(not only one) more carefully
http://timesofindia.indiatimes.com/tech/enterprise-it/security/Microsoft-brings-down-major-fake-drug-spam-network/articleshow/7734903.cms
Anyone else been noticing the decrease in spam?
No, because there are more than one Botnet of this size now
No wonder I have seen such a huge drop in spam the past few days:
http://timesofindia.indiatimes.com/tech/enterprise-it/security/Microsoft-brings-down-major-fake-drug-spam-network/articleshow/7734903.cms
Anyone else been noticing the decrease in spam?
Bill
://timesofindia.indiatimes.com/tech/enterprise-it/security/Microsoft-brings-down-major-fake-drug-spam-network/articleshow/7734903.cms
Anyone else been noticing the decrease in spam?
No, because there are more than one Botnet of this size now...
Thanks, Greetings and nice Day/Evening
Michelle
On Sat, 19 Mar 2011 01:08:42 +0100
Michelle Konzack linux4miche...@tamay-dogan.net wrote:
No, because there are more than one Botnet of this size now...
I also haven't noticed much difference.
Regards,
David.
Hello David F. Skoll,
On 2011-03-18 20:12:01, you hacked down the following:
I also haven't noticed much difference.
...and fortunately I use zen.spamhaus.org to block on SMTP level! More
than 70% of the spams are blocked here. SpamAssassin on USER level stops
around 25%... The rest are own
On Sat, 2011-03-19 at 01:08 +0100, Michelle Konzack wrote:
No wonder I have seen such a huge drop in spam the past few days:
??? I get 18-26 mio spams (36 servers with 96.000 users) per day and
nothing has changed. Please read the news (not only one) more carefully
See the CBL report
read the news (not only one) more carefully
http://timesofindia.indiatimes.com/tech/enterprise-it/security/Microsoft-brings-down-major-fake-drug-spam-network/articleshow/7734903.cms
Anyone else been noticing the decrease in spam?
No, because there are more than one Botnet of this size now
On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
Okay, got some samples online to look at:
http://66.213.231.82/spam/sample1.txt
http://66.213.231.82/spam/sample2.txt
http://66.213.231.82/spam/sample3.txt
http://66.213.231.82/spam/sample4.txt
http://66.213.231.82/spam/sample5.txt
Yes, I would love to have the full listing.
I've just done the ClamAV sigs from SaneSecurity/etc. Very nice!
I'm looking into the following plugins/rulesets for general use. will
probably use a few of them:
Botnet plugin
SARE rulesets
DKIM (included in SA, but never bothered to set up)
iXhash
On 31.07.08 21:58, Jake Maul wrote:
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
[...]
Subject: Use Generik Viagra and forget about your sexual
On Thu, 2008-07-31 at 21:58 -0700, Jake Maul wrote:
Greetings,
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
A few sample Subject lines:
Jake Maul wrote:
Greetings,
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
A few sample Subject lines:
Subject: Use Generik Viagra and forget about
On Fri, Aug 1, 2008 at 12:53 AM, Matus UHLAR - fantomas
[EMAIL PROTECTED] wrote:
On 31.07.08 21:58, Jake Maul wrote:
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX
On Fri, Aug 1, 2008 at 6:42 AM, Richard Frovarp
[EMAIL PROTECTED] wrote:
Jake Maul wrote:
Greetings,
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally
On Fri, Aug 1, 2008 at 6:07 AM, Karsten Bräckelmann
[EMAIL PROTECTED] wrote:
On Thu, 2008-07-31 at 21:58 -0700, Jake Maul wrote:
Greetings,
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than
On Thursday 31 July 2008 11:58 pm, Jake Maul wrote:
Greetings,
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
A few sample Subject lines:
Okay, got some samples online to look at:
http://66.213.231.82/spam/sample1.txt
http://66.213.231.82/spam/sample2.txt
http://66.213.231.82/spam/sample3.txt
http://66.213.231.82/spam/sample4.txt
http://66.213.231.82/spam/sample5.txt
http://66.213.231.82/spam/sample6.txt
Greetings,
I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
A few sample Subject lines:
Subject: Use Generik Viagra and forget about your sexual
No doubt that spammers are watching this list.
