>...
>I'm running SA 3.1 and I have started to notice more spam come through
>recently.
>
>Some are porn and some are medication.  They don't hit much of anything
>beyond Razor2 and Chickenpox, which isn't enough to mark them as spam.
>
>Some of the medication spams are using an obnoxious html table structure
>that makes the contents of each cell print vertically.
>
>For example:
>  <table>
>    <tr>
>      <td>a d g</td>
>      <td>b e h</td>
>      <td>c f i</td>
>      <td width=100%></td>
>    </tr>
>  </table>
>
>This results in:
>a b c
>d e f
>g h i
>
>Has anyone else been having this problem?  Any rules to catch medication
>names in those types of tables?
>
>Bowie
>
        They should hit a well trained BAYES, and both Pyzor and DCC as
well as Razor2 (your site may not be able to use them due to licensing
issues).  I believe that Loren has written some SARE rules for these
also (check the archives).  These are Leo Kuvayev's pill spams, and
also very often fail many net tests (XBL, SBL, etc. and after a while
they will hit the SURBLs and other URI tests as long as you are not
at the very start of a spam run).  They tend to run > 20 points here,
peaking over 40 points at the end of a run (or a subsequent spam run).
I believe some people using the SARE rules report ~100 points for them
(after half a day or so, they fail every net test, and very many "small"
rules).  Also, the typical ones are delivered by zombies, so often the
DUL tests hit right away, and if you can afford to refuse bad DNS at
the MTA level (many large sites can't), you'll never see most of them.

        The last one I got hit:
BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL

        A slightly earlier one got a much lower score with:
BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS

        In both cases local URI rules increased the score, but were not
needed (i.e. they would be over most "reasonable" limits anyway). 

        Paul Shupak
        [EMAIL PROTECTED]
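
The table trick described in the quoted message can be undone before content rules run. The following is an added example, not code from either poster or from SpamAssassin: it assumes each cell wraps one whitespace-separated token per line, and `CONSTRUCTED` and the keyword list are made-up test data.

```python
from html.parser import HTMLParser

class CellCollector(HTMLParser):
    """Collect the text of every <td>, grouped by <tr>."""
    def __init__(self):
        super().__init__()
        self.rows = []          # list of rows, each a list of cell strings
        self._in_cell = False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag == "td":
            if not self.rows:   # tolerate a <td> with no enclosing <tr>
                self.rows.append([])
            self.rows[-1].append("")
            self._in_cell = True

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_cell = False

    def handle_data(self, data):
        if self._in_cell:
            self.rows[-1][-1] += data

def rendered_lines(html):
    """Return the lines a reader sees: token i of every cell forms line i."""
    parser = CellCollector()
    parser.feed(html)
    lines = []
    for row in parser.rows:
        columns = [cell.split() for cell in row if cell.strip()]
        depth = max((len(col) for col in columns), default=0)
        for i in range(depth):
            lines.append(" ".join(col[i] for col in columns if i < len(col)))
    return lines

def hidden_keywords(html, keywords):
    """Keywords visible only after the inter-cell spacing is collapsed."""
    squeezed = [line.replace(" ", "").lower() for line in rendered_lines(html)]
    return sorted(k for k in keywords if any(k in s for s in squeezed))

# The table from the quoted message.
PAGE_SAMPLE = ("<table><tr><td>a d g</td><td>b e h</td><td>c f i</td>"
               "<td width=100%></td></tr></table>")
# Constructed sample: each rendered line spells one word, one letter per cell.
CONSTRUCTED = ("<table><tr><td>P C</td><td>I H</td><td>L E</td><td>L A</td>"
               "<td>S P</td><td width=100%></td></tr></table>")
```
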
