Rule for PDF and eCard Spam Needed

2007-08-14 Thread Clay Davis
Can someone recommend a SAR(E) to mitigate the influx of the PDF and eCard spams until I can learn the bayes? (haven't been tuned into the list for a while... sorry.) Thanks, Clay

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Loren Wilton
PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they te

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Doc Schneider
Loren Wilton wrote: > PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also > published a number of rules that catch them, I believe. You can get > them from one of the standard SA update channels. > > I suppose we ought to publish s

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John Rudd
Doc Schneider wrote: Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. I found that ClamAV catches most all those greeting card spamscam viruses. But the PDFInfo from SARE works GREAT! ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL signatures

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the g

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John Rudd
Jo Rhett wrote: On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Diego Pomatta
Jo Rhett wrote: On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SA

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Diego Pomatta
Interesting Tech Republic article, "Putting a stop to PDF spam", which mentions the pdfinfo plugin for SA.

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
Jo Rhett wrote: I think that rules which did a better job on these messages would be greatly appreciated. On Aug 14, 2007, at 12:42 PM, Diego Pomatta wrote: I use PDFinfo plugin from http://rulesemporium.com/plugins.htm Well first I don't think many of us want to waste CPU cycles trying

RE: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Robert - elists
> > Just to make it clear what I and others keep saying on this topic: > I'm using 4 different systems that have various 3.x versions of > spamassassin, all of which use sa-update, and none of which are doing > an adequate job of catching gif, pdf or ecard spam. It's upwards of > 20 an hour on se

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Kai Schaetzl
Jo Rhett wrote on Tue, 14 Aug 2007 13:27:20 -0700: > Well first I don't think many of us want to waste CPU cycles trying > to analyze the contents of PDF files. Right, and not only of PDFs. That's why "many of us" reject this stuff already at MTA for technical reasons and thus rarely see this

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John D. Hardin
On Tue, 14 Aug 2007, Diego Pomatta wrote: > and this ruleset for postcards&ecards -> > http://www.impsec.org/~jhardin/antispam/postcards.cf We're starting to get into whack-a-mole territory with the postcard spams. There will be another update out tonight. -- John Hardin KA7OHZ

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
On Aug 14, 2007, at 2:22 PM, Robert - elists wrote: You might consider the clamav integration into SA, as clamav is catching all the ecard ones Apparently with alternate virus files, which I had not yet tested. Someone mentioned that earlier today and I'm investigating it. -- Jo Rhett Ne

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote: What can be done to get these tested and included in the main ruleset? What is "these"? I don't see that you offered any rules catching that stuff. So, what do you want the developers or anyone to test? People refer to rulesets they've create

RE: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Robert - elists
> > Apparently with alternate virus files, which I had not yet tested. > Someone mentioned that earlier today and I'm investigating it. > > -- > Jo Rhett Jo I don't use alternative files that I am aware of anyways... just stock clamav And... I hear ya, yet clamav plugin *integration* into SA

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
Robert - elists wrote: I don't use alternative files that I am aware of anyways... just stock clamav the ecard stuff is not the normal clamav virus databases. And... I hear ya, yet clamav plugin *integration* into SA scores as I understand it, where stock clamav quarantines We use amavis w

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Arthur Dent
On Tue, Aug 14, 2007 at 07:53:56PM -0700, Robert - elists wrote: > > > Apparently with alternate virus files, which I had not yet tested. > > Someone mentioned that earlier today and I'm investigating it. > > > > -- > > Jo Rhett > > Jo > > I don't use alternative files that I am aware of anyway

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Kai Schaetzl
Jo Rhett wrote on Tue, 14 Aug 2007 17:42:02 -0700: > People refer to rulesets they've created. I am not an SA committer, > so I can't run these through their test environment and then commit > them to the tree. So I'm asking someone who is if they'd be willing > to do this. I can just tel

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Justin Mason
Jo Rhett writes: > > On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote: > >> What can be done to get these tested and included in the main > >> ruleset? > > > > What is "these"? I don't see that you offered any rules catching that > > stuff. So, what do you want the developers or anyone to test?

