Re: "Nice girl like to chat" spam
Savoy, Jim wrote:
> I think you need to change:
>
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this(?:afternoon|evening)|tonight)\./
>
> to:
>
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>
> (ie add a space after the word "this").

It probably got lost due to word wrap (I *did* warn about that in my original posting, didn't I?); the line is just over 100 characters long in my rule files.

-kgd
RE: "Nice girl like to chat" spam
ItsMikeE wrote:
> I have been running this rule for a day now, and am trapping
> the spams with rules 1 and 2.

I too just started running these rules, but noticed there were a lot more NICE_GIRL_02's than NICE_GIRL_01's being hit (about twice as many of the former). I think you need to change:

    body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this(?:afternoon|evening)|tonight)\./

to:

    body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./

(ie add a space after the word "this") to catch them all. NICE_GIRL_01 was only catching:

    Hello! I am bored today.
    Hello! I am bored tonight.
    Hello! I am tired today.
    Hello! I am tired tonight.

But none of the afternoon/evening variations.

- jim -
Re: "Nice girl like to chat" spam
On 18 Feb 2008, Jari Fredriksson told this:
> All it takes is a Unix/Linux user who does not know about smart hosts

Or who doesn't have one because it costs a lot extra and/or because the smarthost is unreliable (and, no, `just change ISP' doesn't work: in much of the world one ISP has a quasi-monopoly).

--
`The rest is a tale of post and counter-post.' --- Ian Rawlings describes USENET
Re: "Nice girl like to chat" spam
On 2/23/2008 4:35 AM, [EMAIL PROTECTED] wrote:
> Say, if we're all getting the same spam, isn't that what we're paying sa-update to catch? :-)

paying? who's charging you? what software/appliance/antispam device are you using?
Re: "Nice girl like to chat" spam
Say, if we're all getting the same spam, isn't that what we're paying sa-update to catch? :-)
Re: "Nice girl like to chat" spam
Joseph Brennan wrote:
> This has worked very well here. This is more specific to the sentence the "bored girl" always uses.
>
>     /Email me at [A-Za-z]{1,[EMAIL PROTECTED],25}\.info only/

I left my rule more non-specific because I saw a number of non-.info domains early on. I also figured there was little point in stuffing in all of the glop necessary to match an email address when the rest of the message was so stable.

-kgd
Re: "Nice girl like to chat" spam
This has worked very well here. This is more specific to the sentence the "bored girl" always uses.

    /Email me at [A-Za-z]{1,[EMAIL PROTECTED],25}\.info only/

Joseph Brennan
Columbia University Information Technology
Re: "Nice girl like to chat" spam
On 2008-02-18 17:26:57, ram wrote:
> you usually wait for the first mail and then block all mails containing
> the domain

I do this too and it works nicely... But sometimes I get the messages in too fast to put the new DOMAIN into the list, which now has over 780 lines/domains.

So I have written a small script which writes a logfile containing the serialtime and the domain found, to let another tool analyze it to remove domains which have not been used for one year.

Thanks, Greetings and nice Day

Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
Re: "Nice girl like to chat" spam
Randal, Phil wrote:
>     body NICE_GIRL_03 /Email me at .{,74} only, because I am writing not from my personal email\./
>
> Would do nicely. No need to be too clever here.
>
> Cheers,
> Phil

Apparently that won't work on all systems... (And that's why I ran into problems before..) On my SUSE system, I have to add the 0 as well, simply {,74} won't do, but {0,74} works just fine.

Anders.

> -Original Message-
> From: Kris Deugau [mailto:[EMAIL PROTECTED]
> Sent: 19 February 2008 21:16
> To: users@spamassassin.apache.org
> Subject: Re: "Nice girl like to chat" spam
>
> ItsMikeE wrote:
> > For some time now I have been getting spams that look like
> > "Hello! I am tired this evening. I am nice girl that would like to chat with
> > you. Email me at [EMAIL PROTECTED] only, because I am using my friend's email
> > to write this. To see my pics"
> >
> > They are still not being picked up, despite me passing them to be learnt for
> > the bayes DB.
> >
> > Has anyone written a rule to filter these out?
>
> I've actually been running this set of 5 rules on several of the ISP
> mail systems I've got my fingers in (watch for line wrap, sorry):
>
>     # "Nice girl" wants to send pics, but only if you email the address in the body
>     # start scoring at .5, see how that whacks'em.
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>     describe NICE_GIRL_01 Nice girls don't spam
>     score NICE_GIRL_01 0.8
>     body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
>     describe NICE_GIRL_02 Nice girls don't spam
>     score NICE_GIRL_02 0.8
>     body NICE_GIRL_03 /Email me at [^\s]{,74} only, because I am writing not from my personal email\./
>     describe NICE_GIRL_03 Nice girls don't spam
>     score NICE_GIRL_03 0.8
>     # not actually the same spam, but same class/type
>     body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
>     score NICE_GIRL_04 0.8
>     describe NICE_GIRL_04 Nice girls don't spam
>     body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
>     score NICE_GIRL_05 0.8
>     describe NICE_GIRL_05 Nice girls don't spam
>
> I've also bumped BAYES_99 to 4.8 (and IIRC bumped scores on BAYES_90 and
> BAYES_95 as well). For some reason I've been too lazy to bother
> tracking down, I usually only see two rules hitting on these messages -
> more than enough to push them over the stock threshold of 5 (I've found
> it better to tune rules and Bayes than fiddle with the threshold score).
>
> -kgd
RE: "Nice girl like to chat" spam
    body NICE_GIRL_03 /Email me at .{,74} only, because I am writing not from my personal email\./

Would do nicely. No need to be too clever here.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -Original Message-
> From: Kris Deugau [mailto:[EMAIL PROTECTED]
> Sent: 19 February 2008 21:16
> To: users@spamassassin.apache.org
> Subject: Re: "Nice girl like to chat" spam
>
> ItsMikeE wrote:
> > For some time now I have been getting spams that look like
> > "Hello! I am tired this evening. I am nice girl that would like to chat with
> > you. Email me at [EMAIL PROTECTED] only, because I am using my friend's email
> > to write this. To see my pics"
> >
> > They are still not being picked up, despite me passing them to be learnt for
> > the bayes DB.
> >
> > Has anyone written a rule to filter these out?
>
> I've actually been running this set of 5 rules on several of the ISP
> mail systems I've got my fingers in (watch for line wrap, sorry):
>
>     # "Nice girl" wants to send pics, but only if you email the address in the body
>     # start scoring at .5, see how that whacks'em.
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>     describe NICE_GIRL_01 Nice girls don't spam
>     score NICE_GIRL_01 0.8
>     body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
>     describe NICE_GIRL_02 Nice girls don't spam
>     score NICE_GIRL_02 0.8
>     body NICE_GIRL_03 /Email me at [^\s]{,74} only, because I am writing not from my personal email\./
>     describe NICE_GIRL_03 Nice girls don't spam
>     score NICE_GIRL_03 0.8
>     # not actually the same spam, but same class/type
>     body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
>     score NICE_GIRL_04 0.8
>     describe NICE_GIRL_04 Nice girls don't spam
>     body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
>     score NICE_GIRL_05 0.8
>     describe NICE_GIRL_05 Nice girls don't spam
>
> I've also bumped BAYES_99 to 4.8 (and IIRC bumped scores on BAYES_90 and
> BAYES_95 as well). For some reason I've been too lazy to bother
> tracking down, I usually only see two rules hitting on these messages -
> more than enough to push them over the stock threshold of 5 (I've found
> it better to tune rules and Bayes than fiddle with the threshold score).
>
> -kgd
Re: "Nice girl like to chat" spam
I have been running this rule for a day now, and am trapping the spams with rules 1 and 2. Curiously I have now started picking these up on Bayes as well.

Thanks for your help, and to everyone who responded.

Kris Deugau wrote:
>
>     # "Nice girl" wants to send pics, but only if you email the address in the body
>     # start scoring at .5, see how that whacks'em.
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>     describe NICE_GIRL_01 Nice girls don't spam
>     score NICE_GIRL_01 0.8
>     body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
>     describe NICE_GIRL_02 Nice girls don't spam
>     score NICE_GIRL_02 0.8
>     body NICE_GIRL_03 /Email me at [^\s]{,74} only, because I am writing not from my personal email\./
>     describe NICE_GIRL_03 Nice girls don't spam
>     score NICE_GIRL_03 0.8
>     # not actually the same spam, but same class/type
>     body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
>     score NICE_GIRL_04 0.8
>     describe NICE_GIRL_04 Nice girls don't spam
>     body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
>     score NICE_GIRL_05 0.8
>     describe NICE_GIRL_05 Nice girls don't spam
>
Re: "Nice girl like to chat" spam
Michael Hutchinson wrote:
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>
> Forgive my ignorance, but what does the question mark and colon do at the start of the brackets? I have (bored|tired) in my own rules, so how does (?:bored|tired) affect the outcome?

It doesn't, but it *does* avoid a bit of a speed penalty. See Bob Proulx's message for more detail.

-kgd
Re: "Nice girl like to chat" spam
Michael Hutchinson wrote:
> >     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>
> Forgive my ignorance, but what does the question mark and colon do at
> the start of the brackets? I have (bored|tired) in my own rules, so how
> does (?:bored|tired) affect the outcome?

Using (?: avoids creating backreferences. It should be slightly faster if the backreference is not used.

    (?:bored|tired)

Is the same as:

    (bored|tired)

But without creating \1 or $1 reference to it.

SpamAssassin is written in Perl and uses PCRE (Perl Compatible Regular Expressions). Those are not quite the same as standard Extended Regular Expressions. For a full description see the 'perlre' man page.

    man perlre

    "(?:pattern)"
    "(?imsx-imsx:pattern)"
        This is for clustering, not capturing; it groups subexpressions like "()", but doesn’t make backreferences as "()" does. So

            @fields = split(/\b(?:a|b|c)\b/)

        is like

            @fields = split(/\b(a|b|c)\b/)

        but doesn’t spit out extra fields. It’s also cheaper not to capture characters if you don’t need to.

        Any letters between "?" and ":" act as flags modifiers as with "(?imsx-imsx)". For example,

            /(?s-i:more.*than).*million/i

        is equivalent to the more verbose

            /(?:(?s-i)more.*than).*million/i

HTH,
Bob
RE: "Nice girl like to chat" spam
> I've actually been running this set of 5 rules on several of the ISP
> mail systems I've got my fingers in (watch for line wrap, sorry):
>
>     # "Nice girl" wants to send pics, but only if you email the address in the body
>     # start scoring at .5, see how that whacks'em.
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
>     describe NICE_GIRL_01 Nice girls don't spam
>     score NICE_GIRL_01 0.8
>     body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
>     describe NICE_GIRL_02 Nice girls don't spam
>     score NICE_GIRL_02 0.8
>     body NICE_GIRL_03 /Email me at [^\s]{,74} only, because I am writing not from my personal email\./
>     describe NICE_GIRL_03 Nice girls don't spam
>     score NICE_GIRL_03 0.8
>     # not actually the same spam, but same class/type
>     body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
>     score NICE_GIRL_04 0.8
>     describe NICE_GIRL_04 Nice girls don't spam
>     body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
>     score NICE_GIRL_05 0.8
>     describe NICE_GIRL_05 Nice girls don't spam
>
>     body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./

Forgive my ignorance, but what does the question mark and colon do at the start of the brackets? I have (bored|tired) in my own rules, so how does (?:bored|tired) affect the outcome?

Cheers,
Mike
Re: "Nice girl like to chat" spam
ItsMikeE wrote:
> For some time now I have been getting spams that look like
> "Hello! I am tired this evening. I am nice girl that would like to chat with
> you. Email me at [EMAIL PROTECTED] only, because I am using my friend's email
> to write this. To see my pics"
>
> They are still not being picked up, despite me passing them to be learnt for
> the bayes DB.
>
> Has anyone written a rule to filter these out?

I've actually been running this set of 5 rules on several of the ISP mail systems I've got my fingers in (watch for line wrap, sorry):

    # "Nice girl" wants to send pics, but only if you email the address in the body
    # start scoring at .5, see how that whacks'em.
    body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
    describe NICE_GIRL_01 Nice girls don't spam
    score NICE_GIRL_01 0.8
    body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
    describe NICE_GIRL_02 Nice girls don't spam
    score NICE_GIRL_02 0.8
    body NICE_GIRL_03 /Email me at [^\s]{,74} only, because I am writing not from my personal email\./
    describe NICE_GIRL_03 Nice girls don't spam
    score NICE_GIRL_03 0.8
    # not actually the same spam, but same class/type
    body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
    score NICE_GIRL_04 0.8
    describe NICE_GIRL_04 Nice girls don't spam
    body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
    score NICE_GIRL_05 0.8
    describe NICE_GIRL_05 Nice girls don't spam

I've also bumped BAYES_99 to 4.8 (and IIRC bumped scores on BAYES_90 and BAYES_95 as well). For some reason I've been too lazy to bother tracking down, I usually only see two rules hitting on these messages - more than enough to push them over the stock threshold of 5 (I've found it better to tune rules and Bayes than fiddle with the threshold score).

-kgd
{Spam?} RE: "Nice girl like to chat" spam
Unfortunately she changes the .info domain as often as she changes her knickers. :-p

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -Original Message-
> From: Michael Hutchinson [mailto:[EMAIL PROTECTED]
> Sent: 18 February 2008 20:10
> To: users@spamassassin.apache.org
> Subject: FW: "Nice girl like to chat" spam
>
> > -Original Message-
> > From: ItsMikeE [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 18 February 2008 11:33 p.m.
> > To: users@spamassassin.apache.org
> > Subject: "Nice girl like to chat" spam
> >
> > For some time now I have been getting spams that look like
> > "Hello! I am tired this evening. I am nice girl that would like to chat with
> > you. Email me at [EMAIL PROTECTED] only, because I am using my friend's email
> > to write this. To see my pics"
> >
> > They are still not being picked up, despite me passing them to be learnt for
> > the bayes DB.
> >
> > Has anyone written a rule to filter these out?
>
> Yes, I've got rules against that spam! They were sending us a ton of it
> so I wrote some local.cf rules:
>
>     body __NICEGIRL_SPAM_1 /Hello! I am (tired|bored) this afternoon/
>     body __NICEGIRL_SPAM_2 /I am nice girl that would like to chat with you/
>     body __NICEGIRL_SPAM_3 /[EMAIL PROTECTED]/
>     meta CST_NICEGRL_SPAM (((1.0* __NICEGIRL_SPAM_1) + (1.0* __NICEGIRL_SPAM_2) + (2 * __NICEGIRL_SPAM_3)) > 1)
>     score CST_NICEGRL_SPAM 7.0
>     describe CST_NICEGRL_SPAM Want-to-chat SPAM
>
> With this, the first two rules have to match for it to trigger, or the
> 3rd rule by itself can trigger it too (email link to TheHealCare.info).
>
> Works rather well, haven't seen any of that spam lately. Matching
> phrases works really well in SA but you have to watch out for the
> spammers that are onto changing the way words are spelt, and
> intentionally mis-spelling words to bypass rules, hence the
> (tired|bored) part may need to become (tireed|tired|bored) etc.
>
> Cheers,
> Mike
Re: "Nice girl like to chat" spam
Resolved. Cleared my sa-keys directory and re-imported them all.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- "--[ UxBoD ]--" <[EMAIL PROTECTED]> wrote:
> sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
> error: GPG validation failed!
> The update downloaded successfully, but it was not signed with a
> trusted GPG
> key. Instead, it was signed with the following keys:
>
> 6C6191E3
>
> I recall seeing this on the list a while ago. How do you fix it ?
>
> Regards,
Re: "Nice girl like to chat" spam
    sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
    error: GPG validation failed!
    The update downloaded successfully, but it was not signed with a trusted GPG
    key. Instead, it was signed with the following keys:

    6C6191E3

I recall seeing this on the list a while ago. How do you fix it ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- "Justin Mason" <[EMAIL PROTECTED]> wrote:
> Chris writes:
Re: "Nice girl like to chat" spam
Chris writes:
> On Monday 18 February 2008 6:29 am, ram wrote:
> > On Mon, 2008-02-18 at 06:14 -0600, Chris wrote:
> > > On Monday 18 February 2008 4:33 am, ItsMikeE wrote:
> > > > For some time now I have been getting spams that look like
> > > > "Hello! I am tired this evening. I am nice girl that would like to chat
> > > > with you. Email me at [EMAIL PROTECTED] only, because I am using my
> > > > friend's email to write this. To see my pics"
> > > >
> > > > They are still not being picked up, despite me passing them to be
> > > > learnt for the bayes DB.
> > > >
> > > > Has anyone written a rule to filter these out?

by the way, just to get back to this original topic -- my "sought.cf" ruleset has caught these nicely for months. It's very good for this kind of spam:

http://taint.org/2007/08/15/004348a.html

--j.
Re: "Nice girl like to chat" spam
On Monday 18 February 2008 6:29 am, ram wrote:
> On Mon, 2008-02-18 at 06:14 -0600, Chris wrote:
> > On Monday 18 February 2008 4:33 am, ItsMikeE wrote:
> > > For some time now I have been getting spams that look like
> > > "Hello! I am tired this evening. I am nice girl that would like to chat
> > > with you. Email me at [EMAIL PROTECTED] only, because I am using my
> > > friend's email to write this. To see my pics"
> > >
> > > They are still not being picked up, despite me passing them to be
> > > learnt for the bayes DB.
> > >
> > > Has anyone written a rule to filter these out?
> >
> > My box catches these with the below and this is what ClamAv tags it as:
> >
> > X-Spam-Virus: Yes (MSRBL-SPAM.NiceGirl.2697)
> >
> > Content analysis details: (37.5 points, 5.0 required)
> >
> > So even without running the ClamAv plug-in this would still get 27
> > points.
> >
> > HTH
> > Chris
>
> scoring BOTNET at 5.0 don't you get far too many FP's
> Besides how do you get clamav to score a plain text mail. Are you using
> the clam signatures for spam

Not at all, I've yet to get an FP because of Botnet. As far as ClamAv I'm using the plug-in with these signature files:

    honeynet.hdb
    mbl.db
    MSRBL-Images.hdb
    MSRBL-SPAM.ndb
    phish.ndb
    scam.ndb
    securiteinfo.hdb
    vx.hdb

--
Chris
KeyID 0xE372A7DA98E6705C
Re: "Nice girl like to chat" spam
> On Mon, 2008-02-18 at 06:14 -0600, Chris wrote:
>
> scoring BOTNET at 5.0 don't you get far too many FP's
> Besides how do you get clamav to score a plain text mail.
> Are you using the clam signatures for spam

Botnet "as is" is way dangerous for an ISP, but for personal defence it works fine. I have it at 4.0 and have got no false positives because of it.

All it takes is a Unix/Linux user who does not know about smart hosts to get tagged as an FP... but I do not know such. If some of my friends got tagged because of that, I would tell him about the dangers about having an own mail server w/o a smarthost... and then whitelist him.

But so far, no false positives. Botnet gets lots of spam and no false positives.

But then again, if I were an ISP I would set the score to .1 or something.
RE: "Nice girl like to chat" spam
This rule should be resistant to FPs:

    body HC_GIRL /\bnice girl that would like to chat.{1,16}Email me at \
    .{1,32}\.info.{1,120}\bpic(ture)?s\b/
    describe HC_GIRL Girl with pics scam
    score HC_GIRL 5

Mind the linebreak :-)

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 18 February 2008 16:35
> To: users@spamassassin.apache.org
> Subject: Re: "Nice girl like to chat" spam
>
> I just use in user_prefs
>     body J_GIRL /\bgirl.*\bpic(ture)?s\b/
>     score J_GIRL 5
RE: "Nice girl like to chat" spam
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 2008-02-18 11:35
> To: users@spamassassin.apache.org
> Subject: Re: "Nice girl like to chat" spam
>
> I just use in user_prefs
>     body J_GIRL /\bgirl.*\bpic(ture)?s\b/
>     score J_GIRL 5

While this rule will catch the spams you are looking for, IMHO the FP rate will be quite high. I would avoid using * and try to place boundaries in this rule. In short, no way I would use this on my system. Just my opinion.

Thanks,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com
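Added example (not part of any post in this thread): a small Python harness that runs rules from the thread against constructed sample bodies, showing both the word-wrapped NICE_GIRL_01 that Jim Savoy reported and the false-positive difference between J_GIRL and HC_GIRL. It assumes Python's re module behaves like Perl for these particular patterns; the rule name NICE_GIRL_01_WRAPPED, the sample text and the example.info address are made up for the illustration.

```python
import re

# Rules copied from the thread. NICE_GIRL_01_WRAPPED is a hypothetical name for
# the copy that lost the space after "this" to word wrap. NICE_GIRL_03 uses
# {0,74}, the spelling Anders reports working on his system.
RULES_CF = r"""
body NICE_GIRL_01_WRAPPED /Hello! I am (?:bored|tired) (?:today|this(?:afternoon|evening)|tonight)\./
body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
body NICE_GIRL_03 /Email me at [^\s]{0,74} only, because I am writing not from my personal email\./
body J_GIRL /\bgirl.*\bpic(ture)?s\b/
body HC_GIRL /\bnice girl that would like to chat.{1,16}Email me at .{1,32}\.info.{1,120}\bpic(ture)?s\b/
"""

BODY_RULE = re.compile(r"^body\s+(\S+)\s+/(.*)/\s*$")


def parse_rules(text):
    """Return {rule name: compiled regex} for every 'body NAME /re/' line."""
    rules = {}
    for line in text.splitlines():
        m = BODY_RULE.match(line.strip())
        if m:
            rules[m.group(1)] = re.compile(m.group(2))
    return rules


def hits(rules, body):
    """Sorted names of the rules that match a one-line rendered body."""
    return sorted(name for name, rx in rules.items() if rx.search(body))


def coverage(rules, name, bodies):
    """The bodies, out of the given list, that rule `name` matches."""
    return [b for b in bodies if rules[name].search(b)]


# Constructed samples: every opener the fixed NICE_GIRL_01 is meant to catch,
# followed by the wording ItsMikeE quoted (placeholder address).
TAIL = (" I am nice girl that would like to chat with you. Email me at "
        "someone@example.info only, because I am using my friend's email "
        "to write this. To see my pics")
OPENERS = [f"Hello! I am {mood} {when}."
           for mood in ("bored", "tired")
           for when in ("today", "this afternoon", "this evening", "tonight")]
SPAM = [opener + TAIL for opener in OPENERS]

# Constructed legitimate mail.
HAM = [
    "The girl scouts sold cookies on Saturday and I will send the pictures tomorrow.",
    "Nice to chat with you today. Email me at the office if the pics do not arrive.",
]

if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    for name in ("NICE_GIRL_01_WRAPPED", "NICE_GIRL_01"):
        print(f"{name}: {len(coverage(rules, name, SPAM))} of {len(SPAM)} openers")
    print("spam sample:", hits(rules, SPAM[6]))
    for body in HAM:
        print("ham:", hits(rules, body) or "no hits")
```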
Re: "Nice girl like to chat" spam
I just use in user_prefs

    body J_GIRL /\bgirl.*\bpic(ture)?s\b/
    score J_GIRL 5
Re: "Nice girl like to chat" spam
On Mon, 2008-02-18 at 06:14 -0600, Chris wrote:
> On Monday 18 February 2008 4:33 am, ItsMikeE wrote:
> > For some time now I have been getting spams that look like
> > "Hello! I am tired this evening. I am nice girl that would like to chat
> > with you. Email me at [EMAIL PROTECTED] only, because I am using my friend's
> > email to write this. To see my pics"
> >
> > They are still not being picked up, despite me passing them to be learnt
> > for the bayes DB.
> >
> > Has anyone written a rule to filter these out?
>
> My box catches these with the below and this is what ClamAv tags it as:
>
> X-Spam-Virus: Yes (MSRBL-SPAM.NiceGirl.2697)
>
> Content analysis details: (37.5 points, 5.0 required)
>
>  pts rule name        description
> ---- ---------------- --------------------------------------------------
>  5.0 BAYES_99         BODY: Bayesian spam probability is 99 to 100%
>                       [score: 1.]
>  1.0 RELAY_CN         Relayed through china
>  5.0 BOTNET           Relay might be a spambot or virusbot
>                       [botnet0.8,ip=218.70.128.105,maildomain=800mhz.com,nordns]
>  4.5 LOGINHASH        BODY: iXhash says its spam
>  2.5 IXHASH           BODY: iXhash says its spam
>  2.5 LOGINHASH2       BODY: iXhash says its spam
>  3.7 PYZOR_CHECK      Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK        listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>                       [cpollock 1201; Body=26 Fuz1=375]
>                       [Fuz2=many]
>   10 CLAMAV           Clam AntiVirus detected a virus
>  0.0 DIGEST_MULTIPLE  Message hits more than one network digest check
>  0.1 RDNS_NONE        Delivered to trusted network by a host with no rDNS
>  1.0 SAGREY           Adds 1.0 to spam from first-time senders
>
> So even without running the ClamAv plug-in this would still get 27 points.
>
> HTH
> Chris

scoring BOTNET at 5.0 don't you get far too many FP's
Besides how do you get clamav to score a plain text mail. Are you using the clam signatures for spam
Re: "Nice girl like to chat" spam
On Monday 18 February 2008 4:33 am, ItsMikeE wrote:
> For some time now I have been getting spams that look like
> "Hello! I am tired this evening. I am nice girl that would like to chat
> with you. Email me at [EMAIL PROTECTED] only, because I am using my friend's
> email to write this. To see my pics"
>
> They are still not being picked up, despite me passing them to be learnt
> for the bayes DB.
>
> Has anyone written a rule to filter these out?

My box catches these with the below and this is what ClamAv tags it as:

X-Spam-Virus: Yes (MSRBL-SPAM.NiceGirl.2697)

Content analysis details: (37.5 points, 5.0 required)

     pts rule name        description
    ---- ---------------- --------------------------------------------------
     5.0 BAYES_99         BODY: Bayesian spam probability is 99 to 100%
                          [score: 1.]
     1.0 RELAY_CN         Relayed through china
     5.0 BOTNET           Relay might be a spambot or virusbot
                          [botnet0.8,ip=218.70.128.105,maildomain=800mhz.com,nordns]
     4.5 LOGINHASH        BODY: iXhash says its spam
     2.5 IXHASH           BODY: iXhash says its spam
     2.5 LOGINHASH2       BODY: iXhash says its spam
     3.7 PYZOR_CHECK      Listed in Pyzor (http://pyzor.sf.net/)
     2.2 DCC_CHECK        listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                          [cpollock 1201; Body=26 Fuz1=375]
                          [Fuz2=many]
      10 CLAMAV           Clam AntiVirus detected a virus
     0.0 DIGEST_MULTIPLE  Message hits more than one network digest check
     0.1 RDNS_NONE        Delivered to trusted network by a host with no rDNS
     1.0 SAGREY           Adds 1.0 to spam from first-time senders

So even without running the ClamAv plug-in this would still get 27 points.

HTH
Chris

--
Chris
KeyID 0xE372A7DA98E6705C
Re: "Nice girl like to chat" spam
On Mon, 2008-02-18 at 02:33 -0800, ItsMikeE wrote:
> For some time now I have been getting spams that look like
> "Hello! I am tired this evening. I am nice girl that would like to chat with
> you. Email me at [EMAIL PROTECTED] only, because I am using my friend's email
> to write this. To see my pics"
>
> They are still not being picked up, despite me passing them to be learnt for
> the bayes DB.
>
> Has anyone written a rule to filter these out?

you usually wait for the first mail and then block all mails containing the domain

---
    rawbody CHAT_TEMP m/\b(?:NaturalImprove.info|allcanheal.info|HonorDays.info|EHealThies.info|TheHealCare.info|IndividualImprove.info|TheDoorwayBeyond.info|ThePaganDoorway.info)\b/i
    score CHAT_TEMP 6.0
--

Besides this I have other rules that look for "am a? ?nice girl" etc, I use them in combination. But those are too YMMV types

Thanks
Ram
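Added example (not code from Michelle Konzack or ram): one way to keep a sighting log of spamvertised domains, drop those not seen for a year as Michelle describes, and regenerate a rawbody rule of the form ram posted, with dots escaped. The log format, function names, the NOW date and the example.info domains are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=365)                      # drop domains unseen for a year
NOW = datetime(2008, 2, 23, tzinfo=timezone.utc)   # constructed "today"

# Constructed sighting log, one "<unix time> <domain>" entry per spam seen.
SIGHTINGS = """\
1170000000 old-campaign.example.info
1203300000 current-one.example.info
1203330000 Current-One.example.info
1203340000 another.example.info
1203350000 bad|domain)(.info
not-a-timestamp broken.example.info
"""

# Only plain host names are accepted, so nothing lifted from a message body
# can carry regex syntax or the "/" delimiter into the generated rule.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def last_seen(log_text):
    """Map each valid, lower-cased domain to the newest time it was logged."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue                               # malformed entry
        domain = parts[1].lower()
        if DOMAIN_RE.match(domain):
            seen[domain] = max(int(parts[0]), seen.get(domain, 0))
    return seen


def active_domains(seen, now):
    """Domains sighted within MAX_AGE of `now`, sorted for a stable rule."""
    cutoff = (now - MAX_AGE).timestamp()
    return sorted(d for d, ts in seen.items() if ts >= cutoff)


def build_rule(name, domains, score):
    """Render a rawbody rule; return '' when there is nothing to block."""
    if not domains:
        return ""   # an empty alternation would match nearly every message
    alternation = "|".join(d.replace(".", r"\.") for d in domains)
    return (f"rawbody {name} m/\\b(?:{alternation})\\b/i\n"
            f"score {name} {score}")


if __name__ == "__main__":
    print(build_rule("CHAT_TEMP", active_domains(last_seen(SIGHTINGS), NOW), 6.0))
```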