On Fri, 22 Feb 2013, Kevin A. McGrail wrote:
On 2/22/2013 3:27 PM, David F. Skoll wrote:
On Fri, 22 Feb 2013 12:20:22 -0800
Marc Perkel <supp...@junkemailfilter.com> wrote:
We need a rule to catch this. It looks like more data than it is, but
it's really little more than a single link. I'd like to see a rule that
identifies it.
Our product lets you make compound rules. It should not be very hard
to translate this to SpamAssassin:
Header Matches RegExp ^To:(.*?@.*?){5} AND
Envelope Sender Ends with @yahoo.com AND
MessageSize < 6000
Well, ok... the MessageSize condition is tricky. And this rule does
kick up some false-positives, but overall it works pretty well for us.
Here's the current version I'm using based on 3.4.0 trunk:
# YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED
# ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
# Each rule must sit on a single line (the mail wrapped them); the dots in the
# domain names are escaped so they match literally.
header __KAM_YAHOO1 From =~ /\@(yahoo\.com|yahoo\.com\.id|rocketmail\.com)/i
header __KAM_YAHOO2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$)/
# Date/time stamp of the form 2/22/2013 3:27:11 PM left in the body
body __KAM_YAHOO3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
header __KAM_YAHOO4 From:name =~ /Connor Hopkins/i
# __KAM_BODY_LENGTH_LT_128 is not defined in this excerpt; the meta fires when at least 3 of the subrules hit
meta KAM_YAHOO (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe KAM_YAHOO Compromised Yahoo! Accounts Sending Spam
score KAM_YAHOO 9.0
Just to add a late reply to the game, I'm still getting these. Kevin, it
looks like your rules YAHOO1 and YAHOO3 are still appropriate, but neither
of the others. I think there are a few other things I've noticed that I
don't know how to match:
The body doesn't "contain" the link, it pretty much "IS" the link.
However, I don't know how to write a rule that says "contains a link and
NOTHING ELSE". I also don't know how to write rules that say "the
text/plain portion contains a link, and the text/html portion contains
more". I'm not aware of how "body" gets interpreted in
multipart/alternative messages. Kevin, if you're able to tell me more
about this, I'm happy to learn.
Writing rules is easy for some, but I'm more about solving the problem.
The answer isn't "many people write many custom rulesets", it's "surbl
catches up faster" or "yahoo acknowledges the problem."
While yahoo's abuse reporting procedures leave much to be desired, this is
actually one of the reasons I was asking about a channel to autoreport
mail to spamcop (and yahoo, if they were willing to take it, but they
don't seem to be -- blog post coming on that, soon).
-Dan
--
"One...plus two...plus one...plus one."
-Tim Curry, Clue
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
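To make the two open rule questions above concrete (a body that is nothing but a link, and a text/plain part holding a link while the text/html part holds more), here is an added example in Python; it is not code from this thread, from SpamAssassin, or from anyone on the list. It parses a constructed multipart/alternative message with the standard library's email parser, checks each MIME alternative separately, and also counts To: addresses the way David's compound rule does; the sample message and the example.invalid URL are made up.

```python
import re
from email import message_from_bytes, policy

# Constructed sample (not from the thread): a multipart/alternative message whose
# text/plain part is nothing but a URL while the text/html part says more.
SAMPLE = b"""\
From: Someone <someone@yahoo.example>
To: a@example.org, b@example.org, c@example.org
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

http://example.invalid/x.php?id=1234
--b1
Content-Type: text/html; charset=us-ascii

<html><body>Check this out!
<a href="http://example.invalid/x.php?id=1234">http://example.invalid/x.php?id=1234</a>
</body></html>
--b1--
"""

URL_RE = re.compile(r"https?://\S+", re.I)

def part_text(msg, subtype):
    """Decoded text of the first text/<subtype> part, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/" + subtype:
            return part.get_content()
    return ""

def link_only(text):
    """True when the text, apart from surrounding whitespace, is exactly one URL."""
    stripped = text.strip()
    return bool(stripped) and URL_RE.fullmatch(stripped) is not None

def classify(raw):
    """Facts a rule writer would want to know about a suspected single-link message."""
    msg = message_from_bytes(raw, policy=policy.default)
    plain = part_text(msg, "plain")
    # Crude tag stripping: enough to compare how much text each alternative carries.
    html_words = re.sub(r"<[^>]+>", " ", part_text(msg, "html")).split()
    return {
        "plain_link_only": link_only(plain),
        "html_has_more_than_plain": len(html_words) > len(plain.split()),
        "to_addresses": len(msg["To"].addresses),
    }
```

Which MIME part a SpamAssassin `body` rule sees is exactly the question left open above; this checks the parts separately instead of relying on the rendered body.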