Re: blogspot spam

2008-03-21 Thread Arvid Ephraim Picciani
On Friday 21 March 2008 04:27:05 Loren Wilton wrote:
> body SOFTWARE_AD
> /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
>
> You probably want to adjust this a little bit.  There are a few things here
> that make me think you aren't getting quite what you expect.
>
> 1. Remove that first vertical bar.  It serves no purpose.
right. i removed that right after i sent it to the ML ;)
> 2. You probably do not want \b between the words.  This is a word-break
> zero length character.  You almost certainly don't want a zero-length
> character, you want a space or something like that.
yeah just didn't figure out how
> So the rule should probably look more like:
>
> body SOFTWARE_AD
> /(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh|\bOriginalversionen\b.{0,100}\blegal\b)/i
>
> Loren

awesome. thanks a lot

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-20 Thread Benny Pedersen

On Wed, March 19, 2008 13:21, James E. Pratt wrote:
> http://pastebin.com/m8520d64
> http://pastebin.com/m159c02de

http://www.gossamer-threads.com/lists/spamassassin/users/90664

Botnet plugin hits them nicely



Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: blogspot spam

2008-03-20 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 21:37:27 Loren Wilton wrote:
> This is just off the top of my head, and needs linting and maybe tweaking
> the scores.
>
> uri BAD_BLOGSPOT m'http://[a-z]+\d+\.blogspot\.com'i
> score BAD_BLOGSPOT 1
>
> body __SOFTWARES /(?:product|software|softs|opportunity|oem|best prices|low prices|discount|cheap)/i
>
> meta BLOG_SOFTWARE BAD_BLOGSPOT && __SOFTWARES
> score BLOG_SOFTWARE 3.5
>
> Mind the wrap!
yes!  thanks a lot. based on that wrap i figured i could glue it with uri grey  
(yes uribl is listing geocities in grey now)

body SOFTWARE_AD /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
score SOFTWARE_AD 0.5
describe SOFTWARE_AD advertising software

meta SOFT_AND_URIGREY URIBL_GREY && SOFTWARE_AD
score SOFT_AND_URIGREY 3.0
describe SOFT_AND_URIGREY contains both an url in the URIBL greylist and software advertisement

that helps a lot. 

Content analysis details:   (10.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 SOFTWARE_AD            BODY: advertising software
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [79.6.185.72 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [79.6.185.72 listed in zen.spamhaus.org]
 0.8 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.6.185.72 listed in zen.spamhaus.org]
 1.0 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: geocities.com]
 3.0 SOFT_AND_URIGREY       contains both an url in the URIBL greylist and
                            software advertisement

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-20 Thread Loren Wilton
> body SOFTWARE_AD
> /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i


You probably want to adjust this a little bit.  There are a few things here 
that make me think you aren't getting quite what you expect.


1. Remove that first vertical bar.  It serves no purpose.
2. You probably do not want \b between the words.  This is a word-break
zero length character.  You almost certainly don't want a zero-length
character, you want a space or something like that.


So the rule should probably look more like:

body SOFTWARE_AD 
/(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh|\bOriginalversionen\b.{0,100}\blegal\b)/i


   Loren
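The two defects Loren points out can be checked directly. This is an added Python check, not code from the thread: it runs Arvid's pattern as posted, the same pattern with only the leading bar removed, and Loren's corrected pattern over constructed sample paragraphs (Python's re treats `\b`, `\s+`, `.{0,50}` and the empty alternative exactly as Perl does here).

```python
import re

# Arvid's rule as posted: an empty first alternative and \b between words.
POSTED = (r"(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh"
          r"|\bOriginalversionen\b.*\blegal\b)")
# Same pattern with only the leading bar removed (Loren's point 1).
BAR_REMOVED = POSTED.replace("(?:|", "(?:", 1)
# Loren's corrected form: \s+ between words and bounded gaps (point 2).
FIXED = (r"(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh"
         r"|\bOriginalversionen\b.{0,100}\blegal\b)")

RULES = {"posted": POSTED, "bar_removed": BAR_REMOVED, "fixed": FIXED}

def evaluate(text):
    """Report which variant fires on one body paragraph (SA's /.../i ~ re.IGNORECASE)."""
    return {name: re.search(pat, text, re.IGNORECASE) is not None
            for name, pat in RULES.items()}

# Constructed sample paragraphs, not taken from the thread's pastebin samples.
SAMPLES = {
    "ham":       "Hi, see you at the meeting tomorrow.",      # plain text, no ad
    "mac_ad":    "Laeuft unter Windows und mit Macintosh.",   # spaces, not \b
    "pay_ad":    "Jetzt bezahlen und sofort runterladen!",    # short gap
    "far_apart": "Originalversionen " + "x" * 150 + " legal", # gap over 100 chars
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} {evaluate(text)}")
```

The empty alternative makes the posted rule fire on every message, including the ham sample, and `Windows\bund` can never match because a word boundary cannot sit between two letters.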




Re: blogspot spam

2008-03-19 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> Hi. I'm seeing lots of these get by:
>
> http://pastebin.com/m8520d64
>
> anyone have a rule for these?
>
> The last one I put up is at:
>
> http://pastebin.com/m159c02de
>
> Thanks,
>
> Jamie

yeah exactly my issue. the site is in uribl already but sa doesn't work with 
uribl and subdomains. see previous posts. 
SARE_OEM helps a little.

-- 
best regards
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-19 Thread Yet Another Ninja

On 3/19/2008 1:24 PM, Arvid Ephraim Picciani wrote:

> On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> > Hi. I'm seeing lots of these get by:
> >
> > http://pastebin.com/m8520d64
> >
> > anyone have a rule for these?
> >
> > The last one I put up is at:
> >
> > http://pastebin.com/m159c02de
> >
> > Thanks,
> >
> > Jamie
>
> yeah exactly my issue. the site is in uribl already but sa doesn't work with
> uribl and subdomains. see previous posts.
> SARE_OEM helps a little.




it does work!

if running SA 3.2.3 add to local.cf:

util_rb_2tld blogspot.com




RE: blogspot spam

2008-03-19 Thread Michael Hutchinson
> -----Original Message-----
> From: Yet Another Ninja [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 March 2008 1:48 a.m.
> To: Arvid Ephraim Picciani
> Cc: users@spamassassin.apache.org
> Subject: Re: blogspot spam
>
> On 3/19/2008 1:24 PM, Arvid Ephraim Picciani wrote:
> > On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> > > Hi. I'm seeing lots of these get by:
> > >
> > > http://pastebin.com/m8520d64
> > >
> > > anyone have a rule for these?
> > >
> > > The last one I put up is at:
> > >
> > > http://pastebin.com/m159c02de
> > >
> > > Thanks,
> > >
> > > Jamie
> >
> > yeah exactly my issue. the site is in uribl already but sa doesn't work
> > with uribl and subdomains. see previous posts.
> > SARE_OEM helps a little.
>
> it does work!
>
> if running SA 3.2.3 add to local.cf:
>
> util_rb_2tld blogspot.com
>

For those that don't run SA 3.2.3, you could test this rule:

uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
describe CST_URI_BLOGSPOT blogspot.com throwaway URI
score CST_URI_BLOGSPOT 3.4

A few people disagree with this, as it will score against legitimate
email for some domains. I created it for our site as we do not receive
newsletters with blogspot links, so we hose the emails with 3.4 points,
which is enough to push them over the 5.0 threshold, as they score on
other rules too.

Be warned, beware, don't use this unless you're really sure you don't
want blogspot links in emails. Customers might become annoyed.

(Ours haven't, though, and it's been a month).

Cheers,
Mike
 


RE: blogspot spam

2008-03-19 Thread Evan Platt

At 12:48 PM 3/19/2008, Michael Hutchinson wrote:


> For those that don't run SA 3.2.3, you could test this rule:
>
> uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> describe CST_URI_BLOGSPOT blogspot.com throwaway URI
> score CST_URI_BLOGSPOT 3.4
>
> A few people disagree with this, as it will score against legitimate
> email for some domains. I created it for our site as we do not receive
> newsletters with blogspot links, so we hose the emails with 3.4 points,
> which is enough to push them over the 5.0 threshold, as they score on
> other rules too.
>
> Be warned, beware, don't use this unless you're really sure you don't
> want blogspot links in emails. Customers might become annoyed.
>
> (Ours haven't, though, and it's been a month).


Blogspot is a spamhaven. I've been back and forth with their clueless 
abuse desk, and they've confirmed that basically if they shut down a 
blogspot site for spamming, there's nothing to prevent the spammer 
from creating the site again.


Oh, sure, it may say "This website has been disabled" - until the 
spammer recreates the site.


Kind of like throwing someone in jail, but not locking the cell, and 
then going home for the night.


Yes, I've got blogspot spams I've reported 2+ years ago.

Oldest one is 07/26/2005: http://1stpromotion.youknowtherest.com




Re: blogspot spam

2008-03-19 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 20:48:00 Michael Hutchinson wrote:
> For those that don't run SA 3.2.3, you could test this rule:
> uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> describe CST_URI_BLOGSPOT blogspot.com throwaway URI
> score CST_URI_BLOGSPOT 3.4

thanks Mike, does that match bloglinks like myblog.blogspot.com/myentryxy  ?
if not it might be fine for around 1.0 points imo. i have sare_oem on 3.0 
because our entire company runs linux, so we don't talk about windows 
software anyway :P
i'd prefer a working uribl though :(
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-19 Thread Loren Wilton

> http://pastebin.com/m8520d64
>
> http://pastebin.com/m159c02de



This is just off the top of my head, and needs linting and maybe tweaking 
the scores.


uri BAD_BLOGSPOT m'http://[a-z]+\d+\.blogspot\.com'i
score BAD_BLOGSPOT 1

body __SOFTWARES /(?:product|software|softs|opportunity|oem|best prices|low prices|discount|cheap)/i

meta BLOG_SOFTWARE BAD_BLOGSPOT && __SOFTWARES
score BLOG_SOFTWARE 3.5

Mind the wrap!

   Loren



RE: blogspot spam

2008-03-19 Thread Michael Hutchinson
> -----Original Message-----
> From: Arvid Ephraim Picciani [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 March 2008 9:04 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: blogspot spam
>
> On Wednesday 19 March 2008 20:48:00 Michael Hutchinson wrote:
> > For those that don't run SA 3.2.3, you could test this rule:
> > uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> > describe CST_URI_BLOGSPOT blogspot.com throwaway URI
> > score CST_URI_BLOGSPOT 3.4
>
> thanks Mike, does that match bloglinks like myblog.blogspot.com/myentryxy ?

Apparently, yes :) I have not seen any come through since I employed the
rule. I am sure you'd be able to modify the RegExp if required, making
it match, say up to 12 characters (of anything) past the / after .com

I'm pretty sure you won't need to do that. Employ it and score it at 0.01
to test it :)

> if not it might be fine for around 1.0 points imo. i have sare_oem on 3.0
> because our entire company runs linux, so we don't talk about windows
> software anyway :P
> i'd prefer a working uribl though :(

HEH, I've just gone thru and rescored a pile of URIBL stuff.. this
combined with our recent addition of pyzor has started to score spam
hard.

Cheers,
Mike
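Arvid's question (does the uri rule match a link with a path after the host?) and the difference between Mike's CST_URI_BLOGSPOT and Loren's BAD_BLOGSPOT can be checked against sample URIs. This is an added Python check, not code from the thread; WIDER_BLOGSPOT is my own variant (an assumption, not from any poster) that also accepts hyphenated subdomain labels, and URI_RE is a rough stand-in for SpamAssassin's own URI extraction.

```python
import re

# The two blogspot uri rules from the thread, with SA's m,..., and m'...'i
# delimiters dropped.  WIDER_BLOGSPOT is an added variant (assumption, not from
# the thread) that also accepts hyphens, which blogspot subdomains may contain.
URI_RULES = {
    "CST_URI_BLOGSPOT": re.compile(r"http://\w+\.blogspot\.com\b"),         # Mike
    "BAD_BLOGSPOT": re.compile(r"http://[a-z]+\d+\.blogspot\.com", re.I),   # Loren
    "WIDER_BLOGSPOT": re.compile(r"http://[a-z0-9-]+\.blogspot\.com\b", re.I),
}

# Rough stand-in for SA's URI extraction: bare http(s) links in a text body.
URI_RE = re.compile(r"https?://[^\s<>]+")

def uri_hits(uri):
    """Return the set of rule names whose pattern matches one URI."""
    return {name for name, pat in URI_RULES.items() if pat.search(uri)}

def scan_body(text):
    """Map every URI found in a message body to the rules it triggers."""
    return {uri: uri_hits(uri) for uri in URI_RE.findall(text)}

# Constructed sample body, not taken from the thread's pastebin samples.
SAMPLE_BODY = """\
Download here: http://myblog.blogspot.com/myentryxy
Mirror: http://abc123.blogspot.com/
Alt: http://my-blog.blogspot.com/
Home: http://blogspot.com/
"""

if __name__ == "__main__":
    for uri, hits in scan_body(SAMPLE_BODY).items():
        print(f"{uri:45s} {sorted(hits)}")
```

The first sample shows that Mike's rule does match a link with a path after the host (`\b` sits between `com` and `/`), while Loren's rule only fires on names that end in digits and both miss a hyphenated subdomain.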