Hello.

From: "Loren Wilton" <[EMAIL PROTECTED]>
Subject: Re: Explosion in uk.geocities.com spam
Date: Sat, 8 Oct 2005 22:01:22 -0700

> > They use html and tables very smart, thus avoiding Bayes rules.
> > Basically it is an invisible table, using one row and several columns.
> > The first column contains the first letter of every line, separated by
> > "<BR>" and optionally some style-tags (b, i, etc.). Next column contains
> > several more characters for each line, etc.
> 
> Leo.  There are a good 9 or 10 variations on this now.  The SARE rulesets
> have a number of rules that catch many of these, though not all of them.
> 
>         Loren

The "uk.geocities" spams come from "CHINANET" or "CHINA RAILWAY
TELECOMMUNICATIONS CENTER".

You can catch the above two ISPs' IP addresses in a header:

header CHINANET Received =~ /from .+(5[89]\.(3[2-9]|[45][0-9]|6[0-3])|60\.1([6-8][0-9]|9[01])|61\.1(2[89]|[3-8][0-9]|9[01])|218\.([0-9]|[12][0-9]|3[01]|5[6-9]|[678][0-9]|9[0-5])|219\.1(2[89]|[345][0-9])|220\.1([678][0-9]|9[01])|222\.(6[4-9]|[78][0-9]|9[0-5]|1(2[89]|3[0-9]|4[0-3])))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
describe CHINANET Chinanet - large provider in China
score CHINANET 0.5

header CRTC Received =~ /from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
describe CRTC CHINA RAILWAY TELECOMMUNICATIONS CENTER
score CRTC 0.5


And, you can catch uk.geo's URI strings in a message body:

body UKGEOCITIES /http:\/\/[a-z]{2,5}\.geocities\.com\/[A-Za-z0-9_]+\/\?{0,1}[A-Za-z0-9_-]+/
describe UKGEOCITIES http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou
score UKGEOCITIES 0.5

So, you'll be able to catch the "uk.geocities" spams with a META rule.

meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99

--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
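As an added example (not code from the post or from SpamAssassin), the Python below emulates the three pattern rules and the META rule above, and cross-checks both header regexes against the address ranges their octet alternations spell out, testing the first and last address of each range and the address just outside either edge. The CHINANET pattern carries the `]` that the posted version drops in its 222.128-143 branch. Real SpamAssassin applies header rules to the named header and body rules to the rendered body text; here the same regexes run over constructed strings, and BAYES_99 is taken as an input flag rather than computed from a Bayes database.

```python
import ipaddress
import re

# Added example: the three pattern rules from the post, as Python regexes.
# CHINANET has the missing ']' in the 222.128-143 branch restored; the other
# two are as posted (Python needs no escaping of '/').
CHINANET_RE = re.compile(
    r"from .+(5[89]\.(3[2-9]|[45][0-9]|6[0-3])|60\.1([6-8][0-9]|9[01])"
    r"|61\.1(2[89]|[3-8][0-9]|9[01])"
    r"|218\.([0-9]|[12][0-9]|3[01]|5[6-9]|[678][0-9]|9[0-5])"
    r"|219\.1(2[89]|[345][0-9])|220\.1([678][0-9]|9[01])"
    r"|222\.(6[4-9]|[78][0-9]|9[0-5]|1(2[89]|3[0-9]|4[0-3])))"
    r"(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]"
)
CRTC_RE = re.compile(
    r"from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))"
    r"(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]"
)
UKGEOCITIES_RE = re.compile(
    r"http://[a-z]{2,5}\.geocities\.com/[A-Za-z0-9_]+/\?{0,1}[A-Za-z0-9_-]+"
)

# Address ranges (first, last) the two header regexes are meant to encode,
# read off the second-octet alternations in the post.
CHINANET_RANGES = [
    ("58.32.0.0", "58.63.255.255"), ("60.160.0.0", "60.191.255.255"),
    ("61.128.0.0", "61.191.255.255"), ("218.0.0.0", "218.31.255.255"),
    ("218.56.0.0", "218.95.255.255"), ("219.128.0.0", "219.159.255.255"),
    ("220.160.0.0", "220.191.255.255"), ("222.64.0.0", "222.95.255.255"),
    ("222.128.0.0", "222.143.255.255"),
]
CRTC_RANGES = [("61.232.0.0", "61.237.255.255"), ("222.32.0.0", "222.63.255.255")]


def received_hits(regex, ip):
    """Wrap an address in a Received-style header and test one header rule."""
    header = f"from mail.example.test ([{ip}]) by mx.example.test"
    return regex.search(header) is not None


def range_boundary_errors(regex, ranges):
    """Return addresses where the regex disagrees with the intended ranges.

    For each range the first and last address must match, and the address
    immediately below and above it must not. An empty list means the regex
    agrees with the ranges at every edge."""
    errors = []
    for first, last in ranges:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        for addr, expected in ((lo, True), (hi, True), (lo - 1, False), (hi + 1, False)):
            if received_hits(regex, str(addr)) != expected:
                errors.append(str(addr))
    return errors


def score_message(received, body, bayes_99):
    """Emulate the individual rule hits and the META rule.

    bayes_99 stands in for SpamAssassin's BAYES_99 result, which the real
    engine derives from its Bayes database; here it is simply an input flag."""
    hits = {
        "CHINANET": CHINANET_RE.search(received) is not None,
        "CRTC": CRTC_RE.search(received) is not None,
        "UKGEOCITIES": UKGEOCITIES_RE.search(body) is not None,
        "BAYES_99": bayes_99,
    }
    # meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99
    hits["CHINAUKGEO"] = ((hits["CHINANET"] or hits["CRTC"])
                          and hits["UKGEOCITIES"] and hits["BAYES_99"])
    return hits


# Constructed sample input (not real mail; addresses chosen to sit inside and
# outside the ranges above).
SPAM_RECEIVED = "from mail.example.test ([222.130.5.6]) by mx.example.test"
SPAM_BODY = "Visit http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou today"
HAM_RECEIVED = "from mail.example.test ([192.0.2.10]) by mx.example.test"

if __name__ == "__main__":
    print("CHINANET boundary errors:", range_boundary_errors(CHINANET_RE, CHINANET_RANGES))
    print("CRTC boundary errors:", range_boundary_errors(CRTC_RE, CRTC_RANGES))
    print("spam sample:", score_message(SPAM_RECEIVED, SPAM_BODY, True))
    print("ham sample: ", score_message(HAM_RECEIVED, SPAM_BODY, True))
```

The boundary check is the part worth keeping around: a hand-written octet alternation is easy to get subtly wrong (the dropped `]` in the posted CHINANET rule turns the 222.128-143 branch into a match on 222.120-129 plus stray characters), and testing each edge address against the range it is supposed to encode catches that class of mistake before the rule is deployed.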
