Hello.

From: "Loren Wilton" <[EMAIL PROTECTED]>
Subject: Re: Explosion in uk.geocities.com spam
Date: Sat, 8 Oct 2005 22:01:22 -0700

> > They use html and tables very smartly, thus avoiding Bayes rules.
> > Basically it is an invisible table, using one row and several columns.
> > The first column contains the first letter of every line, separated by
> > "<BR>" and optionally some style-tags (b, i, etc.). The next column contains
> > several more characters for each line, etc.
> > Leo.
>
> There are a good 9 or 10 variations on this now. The SARE rulesets
> have a number of rules that catch many of these, though not all of them.
>
> Loren

The "uk.geocities" spams come from "CHINANET" or "CHINA RAILWAY TELECOMMUNICATIONS CENTER".
You can catch the above two ISPs' IP addresses in a header:

header CHINANET Received =~ /from .+(5[89]\.(3[2-9]|[45][0-9]|6[0-3])|60\.1([6-8][0-9]|9[01])|61\.1(2[89]|[3-8][0-9]|9[01])|218\.([0-9]|[12][0-9]|3[01]|5[6-9]|[678][0-9]|9[0-5])|219\.1(2[89]|[345][0-9])|220\.1([678][0-9]|9[01])|222\.(6[4-9]|[78][0-9]|9[0-5]|1(2[89]|3[0-9]|4[0-3])))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
describe CHINANET Chinanet - large provider in China
score CHINANET 0.5

header CRTC Received =~ /from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
describe CRTC CHINA RAILWAY TELECOMMUNICATIONS CENTER
score CRTC 0.5

And you can catch uk.geo's URI strings in a message body:

body UKGEOCITIES /http:\/\/[a-z]{2,5}\.geocities\.com\/[A-Za-z0-9_]+\/\?{0,1}[A-Za-z0-9_-]+/
describe UKGEOCITIES http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou
score UKGEOCITIES 0.5

So you'll be able to catch the "uk.geocities" spams by a META rule.

meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99

--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
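The octet-range alternations in the rules above are written by hand, which is where a hand-typed character class goes wrong (an unbalanced `[` silently changes which addresses match). The following is an added example, not code from the thread: it generates those alternations from the ranges the post lists, builds the two Received-header rules and the body rule from them, and evaluates the meta rule over constructed sample messages. The address blocks, the sample headers and the `bayes_99` input (the Bayes verdict is not a regex rule, so it is taken as a given here) are my assumptions; the generator also goes beyond the post's pattern by refusing to match an address that merely contains one of the listed prefixes (e.g. 158.32.1.1 against the 58.32-63 block), which the post's `from .+` prefix does not guard against.

```python
"""Generate SpamAssassin-style octet-range regexes and evaluate the resulting
rules (header, body and meta) over constructed sample messages."""
import re


def digit_class(lo, hi):
    """Character class for one decimal digit position: 5 -> '5', 2..9 -> '[2-9]'."""
    if lo == hi:
        return str(lo)
    if hi - lo == 1:
        return f"[{lo}{hi}]"
    return f"[{lo}-{hi}]"


def octet_range(lo, hi):
    """Alternation matching the integers lo..hi (0..255) without leading zeros,
    in the post's style: 32..63 -> '3[2-9]|[45][0-9]|6[0-3]'."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must lie within 0..255")
    runs = []  # [hundreds prefix, first tens digit, last tens digit, last-digit class]
    n = lo
    while n <= hi:
        tens = n // 10
        last = min(hi, tens * 10 + 9)
        cls = digit_class(n % 10, last % 10)
        head, tens_digit = (str(tens)[:-1], str(tens)[-1]) if tens else (None, None)
        prev = runs[-1] if runs else None
        # Merge full tens blocks under the same hundreds digit: 4[0-9]|5[0-9] -> [45][0-9].
        if (prev and cls == "[0-9]" and prev[3] == "[0-9]" and tens_digit is not None
                and prev[0] == head and prev[2] is not None
                and int(tens_digit) == int(prev[2]) + 1):
            prev[2] = tens_digit
        else:
            runs.append([head, tens_digit, tens_digit, cls])
        n = last + 1
    alts = []
    for head, first, last, cls in runs:
        tens = "" if first is None else digit_class(int(first), int(last))
        alts.append((head or "") + tens + cls)
    return "|".join(alts)


OCTET = octet_range(0, 255)  # any single octet, as in the post's trailing groups


def received_regex(blocks):
    """Received-header regex for (first_octet, lo, hi) blocks meaning A.lo-hi.x.y.
    The lookbehind is an addition: the address may not be preceded by a digit or
    a dot, so 158.32.1.1 does not satisfy a 58.32-63 block."""
    alts = "|".join(f"{a}\\.(?:{octet_range(lo, hi)})" for a, lo, hi in blocks)
    return re.compile(rf"from .+?(?<![\d.])(?:{alts})(?:\.(?:{OCTET})){{2}}[\)\] ]")


# Ranges transcribed from the post's CHINANET and CRTC rules (assumed to be the intent).
CHINANET_BLOCKS = [(58, 32, 63), (60, 160, 191), (61, 128, 191), (218, 0, 31),
                   (218, 56, 95), (219, 128, 159), (220, 160, 191), (222, 64, 95),
                   (222, 128, 143)]
CRTC_BLOCKS = [(61, 232, 237), (222, 32, 63)]
HEADER_RULES = {"CHINANET": received_regex(CHINANET_BLOCKS), "CRTC": received_regex(CRTC_BLOCKS)}
UKGEOCITIES = re.compile(r"http://[a-z]{2,5}\.geocities\.com/[A-Za-z0-9_]+/\??[A-Za-z0-9_-]+")


def rule_hits(received, body, bayes_99):
    """Names of the rules that fire for one message: received is the list of
    Received: header values, body the rendered text, bayes_99 the Bayes verdict."""
    hits = set()
    for name, rx in HEADER_RULES.items():
        if any(rx.search(h) for h in received):
            hits.add(name)
    if UKGEOCITIES.search(body):
        hits.add("UKGEOCITIES")
    if bayes_99:
        hits.add("BAYES_99")
    # meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99
    if ("CHINANET" in hits or "CRTC" in hits) and {"UKGEOCITIES", "BAYES_99"} <= hits:
        hits.add("CHINAUKGEO")
    return hits


# Constructed sample messages; the addresses are illustrative, not captured spam.
SPAM = {
    "received": ["from mail.example.cn (unknown [222.130.5.7]) by mx.example.org"],
    "body": "Visit http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou today",
    "bayes_99": True,
}
HAM = {
    "received": ["from relay.example.net (relay.example.net [158.32.1.1]) by mx.example.org"],
    "body": "Minutes from yesterday's meeting are attached.",
    "bayes_99": False,
}

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("ham", HAM)):
        print(label, sorted(rule_hits(**msg)))
```

`octet_range(0, 255)` reproduces the post's own single-octet group exactly, so the generated header rules can be pasted into a `header ... Received =~ /.../` line after swapping `(?:` for the plain groups the original uses. The 158.32.1.1 sample is the case the lookbehind exists for: with the post's bare `from .+` prefix, the regex engine can stop the `.+` after the leading `1` and match the rest as 58.32.1.1.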
> > They use html and tables very smart, thus avoiding Bayes rules. > > Basically it is an invisible tables, using one row and several columns. > > The first column contains the first letter of every line, separated by > > "<BR>" and optionally some style-tags (b, i, etc.). Next column contains > > several more characters for each line, etc. > > Leo. There are a good 9 or 10 variations on this now. The SARE rulesets > have a number of rules that catch many of these, though not all of them. > > Loren The "uk.geocities" spams come from "CHINANET" or "CHINA RAILWAY TELECOMMUNICATIONS CENTER". You can catch the above two ISP's IP addresses in a header: header CHINANET Received =~ /from .+(5[89]\.(3[2-9]|[45][0-9]|6[0-3])|60\.1([6-8][0-9]|9[01])|61\.1(2[89]|[3-8][0-9]|9[01])|218\.([0-9]|[12][0-9]|3[01]|5[6-9]|[678][0-9]|9[0-5])|219\.1(2[89]|[345][0-9])|220\.1([678][0-9]|9[01])|222\.(6[4-9]|[78][0-9]|9[0-5]|1(2[89|3[0-9]|4[0-3])))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/ describe CHINANET Chinanet - large provider in China score CHINANET 0.5 header CRTC Received =~ /from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/ describe CRTC CHINA RAILWAY TELECOMMUNICATIONS CENTER score CRTC 0.5 And, you can catch uk.geo's URI strings in a message body: body UKGEOCITIES /http:\/\/[a-z]{2,5}\.geocities\.com\/[A-Za-z0-9_]+\/\?{0,1}[A-Za-z0-9_-]+/ describe UKGEOCITIES http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou score UKGEOCITIES 0.5 So, you'll be able to catch the "uk.geocities" spams by META rule. meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99 -- Nothing but a peace sign. MATSUDA Yoh-ichi(yoh) mailto:[EMAIL PROTECTED] http://www.flcl.org/~yoh/diary/ (only Japanese)