They update their tactics right after a solution is posted here
I got this today in several mail addresses, and most of them got 4-5 score:
Original Message
From: - Sun Feb 11 22:15:22 2007
X-Account-Key: account29
X-UIDL:
On Thursday 08 February 2007 15:21, Ben Wylie wrote:
As I understand it, these undefined dependencies are errors where a meta
rule has been written to depend on another rule, which does not exist.
These don't have catastrophic consequences, it just means that rule may
not be effective.
Google
As I understand it, these undefined dependencies are errors where a meta
rule has been written to depend on another rule, which does not exist.
These don't have catastrophic consequences, it just means that rule may
not be effective.
Ben
Spamassassin List wrote:
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
I had encountered errors
[21895] info: rules: meta test KAM_RPTR_PASSED has undefined dependency
'__URIBL_ANY'
[21895] info: rules: meta test KAM_REAL has undefined dependency
'__KAMREAL1'
[21895] info: rules: meta test
On Fri, 26 Jan 2007, Jim Maul wrote:
Those are the DEFAULT rules. Do not add/remove/modify anything in this
folder.
custom rules go in /etc/mail/spamassassin/
So basically you just need to 'cd /etc/mail/spamassassin'
and 'wget
Nigel Frankcom wrote:
On Sun, 28 Jan 2007 14:51:21 -0500, Tim Boyer [EMAIL PROTECTED]
wrote:
One thing I've noticed is that Polyakov is starting to obfuscate the URL.
What would normally be caught because it's in the Spamhaus SBL is getting
missed because of this:
Good day,
Viazzgra $1, 80
On Sun, 28 Jan 2007 14:51:21 -0500, Tim Boyer [EMAIL PROTECTED]
wrote:
One thing I've noticed is that Polyakov is starting to obfuscate the URL.
What would normally be caught because it's in the Spamhaus SBL is getting
missed because of this:
Good day,
Viazzgra $1, 80
Ciazzlis $3, 00
Sorry for asking as I am sure that it has already been covered. But is
there a rule for the new spate of drug SPAM where the URL has Remove
* to make the link working! in it ?
Thanks,
On Sat, 27 Jan 2007 11:49:03 +, --[ UxBoD ]--
[EMAIL PROTECTED] wrote:
Sorry for asking as I am sure that it has already been covered. But is
there a rule for the new spate of drug SPAM where the URL has Remove
* to make the link working! in it ?
Thanks,
This was suggested to me yesterday
Ben, or others. I've been experimenting with the KAM.cf rules and find
them quite helpful. Is there a means of keeping these up-to-date, or
are they possibly on their way in to the standard set of rules?
Andy Figueroa
Ben Wylie wrote:
I recommend the KAM rules list which can be found here:
On Sat, 27 Jan 2007 12:25:12 +
Nigel Frankcom [EMAIL PROTECTED] wrote:
On Sat, 27 Jan 2007 11:49:03 +, --[ UxBoD ]--
[EMAIL PROTECTED] wrote:
Sorry for asking as I am sure that it has already been covered. But
is there a rule for the new spate of drug SPAM where the URL has
Remove
Same here. I've been very impressed with this ruleset so far.
-Original Message-
From: Andy Figueroa [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 27, 2007 9:23 AM
To: users@spamassassin.apache.org
Subject: Re: Drug spam, some caught some not - none caught by drug rules
Ben
. But
is there a rule for the new spate of drug SPAM where the URL has
Remove * to make the link working! in it ?
Thanks,
This was suggested to me yesterday...
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
Bayes training helps too.
Kind regards
I am already
Ok, I am the ultimate beginner in both using regex, and writing SA rules.
I had some problems with those recent drug spams (replace * thingy).
