RE: {SPAM} Drug SPAM problem..any fixes?

2005-05-15 Thread Chris Santerre


> -----Original Message-----
> From: martin smith [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 14, 2005 12:43 PM
> To: Spamassassin
> Subject: RE: {SPAM} Drug SPAM problem..any fixes?
>
> > -----Original Message-----
> > From: Matt Kettler [mailto:[EMAIL PROTECTED]]
> > Sent: 14 May 2005 18:37
> > To: Dan Simmons
> > Cc: users@spamassassin.apache.org
> > Subject: Re: {SPAM} Drug SPAM problem..any fixes?
> >
> > Dan Simmons wrote:
> > > Hi All,
> > >
> > > I am having an issue with the following DRUG related spam. Does
> > > anyone have any rules to catch this?
> > >
> > > Environment: SA 3.0.2 with network tests and the following
> > > SARE rule sets:
> > [snip]
> > > X-SA-SysThreshold: 6.0
> > >   0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> > >   0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> > >   0.0 HTML_MESSAGE BODY: HTML included in message
> >
> > For your message I got the following (SA 2.64 with Mail::SpamCopURI)
> >
> > SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90,
> > BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
> > INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
> > SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
> >
> > Most of that is URI blacklists from surbl (supported by SA 3.x by default),
> > as well as uribl.com (not supported in default config but I added it by hand)
>
> The trouble with SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain names twice a day or
> more to keep ahead of the listing. That's why I wanted something to block
> them if they don't hit any blacklists.

URIBL.com is currently testing some ideas to get them listed before they are
even used. Needs more time to test. Kinda tricky to nail down ;)

--Chris 


Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Matt Kettler
Dan Simmons wrote:
> Hi All,
>
> I am having an issue with the following DRUG related spam. Does
> anyone have any rules to catch this?
>
> Environment: SA 3.0.2 with network tests and the following SARE rule sets:
[snip]
> X-SA-SysThreshold: 6.0
>   0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
>   0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
>   0.0 HTML_MESSAGE BODY: HTML included in message
>

For your message I got the following (SA 2.64 with Mail::SpamCopURI)

SpamAssassin (score=7.908, required 5,  AB_URI_RBL 1.00, BAYES_00 -4.90,
BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)

Most of that is URI blacklists from surbl (supported by SA 3.x by default), as
well as uribl.com (not supported in default config but I added it by hand)

I'd check to see if your URIBLs are working. SA 3.x supports them by default,
but you need a relatively recent Net::DNS for them to work.

Also, if you're using a ported package for your OS distribution instead of the
official SA packages, make sure you've got an init.pre file in your
configuration. If you don't, the URIBL plugin won't load.


RE: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread martin smith
> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]]
> Sent: 14 May 2005 18:37
> To: Dan Simmons
> Cc: users@spamassassin.apache.org
> Subject: Re: {SPAM} Drug SPAM problem..any fixes?
>
> Dan Simmons wrote:
> > Hi All,
> >
> > I am having an issue with the following DRUG related spam. Does
> > anyone have any rules to catch this?
> >
> > Environment: SA 3.0.2 with network tests and the following
> > SARE rule sets:
> [snip]
> > X-SA-SysThreshold: 6.0
> >   0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> >   0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> >   0.0 HTML_MESSAGE BODY: HTML included in message
>
> For your message I got the following (SA 2.64 with Mail::SpamCopURI)
>
> SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90,
> BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
> INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
> SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
>
> Most of that is URI blacklists from surbl (supported by SA 3.x by default),
> as well as uribl.com (not supported in default config but I added it by hand)

The trouble with SURBL is that you can receive a lot of these spams
before they get listed; they also seem to change domain names twice a day or
more to keep ahead of the listing. That's why I wanted something to block
them if they don't hit any blacklists.

Martin



Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Matt Kettler
martin smith wrote:

> The trouble with SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain names twice a day or
> more to keep ahead of the listing. That's why I wanted something to block
> them if they don't hit any blacklists.
>
> Martin
>

True, which is part of why I use some greylisting.. it helps the blacklist hit
rates.


I really don't know of any good static rule that works consistently for these
that won't just nail every email with embedded images.

One thing you might look at is this part:

8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m

Note that after the first 3 numbers, it's an alternating sequence of random
lower-case letters and numbers. The repeating part is 140 characters long, or 70
repeats.

You could probably pick out 50 or so of these with a low FP rate:

body L_STRANGE_ID   /(?:\d[a-z]){50}/
score L_STRANGE_ID  0.1


Another tool to try here, which has the same drawbacks as surbl, is razor.

Razor can pick up on the hash of the embedded image, text, or URI so this way
you're forcing them to change three things: domains, images and body text.
(Razor hashes each mime part and each URI separately, so spam can be identified
by any one of these, not just the combined whole of the message.)

While not perfect, at least this gets you 3 shots at the message based on content.
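As an added example (not code from the thread or from SpamAssassin itself), here is a small Python evaluator for SpamAssassin-style "body"/"score" lines, run over the L_STRANGE_ID rule posted above. The RULES_CF text, the sample bodies, and the helper names (parse_rules, score_body, longest_alternation) are constructed for this illustration; it shows which sample bodies the rule fires on and measures the longest digit/letter alternation so the {N} repeat count can be sized against normal mail content such as hex digests and tracking numbers.

```python
import re

# Added example, not code from the thread. RULES_CF holds the rule Matt posted,
# in SpamAssassin "body"/"score" syntax; the evaluator and sample bodies below
# are constructed here to show what that rule hits and what it leaves alone.
RULES_CF = r"""
body  L_STRANGE_ID   /(?:\d[a-z]){50}/
score L_STRANGE_ID   0.1
"""
BODY_RULE = re.compile(r'^body\s+(\w+)\s+/(.*)/([a-z]*)$')
SCORE_RULE = re.compile(r'^score\s+(\w+)\s+(-?\d+(?:\.\d+)?)$')

def parse_rules(cf):
    """Map rule name -> (compiled regex, score); unscored rules default to 1.0 as in SA."""
    regexes, scores = {}, {}
    for line in cf.splitlines():
        line = line.strip()
        if m := BODY_RULE.match(line):
            regexes[m.group(1)] = re.compile(m.group(2), re.I if 'i' in m.group(3) else 0)
        elif m := SCORE_RULE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return {name: (rx, scores.get(name, 1.0)) for name, rx in regexes.items()}

def score_body(body, rules):
    """Return (total score, names of rules that fired), like SA's hit summary."""
    hits = [name for name, (rx, _) in rules.items() if rx.search(body)]
    return round(sum(rules[n][1] for n in hits), 3), hits

def longest_alternation(text):
    """Longest run where ASCII digits and letters strictly alternate; use it to
    size the {N} count so that hex digests and tracking numbers stay well below it."""
    best = run = 0
    prev = None
    for ch in text:
        kind = 'd' if ch.isdigit() else 'l' if ch.isascii() and ch.isalpha() else None
        run = run + 1 if kind and kind != prev else (1 if kind else 0)
        prev = kind
        best = max(best, run)
    return best

# Constructed sample bodies: the ID quoted in the thread, then a hex digest and
# an order notice, two of the usual false-positive candidates for such a rule.
SPAM_ID = "8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m"
SAMPLES = {
    "drug_spam": '<html><img src="cid:pill.gif"><br>\n' + SPAM_ID + "\n</html>",
    "hex_digest": "sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "order_notice": "Your order #12345 ships Monday, tracking 1Z999AA10123456784.",
}

if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    for label, body in SAMPLES.items():
        print(label, score_body(body, rules), "alternation:", longest_alternation(body))
```

Only the drug spam sample fires the rule; the 64-character hex digest never exceeds a handful of alternating characters, which is why a count of 50 pairs is a comfortable margin.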


Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Loren Wilton
Let me just suggest that there are all kinds of catchable keys in the spam
you posted.  I don't really want to post rules for these, since as soon as
rules get posted here the keys disappear from the spams.

Loren



Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Jeff Chan
On Saturday, May 14, 2005, 10:43:08 AM, martin smith wrote:
> > From: Matt Kettler [mailto:[EMAIL PROTECTED]]

> > Most of that is URI blacklists from surbl (supported by SA 3.x by default),
> > as well as uribl.com (not supported in default config but I added it by hand)
>

> The trouble with SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain names twice a day or
> more to keep ahead of the listing. That's why I wanted something to block
> them if they don't hit any blacklists.

We're working on reducing the latency of SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/