RE: Spam with Re[2]: or Re[4]:
Loren:

Thanks for the suggestion. I tried it but I am getting a parsing error with no details when I do a spamassassin --lint. I am running on 2.64. Is this rule using something that is not in that version?

Thanks,
Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 17, 2005 8:19 AM
To: users@spamassassin.apache.org
Subject: Re: Spam with Re[2]: or Re[4]:

> Subject: RE: Spam with Re[2]: or Re[4]:
>
> Using the following as a rule set, spam with the above subject line is still getting through -
>
> # Check for bad RE[ tag
> header BAD_RE_TAG Subject =~ /\b"Re"\[\b/i
> score BAD_RE_TAG 6.0
>
> What am I doing wrong ?

Probably several things, starting with the quotation marks. Try the following, but give it a low score to start - I almost guarantee it will FP!

header MY_BAD_RE Subject =~ /^\s{0,10}Re\s{0,5}\[\d+(?:\/\d+)?\]/i

Loren

(BTW, that is untested, so may have problems.)
Re: Spam with Re[2]: or Re[4]:
> Subject: RE: Spam with Re[2]: or Re[4]:
>
> Using the following as a rule set, spam with the above subject line is still getting through -
>
> # Check for bad RE[ tag
> header BAD_RE_TAG Subject =~ /\b"Re"\[\b/i
> score BAD_RE_TAG 6.0
>
> What am I doing wrong ?

Probably several things, starting with the quotation marks. Try the following, but give it a low score to start - I almost guarantee it will FP!

header MY_BAD_RE Subject =~ /^\s{0,10}Re\s{0,5}\[\d+(?:\/\d+)?\]/i

Loren

(BTW, that is untested, so may have problems.)
Re: Spam with Re[2]: or Re[4]:
Stucki gave a good regex to match this a couple of days ago, as well as a good explanation of what the regex was constructed to do. Perhaps you missed it:

http://marc.theaimsgroup.com/?l=spamassassin-users&m=112681463528425&w=2

Mike

Robert Menschel wrote:
> Hello Ronald,
>
> Friday, September 16, 2005, 4:46:38 AM, you wrote:
>
> RIN> Using the following as a rule set, spam with the above subject line
> RIN> is still getting through -
> RIN> # Check for bad RE[ tag
> RIN> header BAD_RE_TAG Subject =~ /\b"Re"\[\b/i
> RIN> score BAD_RE_TAG 6.0
> RIN> What am I doing wrong ?
>
> You're not matching the subject correctly? I don't remember ever seeing "Re" with quotes in any subject. Re is common, but not "Re"
>
> Perhaps if you gave us a full sample of what you're trying to match...
>
> Bob Menschel
Re[2]: Spam with Re[2]: or Re[4]:
Hello Ronald,

Friday, September 16, 2005, 4:46:38 AM, you wrote:

RIN> Using the following as a rule set, spam with the above subject line
RIN> is still getting through -
RIN> # Check for bad RE[ tag
RIN> header BAD_RE_TAG Subject =~ /\b"Re"\[\b/i
RIN> score BAD_RE_TAG 6.0
RIN> What am I doing wrong ?

You're not matching the subject correctly? I don't remember ever seeing "Re" with quotes in any subject. Re is common, but not "Re"

Perhaps if you gave us a full sample of what you're trying to match...

Bob Menschel
Re: Spam with Re[2]: or Re[4]:
Run 3.04 or 3.10 on a test machine for a few willing accounts. Once you see if all your desired features seem to be working then roll it into production.

Since Loren writes SARE rules and needs to see a version of the body that matches what the body rules test against a feature that was in 2.64 and removed from 3.04 has magically reappeared in my version of 3.04. I also removed the silly tests designed to avoid wraps at 80 characters in reports. Other than that and selecting the correct rule sets I've had no problems at all.)

{^_^}

- Original Message -
From: "Ronald I. Nutter" <[EMAIL PROTECTED]>

I am at 2.6.4. After seeing all the horror stories of upgrades and my lesser knowledge of Linux as compare to most on this forum, I was reluctant to go forward with the upgrade.

Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696

-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]

On Thursday 15 September 2005 10:11 am, Ronald I. Nutter wrote:
> I am trying to write a rule to block these based on subject line but
> keep getting regex errors. It seems to be related to trying to put in
> the [ character/symbol. Can someone provide an example of how they
> did it?
>
> Thanks,
> Ron

Ron, these are caught with the standard rulesets, network tests and RBL tests here with SA 3.0.4:

Re[9]:

Content analysis details:   (22.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_ADULT2            BODY: Contains adult material
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.6 MY_XXX_BODY            RAW: XXX terms in body.
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: efficacies.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: efficacies.net]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: efficacies.net]
 3.0 URIBL_SC2_SURBL        Has URI in SC2 at http://www.surbl.org/lists.html
                            [URIs: efficacies.net]
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

--
Chris
Registered Linux User 283774 http://counter.li.org
21:01:02 up 5 days, 9:13, 1 user, load average: 1.92, 1.20, 1.28
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: Spam with Re[2]: or Re[4]:
On Friday 16 September 2005 06:42 am, Ronald I. Nutter wrote:
> I am at 2.6.4. After seeing all the horror stories of upgrades and my
> lesser knowledge of Linux as compare to most on this forum, I was reluctant
> to go forward with the upgrade.
>
> Ron

I do all my SA installs/upgrades via CPAN and have yet to have any problems.

--
Chris
Registered Linux User 283774 http://counter.li.org
13:48:33 up 6 days, 2:01, 1 user, load average: 0.66, 0.59, 0.35
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
RE: Spam with Re[2]: or Re[4]:
From: Ronald I. Nutter [mailto:[EMAIL PROTECTED]
>
> I am at 2.6.4. After seeing all the horror stories of upgrades and
> my lesser knowledge of Linux as compare to most on this forum, I was
> reluctant to go forward with the upgrade.

The thing with all the upgrade horror stories is that there are many times more people who upgraded with no problems and just didn't post about it. Human nature says that people complain when things go wrong, but take it for granted when things work properly.

I have kept my systems up to date since I originally installed SA 2.55. I'm currently running 3.0.4 and I'll move up to 3.1 in a week or so once everyone else has ironed out any problems. :) I use CPAN to do the upgrades and I have never had any problems with them. The last upgrade required me to change my Bayes learning scripts to use the new option names, but that's it.

CPAN works for me, but you should stick with your original install method (rpm, yum, build from tarball, etc) to avoid problems. Different install methods place files in different locations, so if you mix them, it can cause problems.

Go ahead and upgrade. The benefits usually outweigh the risks. Just make sure to read the README, INSTALL, and UPGRADE documentation so that you are aware of any changes in structure, options, requirements, or features. It's also a good idea to run through the list of required Perl modules and make sure you have the latest version of all of them.

As far as a lesser knowledge of Linux, that's not really an issue here. If I remember correctly, most of the upgrade problems were related to Bayes database issues. So the worst case is that you delete the database and start Bayes from scratch. With all of the other enhancements in SA 3.1, that's not a bad deal even if it were guaranteed to happen.

Bowie
RE: Spam with Re[2]: or Re[4]:
Using the following as a rule set, spam with the above subject line is still getting through -

# Check for bad RE[ tag
header BAD_RE_TAG Subject =~ /\b"Re"\[\b/i
score BAD_RE_TAG 6.0

What am I doing wrong ? I am using the default spam level of 5.0 with 2.6.4.

Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
RE: Spam with Re[2]: or Re[4]:
I am at 2.6.4. After seeing all the horror stories of upgrades and my lesser knowledge of Linux as compare to most on this forum, I was reluctant to go forward with the upgrade.

Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696

-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 10:07 PM
To: users@spamassassin.apache.org
Cc: Ronald I. Nutter
Subject: Re: Spam with Re[2]: or Re[4]:

On Thursday 15 September 2005 10:11 am, Ronald I. Nutter wrote:
> I am trying to write a rule to block these based on subject line but
> keep getting regex errors. It seems to be related to trying to put in
> the [ character/symbol. Can someone provide an example of how they
> did it?
>
> Thanks,
> Ron

Ron, these are caught with the standard rulesets, network tests and RBL tests here with SA 3.0.4:

Re[9]:

Content analysis details:   (22.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_ADULT2            BODY: Contains adult material
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.6 MY_XXX_BODY            RAW: XXX terms in body.
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: efficacies.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: efficacies.net]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: efficacies.net]
 3.0 URIBL_SC2_SURBL        Has URI in SC2 at http://www.surbl.org/lists.html
                            [URIs: efficacies.net]
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

--
Chris
Registered Linux User 283774 http://counter.li.org
21:01:02 up 5 days, 9:13, 1 user, load average: 1.92, 1.20, 1.28
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: Spam with Re[2]: or Re[4]:
On Thursday 15 September 2005 10:11 am, Ronald I. Nutter wrote:
> I am trying to write a rule to block these based on subject line but
> keep getting regex errors. It seems to be related to trying to put in
> the [ character/symbol. Can someone provide an example of how they did
> it?
>
> Thanks,
> Ron

Ron, these are caught with the standard rulesets, network tests and RBL tests here with SA 3.0.4:

Re[9]:

Content analysis details:   (22.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_ADULT2            BODY: Contains adult material
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.6 MY_XXX_BODY            RAW: XXX terms in body.
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: efficacies.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: efficacies.net]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: efficacies.net]
 3.0 URIBL_SC2_SURBL        Has URI in SC2 at http://www.surbl.org/lists.html
                            [URIs: efficacies.net]
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

--
Chris
Registered Linux User 283774 http://counter.li.org
21:01:02 up 5 days, 9:13, 1 user, load average: 1.92, 1.20, 1.28
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: Spam with Re[2]: or Re[4]:
Just a heads up in case any of you aren't aware. There's an annoying "auto-bcc" plugin for Microsoft Outlook that adds similar numbers after the 'Re'. So to a message titled "Blah" you'll get a reply titled: "Re[1]: Blah". With the number increasing with every subsequent reply to same subject thread. As such, I wouldn't be scoring a rule that looks for something similar too high. Daryl
Re: Spam with Re[2]: or Re[4]:
On Thu, Sep 15, 2005 at 03:42:42PM -0400, Ronald I. Nutter wrote:
> # Check for bad Re: tag
> header BAD_RECOLON_TAG Subject =~ /\b"Re:"\b/i
>
> stopping email with something past the Re:. Is my concern valid and how
> do I allow the email to get through that has something after Re: ?

I assume you want to catch Mails with 'Re:', but 'only without any further contents'? Then you'd need to use '$'(line end) instead of the second '\b'(word end) giving:

header BAD_RECOLON_TAG Subject =~ /\b"Re:"$/i

This will be DANGEROUS IF mail-programs automatically add 'Re:' to empty Subjects! Then you'll possibly get false positives.

OH, by the way, what are the double-quotes for? I think they would be searched for! So the pattern will not work as assumed?

In an exim4-filter (it uses PCRE Patterns just like perl) I just wrote/tested a pattern against the 'Re...'-Spams analogous/rewritten to spamassassin:

header BAD_RECOLON_TAG Subject =~ /^re:?\s*\[\d+\]:?\s*$/i

Which is:

  re     the characters
  :*     the colon (possibly)
  \s*    whitespace (possibly)
  \[     the left bracket (the typical case)
  \d+    one or more digits (from 2 to 111 I saw random numbers)
  \]     the closing bracket (all my spams had it)
  :?     another colon (I really saw those Re:[1] and Re[2]:)
  \s*    possibly more whitespace up to
  $      the end of the Subject:

If anything (except more whitespace) follows the tag this pattern fails. So writing 'Re: [2] something' goes without hitting the rule.

Stucki

--
Christoph von Stuckrad      * * |nickname |<[EMAIL PROTECTED]>         \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75454/
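
The three Subject patterns posted in this thread, run side by side against constructed subject lines. This is an added example, not code from any poster; Python's re module stands in for the Perl regex engine SpamAssassin uses, and every sample subject is made up for illustration.

```python
import re

# Subject patterns quoted from the thread; re.I mirrors the trailing /i.
# Assumption: Python's re behaves like Perl for the constructs used here.
RULES = {
    # Ron's first attempt: the quotes are literal characters, and each \b
    # needs a word character next to a non-word character at that spot.
    "BAD_RE_TAG": re.compile(r'\b"Re"\[\b', re.I),
    # Loren's suggestion: anchored at the start only, so any text may follow.
    "MY_BAD_RE": re.compile(r'^\s{0,10}Re\s{0,5}\[\d+(?:\/\d+)?\]', re.I),
    # Stucki's pattern: anchored at both ends, so only a bare tag matches.
    "BAD_RECOLON_TAG": re.compile(r'^re:?\s*\[\d+\]:?\s*$', re.I),
}

# Constructed sample subjects (not taken from real mail).
SAMPLES = [
    "Re[2]:",             # bare tag, the spam shape discussed in the thread
    "Re:[1]",             # colon before the bracket, a variant Stucki reports
    "Re[1]: Blah",        # reply numbering from the Outlook plugin Daryl mentions
    "Re: [2] something",  # Stucki's example of a subject that must pass
    "Re: meeting notes",  # ordinary reply
    'x"Re"[2]',           # the kind of subject Ron's quoted pattern can hit
]


def hits(subject):
    """Return the sorted names of the rules whose pattern matches subject."""
    return sorted(name for name, rx in RULES.items() if rx.search(subject))


def report(subjects=SAMPLES):
    """Map each subject to the list of rules it triggers."""
    return {s: hits(s) for s in subjects}


if __name__ == "__main__":
    for subject, names in report().items():
        print(f"{subject!r:24} -> {', '.join(names) or 'no hit'}")
```

The "Re[1]: Blah" row hits only MY_BAD_RE, which is the false positive Loren and Daryl warn about and the reason to keep that rule's score low.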
RE: Spam with Re[2]: or Re[4]:
Here is what I have crafted so far -

# Check for bad RE[ tag
header BAD_RE_TAG Subject =~ /\b"Re"\[\b/i
score BAD_RE_TAG 6.0

# Check for bad Re: tag
header BAD_RECOLON_TAG Subject =~ /\b"Re:"\b/i
score BAD_RECOLON_TAG 6.0

While the first rule should stop the cialis spam from coming through that the other rules aren't, I am concerned about the second rule stopping email with something past the Re:. Is my concern valid and how do I allow the email to get through that has something after Re: ?

Thanks,
Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 11:17 AM
To: Ronald I. Nutter; users@spamassassin.apache.org
Subject: RE: Spam with Re[2]: or Re[4]:

At 11:11 AM 9/15/2005, Ronald I. Nutter wrote:
>I am trying to write a rule to block these based on subject line but
>keep getting regex errors. It seems to be related to trying to put in
>the [ character/symbol. Can someone provide an example of how they did
>it?

You'd need to escape any [ or ] with a \

so put \[ instead of just [
RE: Spam with Re[2]: or Re[4]:
At 11:11 AM 9/15/2005, Ronald I. Nutter wrote:
> I am trying to write a rule to block these based on subject line but keep getting regex errors. It seems to be related to trying to put in the [ character/symbol. Can someone provide an example of how they did it?

You'd need to escape any [ or ] with a \

so put \[ instead of just [
RE: Spam with Re[2]: or Re[4]:
Preface the brackets with a backslash: \[ and \]

>>> "Ronald I. Nutter" <[EMAIL PROTECTED]> 9/15/2005 10:11 AM >>>
I am trying to write a rule to block these based on subject line but keep getting regex errors. It seems to be related to trying to put in the [ character/symbol. Can someone provide an example of how they did it?

Thanks,
Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
RE: Spam with Re[2]: or Re[4]:
I am trying to write a rule to block these based on subject line but keep getting regex errors. It seems to be related to trying to put in the [ character/symbol. Can someone provide an example of how they did it?

Thanks,
Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
Re: Spam with Re[2]: or Re[4]:
Um, yes. That is not unusual for either issue. You've heard of "Bcc"?

{^_^}

- Original Message -
From: "Jeffrey N. Miller" <[EMAIL PROTECTED]>

> Got a lot of spam last night with subject lines Re[2] or [4] or [5]
> Most are Cialis or sperm pill spam. Also I received one of these emails that was addressed to another user???
Re: Spam with Re[2]: or Re[4]:
Jeffrey N. Miller wrote:
> Got a lot of spam last night with subject lines Re[2] or [4] or [5]
> Most are Cialis or sperm pill spam. Also I received one of these emails that was addressed to another user???

I got about 10 of them waiting for me this morning. All were tagged. The lowest score out of the 10 was 22.8 shown below. This is running on 2.64.

-Jim

Content analysis details:   (22.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 HTML_MESSAGE           BODY: HTML included in message
 3.0 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
                            [cf: 100]
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 2.2 OB_URI_RBL             Has URI in OB at http://www.surbl.org/lists.html
                            [reproofs.com is blacklisted in URI RBL at]
                            [multi.surbl.org]
 1.5 WS_URI_RBL             Has URI in WS at http://www.surbl.org/lists.html
                            [reproofs.com is blacklisted in URI RBL at]
                            [multi.surbl.org]
 2.5 JP_URI_RBL             Has URI in JP at http://www.surbl.org/lists.html
                            [reproofs.com is blacklisted in URI RBL at]
                            [multi.surbl.org]
 4.0 SPAMCOP_URI_RBL        Has URI in SC at http://www.surbl.org/lists.html
                            [reproofs.com is blacklisted in URI RBL at]
                            [multi.surbl.org]
 3.0 AB_URI_RBL             Has URI in AB at http://www.surbl.org/lists.html
                            [reproofs.com is blacklisted in URI RBL at]
                            [multi.surbl.org]
 1.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
Re: Spam with Re[2]: or Re[4]:
On Tuesday 13 September 2005 14:10, Jeffrey N. Miller typed:
> Got a lot of spam last night with subject lines Re[2] or [4] or [5]
> Most are Cialis or sperm pill spam. Also I received one of these emails
> that was addressed to another user???

The To: you see displayed in your mail client is not the TO that mail servers use to deliver e-mail. There is no requirement that these two entities match.

I don't know why, but my Bayes has been trapping all of those Re spams just fine :)
Spam with Re[2]: or Re[4]:
Got a lot of spam last night with subject lines Re[2] or [4] or [5]
Most are Cialis or sperm pill spam. Also I received one of these emails that was addressed to another user???