> -----Original Message-----
> From: MATSUDA Yoh-ichi [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 10, 2005 4:12 PM
> To: [EMAIL PROTECTED]
> Cc: users@spamassassin.apache.org
> Subject: Re: Explosion in uk.geocities.com spam
>
>
> Hello.
>
> From: "Loren Wilton" <[EMAIL PROTECTED]>
> Subject: Re: Explosion in uk.geocities.com spam
> Date: Sat, 8 Oct 2005 22:01:22 -0700
>
> > > They use html and tables very smart, thus avoiding Bayes rules.
> > > Basically it is an invisible tables, using one row and several columns.
> > > The first column contains the first letter of every line, separated by
> > > "<BR>" and optionally some style-tags (b, i, etc.). Next column contains
> > > several more characters for each line, etc.
> >
> > Leo. There are a good 9 or 10 variations on this now. The SARE rulesets
> > have a number of rules that catch many of these, though not all of them.
> >
> > Loren
>
> The "uk.geocities" spams come from "CHINANET" or "CHINA RAILWAY
> TELECOMMUNICATIONS CENTER".
>
> You can catch the above two ISP's IP addresses in a header:
>
> header CHINANET Received =~ /from .+(5[89]\.(3[2-9]|[45][0-9]|6[0-3])|60\.1([6-8][0-9]|9[01])|61\.1(2[89]|[3-8][0-9]|9[01])|218\.([0-9]|[12][0-9]|3[01]|5[6-9]|[678][0-9]|9[0-5])|219\.1(2[89]|[345][0-9])|220\.1([678][0-9]|9[01])|222\.(6[4-9]|[78][0-9]|9[0-5]|1(2[89]|3[0-9]|4[0-3])))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
> describe CHINANET Chinanet - large provider in China
> score CHINANET 0.5
>
> header CRTC Received =~ /from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
> describe CRTC CHINA RAILWAY TELECOMMUNICATIONS CENTER
> score CRTC 0.5
>
> And, you can catch uk.geo's URI strings in a message body:
>
> body UKGEOCITIES /http:\/\/[a-z]{2,5}\.geocities\.com\/[A-Za-z0-9_]+\/\?{0,1}[A-Za-z0-9_-]+/
> describe UKGEOCITIES http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou
> score UKGEOCITIES 0.5
>
> So, you'll be able to catch the "uk.geocities" spams by META rule.
>
> meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99
>
> --
> Nothing but a peace sign.
> MATSUDA Yoh-ichi(yoh)
> mailto:[EMAIL PROTECTED]
> http://www.flcl.org/~yoh/diary/ (only Japanese)
Perhaps we need someone who gets zero-hour spam runs of this? Getting first-line submissions to the URIBL website for addition right away. Whoever was the first person to get the spam in the run... raise your hand. :)

--Chris
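Added example, not code from the thread or from SpamAssassin itself: the quoted header, body and meta rules transcribed into Python regexes so they can be run over constructed sample Received headers and bodies. The BAYES_99 verdict is passed in as a boolean because the Bayes classifier is not re-implemented here; the sample addresses and URLs are constructed to fall inside or outside the ranges the rules cover.

```python
import re

# The rules from the quoted post, in Python regex syntax. Apart from
# non-capturing groups this matches SpamAssassin's Perl regexes; the
# "2[89" bracket typo in the 222.128-143 block of the posted rule is fixed.
TAIL = r"(?:\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2}[\)\] ]"
CHINANET_RE = re.compile(
    r"from .+(?:5[89]\.(?:3[2-9]|[45][0-9]|6[0-3])|60\.1(?:[6-8][0-9]|9[01])"
    r"|61\.1(?:2[89]|[3-8][0-9]|9[01])"
    r"|218\.(?:[0-9]|[12][0-9]|3[01]|5[6-9]|[678][0-9]|9[0-5])"
    r"|219\.1(?:2[89]|[345][0-9])|220\.1(?:[678][0-9]|9[01])"
    r"|222\.(?:6[4-9]|[78][0-9]|9[0-5]|1(?:2[89]|3[0-9]|4[0-3])))" + TAIL)
CRTC_RE = re.compile(
    r"from .+(?:61\.23[2-7]|222\.(?:3[2-9]|[45][0-9]|6[0-3]))" + TAIL)
UKGEO_RE = re.compile(
    r"http://[a-z]{2,5}\.geocities\.com/[A-Za-z0-9_]+/\??[A-Za-z0-9_-]+")


def rule_hits(received_headers, body, bayes_99):
    """Return the set of rule names that fire, including the CHINAUKGEO meta.

    received_headers: list of Received: header values.
    bayes_99: whether Bayes already scored the mail BAYES_99 (assumed input,
    the classifier is not reproduced here).
    """
    hits = set()
    for value in received_headers:
        if CHINANET_RE.search(value):
            hits.add("CHINANET")
        if CRTC_RE.search(value):
            hits.add("CRTC")
    if UKGEO_RE.search(body):
        hits.add("UKGEOCITIES")
    if bayes_99:
        hits.add("BAYES_99")
    # meta CHINAUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99
    if (hits & {"CHINANET", "CRTC"}) and {"UKGEOCITIES", "BAYES_99"} <= hits:
        hits.add("CHINAUKGEO")
    return hits


# Constructed sample headers and bodies (not real mail).
SPAM_RECEIVED = [
    "from mx.example.org by mail.example.org with ESMTP; Mon, 10 Oct 2005",
    "from [218.80.12.34] (helo=pc) by mx.example.org with SMTP; Mon, 10 Oct 2005",
]
SPAM_BODY = "See http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou now"
HAM_RECEIVED = ["from mail.example.com [192.0.2.10] by mx.example.org; Mon, 10 Oct 2005"]
HAM_BODY = "Minutes from Monday's meeting attached."

if __name__ == "__main__":
    print(sorted(rule_hits(SPAM_RECEIVED, SPAM_BODY, bayes_99=True)))
    print(sorted(rule_hits(HAM_RECEIVED, HAM_BODY, bayes_99=False)))
```

Without BAYES_99 the meta does not fire even when the header and body rules both hit, which is the intended conservatism of the combined rule.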