RE: {SPAM} Drug SPAM problem..any fixes?
-Original Message-
From: martin smith [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 14, 2005 12:43 PM
To: Spamassassin
Subject: RE: {SPAM} Drug SPAM problem..any fixes?

> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: 14 May 2005 18:37
> To: Dan Simmons
> Cc: users@spamassassin.apache.org
> Subject: Re: {SPAM} Drug SPAM problem..any fixes?
>
> Dan Simmons wrote:
> > Hi All,
> >
> > I am having an issue with the following DRUG related spam. Does
> > anyone have any rules to catch this?
> >
> > Environment: SA 3.0.2 with network tests and the following
> > SARE rule sets:
> > snip
> > X-SA-SysThreshold: 6.0
> > 0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> > 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> > 0.0 HTML_MESSAGE BODY: HTML included in message
>
> For your message I got the following (SA 2.64 with Mail::SpamCopURI)
>
> SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90,
> BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
> INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
> SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
>
> Most of that is URI blacklists from surbl (supported by SA 3.x by default),
> as well as uribl.com (not supported in default config but I added it by hand)

Trouble is with the SURBL is that you can receive a lot of these spams before
they get listed; they also seem to change domain name twice a day or more to
keep ahead of the listing. That's why I wanted something to block them if they
don't hit any black lists.

URIBL.com is currently testing some ideas to get them listed before they are
even used. Needs more time to test. Kinda tricky to nail down ;)

--Chris
Re: {SPAM} Drug SPAM problem..any fixes?
Dan Simmons wrote:
> Hi All,
>
> I am having an issue with the following DRUG related spam. Does
> anyone have any rules to catch this?
>
> Environment: SA 3.0.2 with network tests and the following
> SARE rule sets:
> snip
> X-SA-SysThreshold: 6.0
> 0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> 0.0 HTML_MESSAGE BODY: HTML included in message

For your message I got the following (SA 2.64 with Mail::SpamCopURI)

SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90,
BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)

Most of that is URI blacklists from surbl (supported by SA 3.x by default),
as well as uribl.com (not supported in default config but I added it by hand)

I'd check to see if your URIBLs are working. SA 3.x supports them by default,
but you need a relatively recent Net::DNS for them to work.

Also, if you're using a ported package for your OS distribution instead of the
official SA packages, make sure you've got an init.pre file in your
configuration. If you don't, the URIBL plugin won't load.
RE: {SPAM} Drug SPAM problem..any fixes?
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: 14 May 2005 18:37
> To: Dan Simmons
> Cc: users@spamassassin.apache.org
> Subject: Re: {SPAM} Drug SPAM problem..any fixes?
>
> Dan Simmons wrote:
> > Hi All,
> >
> > I am having an issue with the following DRUG related spam. Does
> > anyone have any rules to catch this?
> >
> > Environment: SA 3.0.2 with network tests and the following
> > SARE rule sets:
> > snip
> > X-SA-SysThreshold: 6.0
> > 0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> > 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> > 0.0 HTML_MESSAGE BODY: HTML included in message
>
> For your message I got the following (SA 2.64 with Mail::SpamCopURI)
>
> SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90,
> BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
> INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
> SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
>
> Most of that is URI blacklists from surbl (supported by SA 3.x by default),
> as well as uribl.com (not supported in default config but I added it by hand)

Trouble is with the SURBL is that you can receive a lot of these spams before
they get listed; they also seem to change domain name twice a day or more to
keep ahead of the listing. That's why I wanted something to block them if they
don't hit any black lists.

Martin
Re: {SPAM} Drug SPAM problem..any fixes?
martin smith wrote:
> Trouble is with the SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain name twice a day
> or more to keep ahead of the listing. That's why I wanted something to
> block them if they don't hit any black lists.
>
> Martin

True, which is part of why I use some greylisting.. it helps the blacklist
hit rates.

I really don't know of any good static rule that works consistently for
these that won't just nail every email with embedded images.

One thing you might look at is this part:

8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m

Note that after the first 3 numbers, it's an alternating sequence of random
lower-case letters and numbers. The repeating part is 140 characters long, or
70 repeats.. You could probably pick out 50 or so of these with low FP rate:

body L_STRANGE_ID /(?:\d[a-z]){50}/
score L_STRANGE_ID 0.1

Another tool to try here, which has the same drawbacks as surbl, is razor.
Razor can pick up on the hash of the embedded image, text, or URI, so this way
you're forcing them to change three things: domains, images and body text.
(Razor hashes each mime part and each URI separately, so spam can be
identified by any one of these, not just the combined whole of the message.)

While not perfect, at least this gets you 3 shots at the message based on
content.
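To see what the L_STRANGE_ID rule from the message above actually catches, and what it leaves alone, here is the same regex exercised in Python against constructed bodies. This is an added example, not code from the thread or from SpamAssassin; the sample spam body embeds the identifier Matt quoted, and the "ham" bodies (a hex digest and a tracking-style id) are constructed to show why mixed digit/letter strings in normal mail do not reach 50 strictly alternating pairs. SpamAssassin `body` rules run against the decoded, rendered text of a message, so the inputs here are plain text rather than raw MIME.

```python
import re

# The body rule posted in the thread, as a Python regex (same syntax as the
# Perl rule):  body L_STRANGE_ID /(?:\d[a-z]){50}/   score L_STRANGE_ID 0.1
L_STRANGE_ID = re.compile(r"(?:\d[a-z]){50}")
L_STRANGE_ID_SCORE = 0.1

# Any run of <digit><lower-case letter> pairs, used to measure how long the
# alternating sequence in a body is, so the {50} threshold can be judged.
ALTERNATING_RUN = re.compile(r"(?:\d[a-z])+")


def longest_alternating_run(body: str) -> int:
    """Largest number of consecutive <digit><letter> pairs found in body."""
    return max((len(m.group(0)) // 2 for m in ALTERNATING_RUN.finditer(body)),
               default=0)


def score_body(body: str) -> dict:
    """Apply L_STRANGE_ID to a rendered message body.

    Returns whether the rule hit, the score it would add, and the longest
    alternating run so a tuner can see how much margin the threshold has.
    """
    hit = L_STRANGE_ID.search(body) is not None
    return {
        "L_STRANGE_ID": hit,
        "score": L_STRANGE_ID_SCORE if hit else 0.0,
        "longest_run": longest_alternating_run(body),
    }


# Constructed spam body: an image-only pitch rendered to text, followed by the
# alternating identifier quoted in the thread.
SPAM_BODY = (
    "(image-only pitch rendered to text)\n"
    "8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a"
    "7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m\n"
)

# Constructed legitimate bodies. Hex digests and shipping ids mix digits and
# letters, but digits cluster and letters repeat, so the alternating runs
# stay very short and the rule does not fire.
HAM_BODIES = [
    "Your order shipped. Tracking: 1Z999AA10123456784\n",
    "sha1sum: da39a3ee5e6b4b0d3255bfef95601890afd80709  sa-3.0.2.tar.gz\n",
]


if __name__ == "__main__":
    for label, body in [("spam", SPAM_BODY)] + [("ham", b) for b in HAM_BODIES]:
        print(label, score_body(body))
```

The `longest_run` figure is the useful tuning knob: if your own samples show runs well above 50 while legitimate mail never exceeds a handful of pairs, the threshold has plenty of margin; if a sample comes in just under 50, lowering the count is a judgement call against false positives, which is why the rule was posted with a 0.1 score rather than a decisive one.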
Re: {SPAM} Drug SPAM problem..any fixes?
Let me just suggest that there are all kinds of catchable keys in the spam you
posted. I don't really want to post rules for these, since as soon as rules get
posted here the keys disappear from the spams.

Loren
Re: {SPAM} Drug SPAM problem..any fixes?
On Saturday, May 14, 2005, 10:43:08 AM, martin smith wrote:
> > From: Matt Kettler [mailto:[EMAIL PROTECTED]
> > Most of that is URI blacklists from surbl (supported by SA 3.x by
> > default), as well as uribl.com (not supported in default config but I
> > added it by hand)
>
> Trouble is with the SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain name twice a day
> or more to keep ahead of the listing. That's why I wanted something to
> block them if they don't hit any black lists.

We're working on reducing the latency of SURBLs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/