I'm no expert but this is what I use. It looks for progressively worse use of this_sort.of_stuff.in.messages and the scores sum up.
Quest_equals being the least specific and spam_uri the worst. Many of my users have 6.0 as their cut-off so a fairly vague spam gets 5.5 and other rules take care of the rest. If it's bad it gets a total of 10.5. If you don't like the set use quest_equals and up the score.

Mike

Experts, please improve the regex.

# uk.geocities.com: three tiers, scores add up when more than one matches
uri TIO_UK_GEO_SPAM_URI m'^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|\.|_)[a-z]*(\.|_)[a-z]*)'i
describe TIO_UK_GEO_SPAM_URI Geocities Spammer URL
score TIO_UK_GEO_SPAM_URI 5.0

uri TIO_UK_URI_GEO_DOT_OR_USCORE m'^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_UK_URI_GEO_DOT_OR_USCORE Geocities URL with several dots or underscores
score TIO_UK_URI_GEO_DOT_OR_USCORE 2.5

uri TIO_UK_URI_GEO_QUEST_EQUALS m'^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_UK_URI_GEO_QUEST_EQUALS Short Geocities URL
score TIO_UK_URI_GEO_QUEST_EQUALS 3.0

# spaces.msn.com: the same three tiers
uri TIO_SPC_MSN_SPAM_URI m'^https?://spaces\.msn\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|\.|_)[a-z]*(\.|_)[a-z]*)'i
describe TIO_SPC_MSN_SPAM_URI MSN Spaces Spammer URL
score TIO_SPC_MSN_SPAM_URI 5.0

uri TIO_SPC_MSN_DOT_OR_USCORE_URI m'^https?://spaces\.msn\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_SPC_MSN_DOT_OR_USCORE_URI MSN Spaces URL with several dots or underscores
score TIO_SPC_MSN_DOT_OR_USCORE_URI 2.5

uri TIO_SPC_MSN_QUEST_EQUALS_URI m'^https?://spaces\.msn\.com.*([a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_SPC_MSN_QUEST_EQUALS_URI Short MSN Spaces URL
score TIO_SPC_MSN_QUEST_EQUALS_URI 3.0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Cisar
Sent: 18 August 2005 17:45
To: [email protected]
Subject: RE: [AMaViS-user] User complaints of spam

For what it's worth it looks like they may have "moved"... just got the first batch of...
http://spaces.msn.com/members/GuadalupeSzekula/?H5=Best_offerings.coming!_T

So everybody may want to get a jump on adding a regex for that to your rulesets :-)

Based on the general format of these URLs, how could you craft a regex that would catch these specific ones, without penalizing people who legitimately are emailing a uk.geocities or spaces.msn.com URL to someone? They would seem to be in the format of

http://spaces.msn.com/members/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^             ^^                   ^

http://uk.geocities.com/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS>
^^^^^^^^^^^^^^^^^^^^^^^^             ^^                   ^

So it would seem that a regex to match the "caret'ed" bits above would be the most likely means to that end? Any regex geniuses out there? :)

Cheers,
>>>>> Mike <<<<<

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary V
> Sent: Monday, August 15, 2005 11:57 AM
> To: Matt Juszczak
> Cc: [email protected]
> Subject: Re: [AMaViS-user] User complaints of spam
>
> Matt wrote:
>
> > Hi all,
> >
> > We're getting some user complaints of spam and they all seem to follow
> > the same general template.
> >
> > Something like this:
> >
> > ---snip---
> > nicky
> >
> > http://uk.geocities.com/Hyman_Barrientos/?Wn=Seek_quick.and_effective.cures
> > ---snip---
> >
> > After which they have some random words at the end (random English
> > dictionary words). Some of them don't.
> >
> > A lot of these are making it to the quarantine but some of them aren't
> > even getting a positive score. Is there a rule out there I can find,
> > or possibly an additional blacklist I can add on top of the default (razor)?
> > I'm not a big fan of blacklists but as long as we're only just "tagging"
> > spam (and not deleting it) and the blacklist is fairly conservative, I
> > wouldn't mind allowing it to add some points to messages.
> >
> > Thanks,
> > Matt
>
> Make sure you set:
> $sa_local_tests_only = 0; in amavisd.conf. Otherwise SpamAssassin will
> not perform network tests (Razor included).
> I think you are using FreeBSD, so there should be a
> /usr/local/etc/mail/spamassassin/init.pre
> file. This file normally will contain:
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> loadplugin Mail::SpamAssassin::Plugin::Hashcash
> loadplugin Mail::SpamAssassin::Plugin::SPF
>
> If you did not install from ports, then it might be in
> /etc/mail/spamassassin
>
> Verify that init.pre exists in the same place you have local.cf and at
> the very least 'loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' is
> there.
>
> You might consider using Pyzor. It is slower than some of the other
> tests (only one server) and it has made a bit of a mess on some
> machines when the Pyzor server was unavailable. The author will change
> the server on occasion, so it may be a good idea to make sure the
> server is up by maybe doing a 'pyzor ping' in a cron job, with the
> result mailed to you.
>
> If you use ports, it should be there: /usr/ports/mail/pyzor
>
> install, then run both:
> pyzor discover
> and
> su vscan -c 'pyzor discover'
> (pyzor discover provides pyzor the IP address of the Pyzor server)
>
> then 'pyzor ping' to see if the Pyzor server is up
>
> run
> su vscan -c 'spamassassin --lint -D'
> and you should see
> debug: Pyzor: got response: 66.250.40.33:24441 (200, 'OK') 0 0
> if all is working well.
> I don't think you even need to reload amavisd-new.
>
> DCC is very good, but as an ISP, and due to the volume of mail you
> receive, and due to the license, I believe you would need to run the
> DCC server (dccd I think) on one of your machines and then provide
> your data (flood your data) to the main servers. At least something to
> that effect, I think. You would have to study how to set this up.
>
> If you don't have $sa_local_tests_only = 0; set, then this would be
> the main problem.
> An email like this should hit on a couple of the
> network tests, with URIDNSBL the most likely to help. There is not
> much for SpamAssassin to key on if network tests are not performed.
>
> Gary V
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> AMaViS-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
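
An added example, not part of the original thread: a Python check of how the three posted tiers score the two spam URLs quoted in the thread against constructed benign links, next to a hypothetical tighter pattern built from the `/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS>` format described in the thread. The `TIGHT` pattern, the helper names and the benign URLs are assumptions made for illustration.

```python
import re

# Tails of the three tiers as posted in the thread (same for both hosts), with scores.
TIERS = [
    (r"([a-z]*(\?|=|\.|_)[a-z]*)", 3.0),                             # *_QUEST_EQUALS
    (r"([a-z]*(\?|=|\.|_)[a-z]*(\?|=|\.|_)[a-z]*)", 2.5),            # *_DOT_OR_USCORE
    (r"([a-z]*(\?|=|\.|_)[a-z]*(\?|\.|_)[a-z]*(\.|_)[a-z]*)", 5.0),  # *_SPAM_URI
]
HOSTS = (r"uk\.geocities\.com", r"spaces\.msn\.com")

# Hypothetical tighter rule (an assumption, not from the thread): anchor on
# /<RANDOM NAME>/?<2 or 3 CHARACTERS>=<words joined by '.' or '_'>
TIGHT = re.compile(
    r"^https?://(?:uk\.geocities\.com|spaces\.msn\.com/members)"
    r"/[^/?#]+/\?[a-z0-9]{2,3}=[a-z]+(?:[._][a-z!]+)+",
    re.I,
)

def thread_score(uri):
    """Sum the scores of every posted tier that fires on this URI."""
    return sum(
        score
        for host in HOSTS
        for tail, score in TIERS
        if re.search(r"^https?://" + host + r".*" + tail, uri, re.I)
    )

def tight_hit(uri):
    """True when the URI has the query shape seen in the spam samples."""
    return TIGHT.search(uri) is not None

SPAM = [  # the two URLs quoted in the thread
    "http://uk.geocities.com/Hyman_Barrientos/?Wn=Seek_quick.and_effective.cures",
    "http://spaces.msn.com/members/GuadalupeSzekula/?H5=Best_offerings.coming!_T",
]
BENIGN = [  # constructed examples of ordinary personal-page links
    "http://uk.geocities.com/jsmith/index.html",
    "http://uk.geocities.com/john_smith/my_holiday_pics.html",
    "http://spaces.msn.com/members/alice/?id=42",
]

if __name__ == "__main__":
    for uri in SPAM + BENIGN:
        print(f"{thread_score(uri):5.1f}  tight={tight_hit(uri)!s:5}  {uri}")
```

Because every `[a-z]*` in the posted tiers can match nothing, they fire on any path that merely contains `.`, `_`, `?` or `=`, so an ordinary page name can collect the full 10.5; the tighter expression keys on the `/?xx=` query shape instead.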
