>...
>From: List Mail User [mailto:[EMAIL PROTECTED]
>> 
>> >...
>> >I'm running SA 3.1 and I have started to notice more spam come through
>> >recently.
>> >[snip - original table drug spam]
>> >
>> >Has anyone else been having this problem?  Any rules to catch medication
>> >names in those types of tables?
>> 
>>      They should hit a well trained BAYES, and both Pyzor and DCC as
>> well as Razor2 (your site may not be able to use them due to licensing
>>[snip - original reply]
>
>I have a trained Bayes DB, but I didn't get anything from it.  I'm
>running Razor, but not Pyzor or DCC.  I've got the default blacklists
>and a bunch of SARE rules, but I'm not sure if I've got the one you
>are referring to.
>
>Here's my current list (updated via RDJ):
>    70_sare_adult.cf
>    70_sare_evilnum0.cf
>    70_sare_genlsubj0.cf
>    70_sare_header0.cf
>    70_sare_html0.cf
>    70_sare_obfu0.cf
>    70_sare_random.cf
>    70_sare_specific.cf
>    70_sare_spoof.cf
>    70_sare_unsub.cf
>    70_sare_uri0.cf
>    70_sare_whitelist_rcvd.cf
>    70_sare_whitelist_spf.cf
>    99_sare_fraud_post25x.cf
>    chickenpox.cf
>    weeds.cf
>
>I don't have one to look at right now, but from memory, there was just
>Razor and chickenpox that hit.
>
>No Bayes mention at all, which is odd now that you mention it.  Maybe
>I should check to make sure everything is working properly.
>
>Bowie
>
        I'm not sure if Loren's rules made it into any particular
ruleset or if Leo "morph"'d too often to bother; maybe someone
else could speak up who is using them (I seem to remember the
first few cuts would only work for a few days, then were "beaten").
I'd expect the SARE set to be 70_sare_drugs.cf, but that one may
now be obsolete or not appropriate for 3.1 (or possibly even earlier;
I admit I often read the SARE rules, but don't actually use them).

        If you're not using Pyzor, it is a bit of a memory hog (need
to keep a copy of Python running), but is a very valuable addition.
Likewise, if you can accept the licensing, run DCC - if you don't like
or can't use it because of the license, consider running version 1.2.72
which generally works well and had the old license terms (i.e. basically
unrestricted free, but no longer supported though it does work).  Also,
do check your Bayes DB - with a bunch of examples, if you run sa-learn
on them, you should quickly get to where they trigger BAYES_99.  A high
Bayes score and one or two digest hits will stop them in most environments;
anything else is just icing and makes them easier still.  Because of the
nature of zombie delivery, it is important to hand-train your Bayes DB
even if you do enable auto-learning (i.e. they will often have too few
header or body points to trigger auto-learn).

        Also, try to feed some old ones back into "spamassassin -t" and
see if they now are hitting net tests; if they do now, but didn't when
you received them, you had the misfortune to be at the start of a spam
run (net tests are very, very helpful and good for everybody except the
few people who get the spam first - they are the ones who report the spam
and then "save" everyone else who gets it later - it is good altruistic
behavior for everyone to report spam as much as possible to get it into
the BL databases - i.e. SpamCop, etc. and digest reporting).

        Paul Shupak
        [EMAIL PROTECTED]
