Hi Alex,
thank you for this nice collection ... I had started to add a few of them.
I agree with you that this spammer probably is not German, but I would guess
that the person uses a dictionary / translator and is composing the message
on a keyboard without umlauts.
As for the imageshack: soon after a ruleset was posted that was looking for
the extremely short message, I have seen some slightly longer ones ....

Wolfgang Hamann

>>
>> > Apart from the imageshack stuff just seem to generally have a lot of spam in
>> > the German language getting through the filters, has anyone else experienced
>> > the same.
>>
>> Certainly. It's getting through, because there are almost no German
>> language specific rules in the default rules of SpamAssassin, and of
>> course the spam messages are variated a lot.
>>
>> Here are two self-made rules from the German stock spams from the last
>> few months I use in my local.cf:
>>
>>
>> body __AW_BS1 /KAUFEN KAUFEN KAUFEN/
>> body __AW_BS2 /DER I[_.]?N[_.]?VESTORALARM!/
>> body __AW_BS3 /RALLYE IST GESTARTET\b/i
>> body __AW_BS4 /AN ALLE F[_.]?INANZINVESTOREN!/i
>> body __AW_BS5 /DIESE A[_.]?KTIE WIRD D[_.]?URCHSTARTEN!/
>> body __AW_BS6 /L[_.]?ASSEN SIE SICH D[_.]?IESE C[_.]?HANCE N[_.]?ICHT E[_.]?NTGEHEN!/
>> body __AW_BS7 /ES IST EIN U[_.]?NGLAUBLICHES P[_.]?ROFITPOTENTIAL!/
>> body __AW_BS8 /STOCK TRADER ALERT!/
>> body __AW_BS9 /V[_.]?ERLIERE D[_.]?IESE C[_.]?HANCE N[_.]?ICHT!/
>> body __AW_BS10 /IST FRANKFURT DAS NEUE/
>> body __AW_BS11 /DIESES ist das, das du gewartet hast!/
>> body __AW_BS12 /Unsere Auswahl des Monats fliegt!!!/
>> body __AW_BS13 /Our pick of the Month is Flying!!!/
>> body __AW_BS14 /Our Best Pick of the Week/
>> body __AW_BS15 /Kaufen waehrend es noch billig ist/i
>> body __AW_BS16 /Es wird \d+% kurssprung erwartet/
>> body __AW_BS17 /eine schune Muglichkeit viel Geld zu verdinen/
>> body __AW_BS18 /Kaufen, kaufen und kaufen/
>> body __AW_BS19 /kursg[ew][ew]inn von \d+% in . tagen!/i
>> body __AW_BS20 /STARTET DIE HAUSSE!/
>>
>> meta AW_BOERSENSPAM __AW_BS1 || __AW_BS2 || __AW_BS3 || __AW_BS4 || __AW_BS5 || __AW_BS6 || __AW_BS7 || __AW_BS8 || __AW_BS9 || __AW_BS10 || __AW_BS11 || __AW_BS12 || __AW_BS13 || __AW_BS14 || __AW_BS15 || __AW_BS16 || __AW_BS17 || __AW_BS18 || __AW_BS19 || __AW_BS20
>> describe AW_BOERSENSPAM Promotion fuer penny stocks
>> score AW_BOERSENSPAM 3.5
>>
>> body __AW_PS1 /\b(?:C[_.]?ompany|Name |Firma): /
>> body __AW_PS2 /\bW.?K.?N\b/
>> body __AW_PS3 /\bI.?S.?I.?N\b/
>> body __AW_PS4 /\b(?:M[_.]?arkt|Handelsplatz|Borsenplatz ): /i
>> body __AW_PS5 /\b(?:K[_.]?urzel |Symbol): /i
>> body __AW_PS6 /\b(?:P[_.]?reis|Kurs|Price|Last price): [01]?[.,]/
>> body __AW_PS7 /\bPr[_.]?ognose: /
>> body __AW_PS8 /\b(?:S[_.]?panne|Weekrange): /
>> body __AW_PS9 /\b[0-9]+[- ]tages?[- ]ziel\b:? /i
>> meta AW_BOERSENSPAM2 (__AW_BS1 + __AW_BS2 + __AW_BS3 + __AW_BS4 + __AW_BS5 + __AW_BS6 + __AW_BS7 + __AW_BS8 + __AW_BS9 + __AW_BS10 + __AW_BS11 + __AW_BS12 + __AW_BS13 + __AW_BS14 + __AW_BS15 + __AW_BS16 + __AW_BS17 + __AW_BS18 + __AW_BS19 + __AW_BS20 + __AW_PS1 + __AW_PS2 + __AW_PS3 + __AW_PS4 + __AW_PS5 + __AW_PS6 + __AW_PS7 + __AW_PS8 + __AW_PS9 > 3 )
>> describe AW_BOERSENSPAM2 Promotion fuer penny stocks 2
>> score AW_BOERSENSPAM2 3.5
>>
>>
>> If there is something that can be improved in these rules, please let me
>> know. They are quite quick 'n dirty.
>>
>> Interesting is the spelling. It seems to me the author of the spam
>> messages isn't German or of very low education, since his spelling and
>> style is really awful - like a child of 15 years. And the spam sending
>> software doesn't seem to be able to handle German Umlauts (äöüßÄÖÜ).
>> Well, perhaps that is a more generic spam indicator: German text but not
>> a single Umlaut. I must think about that.
>>
>> Alex
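
Added example, not part of the original thread and not SpamAssassin code: a Python prototype of the indicator floated in the quoted message (German text without a single umlaut). The word list, both thresholds and the sample messages are assumptions constructed for illustration; the spam sample reuses phrases from the rules above.

```python
import re
import unicodedata

# Assumption: a handful of very common German function words is enough to
# recognise German body text. List and thresholds are illustrative only.
GERMAN_WORDS = {"der", "die", "das", "und", "ist", "nicht", "es", "sie", "ein",
                "eine", "zu", "von", "mit", "wird", "noch", "auf", "sich", "du"}
UMLAUTS = re.compile(r"[äöüÄÖÜß]")
WORD = re.compile(r"[^\W\d_]+")   # runs of letters, Unicode-aware

MIN_WORDS = 12           # too little text says nothing about umlaut usage
MIN_GERMAN_RATIO = 0.2   # share of tokens that must be German function words


def looks_german(words):
    """True when enough of the tokens are common German function words."""
    hits = sum(1 for w in words if w.lower() in GERMAN_WORDS)
    return len(words) >= MIN_WORDS and hits / len(words) >= MIN_GERMAN_RATIO


def german_without_umlauts(body):
    """True when the body reads as German but has no umlaut or sharp s."""
    # NFC first: a decomposed umlaut (u + U+0308) would otherwise be missed.
    body = unicodedata.normalize("NFC", body)
    words = WORD.findall(body)
    return looks_german(words) and not UMLAUTS.search(body)


# Constructed sample bodies (not real mail).
SAMPLES = {
    "spam": "Kaufen waehrend es noch billig ist. DIESES ist das, das du "
            "gewartet hast! Es wird 300% kurssprung erwartet, eine schune "
            "Muglichkeit viel Geld zu verdinen.",
    "ham_de": "Die Lieferung für Ihre Bestellung wird morgen früh verschickt, "
              "und die Rechnung ist als Anhang beigefügt. Bitte prüfen Sie "
              "die Adresse noch einmal.",
    "ham_en": "Our quarterly report is attached, please review the figures "
              "and send your comments before the meeting on Friday.",
    "short_de": "Es ist nicht zu spaet",   # below MIN_WORDS, never flagged
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9} flagged={german_without_umlauts(text)}")
```

Legitimate senders who transliterate (ae, oe, ue) in plain-text mail will also match, so this fits a low-score sub-rule combined with other indicators rather than a rule that fires on its own.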
