Lots of comment in mail, how to score

2012-02-06 Thread Mynabbler

I seem to remember we discussed a way to figure out how much HTML comment is
in a message, but I am not able to find a decent ruleset that is trying to
count the amount of comment.

Let me elaborate with an example: http://pastebin.com/AS6kvLH2

I do realize the spamvertized site (way way down the message) is at the
moment in blacklists. But it was not at the time the message was received.
And I reckon a fresh domain will be spammed in the next batch. But they
typically all have _pages_ of comment, and behind that scattering of words,
a small block with the payload.

What would be the best way to score such an unusual amount of HTML comment in
a message?
-- 
View this message in context: 
http://old.nabble.com/Lots-of-comment-in-mail%2C-how-to-score-tp33272106p33272106.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
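An added Python illustration of the measurement the question asks for (not a rule from the thread or from SpamAssassin): it reports how much of an HTML body sits inside comments versus what the recipient actually sees, so that a threshold can be meta'ed with other findings rather than scored alone. The sample messages and the thresholds are constructed here.

```python
import re

# Matches one HTML comment; an unterminated comment runs to the end of the
# input, which is also what a renderer does with it.
COMMENT_RE = re.compile(r"<!--.*?(?:-->|\Z)", re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def comment_stats(html):
    """Measure how much of an HTML body is comment rather than visible text."""
    comments = COMMENT_RE.findall(html)
    comment_bytes = sum(len(c) for c in comments)
    # What the recipient sees: comments removed first, then tags.
    visible = TAG_RE.sub("", COMMENT_RE.sub("", html))
    total = len(html)
    return {
        "comment_blocks": len(comments),
        "comment_bytes": comment_bytes,
        "comment_ratio": comment_bytes / total if total else 0.0,
        "visible_words": len(visible.split()),
    }


def comment_heavy(html, min_ratio=0.5, min_bytes=1024):
    """True when comments dominate the body: a high share AND enough absolute
    bulk, so one Outlook conditional comment in a short ham message does not
    trip it. Both thresholds are assumptions to tune on a local corpus."""
    stats = comment_stats(html)
    return stats["comment_ratio"] >= min_ratio and stats["comment_bytes"] >= min_bytes


# Constructed sample with the shape described in the post: pages of comment
# around a small payload block.
FILLER = ("lorem ipsum dolor sit amet consectetur adipiscing elit " * 40).strip()
SPAM_HTML = (
    "<html><body>\n"
    f"<!-- {FILLER} -->\n"
    '<p>Buy now at <a href="http://example.invalid/">example.invalid</a></p>\n'
    f"<!-- {FILLER} -->\n"
    "</body></html>\n"
)

# Constructed ham: a normal message carrying one conditional comment.
HAM_HTML = (
    "<html><head><!--[if mso]><style>p{margin:0}</style><![endif]--></head>\n"
    "<body><p>Hi team, the minutes from this morning are attached.</p>\n"
    "<p>Regards, Sam</p></body></html>\n"
)

if __name__ == "__main__":
    for name, body in (("spam", SPAM_HTML), ("ham", HAM_HTML)):
        print(name, comment_stats(body), "comment_heavy:", comment_heavy(body))
```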



Re: Lots of comment in mail, how to score

2012-02-06 Thread Mynabbler


Benny Pedersen wrote:
 
   1.0 RCVD_IN_CSSRBL: Received via a relay in Spamhaus CSS
   1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
 blocklist
  [URIs: universmallmail.com]
 
 seems wasted :)
 

As I said, sure they are in RBL now. They were not when this message was
delivered. That's the whole point of coming up with a different approach here,
the amount of comment in the message.
-- 
View this message in context: 
http://old.nabble.com/Lots-of-comment-in-mail%2C-how-to-score-tp33272106p33273247.html



Sought rules revisited

2011-11-22 Thread Mynabbler

Is it just me, or is the last sought_rules update November 9th? And it is not
like an update is available:

# sa-update --gpgkey 6C6191E3 -D --channel sought.rules.yerp.org
dbg: channel: attempting channel sought.rules.yerp.org
...
dbg: channel: current version is 3301199767, new version is 3301199767,
skipping channel
dbg: diag: updates complete, exiting with code 1
# _

-- 
View this message in context: 
http://old.nabble.com/Sought-rules-revisited-tp32872635p32872635.html



Sought rules revisited

2011-11-22 Thread Mynabbler

Is it just me, or is the last sought_rules update November 9th? And it is not
like an update is available:

$ sa-update --gpgkey 6C6191E3 -D --channel sought.rules.yerp.org
dbg: channel: attempting channel sought.rules.yerp.org
[...]
dbg: channel: current version is 3301199767, new version is 3301199767,
skipping channel
dbg: diag: updates complete, exiting with code 1
$ _

Other than the fact that the update is from November 9th, it looks okay to me.

-- 
View this message in context: 
http://old.nabble.com/Sought-rules-revisited-tp32872639p32872639.html



Re: Sought rules revisited

2011-11-22 Thread Mynabbler


Mynabbler wrote:
 
 Is it just me, or is the last sought_rules update November 9th?
 
Sorry about the double posts... It was posted using Nabble, which returned
500 errors, and yet still posted the message. Oops.
-- 
View this message in context: 
http://old.nabble.com/Sought-rules-revisited-tp32872639p32872671.html



RE: myfanbox.com

2011-11-08 Thread Mynabbler


R - elists wrote:
 
 why not just save processor cycles & make it easier... reject the below at
 smtp time
 
 sms.ac
 fanbox.com
 fanboxnotes.com
 myfanbox.com
 
We have a ruleset here, since I want to see what they send, and your list is
incomplete:

header  MN_FANBOX From =~ /(smsacfriends\.com|fanboxmail\.com|fanboxapps\.com|fanboxnotes\.com|myfanbox\.com)/i

... I never saw sms.ac however. Did not have a complaint about the rule
either.
-- 
View this message in context: 
http://old.nabble.com/myfanbox.com-tp32791654p32802636.html



Re: Elite Pron

2011-11-03 Thread Mynabbler


Axb wrote:
 
 Could you pastebin a sample?
 
Sure, if you insist... 

http://pastebin.com/s6CTZM2T
-- 
View this message in context: 
http://old.nabble.com/Elite-Pron-tp32764834p32771766.html



Re: Elite Pron

2011-11-03 Thread Mynabbler

 this is part of the hacked Wordpress series
 for safety you may want to add a uri condition for /wp-content/ to
 your meta

Nope. Since they also arrive as 

###.ro/cache/rgk40/nse/xwv/
###.com/images/stories/rol76/cly/uzj/
###.com/admin/rxr82/owt/bpz/
###.com/rda67/pyi/wom/
###.com/modules/mod_wdbanners/rvs84/

So, in some cases they are using Joomla hacked sites, in others somewhat
randomly hacked crap. The subject ruleset is failsafe and I did not
encounter one false positive as of yet. Mind you, the ^FW: part at the
beginning of the ruleset is rather specific in combination with the rest of
the subject.

-- 
View this message in context: 
http://old.nabble.com/Elite-Pron-tp32764834p32772338.html



Elite Pron

2011-11-02 Thread Mynabbler

Nice one:

header   MN_ELITEPRON Subject =~ /^FW: .{5,40} (?:Elite|Instant|Extreme|Guaranteed|Infinite|Multi|Approved|Unreal) (?:Collection|Access|Gallery).{0,2}$/
describe MN_ELITEPRON Elite Gallery pron spam
score    MN_ELITEPRON 18

... enjoy!
-- 
View this message in context: 
http://old.nabble.com/Elite-Pron-tp32764834p32764834.html



Re: Chickenpoxed subjects

2011-10-19 Thread Mynabbler

RW-15 wrote:

MN As I explained, even if the rule would have fired, it adds a whopping
MN 0.1 score. It only shows teeth when combined with other findings...

RW So, why isn't it worth scoring if it's a useful rule?

Because mail with odd characters is not per se spam

RW  And why score it so high with FREEMAIL?

You are kidding, right? 50% of this crap comes from FREEMAIL addresses, and
even more specific: 44% of this crap is delivered by aol.com.  The aol
deliveries have about 85% unique from@aol addresses, so they pretty much
'own' aol.

RW The danger here is that you end-up with a lot FREEMAIL && WEAK_RULE
metas
RW that are prone to high-scoring FPs that BAYES_00 can't save.

As most spammers try to find something other than BOTNET's at the moment, I
think it's only fair to be very critical about FREEMAIL.

RW  If FREEMAIL_FROM is a good indicator then score it up, and score other
rules
RW on their merits.

Well... in itself FREEMAIL isn't spam a priori. It's just that chances are a
lot higher that it is. Hence my method of meta-ing FREEMAIL with fairly low
scoring rules, like links to free blogsites, free websites, tumblr, odd
punctuation in Subject rules, stuff like that.  Interestingly enough the
most used subject from valid freemail is Re:  and none. I don't see a
problem with being picky about freemail. The only free email provider
successfully fighting _out_going spam is gmail.com.
-- 
View this message in context: 
http://old.nabble.com/Chickenpoxed-subjects-tp32644509p32681681.html



Re: Chickenpoxed subjects

2011-10-18 Thread Mynabbler


Adam Katz wrote:
 
 On Mon, 17 Oct 2011, Adam Katz wrote:
 Time for F-U-N
 I like DD and rockroll
 /var/spool/mail is full
 
... those examples don't get a hit with the rule I cooked up (since it needs
three different odd characters), and besides, an MN_PUNCTUATION hit only
scores in meta combinations. Note I commented out [] and () since they score
too easily in valid email.

header  __MN_PUNC01 Subject =~ /~/
header  __MN_PUNC02 Subject =~ /`/
header  __MN_PUNC03 Subject =~ /\#/
header  __MN_PUNC04 Subject =~ /\$/
header  __MN_PUNC05 Subject =~ /%/
header  __MN_PUNC06 Subject =~ /\^/
header  __MN_PUNC07 Subject =~ /&/
header  __MN_PUNC08 Subject =~ /\*/
# header  __MN_PUNC09 Subject =~ /\(|\)/
header  __MN_PUNC10 Subject =~ /\?/
header  __MN_PUNC11 Subject =~ /\+/
header  __MN_PUNC12 Subject =~ /=/
header  __MN_PUNC13 Subject =~ /\{|\}/
# header  __MN_PUNC14 Subject =~ /\[|\]/
header  __MN_PUNC15 Subject =~ /\|/
header  __MN_PUNC16 Subject =~ /\\/
header  __MN_PUNC17 Subject =~ /\;/
header  __MN_PUNC18 Subject =~ /\:/
header  __MN_PUNC19 Subject =~ /\//
header  __MN_PUNC20 Subject =~ /_/
# No "tflags multiple" above, so each rule fires at most once and the meta
# counts distinct odd characters, not occurrences
meta  MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 + __MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 + __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 + __MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 + __MN_PUNC20 >= 3)
score MN_PUNCTUATION 0.1
#
# Now, let's go hunt with this:
meta  MN_PUNCS1 (MN_PUNCTUATION && (FREEWEB || HAS_SHORT_URL || MN_TUMBLR))
score MN_PUNCS1 6
describe  MN_PUNCS1 Garbled subject with free website or blogsite, SHORT_URL or tumblr link
meta  MN_PUNCS2 (MN_PUNCTUATION && FREEMAIL)
score MN_PUNCS2 3
describe  MN_PUNCS2 Garbled subject from a free mail address
-- 
View this message in context: 
http://old.nabble.com/Chickenpoxed-subjects-tp32644509p32672891.html



Re: Chickenpoxed subjects

2011-10-18 Thread Mynabbler


RW-15 wrote:
 
 It would hit:
 Re: Did you pick-up the dry-cleaning?
 
Nope. Scores just two (one ':' and a '?') and the rule needs three different
odd characters.

RW-15 wrote:
 
 I think it needs more work, maybe combine it with tests for lots of
 very short words or adjacent punctuation pairs.
 
As I explained, even if the rule would have fired, it adds a whopping 0.1
score. It only shows teeth when combined with other findings...
-- 
View this message in context: 
http://old.nabble.com/Chickenpoxed-subjects-tp32644509p32677140.html



Re: Why doesn't anything at all get these botnet spammers?

2011-10-17 Thread Mynabbler


John Hardin wrote:
 
 On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
 Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
  have to be quick to see the actual results... :)
 
I wrote a couple of days ago about these subjects, did not get a response
however. I came up with something rather straightforward:

header  __MN_PUNC01 Subject =~ /~/
header  __MN_PUNC02 Subject =~ /`/
header  __MN_PUNC03 Subject =~ /\#/
header  __MN_PUNC04 Subject =~ /\$/
header  __MN_PUNC05 Subject =~ /%/
header  __MN_PUNC06 Subject =~ /\^/
header  __MN_PUNC07 Subject =~ /&/
header  __MN_PUNC08 Subject =~ /\*/
header  __MN_PUNC09 Subject =~ /\(|\)/
header  __MN_PUNC10 Subject =~ /\?/
header  __MN_PUNC11 Subject =~ /\+/
header  __MN_PUNC12 Subject =~ /=/
header  __MN_PUNC13 Subject =~ /\{|\}/
# header  __MN_PUNC14 Subject =~ /\[|\]/
header  __MN_PUNC15 Subject =~ /\|/
header  __MN_PUNC16 Subject =~ /\\/
header  __MN_PUNC17 Subject =~ /\;/
header  __MN_PUNC18 Subject =~ /\:/
header  __MN_PUNC19 Subject =~ /\//
header  __MN_PUNC20 Subject =~ /_/
# No "tflags multiple" above, so each rule fires at most once and the meta
# counts distinct odd characters, not occurrences
meta  MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 + __MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 + __MN_PUNC09 + __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 + __MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 + __MN_PUNC20 >= 3)
score MN_PUNCTUATION 0.1

PUNC14 gave too many false positives with forums and such, where [ForumName]
is sent in the subject. The actual score for this kind of punctuation is
low; I use the rule in a meta with URL shortening, free websites, free
blogs, stuff like that, and it is hovering above the kill switch. Also note
that it does not choke on subjects like ===, where a multiple would.


-- 
View this message in context: 
http://old.nabble.com/Why-doesn%27t-anything-at-all-get-these-botnet-spammers--tp32659169p32668643.html



Re: Interword capitalization - solved and improved

2011-05-11 Thread Mynabbler


jdow wrote:
 
 header   __MN_IWCAP  Subject =~ /[a-z][A-Z][a-z]/
 Help! My iPad does not work on FaceBook.
 Bet that hits it as a subject.
 

Nope. It matches only two times, on the P from iPad and the B from FaceBook.
It does not match the F.

Getting back to the matter at hand: is someone able to put that ruleset in a
sandbox for the daily run?

A 'yahoo groups' would be:

header __MN_YHGRP   Return-path =~ /returns\.groups\.yahoo\.com/

and the better meta with ruleset and not yahoogroups could be:

# Gibberish subjects like: Cap su lesOr de rsMad eFo rRar ePro du cts
header   __MN_IWCAP   Subject =~ /[a-z][A-Z][a-z]/
tflags   __MN_IWCAP   multiple
meta     MN_IWCAP     (__MN_IWCAP >= 3 && !__MN_YHGRP)
score    MN_IWCAP     0.01

meta     MN_FMIWCAP   (MN_IWCAP && FREEMAIL_FROM)
score    MN_FMIWCAP   3

-- 
View this message in context: 
http://old.nabble.com/Interword-capitalization-tp31521819p31593215.html



Re: Interword capitalization - solved

2011-05-10 Thread Mynabbler


Mynabbler wrote:
 
 Does someone have a rule for interword capitalization?
 
Unfortunately no takers for the question. I came up with this:

# Gibberish subjects like: Cap su lesOr de rsMad eFo rRar ePro du cts
header   __MN_IWCAP   Subject =~ /[a-z][A-Z][a-z]/
tflags   __MN_IWCAP   multiple
meta     MN_IWCAP     (__MN_IWCAP >= 3)
score    MN_IWCAP     0.1
meta     MN_FMIWCAP   (MN_IWCAP && FREEMAIL_FROM)
score    MN_FMIWCAP   3
describe MN_FMIWCAP   Found thRee intErword caPitalizations from a free mail address

It searches for three or more occurrences in the subject and scores it when
coming from a freemail address (just hotmail would have been enough... sigh).

-- 
View this message in context: 
http://old.nabble.com/Interword-capitalization-tp31521819p31584892.html



Re: Interword capitalization - solved

2011-05-10 Thread Mynabbler


Bowie Bailey wrote:
 
 header   __MN_IWCAP   Subject =~ /[a-z][A-Z][a-z]/
 tflags   __MN_IWCAP   multiple
 meta     MN_IWCAP     (__MN_IWCAP >= 3)
 
 So hopefully you aren't expecting any emails from a Hotmail user
 discussing iPods or iPads or McDonalds :)
 

It searches for three occurrences or more. So, they would have to compose a
subject like Shall I bring my iPod or my iPad to McDonalds, and be daft
enough to be using a free mail provider. Yes. In the meantime I only see the
rule hitting spam:

Subject: Typ eOfCap sule sSa tis fac tor yForVerySt ric tBuy er s  
Subject: SeeLate stPill sAma zingAdv ant ages
Subject: TakeAdv an tag eOfToda y' sNe wTabl ets  
Subject: No velPillOff erAHoli sti cPro ce ssToHe al th  

... and it is interesting to see how long it takes for the ruLese tTob ecoMe
oBso letE because of changed tactics after publicly publishing a specific
rule.
-- 
View this message in context: 
http://old.nabble.com/Interword-capitalization-tp31521819p31585518.html



Re: Interword capitalization - solved

2011-05-10 Thread Mynabbler


Bowie Bailey wrote:
 
 Ah.  I missed the meta limiting it to 3 or more hits.  If it works well,
 maybe we can add it to the stock ruleset.
 
Step 1 would be a check in someone's sandbox. And maybe a better meta than
freemail, since I do see some false positives in yahoo groups:

Spamassassin found from x...@returns.groups.yahoo.com at
n73c.bullet.mail.sp1.yahoo.com [98.136.45.72] HELO
n73c.bullet.mail.sp1.yahoo.com to XXX
...snip,DKIM_SIGNED,DKIM_VALID,FREEMAIL_FROM,CAPSNOSPACE,MN_FMIWCAP,snip...
Subject: Re: [RebornDollsArtistCircle] Hello 

so... a freemail post to a yahoo group that has three interword capitals in
the groupname is a false positive (in this case, by the way, the group
message _was_ spam).

A not 'CAPSNOSPACE' or a not yahoogroups would be in order to solve that.

CAPSNOSPACE is:

# Junk with CapsCrapMessageSubjects
header   MN_CAPSNOSPACE  Subject =~ /(?:[A-Z][a-z]+){4}/
describe MN_CAPSNOSPACE  Subject ContainsFourWordsLikeThis
score    MN_CAPSNOSPACE  1

-- 
View this message in context: 
http://old.nabble.com/Interword-capitalization-tp31521819p31586088.html



Interword capitalization

2011-05-02 Thread Mynabbler

Does someone have a rule for interword capitalization? Or, more specifically,
something to score stuff like:

Subject = At tai nWel l- bei ngGoa lsVeryEf fe ctiv eTabl et


-- 
View this message in context: 
http://old.nabble.com/Interword-capitalization-tp31521819p31521819.html



Re: Open letter to Yahoo and Hotmail concerning junkmail

2011-03-07 Thread Mynabbler


Warren Togami Jr. wrote:
 
 I'd agree, but users wont rebel against Yahoo unless they begin to see 
 actual bounces to their sent mail.
 
I don't know about your end users, but ours typically get flummoxed if mail
from these well-known and trusted free mail providers did not arrive to
them... There's just too many users actually using their services, mixed
with too many spammers abusing it.


Warren Togami Jr. wrote:
 
 I do agree that we should have FROM_HOTMAIL and FROM_YAHOO so we can 
 independently decide how to treat their mail separate from typical
 FREEMAIL.
 
Been there, tried that. It is like stopping a river. I've tried metas with
the originating source (FROM_AFRICA rules), metas with keywords, metas with
short_urls... the list of junk coming out of Yahoo and Hotmail is just
endless. And again, the solution would be fairly simple, if only Microsoft
and Yahoo administrators actually cared about the mail leaving their
systems. I get frustrated every time I read the 'Tired of spam in your
inbox, come to Hotmail/Yahoo' tagline in spam sent to us _from_ Yahoo and
Hotmail. Frustrated, because it is so easy to target the abuse at the
source... if only they cared.

Setting a default score of 3 or 4 to mail coming from Hotmail and/or Yahoo
would only be efficient if we would start a campaign and proclaim a 'Tired
of spam sent by Hotmail and Yahoo' day at, like, May 4th, and our end users
getting wind of this special
Microsoft-and-Yahoo-dont-care-about-spam-awareness event going on that
particular day. There's just too much collateral damage.
-- 
View this message in context: 
http://old.nabble.com/Open-letter-to-Yahoo-and-Hotmail-concerning-junkmail-tp31079893p31087123.html



Open letter to Yahoo and Hotmail concerning junkmail

2011-03-06 Thread Mynabbler

Dear Microsoft administrators, dear Yahoo administrators,

The amount of junkmail coming from your systems is unbelievable. How hard is
it to implement a cap on the amount of messages people can send out daily
with your systems? And that includes the number of Cc's and Bcc's one
message generates. If you would cap that on, say, a 1000 users, you would be
doing us an incredible favor. And how hard is it, if that cap is reached, to
check the messages that are being generated and, when spam (which it will be
in 9 of 10 cases), to block the originating IP or cap the originating
IP to a maximum of 100 addresses that can be spammed daily? Oh, and while
you are at it, to block that account abusing your service as well.

There is no filtering in the world more effective than you taking this
action, and it would take an intern about two hours to implement.

By the way, if you are a Yahoo administrator, the cap from
%account%---%numb...@att.net need to be set to 10 messages daily.

Sigh.
-- 
View this message in context: 
http://old.nabble.com/Open-letter-to-Yahoo-and-Hotmail-concerning-junkmail-tp31079893p31079893.html



SHORT_URL, searchresult-g.php and DOTZUP.COM or keywordtraffic.info

2011-02-21 Thread Mynabbler

It is quite amazing how much crap is being sent with a SHORT_URL pointing to
somesite.com/searchresult-g.php?someresult all pointing to some stupid NBC10
report about how a work-at-home-mom makes 13k9 a month.

What is interesting is that most of these domains point to domains that are
being managed by Dotzup.com or have an affiliation to keywordtraffic.info in
the whois lookup.

Is dotzup the shady outfit here? Or a mere coincidence that their crappy
domain park service is hosting stuff with a template that contains an easily
hackable searchresult-g.php?

In any case, for those using DecodeShortURLs, an interesting meta is a short
url and a uri /searchresult-g\.php/, or maybe just outright block
searchresult-g.php, I have not come across a ham message containing a
reference to searchresult-g.php as of yet...

For your info, some examples of domains that are used (disguised in a
SHORT_URL) are:

steelpipes.com/searchresult-g.php?CS=aH...
bahammashotels.com/searchresult-g.php?CS=aH...
bodywrapping.com/searchresult-g.php?CS=aH...
funnyqoutes.com/searchresult-g.php?CS=aH...
-- 
View this message in context: 
http://old.nabble.com/SHORT_URL%2C-searchresult-g.php-and-DOTZUP.COM-or-keywordtraffic.info-tp30975770p30975770.html



Optional argument in regex

2010-08-16 Thread Mynabbler

I think everybody and their dog made a ruleset regarding 'your email address
has won'. Something like:

body MN_YEAHRIGHT /\bYour (?:email|e-mail) (?:address|account) (?:has won|just won you)\b/

How do you make the second argument optional? So it also hits 'your email
has won'?
-- 
View this message in context: 
http://old.nabble.com/Optional-argument-in-regex-tp29448754p29448754.html



Count length subject

2010-04-26 Thread Mynabbler

We experience quite a bit of spam with subjects like:

- SexyCoedHoneysGetWildInTheseRealgfsPhotos
- Make*each*of*your*intimate*acts*unforgettable*for*your*partner
- HotGi'rlP,us'syF,u'c.kedByPigs
- We-are-the-only-manufacturer-who-offers-a-FREE-test-bottle-of-enlargement-pills

Now, some of these could be targeted with a ruleset like

header  __DASHES Subject =~ /-/
tflags  __DASHES multiple
meta    MN_DASHES (__DASHES >= 4)
score   MN_DASHES 2

... but it is quite a bit of cat and mouse. However, other than these weird
subjects, there's not a lot to target in the message body.

Would it be possible to use the length of the subject, combined with the
absence of spaces in a subject? Can we count the subject length and 'not
space' in a ruleset?

-- 
View this message in context: 
http://old.nabble.com/Count-length-subject-tp28367879p28367879.html
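The Subject rules in the MN_PUNCTUATION, interword-capitalization (MN_IWCAP, MN_CAPSNOSPACE) and MN_DASHES posts above all follow one pattern: count hits, compare against a threshold, and let the score bite only in a meta with FREEMAIL_FROM or a link rule. The Python below is an added emulation of that logic (not code from the threads or from SpamAssassin) run against the subjects quoted in them. FREEMAIL_FROM and __MN_YHGRP are passed in as flags, and MN_LONG_NOSPACE with its score is a hypothetical rule for this post's length-without-spaces question.

```python
import re

# Character classes of the __MN_PUNC01..20 Subject rules (with the '&' and
# '\' that the archive stripped restored). '()' and '[]' are left out as in
# the later version of the ruleset; '{}' is one class because one rule
# covers both braces.
ODD_CLASSES = ["~", "`", "#", "$", "%", "^", "&", "*", "?", "+", "=",
               "{}", "|", "\\", ";", ":", "/", "_"]

IWCAP_RE = re.compile(r"[a-z][A-Z][a-z]")          # __MN_IWCAP (tflags multiple)
CAPSNOSPACE_RE = re.compile(r"(?:[A-Z][a-z]+){4}")  # MN_CAPSNOSPACE
# Hypothetical answer to the subject-length question: 30 or more non-space
# characters and nothing else, i.e. Subject =~ /^\S{30,}$/
LONG_NOSPACE_RE = re.compile(r"^\S{30,}$")


def distinct_odd_chars(subject):
    """What the MN_PUNCTUATION meta adds up. None of the __MN_PUNCnn rules
    has 'tflags multiple', so each class counts once however often it
    appears: '===' contributes 1, not 3."""
    return sum(1 for cls in ODD_CLASSES if any(c in subject for c in cls))


def interword_caps(subject):
    """__MN_IWCAP hit count: non-overlapping matches, as 'tflags multiple'
    counts them, so 'iPad' is one hit and 'FaceBook' another."""
    return len(IWCAP_RE.findall(subject))


def evaluate(subject, freemail=False, yahoo_group=False):
    """Fire the Subject-side metas from the threads on one subject line.

    freemail stands in for FREEMAIL_FROM and yahoo_group for __MN_YHGRP,
    both of which look at other headers and are simply passed in here.
    Scores are the ones given in the posts; MN_LONG_NOSPACE and its score
    are an assumption for the open question about long, space-free subjects.
    """
    hits = {}
    if distinct_odd_chars(subject) >= 3:
        hits["MN_PUNCTUATION"] = 0.1
        if freemail:
            hits["MN_PUNCS2"] = 3.0
    if interword_caps(subject) >= 3 and not yahoo_group:
        hits["MN_IWCAP"] = 0.1
        if freemail:
            hits["MN_FMIWCAP"] = 3.0
    if CAPSNOSPACE_RE.search(subject):
        hits["MN_CAPSNOSPACE"] = 1.0
    if subject.count("-") >= 4:           # __DASHES with tflags multiple
        hits["MN_DASHES"] = 2.0
    if LONG_NOSPACE_RE.search(subject):
        hits["MN_LONG_NOSPACE"] = 1.0
    return {"hits": sorted(hits), "score": round(sum(hits.values()), 2)}


if __name__ == "__main__":
    # Subjects quoted in the threads above, evaluated as if from a freemail sender
    for subj in ("Re: Did you pick-up the dry-cleaning?",
                 "Help! My iPad does not work on FaceBook.",
                 "Typ eOfCap sule sSa tis fac tor yForVerySt ric tBuy er s",
                 "Re: [RebornDollsArtistCircle] Hello",
                 "SexyCoedHoneysGetWildInTheseRealgfsPhotos"):
        print(evaluate(subj, freemail=True), repr(subj))
```

Passing yahoo_group=True for the [RebornDollsArtistCircle] subject reproduces the fix from the "solved and improved" post: MN_FMIWCAP no longer fires on a freemail post to a yahoo group.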



Re: svn rules and viewvc

2009-11-02 Thread Mynabbler


John Hardin wrote:
 Karsten beat me to it. Check out what you want using SVN and pull it into 
 your local config

I feel rather stupid here... I tried that, and it barfs on me:

# svn checkout http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
svn: PROPFIND request failed on
'/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin'
svn: PROPFIND of '/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin': 302
Found (http://svn.apache.org)

What gives?

-- 
View this message in context: 
http://old.nabble.com/svn-rules-and-viewvc-tp25920485p26156667.html



Re: Shortcircuit Rules

2009-10-30 Thread Mynabbler


Alex-325 wrote:
 I'm interested in experimenting with shortcircuiting, and wondered if
 anyone had some examples they're using that they could share?
We are using it to shortcircuit HAM and prevent blowing CPU cycles on
newsletters that people expect to never contain spam. So, there is a
'shortcircuit.cf' that lives in /etc/mail/spamassassin and looks like this:

loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
report Content analysis details:   (_SCORE_ points, _REQD_ required, s/c _SCTYPE_)

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit

# always log shortcircuit status
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_

# Note: add_header statement should be on one line..., your browser might
# snap that in two

# Trusted newsletters
meta         SC_NEWSLETTER (HAM001 || HAM002 || HAM003)
priority     SC_NEWSLETTER -500
shortcircuit SC_NEWSLETTER on
score        SC_NEWSLETTER 0.1

# JADA Newsletter
header   __HAM001_FROM Return-Path =~ /.*nce\.j\...@b\.jada\.com/
header   __HAM001_SNDR Received =~ /123\.234\.123\./
meta     HAM001  (__HAM001_FROM && __HAM001_SNDR)
score    HAM001  0.1
describe HAM001  Newsletter from jadajada

# YON YetAnotherNewsletter
header   __HAM002_FROM From =~ /.*munication-brie...@yon\.com/
header   __HAM002_SNDR Received =~ /12\.13\.14\.1/
meta     HAM002  (__HAM002_FROM && __HAM002_SNDR)
score    HAM002  0.1
describe HAM002  Newsletter from YetAnotherNewsletter

# MoreNice stuff (debugged)
header   __HAM003_FROM Return-Path =~ /@mail\.morenice\.com|bounce\.j\...@.*/
header   __HAM003_SNDR Received =~ /198\.99\.245\./
meta     HAM003  (__HAM003_FROM && __HAM003_SNDR)
score    HAM003  0.1
describe HAM003  Newsletter delivered by MoreNice stuff

endif

So, a check on Return-Path, combined with the ip address where it comes
from, to reasonably prevent any abuse of the shortcut, and a hit results in
no more handling by SA and prevent any further CPU load. Given the nature of
'pushy' newsletter-senders, it prevents CPU spikes when some newsletters
come in bulk on the electronic doormat. Other than shortcircuiting and
saving CPU cycles, it also prevents any false positives on the few selected
'special' newsletters here.

-- 
View this message in context: 
http://old.nabble.com/Shortcircuit-Rules-tp26116110p26127045.html



Re: SA needs a new paradigm for rule structure

2009-10-10 Thread Mynabbler


Marc Perkel wrote:
 I think you are missing my point. Here's an example.
 
 Mentions God/Christianity = 0
 Mentions Nigeria = 0
 Mentions Bank = 0
 Mentions Funds = 0
 
 Mentions all 4 = 100
 
 This is simplistic but it makes my point.
I think you are missing our point. Your simplistic example translates to:

body     __GOD     /\bGod\b/
body     __NIGERIA /\bNigeria\b/
body     __BANK    /\bBank\b/
body     __FUNDS   /\bFunds\b/
body     __SWIFT   /\bSwift response\b/
meta     RAISEFLAG (__GOD + __NIGERIA + __BANK + __FUNDS + __SWIFT >= 4)
describe RAISEFLAG 4 out of 5 bad words found, surely a 419 scam
score    RAISEFLAG 100

__GOD does not score, __NIGERIA neither, etc; 4 out of 5 does, a 100 as per
your request.


-- 
View this message in context: 
http://www.nabble.com/SA-needs-a-new-paradigm-for-rule-structure-tp25822909p25838064.html



Re: Porn-portal spammers

2009-08-31 Thread Mynabbler


LuKreme wrote:
 
 On 29-Aug-2009, at 07:41, Mynabbler wrote:
 They typically originate from hotmail.com,
 
 Er, do they really originate from hotmail servers, or are they simply  
 spoofing a hotmail return address? Are you using zen?
 

Ow yes. Zen is not an option.

Aug 31 14:52:04 mail filter[22000]: n7VCpx0l031457: Spamassassin found from
prismesiti...@hotmail.com at snt0-omc2-s10.snt0.hotmail.com [65.55.90.85]
HELO snt0-omc2-s10.snt0.hotmail.com to victim hits: 9.52, names:
FREEMAIL_FROM,PORTAL_ABUSE
Subject: amanda righetti showing her nice big tits

This one had a yahoo groups portal link... Genuine hotmail originated crap.

Aug 31 14:57:19 mail filter[23165]: n7VCvEnb030505: Spamassassin found from
chasza9...@hotmail.com at blu0-omc3-s32.blu0.hotmail.com [65.55.116.107]
HELO blu0-omc3-s32.blu0.hotmail.com to anothervictim hits: 12.206, names:
FREEMAIL_FROM,PORTAL_ABUSE,TRACKER_ID 
Subject: GorgeousCelebrityShowsHerNicePussyAndPerfectBoobs

and that one has a livejournal link, brought to us by the same fine company.

Comment by the hotmail abuse desk on a previous attempt to close the gate
upstream: we are not responsible for the content on yahoo groups and our
users communicating about it. Pfff. k-thank-you-bye-bye. :( At the moment
the source is primarily hotmail, although other addresses have been used
during the last two months. 

So, PORTAL_ABUSE is a meta consisting of the existence of a link to a portal
provider in the message, and a slew of tricks to be found in the subject,
regardless of the source being either hotmail or some poor sod giving his
credentials to a spammer.
-- 
View this message in context: 
http://www.nabble.com/Porn-portal-spammers-tp25203019p25223292.html



Porn-portal spammers

2009-08-29 Thread Mynabbler

I am getting rather tired from messages spamming porn-portals. They typically
originate from hotmail.com, and advertise a porn-portal based on
google.com/groups, google.com/reader, groups.yahoo.com, pipes.yahoo.com,
spaces.live.com, docs.google.com, sites.google.com and livejournal.com.

Up until now the vermin could be stopped decently by checking the subject
(with obvious porn related terms or farm/animal related subjects) and the
existence of a URL pointing to one of these portalproviders. But the vermin
has (as always) adapted. They now toss gibberish in the subject line,
creating subjects like f,arm ani,mals get the taste of real har,dc,ore. I've
made an example available here:

http://pastebin.com/m5c18ffdd

The combo 'Portal link found' and subject could still be used, provided I
have a rule that is able to count the number of commas in a subject. Is
there a way to do such a thing?

-- 
View this message in context: 
http://www.nabble.com/Porn-portal-spammers-tp25203019p25203019.html



Re: Porn-portal spammers

2009-08-29 Thread Mynabbler


Karsten Bräckelmann-2 wrote:
 
 header __COMMA    Subject =~ /,/
 tflags __COMMA    multiple
 meta   __COMMA_4  (__COMMA >= 4)
 

Works wonders. I chose three, and was almost inclined to score on just this
rule, if it wasn't for people discussing Dave Dee, Dozy, Beaky, Mick & Tich
:) It scores however on non-intended fodder like Purify, Clense, Look
Better, Feel Better and a Google Reader hit.

As for the suggestion to run an RFC-ignorant check on hotmail.com... Another
solution in that category would be starting a blacklist giving a hit on ipv4
range 0.0.0.0 to 255.255.255.255...
-- 
View this message in context: 
http://www.nabble.com/Porn-portal-spammers-tp25203019p25204657.html



Re: Porn-portal spammers

2009-08-29 Thread Mynabbler


Karsten Bräckelmann-2 wrote:
 
 Yes, it is indeed likely prone to FPs on its own, unless very strictly
 meta'ed for some special cases, and it actually also is likely bound to
 expire soon. Obfuscation techniques like this usually are subject to
 change, quite rapidly, and I'd bet you'll soon find yourself playing
 whack-a-mole.
 
You are correct about FPs on its own, that is why I meta'ed the ruleset with
the existence of a URL to these portal providers. And you are correct about
obfuscation techniques: the amount of changes is fairly high, but slow
enough to be helpful in fighting it. And to prevent the whack-a-mole battle
I lined up rulesets for a fair amount of expectable crap. Here's a recent
change:

Aug 29 21:46:24 mail filter[22469]: n7TJkJ03026851: Spamassassin found from
hosmanzmjmcyhroytxc1...@hotmail.com at blu0-omc3-s14.blu0.hotmail.com
[65.55.116.89] HELO blu0-omc3-s14.blu0.hotmail.com to victim hits: 10.168,
names: FREEMAIL_FROM,PORTAL_ABUSE,HTML_MESSAGE 
Subject: Seeixy brunette fu-icks and suuicks on camera 
-- 
View this message in context: 
http://www.nabble.com/Porn-portal-spammers-tp25203019p25205909.html