I have seen a few posts with people complaining about spam from gmail (often
linking to blogspot pages) which no existing rules catch, and have had a
number of these myself. This is only a small fraction of the spam I am
seeing, but it is anoying none-the-less!
NOTE: I am not a particulally good rule writer and there are probably a lot
more elegant ways of doing this! Feel free to make suggestions and
improvements and to use how you will.
The easiest way that I can see to catch these emails is to combine a number
of existing rules and to add a couple of new rules which look for specific
things:
Existing rules used:
FreeMail.pm Plugin
ChickenPox.cf
New Rule 1 - Find all emails which link to a free blog site:
uri FHS_FREEBLOG
/(?:spaces\.msn\.com|blogeasy\.com|easyjournal\.com|multiply\.com|blog-city\.com|blogharbor\.com|bloghi\.com|bloghorn\.com|blogspirit\.com|blogsource\.com|ebloggy\.com|pitas\.com|blogger\.de|blogsome\.com|weblogs\.us|wordpress\.com|wpblogs\.com|blogthing\.com|globbo\.org|theblog\.cc|learnerblogs\.org|uniblogs\.org|edublogs\.org|hrblogs\.org|beblogger\.com|evilsupergenius\.net|blogcafe\.com|blogspot\.com|weblogs\.hu|weblogs\.cz|blogs\.ro|weblogs\.pl|blogs\.fi|blogs\.no|blogs\.dk|blogs\.se|blog\.com|blog\.de|blog\.co\.uk|blog\.ca|freewebs\.com|livejournal\.com|20six\.co\.uk|xanga\.com|aeonity\.com|bloggercrab\.com|upsaid\.com|diaryland\.com|blogs\.ie|modblog\.com|efx2\.com|blogdrive\.com|tblog\.com|blogcult\.com|seo-blog\.com|quickblog\.org|diary-x\.com|blurty\.com|upsaid\.com|bloggercrab\.com|blogghost\.com)/i
describe FHS_FREEBLOG Contains a link to a free blog.
score FHS_FREEBLOG 0.001
New Rule 2 - Look for a propper html link in the email (i.e. long url and
short description):
rawbody FHS_LINK /\<a.href[^>]{20,50}\>[^<]{6,15}\<\/a/i
describe FHS_LINK Contains a long URL with a short description - a well
written link
score FHS_LINK 0.001
Now consider that people who send messages from a free email address are
very unlikely to go to the trouble of using a properly formatted link in
their email (they will just copy and past the url):
meta FREEMAIL_LINK_BLOG (FREEMAIL_FROM && FHS_LINK && FHS_FREEBLOG)
describe FREEMAIL_LINK_BLOG From a freemail address and includes a well
written link to a blog
score FREEMAIL_LINK_BLOG 2.0
The next thing I noticed was that most of these emails hit various bits of
the chickenpox.cf ruleset so I created a set of meta rules to count how many
of these were hit, and then combined this with the freemail rules:
meta FHS_COUNT_CHICKENPOX_3 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 +
J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 +
J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 +
J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 +
J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 +
J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 +
J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 +
J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 +
J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 +
J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 +
J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 +
J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 +
J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 +
J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 +
J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 +
J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 +
J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 2)
describe FHS_COUNT_CHICKENPOX_3 Three or more odd character combinations
score FHS_COUNT_CHICKENPOX_3 0.1
meta FHS_COUNT_CHICKENPOX_5 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 +
J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 +
J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 +
J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 +
J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 +
J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 +
J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 +
J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 +
J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 +
J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 +
J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 +
J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 +
J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 +
J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 +
J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 +
J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 +
J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 4)
describe FHS_COUNT_CHICKENPOX_5 Five or more odd character combinations
score FHS_COUNT_CHICKENPOX_5 0.1
meta FHS_COUNT_CHICKENPOX_7 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 +
J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 +
J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 +
J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 +
J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 +
J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 +
J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 +
J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 +
J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 +
J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 +
J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 +
J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 +
J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 +
J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 +
J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 +
J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 +
J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 6)
describe FHS_COUNT_CHICKENPOX_7 Seven or more odd character combinations
score FHS_COUNT_CHICKENPOX_7 0.1
meta FHS_COUNT_CHICKENPOX_9 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 +
J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 +
J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 +
J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 +
J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 +
J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 +
J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 +
J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 +
J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 +
J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 +
J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 +
J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 +
J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 +
J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 +
J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 +
J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 +
J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 8)
describe FHS_COUNT_CHICKENPOX_9 Nine or more odd character combinations
score FHS_COUNT_CHICKENPOX_9 0.1
meta FREEMAIL_CHICKENPOX_3 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_3)
describe FREEMAIL_CHICKENPOX_3 From a freemail address and has three or more
odd character combinations
score FREEMAIL_CHICKENPOX_3 0.1
meta FREEMAIL_CHICKENPOX_5 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_5)
describe FREEMAIL_CHICKENPOX_5 From a freemail address and has five or more
odd character combinations
score FREEMAIL_CHICKENPOX_5 0.4
meta FREEMAIL_CHICKENPOX_7 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_7)
describe FREEMAIL_CHICKENPOX_7 From a freemail address and has seven or more
odd character combinations
score FREEMAIL_CHICKENPOX_7 0.3
meta FREEMAIL_CHICKENPOX_9 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_9)
describe FREEMAIL_CHICKENPOX_9 From a freemail address and has nine or more
odd character combinations
score FREEMAIL_CHICKENPOX_9 0.2
You could also create a meta rule that puts all of this together and
basically kills (gives a very hight score to) any email from a freemail
address which has a specific number of strange character combinations in it
and which links with propper html to a free blog site... I'll leave that for
you to work out!
Any comments or suggestions?
--
View this message in context:
http://www.nabble.com/A-few-rules-to-catch-current-gmail-spam-tp17590682p17590682.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
