I don't know whether SA would have 
caught them or not.

...just my £0.02...

Best Regards

AD





Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett

Robert - elists wrote:
> I don't use alternative files that I am aware of anyways... just stock
> clamav

the ecard stuff is not the normal clamav virus databases.

> And... I hear ya, yet clamav  plugin *integration* into SA scores as I
> understand it, where stock clamav quarantines

We use amavis which integrates them cleanly.

> Therefore you can score high and smtp reject as opposed to just quarantine
> and some other email event for admin or rcpt person(s)...

We never quarantine.  Reject or tag and pass through depending on the 
user's settings.  Quarantine requires someone to go clean it up, etc.


--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


RE: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Robert - elists

> 
> Apparently with alternate virus files, which I had not yet tested.
> Someone mentioned that earlier today and I'm investigating it.
> 
> --
> Jo Rhett

Jo

I don't use alternative files that I am aware of anyways... just stock
clamav

And... I hear ya, yet clamav  plugin *integration* into SA scores as I
understand it, where stock clamav quarantines

http://wiki.apache.org/spamassassin/ClamAVPlugin

I haven't figured it out yet as there appears to be some good and bad
experiences and differing outlooks on this solution

Therefore you can score high and smtp reject as opposed to just quarantine
and some other email event for admin or rcpt person(s)...

Maybe I am wrong...

Just food for thought.

 - rh



Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett


On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote:
> > What can be done to get these tested and included in the main  
> > ruleset?
> 
> What is "these"? I don't see that you offered any rules catching that
> stuff. So, what do you want the developers or anyone to test?

People refer to rulesets they've created.  I am not an SA committer,  
so I can't run these through their test environment and then commit  
them to the tree.  So I'm asking someone who is if they'd be willing  
to do this.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett

On Aug 14, 2007, at 2:22 PM, Robert - elists wrote:
> You might consider the clamav integration into SA, as clamav is  
> catching all the ecard ones

Apparently with alternate virus files, which I had not yet tested.   
Someone mentioned that earlier today and I'm investigating it.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John D. Hardin
On Tue, 14 Aug 2007, Diego Pomatta wrote:

> and this ruleset for postcards&ecards  -> 
> http://www.impsec.org/~jhardin/antispam/postcards.cf 

We're starting to get into whack-a-mole territory with the postcard 
spams. There will be another update out tonight.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.                          -- fwadling on Y! SCOX
--
 Tomorrow: The 62nd anniversary of the end of World War II



Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Kai Schaetzl
Jo Rhett wrote on Tue, 14 Aug 2007 13:27:20 -0700:

> Well first I don't think many of us want to waste CPU cycles trying  
> to analyze the contents of PDF files.

Right, and not only of PDFs. That's why "many of us" reject this stuff 
already at MTA for technical reasons and thus rarely see this stuff. 
Problem solved. Without complaining.
But if you don't want to detect with SA you *have* to analyze the PDF as 
the spammy content is in the PDF and not elsewhere. You cannot rely on 
some signs in the mail itself as they may easily change from day to day.

> What can be done to get these tested and included in the main ruleset?

What is "these"? I don't see that you offered any rules catching that 
stuff. So, what do you want the developers or anyone to test?


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





RE: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Robert - elists
> 
> Just to make it clear what I and others keep saying on this topic:
> I'm using 4 different systems that have various 3.x versions of
> spamassassin, all of which use sa-update, and none of which are doing
> an adequate job of catching gif, pdf or ecard spam.  It's upwards of
> 20 an hour on several systems.
> 
> I think that rules which did a better job on these messages would be
> greatly appreciated.
> 
> See my other post about the PDF not matching, with an example spam
> included.
> 
> --
> Jo Rhett

Jo,

Dunno if this is the best option...

And food for thought only...

You might consider the clamav integration into SA, as clamav is catching all
the ecard ones

 - rh



Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett

On Aug 14, 2007, at 12:42 PM, Diego Pomatta wrote:
> Jo Rhett wrote:
> > I think that rules which did a better job on these messages would  
> > be greatly appreciated.
> 
> I use PDFinfo plugin from http://rulesemporium.com/plugins.htm

Well first I don't think many of us want to waste CPU cycles trying  
to analyze the contents of PDF files.  Very rarely am I sent PDF  
files, and those would be handled by other rules.  Frankly I could  
just add 3 points for PDF or GIF attachments.

That said, it doesn't work for all people.

> and this ruleset for postcards&ecards  -> 
> http://www.impsec.org/~jhardin/antispam/postcards.cf 
> 
> which I customised a bit myself,
> and they are catching like 98% of all pdf and greeting cards spam,  
> if not more. Haven't really done the math, but that kind of spam  
> was a real pain in the butt, and now I'd almost forgotten about it. :p

And again, your message proves that the supplied SA rules aren't  
catching these messages.

