Re: FW: Mit unseren Tabs kannst Du viel mehr im Bett

2011-05-31 Thread Yet Another Ninja

put ow.ly in a URI rule



On 2011-05-31 8:58, Lars Jørgensen wrote:

Hi,

We don't get much spam through the spamassassin filter, but we do get a bit of 
German spam which only seems to trigger RCVD_IN_XBL and thus not get a high 
enough score to be discarded. I have included a sample below (hoping that I 
don't offend anyone and that it'll get through people's spam filters). Has 
anybody seen these and know of a good rule to catch them?


Lars

From: Brenton Hanna [mailto:currycomb...@polysto.com]
Sent: Tuesday, May 31, 2011 7:33 AM
Subject: Mit unseren Tabs kannst Du viel mehr im Bett

Mit unseren Tabs kannst Du viel mehr im Bett

Das geht wirklich jetzt und hier. Nur legale Plilen jetzt und hier bestlelen. 
Sparen ohne Ende.
Jetzt ist die Zeit, um bei Kauf der Plilen richtig zu sparen. Jetzt 
ausprobieren, sehr schnelle Lieferung.



If you would, however, prefer not to receive these mailings in the future, you can 
unsubscribe here  or update your email preferences.
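
The one-line suggestion at the top of this reply, written out as a SpamAssassin `local.cf` fragment. This is an added example, not part of the original post: the rule names, the scores and the meta rule that combines the URI hit with the stock RCVD_IN_XBL rule are assumptions chosen for illustration.

```conf
# local.cf fragment (added example; LOCAL_URI_OWLY and LOCAL_OWLY_XBL are
# hypothetical rule names, and the scores are placeholders to tune locally)

# Fire on any http/https link whose host is ow.ly (optionally www.ow.ly).
# Anchoring at the scheme and ending the host with "/" keeps look-alike
# hosts such as "ow.ly.example.com" or "follow.ly" from matching.
uri       LOCAL_URI_OWLY   /^https?:\/\/(?:www\.)?ow\.ly\//i
describe  LOCAL_URI_OWLY   Body links to the ow.ly URL shortener
score     LOCAL_URI_OWLY   1.5

# A shortener link alone is weak evidence, since legitimate mail uses them
# too. Add weight only when the message also hit the XBL rule that the
# original poster reports as the sole hit.
meta      LOCAL_OWLY_XBL   (LOCAL_URI_OWLY && RCVD_IN_XBL)
describe  LOCAL_OWLY_XBL   ow.ly link in mail relayed by an XBL-listed host
score     LOCAL_OWLY_XBL   2.5
```

Run `spamassassin --lint` after editing to confirm the rules parse, and check the scores against your own ham before relying on them.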








Re: FW: Mit unseren Tabs kannst Du viel mehr im Bett

2011-05-31 Thread John Hardin

On Tue, 31 May 2011, Lars Jørgensen wrote:

We don't get much spam through the spamassassin filter, but we do get a 
bit of German spam which only seems to trigger RCVD_IN_XBL and thus not 
get a high enough score to be discarded. I have included a sample below 
(hoping that I don't offend anyone and that it'll get through people's 
spam filters).


It's much better practice to post the complete spam, including _all_ 
headers (not just the ones your mail client shows you by default) to a 
website you control or to someplace like pastebin, and then send the URL 
for that to the list.


If you can post a version of the message that's gone through your SA so 
that we can see what version you're running and what rules it hit, that 
helps even more.


Sending spams to the list can fall afoul of spam filters, but it also is 
generally not a complete message (including all the headers), and sending 
it through the mail system again can alter it and remove important spam 
indicators (or insert new false ones).


Has anybody seen these and know of a good rule to catch them?


Please provide a complete sample as above and we'll be better able to 
help.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.  -- Tam
---
 6 days until the 67th anniversary of D-Day