Re: Spam Filter Law Suit

2009-07-16 Thread LuKreme

On Jul 15, 2009, at 3:25 AM, Bernd Petrovitsch be...@firmix.at wrote:

What could be new in spam filtering as such in 2003?


The Patent Office is manned by monkeys. Worse, they are ignorant  
monkeys. Have you seen the patent on swinging? Yes, as in the  
playground/backyard swing.


--
Sent from my iPhone



Re: Spam Filter Law Suit

2009-07-16 Thread Bernd Petrovitsch
On Thu, 2009-07-16 at 00:56 -0600, LuKreme wrote:
 On Jul 15, 2009, at 3:25 AM, Bernd Petrovitsch be...@firmix.at wrote:
  What could be new in spam filtering as such in 2003?
 
 The Patent Office is manned by monkeys. Worse, they are ignorant  
More than 99% of each patent is old. The question is: Which feature of
the patent is actually (considered) new (by the patent examiners).

And reading the patent by people skilled in the art is out of question
- they are written in a foreign language (which actually violates the
patents must be published rule of patents BTW). Yes, the patent
industry (PTOs, attorneys, trolls, ...) sees (and defines) it
differently. But most people know the power about secret and special
languages (like e.g. using Latin in churches in the middle ages) ...

Don't get me started about the so-called examination.

 monkeys. Have you seen the patent on swinging? Yes, as in the  
 playground/backyard swing.
So what? Business method patents are an even more crazy idea than
software patents/CIIs.

Bernd
-- 
Firmix Software GmbH   http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
  Embedded Linux Development and Services




The www[variations]continue....

2009-07-16 Thread rich...@buzzhost.co.uk
Don't you just love them :-)

Love Making Tipps -- Tips for Better And Greater
sex.www[dot]nu26[dot]com



Re: The www[variations]continue....

2009-07-16 Thread Benny Pedersen

On Thu, July 16, 2009 12:47, rich...@buzzhost.co.uk wrote:
 Don't you just love them :-)

 Love Making Tipps -- Tips for Better And Greater
 sex.www[dot]nu26[dot]com

lets start block tld with score 100, and on known uri score -100

-- 
xpoint



Opt In Spam

2009-07-16 Thread twofers
And yet another SPAM from these opt-in guys.
 
I believe this group are nothing but covert Spammers abusing a privilege 
afforded them.
 
I receive these spams at two separate email addresses, both I use exclusively 
for my business, there is no way I'd use these addresses as an opt-in for 
anything. They are not personal emails and I'd never consider using them as 
opt-in for anything. I don't opt-in for anything ever to begin with anyway.
 
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
    H67646.safesecureweb.com
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=HABEAS_ACCREDITED_SOI,
    HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCAL_URI_NUMERIC_ENDING,MISSING_MID,
    MPART_ALT_DIFF,SARE_UNSUB09 autolearn=no version=3.2.1
X-Spam-Report: 
    *  0.0 MISSING_MID Missing Message-Id: header
    *  1.3 SARE_UNSUB09 URI: SARE_UNSUB09
    *  2.0 LOCAL_URI_NUMERIC_ENDING URI: Ends in a number of at least 4 
digits
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
    *  0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image 
area
    * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
    *  [66.59.8.161 listed in sa-accredit.habeas.com]
Received: (qmail 17894 invoked from network); 15 Jul 2009 12:21:13 -0400
Received: from mailengine.8lmediamail.com (66.59.8.161)
  by mail.jelsma.com with SMTP; 15 Jul 2009 12:21:12 -0400
Received-SPF: pass (mail.jelsma.com: SPF record at mailengine.8lmediamail.com 
designates 66.59.8.161 as permitted sender)
Received: by mailengine.8lmediamail.com (PowerMTA(TM) v3.2r23) id hbo0ve0eutci 
for embroid...@x.com; Wed, 15 Jul 2009 09:14:23 -0700 (envelope-from 
streamsendboun...@mailengine.8lmediamail.com)
Content-Type: multipart/alternative; boundary=_--=_1073964459106330
MIME-Version: 1.0
X-Mailer: StreamSend - 23361
X-Report-Abuse-At: ab...@streamsend.com
X-Report-Abuse-Info: It is important to please include full email headers in 
the report
X-Campaign-ID: 20812
X-Streamsendid: 23361+362+1918562+20812+mailengine.8lmediamail.com
Date: Wed, 15 Jul 2009 09:14:24 -0700
From: Paul DiFrancesco: Eight Legged Media efly...@8lmediamail.com
To: embroid...@x.com
Subject: Visit with over 25 suppliers
This is a multi-part message in MIME format.



  

Re: The www[variations]continue....

2009-07-16 Thread Chr. von Stuckrad
On Thu, 16 Jul 2009, Benny Pedersen wrote:

 On Thu, July 16, 2009 12:47, rich...@buzzhost.co.uk wrote:
  Don't you just love them :-)

Well, I seem to remember the nearly same scenario a long while ago.
Somebody went through nearly the same 'contortions' to always avoid
the last 'matching' which was shown on this list.
(Of course every good spammer will read the spamassassin list ;-)

At last the 'abstract patterns' were like
(the hostpattern and domains were different then):

wwwstringhostpatternstringtopdomain

and 'string' became so complicated, that a line was
added which said please replace 'string' with a dot.
Of course this was the end of it - the dead giveaway
'replace pattern by a dot' caught them soon ...
(This time they'll avoid this, after reading me :-)

The following Pattern, inserted in the place of a 'dot'
catches all the typical variations of 'bracketing the dot'
(either with a '.' or with 'dot'):

(?:[\[({]\.[\])}]|[\[({]dot[\])}])

Hope that helps,   Stucki


Re: Opt In Spam

2009-07-16 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-16 at 04:38 -0700, twofers wrote:
 66.59.8.161
TRY:
OrgAbuseEmail:  ab...@streamsend.com




Re: Opt In Spam

2009-07-16 Thread Matt Kettler
Have you reported the abuse to mailto:habeas@abuse.net, as Neil
Schwartzman from Return Path (operators of Habeas) requested last time?

Just posting to the sa-users list isn't really going to do very much. If
there are pervasive FP problems, it will show up in the mass-checks and
we'll drop the score.



twofers wrote:
 And yet another SPAM from these opt-in guys.
  
 I believe this group are nothing but covert Spammers abusing a
 privilege afforded them.
  
 I receive these spams at two separate email addresses, both I use
 exclusively for my business, there is no way I'd use these addresses
 as an opt-in for anything. They are not personal emails and I'd never
 consider using them as opt-in for anything. I don't opt-in for
 anything ever to begin with anyway.
  
 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
 H67646.safesecureweb.com
 X-Spam-Level:
 X-Spam-Status: No, score=0.6 required=5.0 tests=HABEAS_ACCREDITED_SOI,

 HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCAL_URI_NUMERIC_ENDING,MISSING_MID,
 MPART_ALT_DIFF,SARE_UNSUB09 autolearn=no version=3.2.1
 X-Spam-Report:
 *  0.0 MISSING_MID Missing Message-Id: header
 *  1.3 SARE_UNSUB09 URI: SARE_UNSUB09
 *  2.0 LOCAL_URI_NUMERIC_ENDING URI: Ends in a number of at
 least 4 digits
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
 *  0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text
 to image area
 * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or
 Better
 *  [66.59.8.161 listed in sa-accredit.habeas.com]
 Received: (qmail 17894 invoked from network); 15 Jul 2009 12:21:13 -0400
 Received: from mailengine.8lmediamail.com (66.59.8.161)
   by mail.jelsma.com with SMTP; 15 Jul 2009 12:21:12 -0400
 Received-SPF: pass (mail.jelsma.com: SPF record at
 mailengine.8lmediamail.com designates 66.59.8.161 as permitted sender)
 Received: by mailengine.8lmediamail.com (PowerMTA(TM) v3.2r23) id
 hbo0ve0eutci for embroid...@x.com;
 Wed, 15 Jul 2009 09:14:23 -0700 (envelope-from
 streamsendboun...@mailengine.8lmediamail.com)
 Content-Type: multipart/alternative;
 boundary=_--=_1073964459106330
 MIME-Version: 1.0
 X-Mailer: StreamSend - 23361
 X-Report-Abuse-At: ab...@streamsend.com
 X-Report-Abuse-Info: It is important to please include full email
 headers in the report
 X-Campaign-ID: 20812
 X-Streamsendid: 23361+362+1918562+20812+mailengine.8lmediamail.com
 Date: Wed, 15 Jul 2009 09:14:24 -0700
 From: Paul DiFrancesco: Eight Legged Media efly...@8lmediamail.com
 To: embroid...@x.com
 Subject: Visit with over 25 suppliers
 This is a multi-part message in MIME format.





Underscores

2009-07-16 Thread twofers
How can I pattern match when every word has an underscore after it.
Example:
This_sentenance_has_an_underscore_after_every_word

I'm not really good at Perl pattern matching, but \w and \W see an underscore 
as a word character, so I'm just not sure what might work.

body =~ /^([a-z]+_+)+/i

Is that something that will work effectively?

Thanks.

Wes


  

Re: Opt In Spam

2009-07-16 Thread Neil Schwartzman



On 16/07/09 7:38 AM, twofers twof...@yahoo.com wrote:

 And yet another SPAM from these opt-in guys.

SINGLE opt-in (SOI).

 
 I believe this group are nothing but covert Spammers abusing a privilege
 afforded them.

Which group? E Z Publishing? They are neither covert, nor spammers. They are
an ESP. As such, they certainly have their share of challenges, with regard
to client vetting and list provenance. Complaints about them here, and
elsewhere are not going unnoticed, I can assure you; we have had a few
sit-downs with them and it appears there is need for another. We do want to
work with this client to better their practices, and will continue to do so,
using the carrot & stick method of encouragement.

We do have sticks of several lengths and weighting to apply if need be, of
course.

I've BCCed our principal contact at EZP to alert him to the problem.
 
 I receive these spams at two separate email addresses, both I use exclusively
 for my business, there is no way I'd use these addresses as an opt-in for
 anything. They are not personal emails and I'd never consider using them as
 opt-in for anything. I don't opt-in for anything ever to begin with anyway.

Understood. But here's where it gets weird ...
  
 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
 H67646.safesecureweb.com
 X-Spam-Level: 
 X-Spam-Status: No, score=0.6 required=5.0 tests=HABEAS_ACCREDITED_SOI,
 HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCAL_URI_NUMERIC_ENDING,MISSING_MID,
 MPART_ALT_DIFF,SARE_UNSUB09 autolearn=no version=3.2.1
 X-Spam-Report: 
 *  0.0 MISSING_MID Missing Message-Id: header
 *  1.3 SARE_UNSUB09 URI: SARE_UNSUB09
 *  2.0 LOCAL_URI_NUMERIC_ENDING URI: Ends in a number of at least 4
 digits
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
 *  0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image
 area
 * -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
 *  [66.59.8.161 listed in sa-accredit.habeas.com]
 Received: (qmail 17894 invoked from network); 15 Jul 2009 12:21:13 -0400
 Received: from mailengine.8lmediamail.com (66.59.8.161)

This IP is not currently on the Safe whitelist (formerly known as
HABEAS_ACCREDITED_SOI ). It was suspended some time ago.

Now, I am aware that we recently changed the DNS hives serving up Safe (aka
safelist aka Habeas) and I'm wondering if there is a glitch between SA and
our lists. I don't know.

I expect I need to take this up with the developer team, and bump it to
someone else over here. I've also BCCed our contacts at SA for clarification

   by mail.jelsma.com with SMTP; 15 Jul 2009 12:21:12 -0400
 Received-SPF: pass (mail.jelsma.com: SPF record at mailengine.8lmediamail.com
 designates 66.59.8.161 as permitted sender)
 Received: by mailengine.8lmediamail.com (PowerMTA(TM) v3.2r23) id hbo0ve0eutci
 for embroid...@x.com; Wed, 15 Jul 2009 09:14:23 -0700 (envelope-from
 streamsendboun...@mailengine.8lmediamail.com)
 Content-Type: multipart/alternative; boundary=_--=_1073964459106330
 MIME-Version: 1.0
 X-Mailer: StreamSend - 23361
 X-Report-Abuse-At: ab...@streamsend.com
 X-Report-Abuse-Info: It is important to please include full email headers in
 the report
 X-Campaign-ID: 20812
 X-Streamsendid: 23361+362+1918562+20812+mailengine.8lmediamail.com
 Date: Wed, 15 Jul 2009 09:14:24 -0700
 From: Paul DiFrancesco: Eight Legged Media efly...@8lmediamail.com
 To: embroid...@x.com
 Subject: Visit with over 25 suppliers
 This is a multi-part message in MIME format.
 
 

-- 
Neil Schwartzman
Director, Certification Security  Standards
Return Path Inc.
0142002038




Re: The www[variations]continue....

2009-07-16 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-16 at 13:43 +0200, Chr. von Stuckrad wrote:
[snip]
 (Of course every good spammer will read the spamassassin list ;-)
I don't think they care that much. Once you've got the mail server to
accept it, ending up in a junk folder is still a successful delivery.

If you are running it so it blocks at the gateway, rather than post
queue it may bother them, but from what I've seen most people don't do
that.

All that aside, many of the bigger 'spammers' don't care much about
block lists either :-)





Re: Opt In Spam

2009-07-16 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-16 at 07:55 -0400, Matt Kettler wrote:
 Have you reported the abuse to mailto:habeas@abuse.net, as Neil
 Schwartzman from Return Path (operators of Habeas) requested last time?
 
 Just posting to the sa-users list isn't really going to do very much.
Have to agree (it's nice to have a moan mind you, it's therapeutic)

It has to be outspokenly said that the name EZ Publishing has come up
before here and I'm starting to wonder if ESP = EMAIL SPAM PERMITTED up
and to the point someone complains about it.




Re: Header Layout

2009-07-16 Thread McDonald, Dan
On Wed, 2009-07-15 at 01:53 +0200, Karsten Bräckelmann wrote:
 On Tue, 2009-07-14 at 12:33 -0500, McDonald, Dan wrote:
  On Tue, 2009-07-14 at 16:13 +0100, Steve wrote:
   This is very pretty;
   Can we change the header layout with SA to format it similar to this?
 You can, I guess -- even without code changes.
  You could tweak it a bit on line 2166 of PerMsgstatus.pm
 [1] 
 http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#template_tags

My read of the code was that the _REPORT_ or _SUMMARY_ template tag was
a fixed entity with the space-delimited strings and 1 unit of precision
on the score number.  I think you have to play around with the code to
get 2 units of precision for the scores and tab-delimited reports.

I'd be happy to be proven wrong.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: Underscores

2009-07-16 Thread Matt Kettler


twofers wrote:
 How can I pattern match when every word has an underscore after it.
 Example:
 This_sentenance_has_an_underscore_after_every_word

 I'm not really good at Perl pattern matching, but \w and \W see an
 underscore as a word character, so I'm just not sure what might work.

 body =~ /^([a-z]+_+)+/i

 Is that something that will work effectively?

 Thanks.

 Wes



I'd do something like this:

body  MY_UNDERSCORES  /\S+_+\S+_+\S+/

Unless you really want to restrict it to A-Z.

Regardless, ending any regex in + in a SA rule is redundant. Since +
allows a one-instance match, it will devolve to that. You don't need to
match the entire line with your rule, so the extra matches are
redundant. It will match the first instance, and that's all it needs to
be a match.

Also any regex ending in * should just have its last element removed,
as that will devolve to a zero-count match.




Re: The www[variations]continue....

2009-07-16 Thread John Hardin
On Thu, 2009-07-16 at 11:47 +0100, rich...@buzzhost.co.uk wrote:
 Don't you just love them :-)
 
 Love Making Tipps -- Tips for Better And Greater
 sex.www[dot]nu26[dot]com

http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

-- 
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



{Spam?} RE: The www[variations]continue....

2009-07-16 Thread Randal, Phil
John Hardin wrote:
 On Thu, 2009-07-16 at 11:47 +0100, rich...@buzzhost.co.uk wrote:
 Don't you just love them :-)
 
 Love Making Tipps -- Tips for Better And Greater
 sex.www[dot]nu26[dot]com
 

http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

The rules should also proactively cover (dot) and {dot} as well as [dot]

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



Re: {Spam?} RE: The www[variations]continue....

2009-07-16 Thread Dan Schaefer



The rules should also proactively cover (dot) and {dot} as well as [dot]
  

I agree.

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: PerlRE Lookahead... problem

2009-07-16 Thread Charles Gregory

On Wed, 15 Jul 2009, Karsten Bräckelmann wrote:

body =~ /(?!www\.[a-z]{2,3}[0-9]{2,3}\.(com|net|org))

This is invalid.

Please ignore. I use a generator

To avoid red herrings, you should have mentioned it. ;)


What I 'shoulda dun' (sic) is type that first bit correctly... :-D


Yeah, well -- are they? Any chance there's a space injected at the
places that are now line breaks? Or possibly invisible chars anywhere?


Nope. The second rule is a cut-n-paste of the first with the look-ahead 
removed via the delete key. All other characters should be the same



Tested again, both of them do work for me...


Totally weird


Well, HOW exactly do YOU test these?


The 'error' is a false negative, so I figure it is harmless to test
it in the 'live' mail stream, avoiding all possible introduced errors
from testing scripts/code Here is the spam hit results from
this actual e-mail of yours that I am answering:

X-Spam-Status: No, hits=-2003.0 required=10.0 autolearn=disabled
tests=LOC_09061905=1,LOC_SAUSERS_RCVD_WL=-1000,
LOC_SAUSERS_TO_WL=-1000,RCVD_IN_DNSWL_MED=-4

...well, yeah, I have a simple solution for the problem of spamsign
sometimes appearing in SA list mail. :) But you can see how the '05' 
rule (no look-ahead) is listed, but not the '01' rule. By all that I 
understand, this just 'should not happen'...


I'm beginning to think maybe I've got an 'unlucky' combination of
Perl and SA versions? My SA is reasonably new (3.25) but my Perl
is the default packaged with CentOS 4 (5.8.5).

- C

Re: Underscores

2009-07-16 Thread John Hardin
On Thu, 2009-07-16 at 08:52 -0400, Matt Kettler wrote:
 
 twofers wrote:
  How can I pattern match when every word has an underscore after it.
  Example:
  This_sentenance_has_an_underscore_after_every_word
 
  body =~ /^([a-z]+_+)+/i

 I'd do something like this:
 
 body  MY_UNDERSCORES  /\S+_+\S+_+\S+/

That's quite a lot of backtracking, no?

How about:

  /(?:[^_]{1,30}_+){1,5}/

-- 
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



Re: Spamassassin rules in a mysql database

2009-07-16 Thread Bowie Bailey

Patrick Saweikis wrote:


Has anyone had any experience trying to make spamassassin use a mysql 
database for it’s ruleset instead of text files? We are planning on 
making our anti-spam solution redundant, and it would be nice to have 
this in a database instead of copying files around when we make changes.




Why not use a shared directory? Since SA does not write to the rules 
directory, there would be no locking issues.


--
Bowie


Re: [sa] Re: Spam Filter Law Suit

2009-07-16 Thread Charles Gregory

On Wed, 15 Jul 2009, Gene Heskett wrote:

Or tell them to go pound sand.  The last Bilski ruling seems to have pretty
well torpedoed software patents, but some jerks may not have gotten the memo.


Well, I'm not saying this about anyone in particular, as I don't want to 
get sued for defaming any particular person's character (LOL), but in 
general it is a fair statement that it is often less costly for a big 
company to settle out of court rather than go through the expensive 
process of defending themselves against a lawsuit. So even though the 
company might be 100% guaranteed to 'win' its defense, and have a patent 
declared invalid, there is still a decent chance that someone holding a 
questionable patent could make a profit from it out of court


- C


Re: {Spam?} RE: The www[variations]continue....

2009-07-16 Thread John Hardin
On Thu, 2009-07-16 at 14:08 +0100, Randal, Phil wrote:
 John Hardin wrote:
  On Thu, 2009-07-16 at 11:47 +0100, rich...@buzzhost.co.uk wrote:
  Don't you just love them :-)
  
  Love Making Tipps -- Tips for Better And Greater
  sex.www[dot]nu26[dot]com
  

 http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
 
 The rules should also proactively cover (dot) and {dot} as well as [dot]

Of course. They do. And other variations as well.

-- 
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



Re: Underscores

2009-07-16 Thread Jeff Mincy
   From: Matt Kettler mkettler...@verizon.net
   Date: Thu, 16 Jul 2009 08:52:50 -0400
   
   twofers wrote:
How can I pattern match when every word has an underscore after it.
Example:
This_sentenance_has_an_underscore_after_every_word
   
I'm not really good at Perl pattern matching, but \w and \W see an
underscore as a word character, so I'm just not sure what might work.
   
body =~ /^([a-z]+_+)+/i
   
Is that something that will work effectively?

Is this for a spam rule?

   I'd do something like this:
   
   body  MY_UNDERSCORES  /\S+_+\S+_+\S+/
   
   Unless you really want to restrict it to A-Z.
   
   Regardless, ending any regex in + in a SA rule is redundant. Since +
   allows a one-instance match, it will devolve to that. You don't need to
   match the entire line with your rule, so the extra matches are
   redundant. It will match the first instance, and that's all it needs to
   be a match.
   
   Also any regex ending in * should just have its last element removed,
   as that will devolve to a zero-count match.

The /\S+_+\S+_+\S+/ rule will match lots of technical email, for example
discussions on shell environment variables like LD_LIBRARY_PATH.

-jeff


Re: [sa] Re: PerlRE Lookahead... problem

2009-07-16 Thread Charles Gregory

On Wed, 15 Jul 2009, Karsten Bräckelmann wrote:

Actually, in this very rule, the negative look-ahead is useless and
won't match the remaining part of the RE anyway.


Correct. Because this is my 'live' .cf file, I have modified the 'working' 
rule (05) to minimize false positives (in the old fashioned way) so I 
could raise its score, then, to avoid accusations that rule 01 and rule 
05 are not 'identical' I inserted that extra code into rule 01 (and 
again, to be clear, and certain there were no invisible characters, I 
actually fixed up rule 01, then cut-n-pasted it to make a new rule 05, 
and removed the look-ahead from 05).


Yes, it makes the look-ahead useless, but the rule SHOULD still trigger.
I should be able to remove that complicated either-or code in the rule 
(which actually does not cover *all* possible obfuscations) and have the 
negative look-ahead handle the one true false negative.



Given that the negative look-ahead actually does nothing, but yet
prevents the RE from matching when added -- this either is a bug with
your Perl (assuming the ONLY difference is the added negative look-
ahead), or the assumption doesn't hold and the REs actually are not
identical.


I am going to play with it a bit more right now. I've reduced the negative 
look-ahead to (?!www\.[a-z0-9]+\.net) and we'll see if.www .pe31. net 
still triggers only one rule


- Charles

RE: [sa] Spam Filter Law Suit

2009-07-16 Thread Damian Mendoza
Thanks for everyone's feedback. Once I receive the actual paperwork and talk to 
their legal firm I'll let everyone know the results.


Regards,

Damian

-Original Message-
From: Charles Gregory [mailto:cgreg...@hwcn.org] 
Sent: Thursday, July 16, 2009 6:26 AM
To: users@spamassassin.apache.org
Subject: Re: [sa] Spam Filter Law Suit

On Wed, 15 Jul 2009, Gene Heskett wrote:
 Or tell them to go pound sand.  The last Bilski ruling seems to have pretty
 well torpedoed software patents, but some jerks may not have gotten the memo.

Well, I'm not saying this about anyone in particular, as I don't want to
get sued for defaming any particular person's character (LOL), but in
general it is a fair statement that it is often less costly for a big
company to settle out of court rather than go through the expensive
process of defending themselves against a lawsuit. So even though the
company might be 100% guaranteed to 'win' its defense, and have a patent
declared invalid, there is still a decent chance that someone holding a
questionable patent could make a profit from it out of court

- C


Re: Underscores

2009-07-16 Thread John Hardin
On Thu, 2009-07-16 at 06:27 -0700, John Hardin wrote:

 How about:
 
   /(?:[^_]{1,30}_+){1,5}/

Whoops! Make that:

  /(?:[^_]{1,30}_+){5}/

-- 
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



Re: {Spam?} RE: The www[variations]continue....

2009-07-16 Thread McDonald, Dan
On Thu, 2009-07-16 at 09:11 -0400, Dan Schaefer wrote:
  The rules should also proactively cover (dot) and {dot} as well as [dot]

and dot, and {dot, and /dot/, and ...

That's why I like using [[:punct:]], which includes  ! ' # S % & ' ( ) *
+ , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~

I've simplified my rule a bit and think this will catch all of the
possible variants, until they replace dot with something else...

body      __MED_OB      /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body      __MED_NOT_OB  /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta      AE_MED44      (__MED_OB && ! __MED_NOT_OB)
describe  AE_MED44      Shorter rule to catch spam obfuscation
score     AE_MED44      2.0

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: Underscores

2009-07-16 Thread Karsten Bräckelmann
 Whoops! Make that:
 
   /(?:[^_]{1,30}_+){5}/

Better. ;)  However, while that indeed eliminates excessive backtracking
as \S or \w results in (since they contain the underscore), this doesn't
match words ending in underscores. A non-underscore [^_] includes
space, punctuation, and any other unwanted char.

Exactly _five_ occurrences of an '_' underscore, with up to 30 _random_
chars in between. This paragraph matches. :)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-16 Thread Charles Gregory

On Wed, 15 Jul 2009, MrGibbage wrote:

I wonder if the spammers are reading this forum.  That seemed awful fast.


I'm sure they do. But I also suspect that they have a simple 'feedback' 
mechanism that lets them know how much of their spew is getting rejected
on their botnets, and when the rejection numbers get too high they try 
something new, and keep trying until the rejection numbers drop again.


Then we fix our rules, the rejections go up, and they look for yet another 
'trick' to get through. They have the advantage of being able to download 
their own copies of spamassassin to 'test' their spew. That's why 
sometimes you get 'red herrings' from me on this list when I don't share 
the full details of a rule. Posting it here almost assures that it will 
get bypassed. They copy the rule, then try all sorts of different 
combinations to bypass it


Now really, the significant factor here is not that any of these 
obfuscation tricks are 'new', but that they are using them to bypass the 
URIBL rules. I strongly urge the spamassassin developers to consider ways 
to 'open up' the way that we can specify what SA will 'consider' a URI, or 
to be able to 'capture' a value from an obfuscation test, manipulate it 
into its 'original' URI and then 'manually' submit it to the URIBL


Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl 
variables, and then feed them to a subsequent rule (in this case, a manual 
URIBL lookup). This way, the SA developers don't have to hard-code an 
ever-changing set of URI detection rules into the core code, but we can 
still develop on-the-fly rules that can feed a URI to the URIBL tests


I've heard people mention 'plugins'. Could I code one that would be
easily 'modifiable' so that (for example) this morning's '[dot]' trick can 
be quickly added to my plugin? Is there a good working example of a plugin 
that extracts text from a message and feeds it to a URI? I'll work on 
this!


- C
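

Added example, not code from any poster in this thread or from SpamAssassin: a Python sketch of the capture-and-rebuild idea proposed above, using the separator shape of the `__MED_OB` rule posted earlier in the thread. The sample hosts, the function names and the `uribl.example` zone are constructed placeholders, and nothing here performs a DNS lookup.

```python
import re
import string

# Perl's [[:punct:][:space:]] has no direct spelling in Python's re module,
# so the class is built from string.punctuation (the ASCII set) plus \s.
_PS = "[" + re.escape(string.punctuation) + r"\s]"

# Separator between labels, following the __MED_OB rule from the thread:
# 1-5 punctuation/space characters, or "dot" wrapped in 1-3 of them.
_SEP = rf"(?:{_PS}{{1,5}}|{_PS}{{1,3}}dot{_PS}{{1,3}})"

# Same shape as __MED_OB, with capturing groups around the three labels as in
# the hypothetical FINDURI rule. [a-z] with re.I stands in for [[:alpha:]].
OBFUSCATED = re.compile(
    rf"\b(w{{2,3}}){_SEP}([a-z]{{2,6}}\d{{2,6}}){_SEP}"
    r"(c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    re.I,
)

# Counterpart of __MED_NOT_OB: the host written with ordinary dots.
PLAIN = re.compile(r"\bw{2,3}\.[a-z]{2,6}\d{2,6}\.(?:com|net|org)\b", re.I)


def find_hosts(text):
    """Return (rebuilt_host, was_obfuscated) for each host-like match.

    The thread's meta rule combines the two body rules per message; here the
    plain-form check is applied to each matched span instead, so a message
    holding both a plain and an obfuscated host still reports the latter.
    """
    results = []
    for m in OBFUSCATED.finditer(text):
        www, label, tld = m.groups()
        # Equivalent of the proposed "$1.$2.$3": rebuild with real dots and
        # drop any whitespace injected into the TLD ("c o m").
        host = ".".join((www, label, re.sub(r"\s", "", tld))).lower()
        results.append((host, PLAIN.fullmatch(m.group(0)) is None))
    return results


def uribl_query_name(host, zone="uribl.example"):
    """Build the DNS name a URI blocklist query would use.

    The leading www label is dropped so the registered domain is queried.
    The zone is a placeholder (assumption), not a real blocklist.
    """
    domain = host.split(".", 1)[1]
    return f"{domain}.{zone}"


# Constructed sample text; the hosts are made up to fit the spam shape
# discussed in the thread (letters followed by digits).
SAMPLE = ("visit www[dot]xy99[dot]com, www(dot)ab12(dot)net, "
          "www .cd34. org and plain www.ef56.com")

if __name__ == "__main__":
    for host, obfuscated in find_hosts(SAMPLE):
        print(host, "obfuscated" if obfuscated else "plain",
              uribl_query_name(host))
```

Only the hosts flagged as obfuscated need the rebuilt name; a host already written with plain dots is the form the plain-dot rule in the thread matches.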



sa-update recently failing with gpg error

2009-07-16 Thread Matt
In the last week or so sa-update has been failing due to a gpg
cross-certification error:

[18306] dbg: gpg: Searching for 'gpg'
[18306] dbg: util: current PATH is: 
/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/lib/java/bin
[18306] dbg: util: executable for gpg was found at /usr/bin/gpg
[18306] dbg: gpg: found /usr/bin/gpg
[18306] dbg: gpg: release trusted key id list: 
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 
26C900A46DD40CD5AD24F6D7DEE01987265FA05B 
0C2B1D7175B852C64B3CDC716C55397824F434CE
[18306] dbg: channel: attempting channel updates.spamassassin.org
[...]
[18306] dbg: generic: lint check of site pre files succeeded, continuing with 
channel updates
[18306] dbg: channel: reading MIRRORED.BY file
[18306] dbg: channel: found mirror http://daryl.dostech.ca/sa-update/asf/ 
weight=5
[18306] dbg: channel: found mirror http://www.sa-update.pccc.com/ weight=5
[18306] dbg: channel: selected mirror http://www.sa-update.pccc.com
[18306] dbg: http: GET request, http://www.sa-update.pccc.com/792712.tar.gz
[18306] dbg: http: GET request, http://www.sa-update.pccc.com/792712.tar.gz.sha1
[18306] dbg: http: GET request, http://www.sa-update.pccc.com/792712.tar.gz.asc
[18306] dbg: http: IMS GET request, http://www.sa-update.pccc.com/MIRRORED.BY, 
Mon, 30 Mar 2009 08:03:24 GMT
[18306] dbg: sha1: verification wanted: 58c1b218366fb49b287d8a63a39a7b130c0faab8
[18306] dbg: sha1: verification result: 58c1b218366fb49b287d8a63a39a7b130c0faab8
[18306] dbg: channel: populating temp content file
[18306] dbg: gpg: populating temp signature file
[18306] dbg: gpg: calling gpg
[18306] dbg: gpg: gpg: Signature made Thu 09 Jul 2009 05:32:21 PM EDT using RSA 
key ID 24F434CE
[18306] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[18306] dbg: gpg: gpg: please see 
http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[18306] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1247175141 1
[18306] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[18306] dbg: generic: cleaning up temporary directory/files
[18306] dbg: diag: updates complete, exiting with code 4

This means to me that the spamassassin key needs to be cross-certified
but since I haven't seen anyone else mention this I am thinking maybe
I need to update something, although I am not sure what.



Matt

-- 
GnuPG Key ID: 0xC33BD882
aim: beyondzero123  yahoo msg: beyondzero123

I do not want to die without any scars.
 -Tyler Durden



Re: [sa] Re: Underscores

2009-07-16 Thread Charles Gregory

On Thu, 16 Jul 2009, Karsten Bräckelmann wrote:

  /(?:[^_]{1,30}_+){5}/

Better. ;)  However, while that indeed eliminates excessive backtracking
as \S or \w results in (since they contain the underscore), this doesn't
match words ending in underscores. A non-underscore [^_] includes
space, punctuation, and any other unwanted char.


Given that OP said the entire *line* was word-underscore-word-underscore,
then why not just:

body R01 /^\w{30,}$/m

Or perhaps the OP wasn't clear on whether 'word' might contain other 
punctuation, and so we might simply use:


body R02 /^\S{30,}$/m

I might add \s* at the end of the rule, just in case of trailing spaces...

- C

Re: sa-update recently failing with gpg error

2009-07-16 Thread Karsten Bräckelmann
On Thu, 2009-07-16 at 11:04 -0400, Matt wrote:
 In the last week or so sa-update has been failing due to a gpg
 cross-certification error:

Google spamassassin gpg cross-certified. Turns up quite a few list posts
discussing that issue. Following those links gets me here:

  http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Opt In Spam

2009-07-16 Thread LuKreme

On 16-Jul-2009, at 05:38, twofers wrote:
* -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In  
or Better

*  [66.59.8.161 listed in sa-accredit.habeas.com]



If you search for HABEAS_ACCREDITED you will find that a LOT of admins  
either drop these scores to very low numbers, or actually set them  
slightly positive. In my mailspool they are a spam indicator and I  
have them scored as such:


score HABEAS_ACCREDITED_COI 1.0
score HABEAS_ACCREDITED_SOI 1.5


--
When the stars threw down their spears And watered heaven with
their tears, Did He smile his work to see? Did He who made
the Lamb make thee?



Re: [sa] Re: Underscores

2009-07-16 Thread Karsten Bräckelmann
On Thu, 2009-07-16 at 11:08 -0400, Charles Gregory wrote:
 Given that OP said the entire *line* was word-underscore-word-underscore,
 then why not just:
 
 body R01 /^\w{30,}$/m

Indeed, it really depends on what *exactly* the rule should match.

 Or perhaps the OP wasn't clear on whether 'word' might contain other 
 punctuation, and so we might simply use:
 
 body R02 /^\S{30,}$/m

This one also matches a long-ish URL on a line of its own.

 I might add \s* at the end of the rule, just in case of trailing spaces...

Keep in mind, that with body rules, the body is *rendered*. Whitespace
normalized, and *paragraphs* re-flowed to a single string with embedded
newlines stripped. For instance, this very paragraph is a single ^line$
as far as body REs are concerned.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



interesting sa-compile times

2009-07-16 Thread Michael Scheidell

Using Freebsd.

64bit versions (amd64 code), march=nocona, both  freebsd 6.4 and freebsd 
7.1, xeon processors


32bit versions (i386 code), march=prescott, freebsd 6.4 only. P4 D processor

on 64bit versions, around 2 or 3 mins (et) using 'time' to measure it.
on 32 bit versions, same load, same rules, averages 20 mins, sometimes 
30 mins.


using SA rules, SOUGHT and a few SARES rules (same rules on all systems)

largest gap in display (what part seems to take 15/20 mins)

Wide character in print at /usr/local/bin/sa-compile line 382, $fh 
line 2272.


--- large gap in time

Cannot create directory 
/var/db/pkg/bsdpan-Mail-SpamAssassin-CompiledRegexps-body_0-1.0: File exists



without sought rules, the 32bit system runs sa-compile in around 5 mins.



--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008



Re: Opt In Spam

2009-07-16 Thread Neil Schwartzman
FOLLOW-UP:

A process was hung on one of the 20 hives serving the whitelists and
reported this IP as being listed. We've restarted the process and it is
no longer reporting incorrectly.


On 16/07/09 8:05 AM, Neil Schwartzman neil.schwartz...@returnpath.net wrote:

Now, I am aware that we recently changed the DNS hives serving up Safe (aka
safelist aka Habeas) and I'm wondering if there is a glitch between SA and
our lists. I don't know.

I expect I need to take this up with the developer team, and bump it to
someone else over here. I've also BCCed our contacts at SA for clarification

--
Neil Schwartzman
Director, Certification Security  Standards
Return Path Inc.
0142002038



copy spam mail to separate mailbox

2009-07-16 Thread Dan Schaefer
I have a postfix/SA setup and I was wondering if anyone knew how to COPY 
an email marked as spam instead of redirecting.

Not this:
/^X-Spam-Flag: YES/   REDIRECT spam...@example.com

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: copy spam mail to separate mailbox

2009-07-16 Thread Evan Platt

At 11:22 AM 7/16/2009, you wrote:
I have a postfix/SA setup and I was wondering if anyone knew how to 
COPY an email marked as spam instead of redirecting.

Not this:
/^X-Spam-Flag: YES/   REDIRECT spam...@example.com


As that's really a postfix question, not a SpamAssassin question, if 
you don't get an answer here you may want to try on a postfix mailing list.  



Re: copy spam mail to separate mailbox

2009-07-16 Thread Dan Schaefer


As that's really a postfix question, not a SpamAssassin question, if 
you don't get an answer here you may want to try on a postfix mailing 
list. 
I know. Since everybody here is so great at answering my questions so 
far, I thought I'd try this list first.


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: copy spam mail to separate mailbox

2009-07-16 Thread Jari Fredriksson
 I have a postfix/SA setup and I was wondering if anyone
 knew how to COPY an email marked as spam instead of
 redirecting. 
 Not this:
 /^X-Spam-Flag: YES/   REDIRECT spam...@example.com

Needs scripting. If the target spambox is on same server, a cp will do with 
correct owner adjustments in the script, but if it is on some remote server, a 
more complex 'sendmail' call will be required (I have never done this).

I have a 'grabspam' script which copies spam-folder from specified user to 
the spam-user. Nothing special in it, the email is just a file in the file 
system (if using Maildir -format).






Re: copy spam mail to separate mailbox

2009-07-16 Thread Randy
Evan Platt wrote:
 At 11:22 AM 7/16/2009, you wrote:
 I have a postfix/SA setup and I was wondering if anyone knew how to
 COPY an email marked as spam instead of redirecting.
 Not this:
 /^X-Spam-Flag: YES/   REDIRECT spam...@example.com

 As that's really a postfix question, not a SpamAssassin question, if
 you don't get an answer here you may want to try on a postfix mailing
 list. 
Procmail. Set postfix to use this as local delivery agent. Then create a
recipe that does what you want.

procmailrc

SPAMIT=$whatever_dir_you_want_to_use/.SPAM/
:0:
* ^X-Spam-Status: Yes
$SPAMIT


This would need to be modified for your specs of course.

RCR


Re: copy spam mail to separate mailbox

2009-07-16 Thread Jack Pepper

Quoting Dan Schaefer d...@performanceadmin.com:



As that's really a postfix question, not a SpamAssassin question,  
if you don't get an answer here you may want to try on a postfix  
mailing list.
I know. Since everybody here is so great at answering my questions  
so far, I thought I'd try this list first.




$ cat .procmailrc
PMDIR=$HOME/Procmail  # Make sure this directory exists!
LOGFILE=$PMDIR/pmlog
LOG=

MAILDIR=$HOME/Mail
# VERBOSE=yes

:0
* ^Subject:.*\[SPAM\]
$HOME/Mail/Spam/

# EOF

This is about the simplest procmail recipe to do what you ask.  There  
are many much more robust examples in the googlesphere, but maybe this  
gets you started.


jp


--
Simple compliance is a hacker's best friend


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: sa-update recently failing with gpg error

2009-07-16 Thread Matt
On Thu, Jul 16, 2009 at 05:34:38PM +0200, Karsten Bräckelmann wrote:
 On Thu, 2009-07-16 at 11:04 -0400, Matt wrote:
  In the last week or so sa-update has been failing due to a gpg
  cross-certification error:
 
 Google spamassassin gpg cross-certified. Turns up quite a few list posts
 discussing that issue. Following those links gets me here:
 
   http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified

Not sure how I missed that, sorry.  Thanks for the help.


Matt

-- 
GnuPG Key ID: 0xC33BD882
aim: beyondzero123  yahoo msg: beyondzero123

He who makes his own liberty secure must guard even his
enemy from oppression; for if he violates this duty he 
establishes a precedent that will reach to himself.
 -Thomas Paine



Re: Underscores

2009-07-16 Thread John Hardin

On Thu, 16 Jul 2009, Karsten Bräckelmann wrote:


Whoops! Make that:

  /(?:[^_]{1,30}_+){5}/


Better. ;)  However, while that indeed eliminates excessive backtracking
as \S or \w results in (since they contain the underscore), this doesn't
match words ending in underscores. A non-underscore [^_] includes
space, punctuation, and any other unwanted char.

Exactly _five_ occurrences of an '_' underscore, with up to 30 _random_
chars in between. This paragraph matches. :)


Sorry. I lost sight of that part...

  /(?:[^_\s]{1,30}_+){5}/

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You know things are bad when Pravda says we [the USA] have gone
  too far to the left. -- Joe Huffman
---
 Today: the 64th anniversary of the dawn of the Atomic Age
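
The patterns from this Underscores thread, run side by side in Perl as an added example (not code from any poster or from SpamAssassin). The sample texts are constructed, the labels ANY_BUT_US and NO_US_NO_WS are made up for the demo, and render_body() is a simplified stand-in for the body rendering Karsten describes (one string per paragraph, whitespace normalized).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Patterns quoted in the thread. R01/R02 are the names used there; the other
# two labels are made up for this demo.
my @rules = (
    [ ANY_BUT_US  => qr/(?:[^_]{1,30}_+){5}/   ],
    [ NO_US_NO_WS => qr/(?:[^_\s]{1,30}_+){5}/ ],
    [ R01         => qr/^\w{30,}$/m            ],
    [ R02         => qr/^\S{30,}$/m            ],
);

# Simplified stand-in (an assumption, not SpamAssassin's code) for body
# rendering: every paragraph becomes one string with whitespace normalized.
sub render_body {
    my ($raw) = @_;
    my @paragraphs;
    for my $chunk (split /\n\s*\n/, $raw) {
        (my $para = $chunk) =~ s/\s+/ /g;   # newlines and blank runs -> one space
        $para =~ s/^ | $//g;                # trim both ends
        push @paragraphs, $para if length $para;
    }
    return @paragraphs;
}

# Names of the rules that hit at least one of the given strings.
sub hits {
    my @strings = @_;
    my @hit;
    for my $rule (@rules) {
        my ($name, $re) = @$rule;
        push @hit, $name if grep { $_ =~ $re } @strings;
    }
    return @hit ? join(',', @hit) : '-';
}

# Constructed sample bodies, except the prose paragraph, which is the one
# from the thread that "matches" the first pattern.
my @samples = (
    [ 'underscore words, one line' =>
      "buy_cheap_pills_online_today_without_prescription\n" ],
    [ 'prose with five underscores' =>
      "Exactly _five_ occurrences of an '_' underscore, with up to 30 _random_\n"
    . "chars in between. This paragraph matches. :)\n" ],
    [ 'long URL on its own line' =>
      "http://www.example.com/some/long/path/index.html\n" ],
    [ 'underscore line inside a paragraph' =>
      "click_here_for_free_gift_cards_now_ok\nand the same paragraph continues here\n" ],
);

# Compare what each pattern does on the raw text and on the rendered text.
for my $sample (@samples) {
    my ($label, $raw) = @$sample;
    printf "%-36s raw: %-32s rendered: %s\n",
        $label, hits($raw), hits(render_body($raw));
}
```

The last sample is the case to watch: the anchored rules hit the raw first line but not the rendered paragraph, which is the point about ^line$ in body rules.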

Re: {Spam?} RE: The www[variations]continue....

2009-07-16 Thread Ibrahim Harrani
Hi,

Is this rule available via updates.spamassassin.org sa-update channel?

Thanks

On Thu, Jul 16, 2009 at 4:08 PM, Randal,
Philpran...@herefordshire.gov.uk wrote:
 John Hardin wrote:
 On Thu, 2009-07-16 at 11:47 +0100, rich...@buzzhost.co.uk wrote:
 Don't you just love them :-)

 Love Making Tipps -- Tips for Better And Greater
 sex.www[dot]nu26[dot]com


 http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
 20_uri_obfu_ws.cf

 The rules should also proactively cover (dot) and {dot} as well as [dot]

 Cheers,

 Phil

 --
 Phil Randal | Networks Engineer
 Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
 Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
 Tel: 01432 260160
 email: pran...@herefordshire.gov.uk




Re: The www[variations]continue....

2009-07-16 Thread Karsten Bräckelmann
On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
 Is this rule available via updates.spamassassin.org sa-update channel?

Nope.  It's living in a sandbox.

  http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: The www[variations]continue....

2009-07-16 Thread Ibrahim Harrani
Hi,

How can I get them into  my spamassassin rules automatically or manually?

Thanks

2009/7/17 Karsten Bräckelmann guent...@rudersport.de:
 On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
 Is this rule available via updates.spamassassin.org sa-update channel?

 Nope.  It's living in a sandbox.

  http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

 --
 char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
 main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
 (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}




Re: The www[variations]continue....

2009-07-16 Thread Michelle Konzack
Good Evening,

Am 2009-07-16 23:42:44, schrieb Karsten Bräckelmann:
 On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
  Is this rule available via updates.spamassassin.org sa-update channel?
 
 Nope.  It's living in a sandbox.
 
   http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

And it does not work...  :-(

Gotten today more than 2800 of this ${STRONG_WORD_HERE}.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947    Blumenstasse 2             MSN LinuxMichi
+33/6/61925193     77694 Kehl/Germany         IRC #Debian (irc.icq.com)




Re: The www[variations]continue....

2009-07-16 Thread Michelle Konzack
Am 2009-07-16 11:47:16, schrieb rich...@buzzhost.co.uk:
 Don't you just love them :-)
 
 Love Making Tipps -- Tips for Better And Greater
 sex.www[dot]nu26[dot]com

The only thing I love is the use of my Makarow... charged for spammers!

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947    Blumenstasse 2             MSN LinuxMichi
+33/6/61925193     77694 Kehl/Germany         IRC #Debian (irc.icq.com)




Re: The www[variations]continue....

2009-07-16 Thread Karsten Bräckelmann
On Fri, 2009-07-17 at 01:02 +0300, Ibrahim Harrani wrote:
 How can I get them into  my spamassassin rules automatically

svn

 or manually?

Click the link. Then use the download link, preferably for HEAD.

Copy-n-paste the rule in some *.cf file of your choice in your *site*
specific configuration dir. Lint check. Restart the daemon.

Of course there's always 'wget', too...


 2009/7/17 Karsten Bräckelmann guent...@rudersport.de:
  On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
   Is this rule available via updates.spamassassin.org sa-update channel?
 
  Nope.  It's living in a sandbox.
 
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: The www[variations]continue....

2009-07-16 Thread McDonald, Dan
On Fri, 2009-07-17 at 00:04 +0200, Michelle Konzack wrote:
 Good Evening,
 
 Am 2009-07-16 23:42:44, schrieb Karsten Bräckelmann:
  On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
   Is this rule available via updates.spamassassin.org sa-update channel?
  
  Nope.  It's living in a sandbox.
  
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
 
 And it does not work...  :-(
 
 Gotten today more than 2800 of this ${STRONG_WORD_HERE}.

Have you tried my rule?  I've caught 401 of them since I updated it this
morning.  It's also got a little surprise for the next logical
variant...

body     __MED_OB      /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body     __MED_NOT_OB  /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta     AE_MED44      (__MED_OB && ! __MED_NOT_OB)
describe AE_MED44      Shorter rule to catch spam obfuscation
score    AE_MED44      2.0


 
 Thanks, Greetings and nice Day/Evening
 Michelle Konzack
 Systemadministrator
 Tamay Dogan Network
 Debian GNU/Linux Consultant
 
 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


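
Dan's two sub-rules and the meta that combines them, as a stand-alone Perl check added here as an example (it is not part of his post and not SpamAssassin code). The first sample is the string from this thread, the others are constructed, and ae_med44() is a hypothetical helper standing in for the meta evaluation.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two sub-rule patterns as posted in the thread.
my $MED_OB = qr/\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i;
my $MED_NOT_OB = qr/\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i;

# Hypothetical helper mirroring:  meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
# Returns (ob, not_ob, meta) as 0/1 flags for one piece of body text.
sub ae_med44 {
    my ($text) = @_;
    my $ob    = $text =~ $MED_OB     ? 1 : 0;
    my $plain = $text =~ $MED_NOT_OB ? 1 : 0;
    return ($ob, $plain, ($ob && !$plain) ? 1 : 0);
}

my @samples = (
    'sex.www[dot]nu26[dot]com',         # the string reported in this thread
    'www(dot)nu26(dot)com',             # constructed: other bracket styles
    'www{dot}nu26{dot}com',
    'www . nu26 . c o m',               # constructed: spaced-out separators and TLD
    'www.nu26.com',                     # constructed: same name written plainly
    'see www.example.com for details',  # constructed: ordinary host, no digits
);

# __MED_OB is loose enough to hit a plainly written host of this shape too;
# __MED_NOT_OB exists so that the meta fires only on the obfuscated forms.
for my $text (@samples) {
    printf "%-34s OB=%d NOT_OB=%d AE_MED44=%d\n", $text, ae_med44($text);
}
```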


Re: {Spam?} RE: The www[variations]continue....

2009-07-16 Thread John Hardin

On Fri, 17 Jul 2009, Ibrahim Harrani wrote:


Hi,

Is this rule available via updates.spamassassin.org sa-update channel?


http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf


Not at present. Stuff in the sandbox is still undergoing testing and 
evaluation.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I'll have that son of a bitch eating out of dumpsters in less than
  two years.   -- MS CEO Steve Ballmer, on RedHat CEO Matt Szulik
---
 Today: the 64th anniversary of the dawn of the Atomic Age


Re: The www[variations]continue....

2009-07-16 Thread Michelle Konzack
Am 2009-07-16 17:23:41, schrieb McDonald, Dan:
 Have you tried my rule?

Installed for some minutes...  will see how many it catches.

  I've caught 401 of them since I updated it this
 morning.  It's also got a little surprise for the next logical
 variant...
 
 body     __MED_OB      /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body     __MED_NOT_OB  /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
 meta     AE_MED44      (__MED_OB && ! __MED_NOT_OB)
 describe AE_MED44      Shorter rule to catch spam obfuscation
 score    AE_MED44      2.0


Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947    Blumenstasse 2             MSN LinuxMichi
+33/6/61925193     77694 Kehl/Germany         IRC #Debian (irc.icq.com)




Re: The www[variations]continue....

2009-07-16 Thread Ben

McDonald, Dan wrote:

Have you tried my rule?  I've caught 401 of them since I updated it this
morning.  It's also got a little surprise for the next logical
variant...

body     __MED_OB      /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body     __MED_NOT_OB  /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta     AE_MED44      (__MED_OB && ! __MED_NOT_OB)
describe AE_MED44      Shorter rule to catch spam obfuscation
score    AE_MED44      2.0

  


Dan,

Thanks for the rules.

I am using AE_MED42 from a previous thread, is this AE_MED44 meant 
to replace this or work in addition to it?


Also just curious, why the low score?  With the default required hits of 
5.0 and this in my setup being the only rule to hit it would not be 
tagged as spam.  Am I missing something or have you lowered your 
required hits?


Ben