RE: rule secrecy *again* (Re: Well, that didn't take very bloody long)

2006-11-13 Thread Chris Santerre
 
> ho hum... here we go again. :(


:) 


> Secrecy is *NOT* an essential element of rule development. It seems
> logical to think it is, but evidence repeatedly demonstrates otherwise.


You know I differ in that opinion. 


> For some spammers, it may _help_ -- but not for all, so it's by no means
> essential. On the other hand, secrecy damages collaborative development,
> restricting rule refinement and improvement to a secret cabal. It's
> antithetical to open source development.


If the rules are openly released, I don't see how it's antithetical. Some of the background work is just done quietly. 


We don't restrict rule refinement and improvement to a secret cabal. I've helped people on the SATALK list test their rules. And I've had some offer tweaks to SARE rules. There is no one stopping anyone from writing a rule and submitting it to SA devs! 

IMHO, all of this could have been avoided if you had just kept the old SA logo ;) 


Thanks,


Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com






Re: Well, that didn't take very bloody long

2006-11-11 Thread jdow

From: Steve Lake [EMAIL PROTECTED]
> Ok, remember that Name Wrote: :) emails?  They've completely
> changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> any common elements in these emails because whoever this putz is, they're
> adapting a lot.  They hit us, we adapt, they immediately change tactics and
> come at us again.  Now with all the brilliant minds on this mailing list,
> we really should be able to find out who this putz is and nail all his
> stuff regardless of what tactic he switches to.


I believe the record will show that I more or less predicted this with
the first postings of the wrote spam.

Obvious single features that are easily changeable are lousy for using
as rules. I figure they are digital prestidigitation - misdirect your
eye to where you want them to look so they don't notice the hard to
change features.

{^_-}


RE: Well, that didn't take very bloody long

2006-11-11 Thread Randal, Phil
But most of us aren't clever enough with Perl RE's to construct the rule
to go with it.

So where's the rule to match, folks?

Cheers,

Phil

-Original Message-
From: Tony Finch [mailto:[EMAIL PROTECTED] On Behalf Of Tony Finch
Sent: Friday, November 10, 2006 9:49 PM
To: Steve Lake
Cc: users@spamassassin.apache.org
Subject: Re: Well, that didn't take very bloody long

On Fri, 10 Nov 2006, Steve Lake wrote:

> Ok, remember that Name Wrote: :) emails?  They've completely
> changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find any
> common elements in these emails because whoever this putz is, they're adapting
> a lot.

http://article.gmane.org/gmane.mail.spam.spamassassin.general/90322

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
VIKING: SOUTHERLY VEERING WESTERLY 6 TO GALE 8, OCCASIONALLY SEVERE GALE 9.
HIGH. RAIN THEN SHOWERS. MODERATE OR GOOD.


rule secrecy *again* (Re: Well, that didn't take very bloody long)

2006-11-11 Thread Justin Mason

Loren Wilton writes:
> > Ok, remember that Name Wrote: :) emails?  They've completely
> > changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> > any common elements in these emails because whoever this putz is, they're
> > adapting a lot.  They hit us, we adapt, they immediately change tactics
> > and come at us again.  Now with all the brilliant minds on this mailing
> > list, we really should be able to find out who this putz is and nail all
> > his stuff regardless of what tactic he switches to.
>
> The reason they adapt is because there are detailed announcements on the
> mailing list of the things that are easy to spot.  The guy sending these is
> on the list too, so as soon as the oversight or excessive cleverness is
> announced to the world, he knows what he has to fix.

ho hum... here we go again. :(

As I've noted several times recently -- these *are* being caught by rules
which were developed in the open -- namely RCVD_FORGED_WROTE, which has
been sitting in my sandbox for several weeks, was announced in a checkin
message (with diffs!), and is currently live in both trunk and 3.1.x
rule updates.

The rule has been visible since:

  r465179 | jm | 2006-10-18 10:11:15 +0100 (Wed, 18 Oct 2006) | 1 line

  add rule to catch 'Subject: foo wrote:' stock spam

Take a look at the graph of hit-rates over time in everyone's corpora:

http://ruleqa.spamassassin.org/last-night/RCVD_FORGED_WROTE?s_detail=on&s_g_over_time=1&s_zero=on&srcpath=#over_time_anchor

There's been no change in hitrates since 2006-10-18 -- in fact, in
cthielen and zmi's corpora, they rose *dramatically*.

Secrecy is *NOT* an essential element of rule development.  It seems
logical to think it is, but evidence repeatedly demonstrates otherwise.

For some spammers, it may _help_ -- but not for all, so it's by no means
essential.  On the other hand, secrecy damages collaborative development,
restricting rule refinement and improvement to a secret cabal.  It's
antithetical to open source development.

--j.


Re: rule secrecy *again* (Re: Well, that didn't take very bloody long)

2006-11-11 Thread Steve Lake

At 12:27 PM 11/11/2006 +, Justin Mason wrote:

> ho hum... here we go again. :(
>
> As I've noted several times recently -- these *are* being caught by rules
> which were developed in the open -- namely RCVD_FORGED_WROTE, which has
> been sitting in my sandbox for several weeks, was announced in a checkin
> message (with diffs!), and is currently live in both trunk and 3.1.x
> rule updates.


Yeah, I pushed my updates for SA and now it seems that those spams 
aren't getting through anymore.  heh.  I can't wait for this spam war to 
end so I can go back to my more laid back 3 month cycle of updates instead 
of 3-4x's a day.  :(



Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community




Re: rule secrecy *again* (Re: Well, that didn't take very bloody long)

2006-11-11 Thread jdow

From: Justin Mason [EMAIL PROTECTED]


> Loren Wilton writes:
> > > Ok, remember that Name Wrote: :) emails?  They've completely
> > > changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> > > any common elements in these emails because whoever this putz is, they're
> > > adapting a lot.  They hit us, we adapt, they immediately change tactics
> > > and come at us again.  Now with all the brilliant minds on this mailing
> > > list, we really should be able to find out who this putz is and nail all
> > > his stuff regardless of what tactic he switches to.
> >
> > The reason they adapt is because there are detailed announcements on the
> > mailing list of the things that are easy to spot.  The guy sending these is
> > on the list too, so as soon as the oversight or excessive cleverness is
> > announced to the world, he knows what he has to fix.
>
> ho hum... here we go again. :(
>
> As I've noted several times recently -- these *are* being caught by rules
> which were developed in the open -- namely RCVD_FORGED_WROTE, which has
> been sitting in my sandbox for several weeks, was announced in a checkin
> message (with diffs!), and is currently live in both trunk and 3.1.x
> rule updates.
>
> The rule has been visible since:
>
>   r465179 | jm | 2006-10-18 10:11:15 +0100 (Wed, 18 Oct 2006) | 1 line
>
>   add rule to catch 'Subject: foo wrote:' stock spam
>
> Take a look at the graph of hit-rates over time in everyone's corpora:
>
> http://ruleqa.spamassassin.org/last-night/RCVD_FORGED_WROTE?s_detail=on&s_g_over_time=1&s_zero=on&srcpath=#over_time_anchor
>
> There's been no change in hitrates since 2006-10-18 -- in fact, in
> cthielen and zmi's corpora, they rose *dramatically*.
>
> Secrecy is *NOT* an essential element of rule development.  It seems
> logical to think it is, but evidence repeatedly demonstrates otherwise.


Indeed - if you have a rule that depends on secrecy then it is too
fragile to have a long life. Good rules have long usable lifetimes.

{^_^} 



Re: Well, that didn't take very bloody long

2006-11-10 Thread Kris Deugau
Steve Lake wrote:
> Ok, remember that Name Wrote: :) emails?  They've completely
> changed.  Now it's hi username instead.

After feeding 10 or 20 into Bayes, they're no longer showing up in *my*
inbox, nor customer inboxes based on the lack of forwarded copies.  g

(The ones I've been seeing are basically text-only, thus the effective
Bayes-beating.  The SARE stock rules are helping too.)

This is still SA2.64, too.  Upgrading would make the server roll over
and die, unfortunately.

The *ONLY* spams I've been having any great ongoing trouble with are the
image-based ones.

-kgd


RE: Well, that didn't take very bloody long

2006-11-10 Thread Chris Santerre

> -Original Message-
> From: Steve Lake [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 10, 2006 12:52 PM
> To: users@spamassassin.apache.org
> Subject: Well, that didn't take very bloody long
>
>
> Ok, remember that Name Wrote: :) emails? They've completely
> changed. Now it's hi username instead. Joy, oh joy. Can anyone find
> any common elements in these emails because whoever this putz is, they're
> adapting a lot. They hit us, we adapt, they immediately change tactics and
> come at us again. Now with all the brilliant minds on this mailing list,
> we really should be able to find out who this putz is and nail all his
> stuff regardless of what tactic he switches to.


Ahahaha... I went and looked at mine that are being caught. Found one of my old rules is tagging some of these. I about spit up my NE Chowder!

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 MY_DSL                 Contains likely dsl address in header
 0.3 MY_HELO                May be valid but catches most.
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
 0.6 MY_PHRS_LOW            BODY: low scoring phrases found
 1.7 SARE_CSBIG             BODY: Only Mexican food gives me an Explosive Gain.


I crack myself up!


--Chris 





Re: Well, that didn't take very bloody long

2006-11-10 Thread Jim Maul

Chris Santerre wrote:



> > -Original Message-
> > From: Steve Lake [mailto:[EMAIL PROTECTED]
> > Sent: Friday, November 10, 2006 12:52 PM
> > To: users@spamassassin.apache.org
> > Subject: Well, that didn't take very bloody long
> >
> >
> > Ok, remember that Name Wrote: :) emails?  They've completely
> > changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> > any common elements in these emails because whoever this putz is, they're
> > adapting a lot.  They hit us, we adapt, they immediately change tactics and
> > come at us again.  Now with all the brilliant minds on this mailing list,
> > we really should be able to find out who this putz is and nail all his
> > stuff regardless of what tactic he switches to.
>
> Ahahaha... I went and looked at mine that are being caught. Found one of
> my old rules is tagging some of these. I about spit up my NE Chowder!
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.2 MY_DSL                 Contains likely dsl address in header
>  0.3 MY_HELO                May be valid but catches most.
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>  1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
>  0.6 MY_PHRS_LOW            BODY: low scoring phrases found
>  1.7 SARE_CSBIG             BODY: Only Mexican food gives me an Explosive Gain.
>
> I crack myself up!
>
> --Chris



haha damn that is pretty funny.  Explosive gain?  Am I the only one who 
thinks toilets should come with handles? haha


-Jim



Re: Well, that didn't take very bloody long

2006-11-10 Thread Justin Mason

also, RCVD_FORGED_WROTE is still hitting them.
(my motto: aim for the Received headers ;)

--j.

Chris Santerre writes:
> > -Original Message-
> > From: Steve Lake [mailto:[EMAIL PROTECTED]
> > Sent: Friday, November 10, 2006 12:52 PM
> > To: users@spamassassin.apache.org
> > Subject: Well, that didn't take very bloody long
> >
> >
> > Ok, remember that Name Wrote: :) emails?  They've completely
> > changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> > any common elements in these emails because whoever this putz is, they're
> > adapting a lot.  They hit us, we adapt, they immediately change tactics and
> > come at us again.  Now with all the brilliant minds on this mailing list,
> > we really should be able to find out who this putz is and nail all his
> > stuff regardless of what tactic he switches to.
>
> Ahahaha... I went and looked at mine that are being caught. Found one of my
> old rules is tagging some of these. I about spit up my NE Chowder!
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.2 MY_DSL                 Contains likely dsl address in header
>  0.3 MY_HELO                May be valid but catches most.
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>  1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
>  0.6 MY_PHRS_LOW            BODY: low scoring phrases found
>  1.7 SARE_CSBIG             BODY: Only Mexican food gives me an Explosive Gain.
>
> I crack myself up!
>
> --Chris


Re: Well, that didn't take very bloody long

2006-11-10 Thread Kelson

Steve Lake wrote:
> Ok, remember that Name Wrote: :) emails?  They've completely
> changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> any common elements in these emails because whoever this putz is,
> they're adapting a lot.  They hit us, we adapt, they immediately change
> tactics and come at us again.


I wrote a couple of rules for the first two rounds -- name wrote: and 
it's name :)  I've stopped bothering.


Between the SARE stock rules, header checks, and Bayes -- especially 
Bayes -- the only place I'm seeing these show up uncaught now is my 
spamtraps, and those haven't been run through SA in the first place.


I've concluded the subject line is a trap.  They make it so consistent 
that it just begs to be targeted, then they change it to another 
consistent rule just to yank our chains and keep us busy.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Well, that didn't take very bloody long

2006-11-10 Thread Duane Hill

Kelson wrote:

> Steve Lake wrote:
> > Ok, remember that Name Wrote: :) emails?  They've completely
> > changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone
> > find any common elements in these emails because whoever this putz is,
> > they're adapting a lot.  They hit us, we adapt, they immediately
> > change tactics and come at us again.


> I wrote a couple of rules for the first two rounds -- name wrote: and
> it's name :)  I've stopped bothering.
>
>
> Between the SARE stock rules, header checks, and Bayes -- especially
> Bayes -- the only place I'm seeing these show up uncaught now is my
> spamtraps, and those haven't been run through SA in the first place.


Most of mine here are hitting with Bayes as well. I've only seen a 
couple make it through. All others have been routed to my local folder 
for Spam. Here are the scores from one such:


X-Spam-Level: xxx
X-Spam-Status: Hits:15.0 Learn:no Tests:BAYES_99,
    DATE_IN_FUTURE_06_12,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
    RAZOR2_CHECK,SARE_CSBIG,SARE_MLB_Stock1,SARE_MLB_Stock5,TVD_STOCK1

> I've concluded the subject line is a trap.  They make it so consistent
> that it just begs to be targeted, then they change it to another
> consistent rule just to yank our chains and keep us busy.
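Chris's score table and the X-Spam-Status line Duane posted are the two places SpamAssassin reports which rules fired on a message, and pulling them out of a mail folder is the quickest way to see which rules are actually carrying the load against a campaign like this one. The following is an added example, not code from the thread or from SpamAssassin: a small Python parser for both formats, fed constructed copies of the two layouts shown above (the "Hits:/Learn:/Tests:" form is a site-specific add_header layout, the "score=/tests=" form is SpamAssassin's default header), plus a cross-reference of which rule names appear in both. The report scores and header values are copied from the posts; the default-layout sample is made up.

```python
import re
from decimal import Decimal

# Constructed copy of the "pts rule name description" report block from
# Chris's mail (added example data, not the original message).
REPORT_TABLE = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 MY_DSL                 Contains likely dsl address in header
 0.3 MY_HELO                May be valid but catches most.
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
 0.6 MY_PHRS_LOW            BODY: low scoring phrases found
 1.7 SARE_CSBIG             BODY: Only Mexican food gives me an Explosive Gain.
"""

# Site-specific add_header layout, folded across three lines as in Duane's mail.
CUSTOM_STATUS = """\
X-Spam-Status: Hits:15.0 Learn:no Tests:BAYES_99,
    DATE_IN_FUTURE_06_12,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
    RAZOR2_CHECK,SARE_CSBIG,SARE_MLB_Stock1,SARE_MLB_Stock5,TVD_STOCK1
"""

# SpamAssassin's stock X-Spam-Status layout (constructed; values are made up).
DEFAULT_STATUS = """\
X-Spam-Status: Yes, score=7.3 required=5.0 tests=FORGED_RCVD_HELO,MY_DSL,
    SARE_CSBIG autolearn=no version=3.1.7
"""

ROW_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+(\S+)\s+(.*\S)\s*$")
HITS_RE = re.compile(r"(?:Hits:|score=)\s*(-?\d+(?:\.\d+)?)")
LEARN_RE = re.compile(r"(?:Learn:|autolearn=)\s*(\w+)")
# Comma-separated rule names; whitespace may appear after a comma once unfolded.
TESTS_RE = re.compile(r"(?:Tests:|tests=)\s*((?:[A-Za-z0-9_]+\s*,\s*)*[A-Za-z0-9_]+)")


def parse_report(text):
    """Return [(score, rule, description), ...] from a report table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the header line and the dashed separator do not match
            rows.append((Decimal(m.group(1)), m.group(2), m.group(3)))
    return rows


def report_total(rows):
    """Sum the per-rule scores exactly (Decimal avoids 7.300000001 noise)."""
    return sum((score for score, _, _ in rows), Decimal("0"))


def unfold(header):
    """Join RFC 2822 folded continuation lines (leading whitespace) into one."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_spam_status(header):
    """Extract hits, learn flag and test names from either X-Spam-Status layout."""
    body = re.sub(r"^X-Spam-Status:\s*", "", unfold(header), flags=re.I)
    hits = HITS_RE.search(body)
    learn = LEARN_RE.search(body)
    tests = TESTS_RE.search(body)
    return {
        "hits": Decimal(hits.group(1)) if hits else None,
        "learn": learn.group(1) if learn else None,
        "tests": [t.strip() for t in tests.group(1).split(",")] if tests else [],
    }


def common_tests(rows, status):
    """Rule names that fired in both the report table and the header."""
    return sorted({rule for _, rule, _ in rows} & set(status["tests"]))


if __name__ == "__main__":
    rows = parse_report(REPORT_TABLE)
    print("report total:", report_total(rows))
    for src in (CUSTOM_STATUS, DEFAULT_STATUS):
        print(parse_spam_status(src))
    print("rules hit in both:", common_tests(rows, parse_spam_status(CUSTOM_STATUS)))
```

Run over a folder of caught spam, the tests list is what tells you whether Bayes, the SARE stock rules or the Received-header checks are doing the work, which is the question the thread keeps circling back to.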






Re: Well, that didn't take very bloody long

2006-11-10 Thread Tony Finch
On Fri, 10 Nov 2006, Steve Lake wrote:

> Ok, remember that Name Wrote: :) emails?  They've completely
> changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find any
> common elements in these emails because whoever this putz is, they're adapting
> a lot.

http://article.gmane.org/gmane.mail.spam.spamassassin.general/90322

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
VIKING: SOUTHERLY VEERING WESTERLY 6 TO GALE 8, OCCASIONALLY SEVERE GALE 9.
HIGH. RAIN THEN SHOWERS. MODERATE OR GOOD.


Re: Well, that didn't take very bloody long

2006-11-10 Thread John Rudd

Steve Lake wrote:
> Ok, remember that Name Wrote: :) emails?  They've completely
> changed.  Now it's hi username instead.  Joy, oh joy.  Can anyone find
> any common elements in these emails because whoever this putz is,
> they're adapting a lot.  They hit us, we adapt, they immediately change
> tactics and come at us again.  Now with all the brilliant minds on this
> mailing list, we really should be able to find out who this putz is and
> nail all his stuff regardless of what tactic he switches to.





Try the RelayChecker plugin.  Look in the message archive for this list, 
for subjects containing RelayChecker.


RelayChecker looks for things that the spammers can't control (the 
hostnames of the botnets they infect).
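jdow's point about easily changed features versus hard-to-change ones, the MY_DSL and FORGED_RCVD_HELO descriptions in Chris's table, and John Rudd's note that RelayChecker looks at the hostnames of the relaying machines all come down to the same check: look at what the relay's reverse DNS says about it rather than at the subject line. The following is an added example, not the RelayChecker plugin or any SpamAssassin rule: a Python sketch that parses the "from HELO (rdns [ip])" clause of a Received header, flags reverse-DNS names that look like consumer address pools, and notes when the HELO name belongs to a different domain than the reverse DNS. The pool-label list and the two-label domain comparison are heuristic assumptions, and the Received lines are constructed samples using documentation address ranges.

```python
import re

# Constructed Received headers (documentation IP ranges, not real mail):
# a DSL-style dynamic host, a proper mail server, and a relay whose HELO
# name does not belong to the domain its reverse DNS resolves to.
SAMPLE_RECEIVED = [
    "from adsl-12-34-56-78.example.net (adsl-12-34-56-78.example.net [192.0.2.78])"
    " by mx.example.org (Postfix) with SMTP id 1A2B3C; Fri, 10 Nov 2006 12:52:00 -0500",
    "from mail.example.com (mail.example.com [198.51.100.10])"
    " by mx.example.org (Postfix) with ESMTP id 4D5E6F; Fri, 10 Nov 2006 12:53:00 -0500",
    "from yahoo.com (pool-203-0-113-5.dyn.example.net [203.0.113.5])"
    " by mx.example.org (Postfix) with SMTP id 7A8B9C; Fri, 10 Nov 2006 12:54:00 -0500",
]

# "from <HELO> (<reverse DNS> [<IP>])" as sendmail and Postfix write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)
# Labels ISPs commonly put in reverse DNS for consumer address pools
# (a heuristic assumption, not an exhaustive list).
DYNAMIC_LABEL_RE = re.compile(
    r"(?:^|[.-])(?:a?dsl|dyn(?:amic)?|pool|ppp|dhcp|cable|dial(?:up)?|cust)(?:[.-]|$)",
    re.I,
)


def parse_received(line):
    """Return {'helo', 'rdns', 'ip'} or None when the clause is absent."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None


def looks_dynamic(rdns, ip):
    """True when the reverse DNS name looks like a consumer/dynamic pool entry."""
    host = rdns.lower()
    if DYNAMIC_LABEL_RE.search(host):
        return True
    # Many pools encode the address in the name: 12-34-56-78 or 78.56.34.12
    octets = ip.split(".")
    for sep in ("-", "."):
        if sep.join(octets) in host or sep.join(reversed(octets)) in host:
            return True
    return False


def registered_domain(name):
    """Last two labels; a rough stand-in for a public-suffix lookup (assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def assess(line):
    """Classify one Received header; None when it has no (rdns [ip]) clause."""
    parts = parse_received(line)
    if parts is None:
        return None
    parts["dynamic"] = looks_dynamic(parts["rdns"], parts["ip"])
    parts["helo_mismatch"] = registered_domain(parts["helo"]) != registered_domain(parts["rdns"])
    return parts


if __name__ == "__main__":
    for line in SAMPLE_RECEIVED:
        r = assess(line)
        print(f"{r['ip']:<15} dynamic={r['dynamic']!s:<5} "
              f"helo_mismatch={r['helo_mismatch']!s:<5} {r['rdns']}")
```

The reverse DNS and the connecting IP are written by your own MTA, so the sender cannot edit them the way they edit the subject line; that is why a rule built on them outlives one built on "Name wrote:". In a real deployment the two-label domain comparison should be replaced by a public-suffix lookup, and the header examined must be the one added by your own trusted relay, since earlier Received lines can be forged.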