Hi
Thanks, I will try it in this ruleset.

On 12.12.2023 at 14:59, Jimmy wrote:
These rules should match

rawbody __DOUBLE_HTML    /<\/a><html><\/p>\s*<body><html>/
uri     __LONG_LINK_URL  /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i



On Tue, Dec 12, 2023 at 8:44 PM natan <na...@epf.pl> wrote:

    Hi
    Thanks, but the link is random too, like:

    https://paste.debian.net/1300874/


    On 12.12.2023 at 12:21, Jimmy wrote:

    uri     __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
    rawbody __IMG_SRC_CID   /<img src=\"cid:\d/

    meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
    describe ADB_CPN_ABUSE Possible malware link
    score ADB_CPN_ABUSE 2.5000

    Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective;
    it can cause false positives. Since I don't have visibility into all
    headers, consider creating rules based on specific headers or other
    rules that match these. Append these rules to the meta-rule and
    boost the overall score accordingly.

    Jimmy


    On Tue, Dec 12, 2023 at 5:53 PM natan <na...@epf.pl> wrote:

        Hi
        I have SpamAssassin version 3.4.6

        And I am trying to resolve two problems

        1) I put .eml files with spam in a directory and teach SA like:
        sa-learn --spam /root/spamik/

        In /root/spamik/ there are 4 e-mails
        Works great, but after 7 days I must learn again, as if SA forgot
        what it learned

        2) I have a problem with one type of spam like:
        https://paste.debian.net/1300865/
        because:
        contents - random
        from - random
        IP - random

        The construction is only somewhat similar, like base64 + html
        and png
        All was signed by DKIM

        And I had to work around it in the following way, but it is
        not a solution

        rawbody  EMAIL_20231207    /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
        describe EMAIL_20231207    Spam fake IQ password
        score    EMAIL_20231207    2

        rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
        score    EMAIL_20231207_1   0.1
        rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
        meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
        score    EMAIL_20231207_ALL 2

        Any ideas?
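
An added example (not code from the thread or from SpamAssassin): a small Python model of how the ADB_CPN_ABUSE meta posted earlier in the thread combines its two sub-rules, with a check for meta terms that name no defined rule. The `parse` and `evaluate` helpers and the sample bodies and URLs are assumptions made for illustration; real SpamAssassin extracts URIs and body chunks itself and supports full meta expressions.

```python
import re

# Rules as posted in the thread (the ADB_CPN_ABUSE meta and its sub-rules).
RULES = r'''
uri     __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID  /<img src=\"cid:\d/
meta    ADB_CPN_ABUSE  __ADB_CPN_LINK && __IMG_SRC_CID
score   ADB_CPN_ABUSE  2.5000
'''

def parse(text):
    """Parse the small subset of SpamAssassin rule syntax used above."""
    pats, metas, scores = {}, {}, {}
    for line in text.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind in ("uri", "rawbody"):
            body, flags = re.fullmatch(r"/(.*)/(i?)", rest.strip()).groups()
            pats[name] = (kind, re.compile(body, re.I if flags else 0))
        elif kind == "meta":
            metas[name] = [t.strip() for t in rest.split("&&")]
        elif kind == "score":
            scores[name] = float(rest)
    return pats, metas, scores

def evaluate(rules, raw_body, uris):
    """Return (hits, total score, undefined meta terms) for one message."""
    pats, metas, scores = parse(rules)
    hits = set()
    for name, (kind, rx) in pats.items():
        targets = uris if kind == "uri" else [raw_body]
        if any(rx.search(t) for t in targets):
            hits.add(name)
    # A meta term that names no defined rule can never be true.
    known = set(pats) | set(metas)
    undefined = sorted({t for terms in metas.values() for t in terms} - known)
    for name, terms in metas.items():
        if all(t in hits for t in terms):  # only '&&' metas are modelled here
            hits.add(name)
    # Names starting with "__" are sub-rules and never score on their own.
    total = sum(scores.get(h, 1.0) for h in hits if not h.startswith("__"))
    return hits, total, undefined

# Constructed samples (not taken from the pastes linked in the thread).
SPAM_BODY = '<html><body><img src="cid:1a2b"><a href="x">open</a></body></html>'
SPAM_URIS = ["https://t.example.campaign.adobe.com/r/?id=abc123"]
HAM_BODY = '<html><body><img src="https://cdn.example.org/logo.png"></body></html>'
```

On a real installation, `spamassassin --lint` performs the configuration check and should be run after every rule change.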


