Re: Low Scoring Lotto Spam
On Jul 27, 2009, at 7:51 AM, rich...@buzzhost.co.uk wrote:

> http://pastebin.com/m2cbc0965

Content analysis details: (7.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 JM_SOUGHT_FRAUD_2      Body contains frequently-spammed text patterns
 4.0 JM_SOUGHT_2            Body contains frequently-spammed text patterns

JM_SOUGHT for the win

--
Nothing gold can stay -- Robert Frost
Stay gold -- Johnny Cade
Re: Low Scoring Lotto Spam
rich...@buzzhost.co.uk wrote:

> http://pastebin.com/m2cbc0965
> This is scoring way low. Coming in from Hotmail (I would love to
> blacklist these but some people just insist on using it). 10 in the
> last hour. Lart'd Hotmail abuse, but the content does not seem to be
> catching ?

I get hits against JM_SOUGHT_FRAUD_3 and a couple of DNSBLs I've configured catch the originating IP address. Nothing on the standard SA rulesets though.

X-Spam-Status: Yes, score=8.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
        JM_SOUGHT_FRAUD_3,RCVD_IN_UCEPROTECT2,RCVD_IN_UCEPROTECT3,
        RCVD_IN_UCE_COMBINED autolearn=disabled version=3.2.5
X-Spam-Report:
        *  3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in
        *      dnsbl-2.uceprotect.net
        *      [81.202.69.68 listed in dnsbl-2.uceprotect.net]
        *  2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in
        *      dnsbl-3.uceprotect.net
        *      [81.202.69.68 listed in dnsbl-3.uceprotect.net]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5001]
        *  0.0 RCVD_IN_UCE_COMBINED Received via a relay in UCEProtect
        *  3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
Re: Low Scoring Lotto Spam
> http://pastebin.com/m2cbc0965
> This is scoring way low. Coming in from Hotmail (I would love to
> blacklist these but some people just insist on using it). 10 in the
> last hour. Lart'd Hotmail abuse, but the content does not seem to be
> catching ?

Content analysis details: (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4920]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 JM_SOUGHT_FRAUD_3      Body contains frequently-spammed text patterns
Re: Low Scoring Lotto Spam
On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:

> http://pastebin.com/m2cbc0965
> This is scoring way low. Coming in from Hotmail (I would love to
> blacklist these but some people just insist on using it).

Scores a healthy 13 here. Mostly using custom rules.

X-Spam-Report:
        *  1.8 MILLION_EURO BODY: Talks about millions of Euros
        *  0.0 RELAY_US Relayed through United States
        *  0.5 FREEMAIL_FROM From-address is freemail domain
        *      (laszlomezesesp68[at]msn.com)
        *  2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or
        *      Body than From (laszlomezesesp68[at]msn.com,
        *      urbanizacion70[at]aol.com)
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns
        *  0.5 FREEMAIL_REPLYFREE Sent from non-freemail address, replies go to
        *      freemail address
        *  3.0 AE_DETAILS_WITH_MONEY Has form and mentions much money
        *  2.5 AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back
        *      to

Freemail.pm and the JM_SOUGHT rules should be easy enough for you to find. I also used these local rules (some shamelessly copied off this forum):

body MILLION_EURO /\b(million|hundred.{0,40}\bthousand)\b.{0,40}\b(euro|pound)s?\b/i
describe MILLION_EURO Talks about millions of Euros
score MILLION_EURO 2.391 1.777 1.501 1.528

body __TRMB_YOUR_NAME /(^|\W)(your(\s+|\s+\w+\s+)names?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?(\s+:|:)|Receiver name)(_|\W)/i
body __TRMB_YOUR_ADDRESS /(^|\W)((your|home|residential)(\s+|\s+\w+\s+)add(re|ere)ss|Adresse|Location|Country:|(contact|full) address|Marital Status:|Occupation:|your current telephone|(tel|phone):(|\s+)([^0-9\+])|Tel:|Phone:___|Telephone (number|\#:)(|\s+)([^0-9\+]))(\W|_)/i
body __TRMB_YOUR_AGE /(^|\W)(Your age|age:|age.)(\W|_)/i
body __TRMB_YOUR_OCCUPATION /(^|\W)((Your |)occupation|Profession)(\W|_)/i
body __TRMB_YOUR_BLOBBY_DETAILS /(^|\W)(FULL NAMES?.*ADDRESS.*PHONE NUM|PHONE AND FAX NUMBER|your telephone.fax|your full Contact Details|send us your fullnames? and address|your mobile numbers?|Please reply if you are willing to help me save|send the following informations?|Provide your email address.? Phone Number)/i
body __TRMB_OTHER_DETAILS /\W(with your Full Contact informations?|contact the application desk)\W/i

meta __TRMB_YOUR_DETAILS ((__TRMB_YOUR_NAME || __TRMB_OTHER_DETAILS) && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_AGE || __TRMB_YOUR_OCCUPATION) || __TRMB_YOUR_BLOBBY_DETAILS)

meta AE_DETAILS_WITH_MONEY __TRMB_YOUR_DETAILS && (MILLION_EURO || MILLION_USD || US_DOLLARS_3 || NA_DOLLARS || FRT_DOLLAR || AE_GBP || __FRAUD_DBI)
describe AE_DETAILS_WITH_MONEY Has form and mentions much money

meta AE_DETAILS_WITH_EMAIL __TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL
describe AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back to

score AE_DETAILS_WITH_MONEY 3.0
score AE_DETAILS_WITH_EMAIL 2.5

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
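As an added example (not code from the thread or from SpamAssassin itself), a small Python emulation of how SA applies the body and meta rules above: it parses a cut-down copy of Daniel's rule set, runs the regexes over a constructed lotto-scam body and a legitimate control, evaluates the meta expressions (with `&&` restored where the archive dropped it), and sums the scores. The `__HAS_ANY_EMAIL` pattern is an assumed stand-in for SA's stock sub-rule, and unscored rules get SA's default of 1.0.

```python
import re
# Constructed rule fragment in SpamAssassin syntax, cut down to a few of the rules
# posted in this thread; the __HAS_ANY_EMAIL pattern is an assumed stand-in for SA's.
RULES = r"""
body MILLION_EURO /\b(million|hundred.{0,40}\bthousand)\b.{0,40}\b(euro|pound)s?\b/i
score MILLION_EURO 1.5
body __TRMB_YOUR_NAME /(^|\W)(your(\s+|\s+\w+\s+)names?|last.name:|full.names?|surname|fullname|names? in full|Names?(\s+:|:)|Receiver name)(_|\W)/i
body __TRMB_YOUR_ADDRESS /(^|\W)((your|home|residential)(\s+|\s+\w+\s+)add(re|ere)ss|Country:|Occupation:|Tel:|Phone:___)(\W|_)/i
body __TRMB_YOUR_AGE /(^|\W)(Your age|age:|age.)(\W|_)/i
body __HAS_ANY_EMAIL /[\w.+-]+@[\w-]+\.[\w.-]+/
meta __TRMB_YOUR_DETAILS (__TRMB_YOUR_NAME && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_AGE))
meta AE_DETAILS_WITH_MONEY (__TRMB_YOUR_DETAILS && MILLION_EURO)
score AE_DETAILS_WITH_MONEY 3.0
meta AE_DETAILS_WITH_EMAIL (__TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL)
score AE_DETAILS_WITH_EMAIL 2.5
"""

def parse_rules(text):
    # body -> compiled regex, meta -> expression string, score -> float
    body, meta, score = {}, {}, {}
    for line in text.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind == "body":                      # rest is /regex/flags
            pattern, flags = rest.rsplit("/", 1)
            body[name] = re.compile(pattern[1:], re.I if "i" in flags else 0)
        elif kind == "meta":
            meta[name] = rest
        elif kind == "score":
            score[name] = float(rest)
    return body, meta, score

def evaluate(text, rulesets):
    # Returns (scoring rules that fired, total). Unscored rules get SA's default
    # 1.0; names starting with __ are sub-rules and never score on their own.
    body, meta, score = rulesets
    hits = {name: bool(rx.search(text)) for name, rx in body.items()}
    for _ in range(len(meta)):                  # metas may reference metas
        for name, expr in meta.items():
            py = re.sub(r"[A-Za-z_]\w*", lambda m: str(hits.get(m.group(0), False)), expr)
            hits[name] = bool(eval(py.replace("&&", " and ").replace("||", " or ")))
    fired = {n for n, h in hits.items() if h and not n.startswith("__")}
    return fired, round(sum(score.get(n, 1.0) for n in fired), 1)

# Constructed lotto-scam body of the kind the thread complains about, plus a control.
SCAM = """Dear Winner,
Your email address was selected in the Euro Millions online draw and you have
won the sum of 1.5 million euros. Fill the form below and return it to our
fiduciary agent at claims-agent@example.org
Full Names:
Residential Address:
Age:
"""
LEGIT = "Hi Anna, the quarterly report is attached. Please reply by Friday.\n"
REPORT = {label: evaluate(msg, parse_rules(RULES))
          for label, msg in (("scam", SCAM), ("legit", LEGIT))}
```

The scam body fires MILLION_EURO plus both AE_DETAILS metas (7.0 points under these scores), while the control fires nothing; `__HAS_ANY_EMAIL` hits but, as a sub-rule, adds no points on its own.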
Re: Low Scoring Lotto Spam
Jari Fredriksson wrote:

> Content analysis details: (6.2 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.4920]
>  2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  3.0 JM_SOUGHT_FRAUD_3      Body contains frequently-spammed text patterns

I get roughly the same...

Content analysis details: (0.4 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 3.0 JM_SOUGHT_FRAUD_3      Body contains frequently-spammed text patterns

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: Low Scoring Lotto Spam
On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:

> I also used these local rules (some shamelessly copied off this forum):
>
> body MILLION_EURO /\b(million|hundred.{0,40}\bthousand)\b.{0,40}\b(euro|pound)s?\b/i
> describe MILLION_EURO Talks about millions of Euros
> score MILLION_EURO 2.391 1.777 1.501 1.528
>
> body __TRMB_YOUR_NAME /(^|\W)(your(\s+|\s+\w+\s+)names?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?(\s+:|:)|Receiver name)(_|\W)/i
> body __TRMB_YOUR_ADDRESS /(^|\W)((your|home|residential)(\s+|\s+\w+\s+)add(re|ere)ss|Adresse|Location|Country:|(contact|full) address|Marital Status:|Occupation:|your current telephone|(tel|phone):(|\s+)([^0-9\+])|Tel:|Phone:___|Telephone (number|\#:)(|\s+)([^0-9\+]))(\W|_)/i
> body __TRMB_YOUR_AGE /(^|\W)(Your age|age:|age.)(\W|_)/i
> body __TRMB_YOUR_OCCUPATION /(^|\W)((Your |)occupation|Profession)(\W|_)/i
> body __TRMB_YOUR_BLOBBY_DETAILS /(^|\W)(FULL NAMES?.*ADDRESS.*PHONE NUM|PHONE AND FAX NUMBER|your telephone.fax|your full Contact Details|send us your fullnames? and address|your mobile numbers?|Please reply if you are willing to help me save|send the following informations?|Provide your email address.? Phone Number)/i
> body __TRMB_OTHER_DETAILS /\W(with your Full Contact informations?|contact the application desk)\W/i
>
> meta __TRMB_YOUR_DETAILS ((__TRMB_YOUR_NAME || __TRMB_OTHER_DETAILS) && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_AGE || __TRMB_YOUR_OCCUPATION) || __TRMB_YOUR_BLOBBY_DETAILS)
>
> meta AE_DETAILS_WITH_MONEY __TRMB_YOUR_DETAILS && (MILLION_EURO || MILLION_USD || US_DOLLARS_3 || NA_DOLLARS || FRT_DOLLAR || AE_GBP || __FRAUD_DBI)
> describe AE_DETAILS_WITH_MONEY Has form and mentions much money
>
> meta AE_DETAILS_WITH_EMAIL __TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL
> describe AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back to
>
> score AE_DETAILS_WITH_MONEY 3.0
> score AE_DETAILS_WITH_EMAIL 2.5

Thanks there! Much better now, but I wonder what happened to my AWL. It was not there in my last post..

Content analysis details: (9.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 MILLION_EURO           BODY: Talks about millions of Euros
 1.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4920]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 JM_SOUGHT_FRAUD_3      Body contains frequently-spammed text patterns
 3.0 AE_DETAILS_WITH_MONEY  Has form and mentions much money
 2.5 AE_DETAILS_WITH_EMAIL  Has form and gives handy email to send it back to
-3.5 AWL                    AWL: From: address is in the auto white-list
Re: Low Scoring Lotto Spam
On Mon, 2009-07-27 at 17:31 +0300, Jari Fredriksson wrote:

> Thanks there! Much better now, but I wonder what happened to my AWL.
> It was not there in my last post..

Yes, which is exactly what AWL is. You just piped the message through SA a second time. Previously, it was the first time you saw a mail from that address and net-block pair. Now you did a second time, so there's some history for AWL...

Notice how the previous score 6.2 == 9.7 - 3.5 matches quite nicely?

Oh, and yes, 2 * 3.5 is exactly the difference in score you just added... ;)

> Content analysis details: (9.7 points, 5.0 required)
> -3.5 AWL                    AWL: From: address is in the auto white-list
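As an added example (not the AWL plugin's own code), a minimal Python model of the AWL behaviour described above, replaying Jari's two runs: the first pass stores 6.2 with no history and no adjustment; the second pass, 7.0 points higher before AWL, is pulled halfway back toward that stored mean. The sender and relay IP are the ones from the reports in this thread, and the /16 key and 0.5 factor are the plugin's documented defaults.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Minimal model of SpamAssassin's AWL plugin written for this thread (not the
# plugin's code): history is keyed on sender address plus the sending IP's
# network (/16 for IPv4, /48 for IPv6, the plugin's defaults), and each new
# score is moved toward the historical mean by auto_whitelist_factor (0.5).
class AutoWhitelist:
    def __init__(self, factor=0.5):
        self.factor = factor
        self.history = defaultdict(lambda: [0, 0.0])   # key -> [count, total]

    @staticmethod
    def key(sender, ip):
        addr = ip_address(ip)
        net = ip_network(f"{addr}/{16 if addr.version == 4 else 48}", strict=False)
        return (sender.lower(), str(net))

    def check(self, sender, ip, score):
        # Returns (awl_adjustment, final_score) and records the pre-AWL score,
        # so the stored mean is never influenced by AWL's own correction.
        entry = self.history[self.key(sender, ip)]
        count, total = entry
        delta = 0.0
        if count:                                   # first sighting: no history, no delta
            delta = round((total / count - score) * self.factor, 1)
        entry[0] += 1
        entry[1] += score
        return delta, round(score + delta, 1)

# Jari's two passes of the same message, reconstructed from the numbers in the
# thread: 6.2 the first time with no history, then 13.2 (6.2 plus the 7.0 points
# of new local rules) the second time. Sender and IP are taken from the reports.
def replay_thread():
    awl = AutoWhitelist()
    first = awl.check("laszlomezesesp68@msn.com", "81.202.69.68", 6.2)
    second = awl.check("laszlomezesesp68@msn.com", "81.202.69.68", 13.2)
    return first, second
```

`replay_thread()` yields (0.0, 6.2) for the first pass and (-3.5, 9.7) for the second, which is exactly the -3.5 AWL line in Jari's report.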
Re: Low Scoring Lotto Spam
Hi,

> *  3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in
> *      dnsbl-2.uceprotect.net
> *      [81.202.69.68 listed in dnsbl-2.uceprotect.net]
> *  2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in
> *      dnsbl-3.uceprotect.net
> *      [81.202.69.68 listed in dnsbl-3.uceprotect.net]

How successful have you been with the UCEPROTECT lists? Seems like a nice project. How come more people aren't using it? IOW, you seemed to be the only one of the four or five people that posted their output from this lotto spam. Why such a disparity in the rules that people use?

Thanks,
Alex
Re: Low Scoring Lotto Spam
MySQL Student wrote:

> Hi,
>
> *  3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in
> *      dnsbl-2.uceprotect.net
> *      [81.202.69.68 listed in dnsbl-2.uceprotect.net]
> *  2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in
> *      dnsbl-3.uceprotect.net
> *      [81.202.69.68 listed in dnsbl-3.uceprotect.net]
>
> How successful have you been with the UCEPROTECT lists? Seems like a
> nice project. How come more people aren't using it?

I find it quite useful, but do understand their listing policy before using it, and score each list appropriately for your mail flow. I use it to check all relay IPs, not just last external, which is why it hits on this example, but do expect FPs used in this way from senders on particularly spammy ISPs.

For me it hits more low scoring spam than it does legit mail so it's worth a few points. I have had one user on another open source mailing list whose mail it blocks every time who I've had to manually whitelist, but other than that I've not really noticed it causing any legitimate mail to be quarantined (note that doesn't mean the rule doesn't misfire, only that negatively scoring rules in my setup, such as bayes, counteract and prevent the mail from being classified as spam).
Re: Low Scoring Lotto Spam
On Mon, 2009-07-27 at 17:31 +0300, Jari Fredriksson wrote:

> On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:
>
>> I also used these local rules (some shamelessly copied off this forum):
>>
>> body __TRMB_YOUR_NAME /(^|\W)(your(\s+|\s+\w+\s+)names?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?(\s+:|:)|Receiver name)(_|\W)/i

After I splatted these rules here, I saw that they were pretty inefficient Perl-wise, and matched a bit much logic-wise. I've tightened them up, and I think this is better, but I'd appreciate suggestions:

body __TRMB_YOUR_NAME /\b(?:your.{0,10}\bnames?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?\s?:|Receiver name)_{0,40}\b/i
body __TRMB_YOUR_ADDRESS /\b(?:your|home|residen|contact|full|current).{0,20}\b(?:add[er]{2,4}sse?|location|country|marital status|occupation)_{0,40}\b/i
body __TRMB_YOUR_PHONE /\b(?:telephone|tel|phone)\s?(?:num(?:ber)?|\#)?[[:space:][:punct:]]{1,5}\D/i
body __TRMB_YOUR_AGE /\b(?:your\s)?age\s?[[:punct:]]{1,40}\b/i
body __TRMB_YOUR_OCCUPATION /\b(?:your\s)?(?:occupation|profession)_{0,30}\b/i
body __TRMB_YOUR_BLOBBY_DETAILS /\b(?:full names?.{1,20}address.{1,20}phone num|phone and fax number|your telephone.fax|your full contact details|send us your fullnames? and address|your mobile numbers?|please reply if you are willing to help me save|send the following informations?|provide your email address.? phone number)/i
body __TRMB_OTHER_DETAILS /\b(?:with your full contact informations?|contact the application desk)\b/i

meta __TRMB_YOUR_DETAILS ((__TRMB_YOUR_NAME || __TRMB_OTHER_DETAILS) && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_PHONE || __TRMB_YOUR_AGE || __TRMB_YOUR_OCCUPATION) || __TRMB_YOUR_BLOBBY_DETAILS)

meta AE_DETAILS_WITH_MONEY __TRMB_YOUR_DETAILS && (MILLION_EURO || MILLION_USD || US_DOLLARS_3 || NA_DOLLARS || FRT_DOLLAR || AE_GBP || __FRAUD_DBI)
describe AE_DETAILS_WITH_MONEY Has form and mentions much money

meta AE_DETAILS_WITH_EMAIL __TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL
describe AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back to

score AE_DETAILS_WITH_MONEY 2.0
score AE_DETAILS_WITH_EMAIL 2.5

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Re: Low Scoring Lotto Spam
On Mon, 27 Jul 2009, Daniel J McDonald wrote:

> On Mon, 2009-07-27 at 17:31 +0300, Jari Fredriksson wrote:
>
>> On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:
>>
>>> I also used these local rules (some shamelessly copied off this forum):
>>>
>>> body __TRMB_YOUR_NAME /(^|\W)(your(\s+|\s+\w+\s+)names?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?(\s+:|:)|Receiver name)(_|\W)/i
>
> After I splatted these rules here, I saw that they were pretty inefficient
> Perl-wise, and matched a bit much logic-wise. I've tightened them up, and I
> think this is better, but I'd appreciate suggestions:
>
> body __TRMB_YOUR_NAME /\b(?:your.{0,10}\bnames?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?\s?:|Receiver name)_{0,40}\b/i
> body __TRMB_YOUR_ADDRESS /\b(?:your|home|residen|contact|full|current).{0,20}\b(?:add[er]{2,4}sse?|location|country|marital status|occupation)_{0,40}\b/i
> body __TRMB_YOUR_PHONE /\b(?:telephone|tel|phone)\s?(?:num(?:ber)?|\#)?[[:space:][:punct:]]{1,5}\D/i
> body __TRMB_YOUR_AGE /\b(?:your\s)?age\s?[[:punct:]]{1,40}\b/i
> body __TRMB_YOUR_OCCUPATION /\b(?:your\s)?(?:occupation|profession)_{0,30}\b/i
> body __TRMB_YOUR_BLOBBY_DETAILS /\b(?:full names?.{1,20}address.{1,20}phone num|phone and fax number|your telephone.fax|your full contact details|send us your fullnames? and address|your mobile numbers?|please reply if you are willing to help me save|send the following informations?|provide your email address.? phone number)/i
> body __TRMB_OTHER_DETAILS /\b(?:with your full contact informations?|contact the application desk)\b/i
>
> meta __TRMB_YOUR_DETAILS ((__TRMB_YOUR_NAME || __TRMB_OTHER_DETAILS) && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_PHONE || __TRMB_YOUR_AGE || __TRMB_YOUR_OCCUPATION) || __TRMB_YOUR_BLOBBY_DETAILS)
>
> meta AE_DETAILS_WITH_MONEY __TRMB_YOUR_DETAILS && (MILLION_EURO || MILLION_USD || US_DOLLARS_3 || NA_DOLLARS || FRT_DOLLAR || AE_GBP || __FRAUD_DBI)
> describe AE_DETAILS_WITH_MONEY Has form and mentions much money
>
> meta AE_DETAILS_WITH_EMAIL __TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL
> describe AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back to
>
> score AE_DETAILS_WITH_MONEY 2.0
> score AE_DETAILS_WITH_EMAIL 2.5

How about:

http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf?view=log

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier
---
9 days until the 274th anniversary of John Peter Zenger's acquittal
Re: Low Scoring Lotto Spam
On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:

> http://pastebin.com/m2cbc0965
> This is scoring way low. Coming in from Hotmail (I would love to
> blacklist these but some people just insist on using it). 10 in the
> last hour. Lart'd Hotmail abuse, but the content does not seem to be
> catching ?

X-Spam-Status: Yes, score=13.0 required=5.0 tests=BAYES_60=2.002,
        DCC_CHECK_NEGATIVE=-0.0001,FREEMAIL_FROM=0.5,FREEMAIL_REPLYTO=2,
        HTML_MESSAGE=0.001,JM_SOUGHT_FRAUD_2=3,JM_SOUGHT_FRAUD_3=3,KAM_LOTTO1=0.5,
        KHOP_RCVD_UNTRUST=1,RCVD_IN_JMF_YE=0.01,RELAY_ES=0.01,SAGREY=1
        autolearn=disabled version=3.2.5

Content analysis details: (13.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_JMF_YE         RBL: Relay listed in JunkEmailFilter YELLOW (varies)
                            [65.55.116.112 listed in hostkarma.junkemailfilter.com]
 0.0 RELAY_ES               Relayed through Spain
 0.5 FREEMAIL_FROM          Sender email is freemail (laszlomezesesp68[at]msn.com)
 2.0 FREEMAIL_REPLYTO       Reply-To is different freemail than From or body
                            (laszlomezesesp68[at]msn.com, urbanizacion70[at]aol.com)
 2.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7866]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [localhost 1201; Body=1 Fuz1=21] [Fuz2=35]
 3.0 JM_SOUGHT_FRAUD_3      Body contains frequently-spammed text patterns
 0.5 KAM_LOTTO1             Likely to be an e-Lotto Scam Email
 3.0 JM_SOUGHT_FRAUD_2      Body contains frequently-spammed text patterns
 1.0 KHOP_RCVD_UNTRUST      DNS-whitelisted sender is not verified
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

--
KeyID 0xE372A7DA98E6705C