What can be done to get these tested and included in the main ruleset?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Diego Pomatta
Interesting Tech Republic article, "Putting a stop to PDF spam", which 
mentions the pdfinfo plugin for SA.


Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Diego Pomatta

Jo Rhett wrote:
> On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:
> > PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has 
> > also published a number of rules that catch them, I believe.  You can 
> > get them from one of the standard SA update channels.
> > I suppose we ought to publish some SARE rules for the greeting cards, 
> > although our experience is they tend to get caught pretty well 
> > without help. Apparently though others need more help :-)
> 
> Just to make it clear what I and others keep saying on this topic: I'm 
> using 4 different systems that have various 3.x versions of 
> spamassassin, all of which use sa-update, and none of which are doing 
> an adequate job of catching gif, pdf or ecard spam.  It's upwards of 
> 20 an hour on several systems.
> 
> I think that rules which did a better job on these messages would be 
> greatly appreciated.

I use PDFinfo plugin from http://rulesemporium.com/plugins.htm

and this ruleset for postcards&ecards  -> 
http://www.impsec.org/~jhardin/antispam/postcards.cf 

which I customised a bit myself,

and they are catching like 98% of all pdf and greeting cards spam, if 
not more. Haven't really done the math, but that kind of spam was a real 
pain in the butt, and now I'd almost forgotten about it. :p


/Regards


Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John Rudd

Jo Rhett wrote:
> On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:
> > PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has also 
> > published a number of rules that catch them, I believe.  You can get 
> > them from one of the standard SA update channels.
> > I suppose we ought to publish some SARE rules for the greeting cards, 
> > although our experience is they tend to get caught pretty well without 
> > help. Apparently though others need more help :-)
> 
> Just to make it clear what I and others keep saying on this topic: I'm 
> using 4 different systems that have various 3.x versions of 
> spamassassin, all of which use sa-update, and none of which are doing an 
> adequate job of catching gif, pdf or ecard spam.  It's upwards of 20 an 
> hour on several systems.
> 
> I think that rules which did a better job on these messages would be 
> greatly appreciated.
> 
> See my other post about the PDF not matching, with an example spam 
> included.

Have you tried BOTNET?

Have you tried clamav with sanesecurity?



Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett

On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:
> PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has  
> also published a number of rules that catch them, I believe.  You  
> can get them from one of the standard SA update channels.
> I suppose we ought to publish some SARE rules for the greeting  
> cards, although our experience is they tend to get caught pretty  
> well without help. Apparently though others need more help :-)


Just to make it clear what I and others keep saying on this topic:  
I'm using 4 different systems that have various 3.x versions of  
spamassassin, all of which use sa-update, and none of which are doing  
an adequate job of catching gif, pdf or ecard spam.  It's upwards of  
20 an hour on several systems.


I think that rules which did a better job on these messages would be  
greatly appreciated.


See my other post about the PDF not matching, with an example spam  
included.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John Rudd

Doc Schneider wrote:
> Loren Wilton wrote:
> > PDFinfo plugin from SARE helps a lot with the pdf mess.
> 
> I found that ClamAV catches most all those greeting card spamscam viruses.
> 
> But the PDFInfo from SARE works GREAT!



ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL 
signatures in addition to the main ClamAV signatures.  We went from 
rejecting a few thousand "viruses" a day with just the base ClamAV 
signatures, to rejecting high 10's of thousands of messages a day 
(mostly due to Sanesecurity).  No complaints about false positives yet.






Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Doc Schneider
Loren Wilton wrote:
> PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has also
> published a number of rules that catch them, I believe.  You can get
> them from one of the standard SA update channels.
> 
> I suppose we ought to publish some SARE rules for the greeting cards,
> although our experience is they tend to get caught pretty well without
> help. Apparently though others need more help :-)
> 
> There have been 3-4 rules in various emails about these things over the
> last week or two.  Scan back in the archives of the list for greeting
> cards and you will probably find some good rules.
> 
>Loren
> 

I found that ClamAV catches most all those greeting card spamscam viruses.

But the PDFInfo from SARE works GREAT!

--

 -Doc

 Penguins: Do it on the ice.
   8:44am  up 4 days, 16:55, 17 users,  load average: 0.18, 0.30, 0.37

 SARE HQ  http://www.rulesemporium.com/


Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Loren Wilton
PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has also 
published a number of rules that catch them, I believe.  You can get them 
from one of the standard SA update channels.


I suppose we ought to publish some SARE rules for the greeting cards, 
although our experience is they tend to get caught pretty well without help. 
Apparently though others need more help :-)


There have been 3-4 rules in various emails about these things over the last 
week or two.  Scan back in the archives of the list for greeting cards and 
you will probably find some good rules.


   Loren