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Justin Mason
Kai Schaetzl writes: > Jo Rhett wrote on Tue, 14 Aug 2007 17:42:02 -0700: > > > People refer to rulesets they've created. I am not an SA committer, > > so I can't run these through their test environment and then commit > > them to the tree. So I'm asking someone who is if they'd be willing

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett
On Aug 15, 2007, at 3:31 AM, Kai Schaetzl wrote: I can just tell you what *I* would do. - test the rules - test the rules - test the rules - gather statistics about hits, FPs and FNs The SA-team has an environment designed to do this, I don't. Nor do most people on this list. -- Jo Rhett

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett
On Aug 15, 2007, at 2:26 AM, Justin Mason wrote: We only do this with rules that people give us permission to use. We can't take third-party rules without their developers' permission; on top of this, many of the rulesets don't use a compatible license, or the developers don't want them in S

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett
On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote: I am only a home user, but I have found that bog-standard clamAV (updated with freshclam) has caught all but one of the greeting card scams: I'm using stock clamav with freshclam, and getting 10-12 an hour in each mailbox. So no, stock clama

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Kai Schaetzl
Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700: > The SA-team has an environment designed to do this, I don't. Nor do > most people on this list. Sigh, I give up. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com

RE: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Robert - elists
> > I'm using stock clamav with freshclam, and getting 10-12 an hour in > each mailbox. So no, stock clamav does not catch these. > > -- > Jo Rhett Hmm interesting I was telling the same thing recently on this same thread. YES, they do catch and quarantine them all them rotten buggers. Wh

RE: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Robert - elists
> > Sigh, I give up. > > Kai > Give up what? Trying to run destructive interference or consider helping Jo ? :-) - rh

Re: Rule for PDF and eCard Spam Needed

2007-08-15 Thread Jo Rhett
Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700: The SA-team has an environment designed to do this, I don't. Nor do most people on this list. Kai Schaetzl wrote: Sigh, I give up. I find it vastly amusing that when there is real work to do (ie fix a broken rule) the list grows very sile

RE: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Martin.Hepworth
Arthur Dent > Cc: users@spamassassin.apache.org > Subject: Re: Rule for PDF and eCard Spam Needed > > On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote: > > I am only a home user, but I have found that bog-standard clamAV > > (updated with freshclam) has caught all but one of t

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Kai Schaetzl
Robert - elists wrote on Wed, 15 Aug 2007 18:12:28 -0700: > consider helping Jo ? I think Jo could help himself quite good if he wanted to. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: h

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Justin Mason
Jo Rhett writes: > On Aug 15, 2007, at 2:26 AM, Justin Mason wrote: > > We only do this with rules that people give us permission to use. > > We can't take third-party rules without their developers' > > permission; on > > top of this, many of the rulesets don't use a compatible license, > > o

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Joe Zitnik
>>> On 8/14/2007 at 6:31 PM, "John D. Hardin" <[EMAIL PROTECTED]> wrote: On Tue, 14 Aug 2007, Diego Pomatta wrote: > and this ruleset for postcards&ecards -> > http://www.impsec.org/~jhardin/antispam/postcards.cf We're starting to get into whack-a-mole territory with the postcard spams. There

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread John D. Hardin
On Thu, 16 Aug 2007, Joe Zitnik wrote: > I've been looking at the rule, and POSTCARD_02 and POSTCARD_03 > along with DQ_URI_ONLY_ARGS has no associated score line. Is this > an intentional omission? Yes. That uses the default score of 1.0 -- John Hardin KA7OHZ http://www.imp

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Jo Rhett
44 (0)1865 842300 -Original Message- From: Jo Rhett [mailto:[EMAIL PROTECTED] Sent: 15 August 2007 23:46 To: Arthur Dent Cc: users@spamassassin.apache.org Subject: Re: Rule for PDF and eCard Spam Needed On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote: I am only a home user, but I have

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Loren Wilton
From: "Jo Rhett" <[EMAIL PROTECTED]> So the only thing which is actually working to catch these is bayes and bayes-based systems. Not rules, and not AV. Is that a statement about your own system? MANY people have responded that quite a number of other things like pdfinfo and clamav and vari

Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread John D. Hardin
On Thu, 16 Aug 2007, Jo Rhett wrote: > So the only thing which is actually working to catch these is > bayes and bayes-based systems. Not rules, and not AV. The postcard spams? Modulo the fact that they are a whack-a-mole solution, the Subject rules I maintain are apparently quite effective in c

Re: Rule for PDF and eCard Spam Needed

2007-08-18 Thread Jo Rhett
Loren Wilton wrote: From: "Jo Rhett" <[EMAIL PROTECTED]> So the only thing which is actually working to catch these is bayes and bayes-based systems. Not rules, and not AV. Is that a statement about your own system? MANY people have responded that quite a number of other things like pdfinf

Re: Rule for PDF and eCard Spam Needed

2007-08-18 Thread Bill Randle
On Sat, 2007-08-18 at 19:26 -0700, Jo Rhett wrote: > Loren Wilton wrote: > > From: "Jo Rhett" <[EMAIL PROTECTED]> > > > >> So the only thing which is actually working to catch these is bayes > >> and bayes-based systems. Not rules, and not AV. > > > > Is that a statement about your own system?