Current ruleset didn't catch them, and I tried to write my own rules, and they
seem to be working.
Here is the URL to my rules, I am most probably
Hi Andy and Dave,
I asked the same question of Daryl back in November, and this was his
response:
I'm not aware of Kevin publishing a channel for his rules, although he
does have commit access to SpamAssassin, so I'd hope that he would
commit his rules to SA for inclusion (upon meeting
On Thu, 25 Jan 2007 20:16:42 -0500, Matt Kettler
[EMAIL PROTECTED] wrote:
Nigel Frankcom wrote:
Debug results are available on:
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/debug1.txt
http://dev.blue-canoe.net/spam/spam02.txt
I recommend the KAM rules list which can be found here:
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
This catches the drugs names in these emails.
Cheers,
Ben
Nigel Frankcom wrote:
On Thu, 25 Jan 2007 20:16:42 -0500, Matt Kettler
[EMAIL PROTECTED] wrote:
Nigel Frankcom
Rich Shepard wrote:
Andy et al.:
You can use wget
http://www.appl-ecosys.com/temp-files/analyzed-spam.tgz.
I'll leave it there for a day. Any insight into how to better trap this
type of spam would be welcome. I have a few other representative types,
too.
* 2.0 BOTNET Relay
On Fri, 26 Jan 2007, Ben Wylie wrote:
I recommend the KAM rules list which can be found here:
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf This
catches the drugs names in these emails.
Ben,
Where do I put this file so it's seen and used by SpamAssassin?
Thanks,
Rich
Nigel Frankcom wrote:
Files redone... a little more informative this time round :-D
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/debug1.txt
http://dev.blue-canoe.net/spam/spam02.txt
http://dev.blue-canoe.net/spam/debug2.txt
On Fri, 26 Jan 2007, Ben Wylie wrote:
On top of these rules, I have written a rule to give 4 points to any email
with an .exe attachment as there have been a lot of these. With the above
rules and the 4 for having an exe attachment, it hits a rating of 12. The
rule I have for detecting the exe
On Fri, 26 Jan 2007, Rich Shepard wrote:
Where do I put this file so it's seen and used by SpamAssassin?
Nevermind. I put it in /usr/share/spamassassin/ with all the other .cf
files.
Rich
--
Richard B. Shepard, Ph.D. |The Environmental Permitting
Applied Ecosystem
Rich Shepard wrote:
On Fri, 26 Jan 2007, Rich Shepard wrote:
Where do I put this file so it's seen and used by SpamAssassin?
Nevermind. I put it in /usr/share/spamassassin/ with all the other .cf
files.
Rich
nooo
Those are the DEFAULT rules. Do not add/remove/modify anything in
On Fri, 26 Jan 2007, Jim Maul wrote:
Those are the DEFAULT rules. Do not add/remove/modify anything in this
folder.
custom rules go in /etc/mail/spamassassin/
OK. I'll put the new ones there.
You really need to have a better understanding of the basics of SA. I'd
suggest going over the
On Fri, 26 Jan 2007 09:16:09 -0500, Matt Kettler
[EMAIL PROTECTED] wrote:
Nigel Frankcom wrote:
Files redone... a little more informative this time round :-D
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/debug1.txt
http://dev.blue-canoe.net/spam/spam02.txt
On Fri, 26 Jan 2007 13:54:03 +, Ben Wylie
[EMAIL PROTECTED] wrote:
I recommend the KAM rules list which can be found here:
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
This catches the drugs names in these emails.
Cheers,
Ben
Nigel Frankcom wrote:
On Thu, 25 Jan 2007
Matt (but not just to Matt), I don't understand your reply (though I am
deeply in your debt for the work you do for this community). The sample
emails that Nigel posted are identical in content, including
obfuscation. I've noted the same situation. Yet, the scoring is really
different. On
Andy Figueroa wrote:
Matt (but not just to Matt), I don't understand your reply (though I
am deeply in your debt for the work you do for this community). The
sample emails that Nigel posted are identical in content, including
obfuscation. I've noted the same situation. Yet, the scoring is
Thanks, Matt. That sounds like a good suggestion.
