Re: russian spam with only two lines in the body

2010-08-27 Thread Martin Gregorie
> Thus, based on my own observations, it looks like the value of rules in 
> this particular area is going to be in scoring stuff that arrives before 
> the domains show up in the various SURBLs.
> 
Quite possibly, though it seems to have been selectively targeted to
some extent: at least it doesn't seem to have shotgunned the entire
'net. I'm guessing that because: 

- it was bothering a few people on the list for a fair time
- it has apparently taken longer than that to get onto the SURBLS
  so presumably hadn't hit either their honeypots or any/many who
  would report it.
- I've never seen it here. I was simply feeling bored and wrote the
  set of patterns and meta as an exercise.


Martin




Re: russian spam with only two lines in the body

2010-08-27 Thread NFN Smith

Martin Gregorie wrote:



> Alternatively, using a meta rule that combines the above pattern as a
> sub-rule with two like this:
>
> /[a-z]{7,8}[0-9]{4}/
>
> that match against From: and Reply-To: headers would appear to be
> fairly specific and worthy of a big score, but of course you'll have
> spotted that already.


That's the pattern I'm seeing on my own spamtraps -- messages that have 
4 numeric digits in both the From: and Reply-To: addresses.


However, in re-running some of my samples against rules that may do this 
kind of thing, I'm finding that all my samples are getting sufficient 
hits from external queries that the score is high enough to force 
rejection, anyway.


Thus, based on my own observations, it looks like the value of rules in 
this particular area is going to be in scoring stuff that arrives before 
the domains show up in the various SURBLs.


Smith
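
Added example, not part of any post in this thread: a Python emulation of the meta logic discussed above (two-line body ending in a bare .ru/ URL, combined with the /[a-z]{7,8}[0-9]{4}/ pattern on both From: and Reply-To:). The anchored pattern, the function names and all sample messages are assumptions constructed for illustration; it shows that the pattern as posted also matches longer local parts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pattern quoted in the thread, unanchored as posted.
ADDR_AS_POSTED = re.compile(r"[a-z]{7,8}[0-9]{4}")
# Assumption (not from the thread): the pattern must be the whole local part.
ADDR_ANCHORED = re.compile(r"^[a-z]{7,8}[0-9]{4}@")
# Second body line: nothing but a URL whose host ends in .ru and whose path is "/".
RU_ROOT_URL = re.compile(r"^https?://[a-z0-9.-]+\.ru/$", re.IGNORECASE)

# Constructed sample messages (not taken from the pastebin samples in the thread).
SPAM = (
    "From: Some Name <kqzvbxwt4821@sender.example>\n"
    "Reply-To: mprdlfha9034@reply.example\n"
    "Subject: constructed sample\n"
    "\n"
    "A single sentence of advertising text goes here.\n"
    "http://constructed-sample.example.ru/\n"
)
HAM_LONG_NAME = (
    "From: Jonathan Smith <jonathansmith1984@example.com>\n"
    "Reply-To: jonathansmith1984@example.com\n"
    "Subject: conference link\n"
    "\n"
    "Here is the conference page I mentioned.\n"
    "http://conference.example.ru/\n"
)
NEWSLETTER = (
    "From: kqzvbxwt4821@sender.example\n"
    "Reply-To: kqzvbxwt4821@sender.example\n"
    "Subject: long message\n"
    "\n"
    "First paragraph of a longer message.\n"
    "Second line of text.\n"
    "Third line of text.\n"
    "http://constructed-sample.example.ru/\n"
)


def body_is_sentence_plus_ru_url(msg):
    """Sub-rule 1: exactly two non-empty body lines, text then a bare .ru/ URL."""
    if msg.is_multipart():
        return False  # simplification: only single-part text bodies are handled
    lines = [ln.strip() for ln in msg.get_payload().splitlines() if ln.strip()]
    if len(lines) != 2:
        return False
    first_is_text = not lines[0].lower().startswith(("http://", "https://"))
    return first_is_text and bool(RU_ROOT_URL.match(lines[1]))


def both_addresses_match(msg, pattern):
    """Sub-rule 2: the From: and Reply-To: addresses both match the pattern."""
    for header in ("From", "Reply-To"):
        address = parseaddr(msg.get(header, ""))[1].lower()
        if not pattern.search(address):
            return False
    return True


def meta_fires(raw_message, pattern=ADDR_AS_POSTED):
    """Meta rule: fire only when both sub-rules hit, like 'meta X (A && B)'."""
    msg = message_from_string(raw_message)
    return body_is_sentence_plus_ru_url(msg) and both_addresses_match(msg, pattern)


if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM_LONG_NAME), ("newsletter", NEWSLETTER)):
        print(name, meta_fires(raw), meta_fires(raw, ADDR_ANCHORED))
```
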



Re: russian spam with only two lines in the body

2010-08-25 Thread Karsten Bräckelmann
On Wed, 2010-08-25 at 21:31 +0100, Martin Gregorie wrote:
> On Wed, 2010-08-25 at 21:16 +0200, Karsten Bräckelmann wrote:
> > http://pastebin.com/JAEuCSnC
> 
> > Uhm, that's not typical spam. It's actually forum / blog comment spam,
> > helpfully and automatically converted to a mail.
> 
> Sure, but it's off topic and, however ineptly, it's certainly advertising.
> That makes it spam in my book, no matter how it got into the mail
> stream.

IMHO, this is not entirely correct.

SA and its rules are designed to identify spam sent by mail. Not forum
spam. The important difference is, that the latter is *only* the text.

As a consequence, none of the header checks possibly apply. Which is a
very vital part of identifying spam. No DNSBLs, no forged or mangled
headers, no ratware patterns. But a valid(!) sender. The only thing left
in this case is the body.

Effectively, you are trying to use SA as a spam filter for a forum.
Which pretty much equals the situation that has come up recently a few
times: Check text entered in web-form. That is not what SA is designed
to do.


> A high proportion of the spam I receive arrives via Wine mailing list,
> usually originating from the Wine forum or Nabble: stuff from the
> Codeweavers forum is rare. This is probably because none of the Wine
> moderators/maintainers seem to give a toss about spam filtering.

There's your problem.

The forum-to-mail gateway has generated a message you consider spam. The
spammer did not generate a mail message, and probably didn't even intend
it. It's just an additional bonus.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: russian spam with only two lines in the body

2010-08-25 Thread Martin Gregorie
On Wed, 2010-08-25 at 21:16 +0200, Karsten Bräckelmann wrote:
> http://pastebin.com/JAEuCSnC

> Uhm, that's not typical spam. It's actually forum / blog comment spam,
> helpfully and automatically converted to a mail.
>
Sure, but it's off topic and, however ineptly, it's certainly advertising.
That makes it spam in my book, no matter how it got into the mail
stream.

A high proportion of the spam I receive arrives via Wine mailing list,
usually originating from the Wine forum or Nabble: stuff from the
Codeweavers forum is rare. This is probably because none of the Wine
moderators/maintainers seem to give a toss about spam filtering.


Martin




Re: russian spam with only two lines in the body

2010-08-25 Thread Karsten Bräckelmann
On Wed, 2010-08-25 at 01:06 +0300, Ibrahim Harrani wrote:
> Recently, I am getting russian spam like at
> http://pastebin.com/Yf3AusJ4
> 
> Their common characteristic is that there are two lines in the body.
> The first is a sentence, the second is a URL ending with .ru/

Hmm, I don't seem to have any problems with these. In fact, the samples
I just checked are scoring rather high. :)

Please do provide some full, raw samples with all headers, including the
SA headers. Without that information it is impossible to discuss
possible reasons.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: russian spam with only two lines in the body

2010-08-25 Thread Karsten Bräckelmann
On Wed, 2010-08-25 at 19:56 +0100, Martin Gregorie wrote:
> > > BTW, I'm now starting to see spam that doesn't contain any URIs or other
> > > ways of identifying a source for the goods being advertised. So far it's
> > > been for examination aids and footwear and has all been sent via a
> > > mailing list. Is anybody else seeing anything similar?

> http://pastebin.com/JAEuCSnC

Uhm, that's not typical spam. It's actually forum / blog comment spam,
helpfully and automatically converted to a mail.

  Received: from www-data by wine.codeweavers.com with local (Exim 4.69)
   (envelope-from ) id 1Oo5Ji-0002X7-Gy
   for wine-us...@winehq.org; Tue, 24 Aug 2010 21:02:18 -0500

And indeed, the Wine Users forum description on http://forum.winehq.org/
reads: "This forum is linked to the wine-users mailing list."


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: russian spam with only two lines in the body

2010-08-25 Thread Martin Gregorie
On Wed, 2010-08-25 at 20:04 +0200, Benny Pedersen wrote:
> On ons 25 aug 2010 13:37:57 CEST, Martin Gregorie wrote
> > BTW, I'm now starting to see spam that doesn't contain any URIs or other
> > ways of identifying a source for the goods being advertised. So far it's
> > been for examination aids and footwear and has all been sent via a
> > mailing list. Is anybody else seeing anything similar?
> >
> 
> i like to see them if possible
> 
> write REQUEST-81 case sensitive in body
> 
I've dug the most recent one out of my rule test messages collection:

http://pastebin.com/JAEuCSnC

I didn't keep the other recent one - it didn't contain anything
interesting apart from a good page of lines like:

ugg boots  ugg shoes  clark shoes


with typically 5 - 6 such phrases per line.


Martin




Re: russian spam with only two lines in the body

2010-08-25 Thread Martin Gregorie
On Wed, 2010-08-25 at 14:29 +1200, Jason Haar wrote:
> On 08/25/2010 10:06 AM, Ibrahim Harrani wrote:
> > Hi,
> >
> > Recently, I am getting russian spam like at http://pastebin.com/Yf3AusJ4
> >
> > Their common characteristic is that there are two lines in the body.
> > The first is a sentence, the second is a URL ending with .ru/
> >
> This is an example of what I reported a couple of weeks ago, Subject:
> "short pharma spam shoots straight through"
> 
> The content changes per message, along with the link. The From and
> Subject lines intent scream "I am spam" - but are changed every time
> making blocking on string matches time consuming and a losing battle
> 
I've now tested the rule I published last night against my collection of
280 odd examples of spam. It seems as specific as I'd hoped. It hit all
four example texts and doesn't touch anything else in the collection.

BTW, I'm now starting to see spam that doesn't contain any URIs or other
ways of identifying a source for the goods being advertised. So far it's
been for examination aids and footwear and has all been sent via a
mailing list. Is anybody else seeing anything similar?


Martin




Re: russian spam with only two lines in the body

2010-08-24 Thread Benny Pedersen

On ons 25 aug 2010 04:29:02 CEST, Jason Haar wrote


> It's nasty :-(


rules can be nasty too :)

#
# save into local_russian_domains.cf
#

uri __RU_TLD /\.ru\b/i
uri __RU_TLD_WHITE /\bexample\.ru\b/i

meta __URI_LISTED (URIBL_AB_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_BLACK || URIBL_DBL_SPAM || URIBL_SBL || GREY_LISTED_LOCAL || SPAM_LISTED_LOCAL)


meta MATCH_RU_TLD (__RU_TLD && !__URI_LISTED)
describe MATCH_RU_TLD Meta: ru tld matched (properly new spam domain)
score MATCH_RU_TLD 10

# meta MATCH_RU_TLD_WHITE (__RU_TLD_WHITE)
# describe MATCH_RU_TLD_WHITE Meta: ru tld matched (but verified not a spam domain)

# score MATCH_RU_TLD_WHITE -10

# thats my first version

# meta 2ND_MATCH_RU_TLD_WHITE (__RU_TLD && !__RU_TLD_WHITE)
# this version does not need the -10 score

# last version

if it does not work make it better

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: russian spam with only two lines in the body

2010-08-24 Thread Jason Haar
 On 08/25/2010 10:06 AM, Ibrahim Harrani wrote:
> Hi,
>
> Recently, I am getting russian spam like at http://pastebin.com/Yf3AusJ4
>
> Their common characteristic is that there are two lines in the body.
> The first is a sentence, the second is a URL ending with .ru/
>
This is an example of what I reported a couple of weeks ago, Subject:
"short pharma spam shoots straight through"

The content changes per message, along with the link. The From and
Subject lines intent scream "I am spam" - but are changed every time
making blocking on string matches time consuming and a losing battle

It's nasty :-(

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



russian spam with only two lines in the body

2010-08-24 Thread Ibrahim Harrani
Hi,

Recently, I am getting russian spam like at http://pastebin.com/Yf3AusJ4

Their common characteristic is that there are two lines in the body.
The first is a sentence, the second is a URL ending with .ru/

How can I write a rule for this type of spam? Or can the SpamAssassin team write
a rule to distribute via sa-learn update?


Thanks.


Re: Russian spam

2010-01-25 Thread Matus UHLAR - fantomas
> On 1-25-2010 8:42 AM, Richard Smits wrote:
>> Does anyone know any tricks to fight russian spam ? We are getting a
>> lot of this for the last weeks.

On 25.01.10 08:56, Dan Schaefer wrote:
> I have dealt with Russian spam by using on "en" in the ok_languages  
> variable and increasing the score for "UNWANTED_LANGUAGE_BODY" to 10. I  
> also increased the "CHARSET_FARAWAY" and "CHARSET_FARAWAY_HEADER"  
> scores. However, the email addresses on the server I manage are all  
> English speaking people, so be careful with the changes you make.

I think that properly configured ok_locales and ok_languages should catch
most of russian spam, of course unless you put 'ru' there :)

It's also never bad to train those as spam...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: Russian spam

2010-01-25 Thread Dan Schaefer

On 1-25-2010 8:42 AM, Richard Smits wrote:
> Does anyone know any tricks to fight russian spam ? We are getting a
> lot of this for the last weeks.

I have dealt with Russian spam by using on "en" in the ok_languages 
variable and increasing the score for "UNWANTED_LANGUAGE_BODY" to 10. I 
also increased the "CHARSET_FARAWAY" and "CHARSET_FARAWAY_HEADER" 
scores. However, the email addresses on the server I manage are all 
English speaking people, so be careful with the changes you make.


Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Russian spam

2010-01-25 Thread Richard Smits

Hello,

Does anyone know any tricks to fight russian spam ? We are getting a
lot of this for the last weeks.


I am looking at the RelayCountry plugin, but am worried that our russian 
customers will get more false positives.


It is difficult because SA does not recognize the russian charset, but 
are there some secret tricks i should know about ?


Greetings, Richard ...


Re: Eliminating russian spam

2009-09-22 Thread Makoev Alan
Thank you, John!
Both "how-to" (http://sa-russian.narod.ru/no_russian.html) and the ruleset 
(http://sa-russian.narod.ru/files/20090916/99_no_russian_mail.cf) are updated.


Re: Eliminating russian spam

2009-09-21 Thread John Hardin

On Tue, 22 Sep 2009, Makoev Alan wrote:

> I've written brief "how-to" for blocking E-mail in Russian. It's
> intended for those who are confident that any message in Russian sent to
> them is nothing but spam. See it here:
> http://sa-russian.narod.ru/no_russian.html I'd like to see SA experts
> opinions and advices.
>
>
>   However, the message can be a MIME "multipart" one with charset
>   declarations preceding the parts within the body, so this should be
>   "full message" rule:

Not true, and bad advice (at least from a performance standpoint). Take a 
look at the mimeheader plugin and avoid using "full" rules.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 19 days since a sunspot last seen - EPA blames CO2 emissions


Re: Russian spam

2009-01-15 Thread Michael Scheidell
> Anyone know of any good rule-sets to block this sort of spam?
> 
> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt
> 
I get 17 points on that one. And looked the ip up manually on xbl and it is
there because its on cbl:

http://cbl.abuseat.org/lookup.cgi?ip=84.16.105.146

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.3 TVD_RCVD_IP4           TVD_RCVD_IP4
 1.6 TVD_RCVD_IP            TVD_RCVD_IP
 3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 3.2 CHARSET_FARAWAY        BODY: Character set indicates a foreign language
 2.5 MIME_CHARSET_FARAWAY   MIME character set indicates foreign language

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer




Re: Russian spam

2009-01-15 Thread Stefan Luetje
On 15 Jan 2009 at 01:35 CET, Francis Russell wrote:
> Anyone know of any good rule-sets to block this sort of spam?
> 
> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

,
| X-Spam-Flag: YES
| X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on debian64.potato.lan
| X-Spam-Level: *
| X-Spam-Status: Yes, score=37.7 required=5.0 tests=BAYES_60,BOTNET,
|   CHARSET_FARAWAY,CHARSET_FARAWAY_HEADER,KAM_THEBAT,LOCAL_CHARSET_SUBJECT,
|   MIME_CHARSET_FARAWAY,RCVD_IN_BRBL,RCVD_IN_XBL,SAGREY,SARE_SUB_ENC_KOI8R,
|   TVD_RCVD_IP,TVD_RCVD_IP4,URICOUNTRY_RU,VERYBADRELAY,YAHOO_FILTER
|   autolearn=spam version=3.2.5
| X-Spam-Flag: YES
| X-Spam-Relay-Country: CZ CZ CZ
| X-Spam-Report: 
|   *  3.0 URICOUNTRY_RU Contains a URI hosted in Russland
|   *  2.5 YAHOO_FILTER von YAHOO als Spam erkannt
|   *  1.5 KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
|   *  3.0 LOCAL_CHARSET_SUBJECT Contains charsets we don't accept
|   *  0.7 SARE_SUB_ENC_KOI8R Subject specifies display in non-English lang
|   *  1.9 TVD_RCVD_IP TVD_RCVD_IP
|   *  3.2 TVD_RCVD_IP4 TVD_RCVD_IP4
|   *  3.0 RCVD_IN_XBL RBL: Transportiert via Rechner in XBL-Liste
|   *  (http://www.spamhaus.org/xbl/)
|   *  [84.16.105.146 listed in zen.spamhaus.org]
|   *  2.0 RCVD_IN_BRBL RBL: Received via a relay in Barracuda BRBL
|   *  [84.16.105.146 listed in bb.barracudacentral.org]
|   *  3.0 BOTNET Relay might be a spambot or virusbot
|   *  [botnet0.8,ip=84.16.105.146,rdns=84.16.105.146,baddns,client,ipinhostname]
|   *  3.2 CHARSET_FARAWAY_HEADER Fremdsprachlicher Zeichensatz in Kopfzeilen
|   *  benutzt
|   *  1.0 BAYES_60 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 60-80%
|   *  [score: 0.6228]
|   *  3.2 CHARSET_FARAWAY BODY: Zeichensatz deutet auf fremde Sprache hin
|   *  3.0 VERYBADRELAY very bad Relay
|   *  2.5 MIME_CHARSET_FARAWAY MIME-Zeichensatz deutet auf fremde Sprache hin
|   *  1.0 SAGREY Adds 1.0 to spam from first-time senders
`

My user_prefs:



Regards
Stefan
 
-- 
,-.
|Stefan Lütje   | "Boah, die Schweine - haben mir tatsächlich  |
| stefan.lue...@t-online.de |   Alkohol ins Bier geschmuggelt!" Stromberg  |
`Key fingerprint = BCB2 48E4 9211 C975 5A3F  B192 9B6E CCCF 99CC 44FA-'





Re: Russian spam

2009-01-14 Thread Francis Russell
Benny Pedersen wrote:

Unfortunately, these two are because I receive mail via BT/Yahoo who
never do a PTR lookup on the IP.

>  3.3 TVD_RCVD_IP4           TVD_RCVD_IP4
>  1.6 TVD_RCVD_IP            TVD_RCVD_IP

Oddly, I can't get this one to fire on my SA install.

>  2.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily

Francis


Re: Russian spam

2009-01-14 Thread Ned Slider

Michael Hutchinson wrote:

> Hello,
>
> Be careful with the character-set matching rules. I was using some of them and
> got a high rate of FP's - it was mainly because of the koi8-r charset, and
> scoring against that meant I was also scoring against perfectly legitimate
> technical resource newsletters that are in English.
>
> Cheers,
> Mike




Indeed Mike. I've noticed the occasional FP in English written mails
from Russian companies such as the AV vendor Kaspersky. In general
though I find they hit more for spam than ham for me - YMMV.






Re: Russian spam

2009-01-14 Thread Benny Pedersen

On Thu, January 15, 2009 01:35, Francis Russell wrote:

> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

Content analysis details:   (12.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URICOUNTRY_RU          Contains a URI hosted in RU
 3.3 TVD_RCVD_IP4           TVD_RCVD_IP4
 1.6 TVD_RCVD_IP            TVD_RCVD_IP
 2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.16.105.146 listed in zen.spamhaus.org]
 2.0 FROM_EXCESS_BASE64     From: base64 encoded unnecessarily
 1.3 SAGREY                 Adds score to spam from first-time senders

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



RE: Russian spam

2009-01-14 Thread Michael Hutchinson
Hello,

Be careful with the character-set matching rules. I was using some of them and 
got a high rate of FP's - it was mainly because of the koi8-r charset, and 
scoring against that meant I was also scoring against perfectly legitimate 
technical resource newsletters that are in English.

Cheers,
Mike


-Original Message-
From: Ned Slider [mailto:n...@unixmail.co.uk] 
Sent: Thursday, 15 January 2009 2:04 p.m.
To: users@spamassassin.apache.org
Subject: Re: Russian spam

Francis Russell wrote:
> Anyone know of any good rule-sets to block this sort of spam?
> 
> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt
> 
> I find that Pyzor and Razor completely miss it as well as the DNS
> blacklists (although I believe this one has a relay in one of the
> Spamhaus ones now). I'm aware of the language whitelisting feature but
> presumably there is a better way then just assuming everything in
> language x is spam?
> 
> Francis
> 

If you want something that's language specific, checking for koi8-r can 
be quite effective, but if you do receive legitimate Russian mail then 
it may lead to FPs. Anyway, here's a rule to check the subject that 
would hit your example:

header  LOCAL_CHARSET_SUBJECT   Subject:raw =~ /\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i

There's a few other foreign character sets  thrown in there that I also 
reject - edit to suit your needs.

Looking at the rest of the mail, I have a few other custom rules that 
fire on your example:


header  LOCAL_THEBAT_MUA        X-Mailer =~ /^The Bat!/

uri     LOCAL_URI_RU            m{https?://.{1,40}\.ru\b}
uri     LOCAL_URI_CHAT_RU       m{https?://.{1,40}\.chat\.ru\b}

I score against The Bat MUA, and also against any [dot] ru domains, plus 
an additional (additive) score for [dot] chat [dot] ru  URIs. I have no 
legitimate use for these in emails (I also have a similar rule for 
Chinese domains that's very popular!)

So I have 4 or 5 custom rules that all score against your example and 
add a little to the score taking it well over the spam threshold.
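
Added example, not part of any post in this thread: a Python check that applies the LOCAL_CHARSET_SUBJECT regex to raw Subject headers and compares it with the share of Cyrillic letters in the decoded text, which illustrates the false-positive warning above. The first Subject is the one from the 2006 sample quoted on this page; the English koi8-r subject, the UTF-8 subject, the function names and the 0.5 threshold are assumptions constructed for illustration.

```python
import re
from email.header import Header, decode_header

# Regex from the LOCAL_CHARSET_SUBJECT rule above, applied to the raw header text.
CHARSET_RULE = re.compile(r"\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?", re.IGNORECASE)

# Subject header from the 2006 sample quoted on this page.
PAGE_SUBJECT = "Re[6]: =?koi8-r?B?9Nkgzc7Px88gxMzRIM3FztEg2s7B3snb2A==?= davavsheju"
# Constructed: English text that merely declares koi8-r (the reported FP case).
ENGLISH_KOI8 = "=?koi8-r?Q?Weekly_kernel_patch_digest?="
# Constructed: Russian text sent as UTF-8, a charset the rule does not list.
UTF8_RUSSIAN = Header("Новейшие базы данных", "utf-8").encode()


def charset_rule_hits(raw_subject):
    """True when the declared charset of an encoded-word is on the rule's list."""
    return bool(CHARSET_RULE.search(raw_subject))


def decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words into one Unicode string."""
    parts = []
    for chunk, charset in decode_header(raw_subject):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label unknown to Python
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)


def cyrillic_share(raw_subject):
    """Fraction of letters in the decoded subject that are in the Cyrillic block."""
    letters = [ch for ch in decode_subject(raw_subject) if ch.isalpha()]
    if not letters:
        return 0.0
    cyrillic = sum(1 for ch in letters if "\u0400" <= ch <= "\u04ff")
    return cyrillic / len(letters)


def assess(raw_subject, threshold=0.5):
    """Compare the charset-label rule with a content-based check."""
    share = cyrillic_share(raw_subject)
    return {
        "charset_rule": charset_rule_hits(raw_subject),
        "cyrillic_share": round(share, 2),
        "content_rule": share >= threshold,
    }


if __name__ == "__main__":
    for subject in (PAGE_SUBJECT, ENGLISH_KOI8, UTF8_RUSSIAN):
        print(assess(subject), repr(decode_subject(subject)))
```
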






Re: Russian spam

2009-01-14 Thread Ned Slider

Francis Russell wrote:

> Anyone know of any good rule-sets to block this sort of spam?
>
> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt
>
> I find that Pyzor and Razor completely miss it as well as the DNS
> blacklists (although I believe this one has a relay in one of the
> Spamhaus ones now). I'm aware of the language whitelisting feature but
> presumably there is a better way then just assuming everything in
> language x is spam?
>
> Francis



If you want something that's language specific, checking for koi8-r can 
be quite effective, but if you do receive legitimate Russian mail then 
it may lead to FPs. Anyway, here's a rule to check the subject that 
would hit your example:


header  LOCAL_CHARSET_SUBJECT   Subject:raw =~ /\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i


There's a few other foreign character sets  thrown in there that I also 
reject - edit to suit your needs.


Looking at the rest of the mail, I have a few other custom rules that 
fire on your example:



header  LOCAL_THEBAT_MUA        X-Mailer =~ /^The Bat!/

uri     LOCAL_URI_RU            m{https?://.{1,40}\.ru\b}
uri     LOCAL_URI_CHAT_RU       m{https?://.{1,40}\.chat\.ru\b}

I score against The Bat MUA, and also against any [dot] ru domains, plus 
an additional (additive) score for [dot] chat [dot] ru  URIs. I have no 
legitimate use for these in emails (I also have a similar rule for 
Chinese domains that's very popular!)


So I have 4 or 5 custom rules that all score against your example and 
add a little to the score taking it well over the spam threshold.







RE: Russian spam

2009-01-14 Thread Michael Hutchinson
Hello,

You could write a Meta rule that contained two sub rules - one for matching 
"The Bat!" mailer, and the other matching the "chat.ru" link at the bottom. 
Fire a score if both rules hit. It may not be optimal, but it got rid of that 
Spam for me, and I haven't had a FP yet.

If you check out the meta that was posted on here not long ago to do with the 
"Spaces Live" Spam, that has a very similar concept, involving The Bat mailer 
and Spaces Live links at the bottom of the Spam.

Cheers,
Mike


-Original Message-
From: Francis Russell [mailto:francis+saus...@unchartedbackwaters.co.uk] 
Sent: Thursday, 15 January 2009 1:35 p.m.
To: users@spamassassin.apache.org
Subject: Russian spam

Anyone know of any good rule-sets to block this sort of spam?

http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

I find that Pyzor and Razor completely miss it as well as the DNS
blacklists (although I believe this one has a relay in one of the
Spamhaus ones now). I'm aware of the language whitelisting feature but
presumably there is a better way then just assuming everything in
language x is spam?

Francis


Russian spam

2009-01-14 Thread Francis Russell
Anyone know of any good rule-sets to block this sort of spam?

http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

I find that Pyzor and Razor completely miss it as well as the DNS
blacklists (although I believe this one has a relay in one of the
Spamhaus ones now). I'm aware of the language whitelisting feature but
presumably there is a better way then just assuming everything in
language x is spam?

Francis


RE: russian spam

2007-12-05 Thread Jean-Paul Natola



Jean-Paul Natola wrote:
> Hi all,
> 
> Is there a plugin and/or rule to block  russian spam?
> 
> Here's a sample

[...]

> Jean-Paul

I think the key is to give special score for "cyrillic chars" (unless 
this doesnt affect your regular mails).

Perhaps:

ok_locales

e.g:
ok_locales en

But i dont expect too much of it ;-)
(ok_languages is afair not that reliable, cmiiw).

Perhaps the URICountryPlugin could help too.

There was a message with a similar problem on the list but i dont find 


We get email  ONLY in English/Spanish/French- 

I can safely block all others 




Re: russian spam

2007-12-05 Thread Matthias Haegele

Jean-Paul Natola wrote:

> Hi all,
>
> Is there a plugin and/or rule to block  russian spam?
>
> Here's a sample


[...]


> Jean-Paul


I think the key is to give special score for "cyrillic chars" (unless 
this doesnt affect your regular mails).


Perhaps:

ok_locales

e.g:
ok_locales en

But i dont expect too much of it ;-)
(ok_languages is afair not that reliable, cmiiw).

Perhaps the URICountryPlugin could help too.

There was a message with a similar problem on the list but i dont find 
it now ...


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



russian spam

2007-12-05 Thread Jean-Paul Natola
Hi all,

Is there a plugin and/or rule to block  russian spam?

Here's a sample

Новейшие базы данных

*   Физические лица Москвы и М О 2006 г. (телефоны, прописка,
собственность) 2000 р.
*   ГАИ Москвы и М О и Р Ф (авто, владельцы, вод/уд, ДТП, ПДД, розыск)
2007 г. 2000 руб.
*   Пенсионный фонд (налоговая по физ.лицам - место работы, жительства,
доход) 2000 руб.
*   Юр.лица и предприятия Москвы и Р Ф 2006 г. (регистрационные и
фактические данные) 2000 руб.
*   ГТК. Внешнеэкономическая деятельность 1999- 2007 г.г. РФ и Украина.
*   Антикриминал полный сборник по криминальной тематике. по2007 г.г.
2000 руб.
*   Регионы России (физ. и юр. лица крупнейших городов России). Полный
сборник 3000 руб.
*   Банковские переводы (данные РКЦ ЦБ) 6000 руб.







Jean-Paul



Re: Russian Spam

2006-04-15 Thread mouss

Kristopher Austin wrote:

> I have received several copies of a spam message that is in Russian (I think
> it's Russian).  I get maybe 1 or 2 a week.  I wish I could block all Russian
> messages, but we are a University and could easily have Russian students.  I am
> unable to read this message and therefore have no ideas on how to block this.
> Can anyone help me out with suggestions?
>
> I apologize if this has been discussed in the last week.  I haven't had time to
> catch up on list messages over the last couple of days and didn't see anything
> skimming the subjects of recent threads.
>
> Thanks,
> Kris
>
> Message with full headers below:
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from gateway3.oc.edu ([205.143.222.12]) by fsmail.oc.edu with
> Microsoft SMTPSVC(6.0.3790.211);
>  Thu, 13 Apr 2006 08:50:17 -0500
> Received: from ip-189.net-82-216-33.toulouse.rev.numericable.fr
> ([82.216.33.189])(helo=ip-189.net-82-216-33.toulouse.rev.numericable.fr)
> by gateway3.oc.edu with smtp (Exim 4.54)
> id 1FU2CH-0008JS-AY
> for [EMAIL PROTECTED]; Thu, 13 Apr 2006 08:49:43 -0500



so you got the mail from
ip-189.net-82-216-33.toulouse.rev.numericable.fr
you could greylist (or just block?) mail from such clients.


Re: Russian Spam

2006-04-14 Thread Philip Prindeville
Are you running Mimedefang?

It might be a start.

We block email from subscriber addresses at networks that are known to be
large sources of spam.

See:

http://www.mimedefang.org/kwiki/index.cgi?PhilipsWorkingFilter

in particular, how %bad_tld's is used.

-Philip


Kristopher Austin wrote:

>I have received several copies of a spam message that is in Russian (I think 
>it's Russian).  I get maybe 1 or 2 a week.  I wish I could block all Russian 
>messages, but we are a University and could easily have Russian students.  I 
>am unable to read this message and therefore have no ideas on how to block 
>this.  Can anyone help me out with suggestions?
>
>I apologize if this has been discussed in the last week.  I haven't had time 
>to catch up on list messages over the last couple of days and didn't see 
>anything skimming the subjects of recent threads.
>
>Thanks,
>Kris
>
>Message with full headers below:
>
>Microsoft Mail Internet Headers Version 2.0
>Received: from gateway3.oc.edu ([205.143.222.12]) by fsmail.oc.edu with 
>Microsoft SMTPSVC(6.0.3790.211);
>Thu, 13 Apr 2006 08:50:17 -0500
>Received: from ip-189.net-82-216-33.toulouse.rev.numericable.fr 
>([82.216.33.189])(helo=ip-189.net-82-216-33.toulouse.rev.numericable.fr)
>   by gateway3.oc.edu with smtp (Exim 4.54)
>   id 1FU2CH-0008JS-AY
>   for [EMAIL PROTECTED]; Thu, 13 Apr 2006 08:49:43 -0500
>From: "Litvinova Elena" <[EMAIL PROTECTED]>
>To: "Samusenko Tat'jana" <[EMAIL PROTECTED]>
>Date: Thu, 13 Apr 2006 13:50:06 +
>Message-ID: <[EMAIL PROTECTED]>
>MIME-Version: 1.0
>Content-Type: text/plain;
>   format=flowed;
>   charset="koi8-r";
>   reply-type=original
>Content-Transfer-Encoding: 8bit
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2800.1441
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>X-SA-Exim-Connect-IP: 82.216.33.189
>X-SA-Exim-Rcpt-To: [EMAIL PROTECTED]
>X-SA-Exim-Mail-From: [EMAIL PROTECTED]
>X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on gateway3.oc.edu
>X-Spam-Level: 
>X-Spam-Status: No, score=0.3 required=5.0 tests=DNS_FROM_AHBL_RHSBL,RELAY_FR 
>   autolearn=disabled version=3.1.0
>Subject: Re[6]: =?koi8-r?B?9Nkgzc7Px88gxMzRIM3FztEg2s7B3snb2A==?= davavsheju
>X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
>X-SA-Exim-Scanned: Yes (on gateway3.oc.edu)
>Return-Path: [EMAIL PROTECTED]
>X-OriginalArrivalTime: 13 Apr 2006 13:50:17.0572 (UTC) 
>FILETIME=[32A1FA40:01C65F01]
>
>Рад Вас снова видеть!
>
>Вы собираетесь в США? Хотите свободно работать
>с технической документацией? Расширить свой кругозор?
>
>Центр Американского Английского
>приглашает выучить английский язык!!!
>Все стадии обучения - от нуля до высшего. Ассоциативно-
>образная методика. Преподаватели из США.
>
>Без больших скидок не уйдёте! :)
>
>Наши телефоны в Москве:
>105 пять-один-восемь-шесть
>два-три-восемь-три-три-восемь-шесть
>
>
>Не хотите получать информацию от Центра? Отправьте свой адрес нам:
>[EMAIL PROTECTED]
>
>
>
>сил. Но он не мог понять того, -- вдруг как бы вырвавшимся тонким голосом
>закричал князь Андрей, -- но он не мог понять, что мы в первый раз дрались
>там за русскую землю, что в войсках был такой дух, какого никогда я не
>видал, что мы два дня сряду отбивали французов и что этот успех удесятерял
>наши силы. Он велел отступать, и все усилия и потери пропали даром. Он не
>думал об измене, он старался все сделать как можно лучше, он все обдум
>от этого-то он и не годится. Он не годится теперь именно потому, что он все
>обдумывает очень основательно и аккуратно, как и следует всякому немцу. Как
>бы тебе сказать... Ну, у отца твоего немец-лакей, и он прекрасный лакей и
>удовлетворит всем его нуждам лучше тебя, и пускай он служит; но ежели отец
>при смерти болен, ты прогонишь лакея и своими непривычными, неловкими 
>станешь ходить за отцом и лучше успокоишь его, чем искусный, но чужой
>человек. Так и сделали с Барклаем. Пока Россия была здорова, ей мог служить
>
>  
>



Russian Spam

2006-04-13 Thread Kristopher Austin
I have received several copies of a spam message that is in Russian (I think 
it's Russian).  I get maybe 1 or 2 a week.  I wish I could block all Russian 
messages, but we are a University and could easily have Russian students.  I am 
unable to read this message and therefore have no ideas on how to block this.  
Can anyone help me out with suggestions?

I apologize if this has been discussed in the last week.  I haven't had time to 
catch up on list messages over the last couple of days and didn't see anything 
skimming the subjects of recent threads.

Thanks,
Kris

Message with full headers below:

Microsoft Mail Internet Headers Version 2.0
Received: from gateway3.oc.edu ([205.143.222.12]) by fsmail.oc.edu with 
Microsoft SMTPSVC(6.0.3790.211);
 Thu, 13 Apr 2006 08:50:17 -0500
Received: from ip-189.net-82-216-33.toulouse.rev.numericable.fr 
([82.216.33.189])(helo=ip-189.net-82-216-33.toulouse.rev.numericable.fr)
by gateway3.oc.edu with smtp (Exim 4.54)
id 1FU2CH-0008JS-AY
for [EMAIL PROTECTED]; Thu, 13 Apr 2006 08:49:43 -0500
From: "Litvinova Elena" <[EMAIL PROTECTED]>
To: "Samusenko Tat'jana" <[EMAIL PROTECTED]>
Date: Thu, 13 Apr 2006 13:50:06 +
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="koi8-r";
reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1441
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-SA-Exim-Connect-IP: 82.216.33.189
X-SA-Exim-Rcpt-To: [EMAIL PROTECTED]
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on gateway3.oc.edu
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=5.0 tests=DNS_FROM_AHBL_RHSBL,RELAY_FR 
autolearn=disabled version=3.1.0
Subject: Re[6]: =?koi8-r?B?9Nkgzc7Px88gxMzRIM3FztEg2s7B3snb2A==?= davavsheju
X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-SA-Exim-Scanned: Yes (on gateway3.oc.edu)
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 13 Apr 2006 13:50:17.0572 (UTC) 
FILETIME=[32A1FA40:01C65F01]

Рад Вас снова видеть!

Вы собираетесь в США? Хотите свободно работать
с технической документацией? Расширить свой кругозор?

Центр Американского Английского
приглашает выучить английский язык!!!
Все стадии обучения - от нуля до высшего. Ассоциативно-
образная методика. Преподаватели из США.

Без больших скидок не уйдёте! :)

Наши телефоны в Москве:
105 пять-один-восемь-шесть
два-три-восемь-три-три-восемь-шесть


Не хотите получать информацию от Центра? Отправьте свой адрес нам:
[EMAIL PROTECTED]



сил. Но он не мог понять того, -- вдруг как бы вырвавшимся тонким голосом
закричал князь Андрей, -- но он не мог понять, что мы в первый раз дрались
там за русскую землю, что в войсках был такой дух, какого никогда я не
видал, что мы два дня сряду отбивали французов и что этот успех удесятерял
наши силы. Он велел отступать, и все усилия и потери пропали даром. Он не
думал об измене, он старался все сделать как можно лучше, он все обдум
от этого-то он и не годится. Он не годится теперь именно потому, что он все
обдумывает очень основательно и аккуратно, как и следует всякому немцу. Как
бы тебе сказать... Ну, у отца твоего немец-лакей, и он прекрасный лакей и
удовлетворит всем его нуждам лучше тебя, и пускай он служит; но ежели отец
при смерти болен, ты прогонишь лакея и своими непривычными, неловкими 
станешь ходить за отцом и лучше успокоишь его, чем искусный, но чужой
человек. Так и сделали с Барклаем. Пока Россия была здорова, ей мог служить