>>From [EMAIL PROTECTED] Thu Mar 10 06:20:20 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: <mailto:[EMAIL PROTECTED]> >list-unsubscribe: <mailto:[EMAIL PROTECTED]> >List-Post: <mailto:users@spamassassin.apache.org> >List-Id: <users.spamassassin.apache.org> >Delivered-To: mailing list users@spamassassin.apache.org >X-ASF-Spam-Status: No, hits=0.0 required=10.0 > tests= >Received-SPF: pass (hermes.apache.org: local policy) >Date: Thu, 10 Mar 2005 14:19:48 +0000 >To: users@spamassassin.apache.org >Subject: Rule for downwards writing spam >Mime-Version: 1.0 >Content-Type: text/plain; charset=us-ascii >Content-Disposition: inline >User-Agent: Mutt/1.3.28i >From: Matthew Newton <[EMAIL PROTECTED]> >X-UoL-Id: [EMAIL PROTECTED]@apollo.le.ac.uk >X-Virus-Checked: Checked >X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on nepal.plectere.com >X-Spam-Level: >X-Spam-Status: No, score=-108.6 required=5.0 tests=AWL,BAYES_00, > USER_IN_WHITELIST,USER_IN_WHITELIST_TO autolearn=ham version=3.0.1 > >Hi > >I've put together the following rule to try and catch the read-downwards >type spam shown below. Could someone with a decent size corpus check it >for me please? :-) (or if you see any obvious errors or improvements; it >seems to work here) > >----8<---- >body __UOLCC_DOWN1 /read\sd[o0]wn/i >body __UOLCC_DOWN2 >/\bc\b.*\b[il|\]\b.*\ba\b.*\b[il\|]\b.*\b[il\|]\b.*\bs\b/si >body __UOLCC_DOWN3 /\bv\b.*\b[il\|]\b.*\ba\b.*\bg\b.*\br\b.*\ba\b/si >body __UOLCC_DOWN4 >/\bv\b.*\b[il\|]\b.*\bc\b.*\b[o0]\b.*\bd\b.*\b[il\|]\b.*\bn\b/si >body __UOLCC_DOWN5 >/\bc\b.*\b[o0]\b.*\bd\b.*\be\b.*\b[il\|]\b.*\bn\b.*\be\b/si > >meta UOLCC_DOWN ((__UOLCC_DOWN1 + __UOLCC_DOWN2 + __UOLCC_DOWN3 + >__UOLCC_DOWN4 + __UOLCC_DOWN5) > 3) >describe UOLCC_DOWN Drugs downwards >score UOLCC_DOWN 1.0 >----8<---- > >Thanks! > >Matthew > > >******************************* >Hey there. > >Please read downwards :) > >V V C C (They are all F.D.A approved.) >I I I O >C A A D (The $ are simply kickass!) >O G L E >D R I I (Don't need to $ for ship.) >I A S N >N E > >I could talk to you about it forever, >but I'll let you experience it yourself. > >http://swabby.nopaln-munged.com/?bluebushpvv >******************************* > >-- >Matthew Newton <[EMAIL PROTECTED]> > >UNIX and e-mail Systems Administrator, Network Support Section, >Computer Centre, University of Leicester, >Leicester LE1 7RH, United Kingdom > taiwanmedialtd-munged.com their parent. All of the addresses are false and almost every other domain they have is already supended or on "hold" status. Note the entire set of related domains uses the name servers ns1.dnsm-munged.com and ns2.dnsm-munged.com (which have their own "whois" troubles). Most of the domains use a different registrant, but all the same contacts - recently the name and Amsterdam address of "Roelf Van der Brug" seems to be being used for everything.
They mostly use Joker, who has *very* good policies for killing domains like this. You should complain and file at wdprs.internic.net. They create about a dozen new domains a week, but have been using the Amsterdam address for a few months. Paul Shupak [EMAIL PROTECTED] P.S. I've been too busy to report them all, so I just took the time to catch up on most of them.