Nigel, since you have the emails, if you could capture the debug output
in a file and post like you did the messages, perhaps someone wise could
evaluate what is going on.
You can capture the debug output by using:
spamassassin -D -t
On Thu, 25 Jan 2007 10:28:21 -0500, Andy Figueroa
[EMAIL PROTECTED] wrote:
Thanks, Matt. That sounds like a good suggestion.
Nigel, since you have the emails, if you could capture the debug output
in a file and post like you did the messages, perhaps someone wise could
evaluate what is going
On Thu, 25 Jan 2007 10:28:21 -0500, Andy Figueroa
[EMAIL PROTECTED] wrote:
Thanks, Matt. That sounds like a good suggestion.
Nigel, since you have the emails, if you could capture the debug output
in a file and post like you did the messages, perhaps someone wise could
evaluate what is going
Andy Figueroa wrote:
Thanks, Matt. That sounds like a good suggestion.
Nigel, since you have the emails, if you could capture the debug
output in a file and post like you did the messages, perhaps someone
wise could evaluate what is going on.
You can capture the debug output by using:
Nigel Frankcom wrote:
Debug results are available on:
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/debug1.txt
http://dev.blue-canoe.net/spam/spam02.txt
http://dev.blue-canoe.net/spam/debug2.txt
http://dev.blue-canoe.net/spam/spam03.txt
On Thu, 25 Jan 2007, Matt Kettler wrote:
The proper command would be:
spamassassin -D bayes < message1 2> debug1.txt
OK. I have a spam message that made it to my inbox today. Empty body, the
spam base64 encoded. SA gave it a score of 0 this morning.
I've run it through the debug process
Thanks, again, Matt. I need all the help I can get. I've only been
managing my own SpamAssassin installations (two mailservers) for about
four months and still have a lot to learn.
Andy
Matt Kettler wrote:
Andy Figueroa wrote:
You can capture the debug output by using:
spamassassin -D -t
Rich, if you can post the output as text files to a web site somewhere
and just send the link/url, that's the kindest way to do this. And then
if I knew what I was doing, I'd go look at them and analyze them for
you. Though it won't be me, I'm sure someone will.
Andy Figueroa
Rich Shepard
On Thu, 25 Jan 2007, Andy Figueroa wrote:
Rich, if you can post the output as text files to a web site somewhere and
just send the link/url, that's the kindest way to do this. And then if I
knew what I was doing, I'd go look at them and analyze them for you.
Though it won't be me, I'm sure
Hi All,
Does anyone have any idea why there are such scoring disparities
between these two emails? I've been seeing a few of these creep
through lately.
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/spam02.txt
http://dev.blue-canoe.net/spam/spam03.txt
Nigel Frankcom wrote:
Hi All,
Does anyone have any idea why there are such scoring disparities
between these two emails? I've been seeing a few of these creep
through lately.
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/spam02.txt
On Thu, 25 Jan 2007 02:40:30 -0500, Matt Kettler
[EMAIL PROTECTED] wrote:
Nigel Frankcom wrote:
Hi All,
Does anyone have any idea why there are such scoring disparities
between these two emails? I've been seeing a few of these creep
through lately.
http://dev.blue-canoe.net/spam/spam01.txt
This drug spam seems pretty simple
http://ecm.netcore.co.in/tmp/spammail1.txt
but is not caught by my sare (mangled.cf) MANGLED* rulesets
am I missing something here
Thanks
Ram
Brian Wong wrote on Wed, 29 Jun 2005 12:11:49 -0400:
Does anyone have any tips for me?
have a look at www.rulesemporium.com
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de http://msie.winware.org
Hi list,
My site is getting hit hard with those 'Emerging Growth Alert'
stock spams which has the blue banner. Also I have been getting drug
html spams which change the font colors and have nonsense at the footer
to change it up. Does anyone have any tips for me?
-Original Message-
From: martin smith [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 14, 2005 12:43 PM
To: Spamassassin
Subject: RE: {SPAM} Drug SPAM problem..any fixes?
M>-Original Message-
M>From: Matt Kettler [mailto:[EMAIL PROTECTED]
M>Sent: 14 May 2005 18:37
M>To
Hi All,
I am having an issue with the following DRUG related spam. Does
anyone have any rules to catch this?
Environment: SA 3.0.2 with network tests and the following SARE rule sets:
70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
M>-Original Message-
M>From: Dan Simmons [mailto:[EMAIL PROTECTED]
M>Sent: 14 May 2005 18:13
M>To: users@spamassassin.apache.org
M>Subject: Drug SPAM problem..any fixes?
M>
M>Hi All,
M>
M>I am having an issue with the following DRUG related spam. Does
M>anyone have any rules to catch this?
M>
Dan Simmons wrote:
Hi All,
I am having an issue with the following DRUG related spam. Does
anyone have any rules to catch this?
Environment: SA 3.0.2 with network tests and the following SARE rule sets:
snip
X-SA-SysThreshold: 6.0
0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with
M>-Original Message-
M>From: Matt Kettler [mailto:[EMAIL PROTECTED]
M>Sent: 14 May 2005 18:37
M>To: Dan Simmons
M>Cc: users@spamassassin.apache.org
M>Subject: Re: {SPAM} Drug SPAM problem..any fixes?
M>
M>Dan Simmons wrote:
M> Hi All,
M>
M> I am having an issue with the following DRUG related spam
martin smith wrote:
Trouble is with the SURBL is that you can receive a lot of these spams
before they get listed, they also seem to change domain name twice a day or
more to keep ahead of the listing, that's why I wanted something to block
them if they don't hit any black lists.
Martin
On Saturday 14 May 2005 18:30, List Mail User wrote:
[...]
Just to keep up; aeroseddicc. com is another multitrade group
domain. Note the contact email of [EMAIL PROTECTED] com - same as
for the domain multitrade-corp. com, and the telephone/fax numbers
match those of the domain
Let me just suggest that there are all kinds of catchable keys in the spam
you posted. I don't really want to post rules for these, since as soon as
rules get posted here the keys disappear from the spams.
Loren
...
On Saturday 14 May 2005 18:30, List Mail User wrote:
[...]
Just to keep up; aeroseddicc. com is another multitrade group
domain. Note the
On Sunday 15 May 2005 00:02, List Mail User wrote:
...
On Saturday 14 May 2005 18:30, List Mail User wrote:
[...]
Just to keep up; aeroseddicc. com is another multitrade group
domain. Note the contact email of [EMAIL PROTECTED] com - same as
for the domain multitrade-corp. com, and
On Saturday, May 14, 2005, 10:43:08 AM, martin smith wrote:
M>From: Matt Kettler [mailto:[EMAIL PROTECTED]
M>Most of that is URI blacklists from surbl (supported by SA
M>3.x by default), as well as uribl.com (not supported in
M>default config but I added it by hand)
M>
Trouble is with the SURBL is
jdow wrote:
Odd, I typed that correctly in the user_prefs and transcribed it
wrong here.
header JD_FROM_DRUG_1 From =~ /(viagra|cialis| soma)\b/i
JD - performance suggestion. When doing a (a|b) type construct, add ?:
to disable backreferences. It saves some memory and speeds the regex
From: Cialis $89, Soma $59, Viagra $69 [EMAIL PROTECTED]
Guess what? It passes right through all the tests because the drugs
are never mentioned in the body of the mail.
{^_^}
Hello jdow,
Friday, May 6, 2005, 4:21:49 AM, you wrote:
j> From: Cialis $89, Soma $59, Viagra $69 [EMAIL PROTECTED]
j> Guess what? It passes right through all the tests because the drugs
j> are never mentioned in the body of the mail.
The next version of the SARE header rules should help out...