Posted to users@spamassassin.apache.org by Mike French <mi...@misonlineservices.com> on 2004/07/02 22:04:45 UTC
Persistent little buggers
Hello list! I wondered if I might ask for a little help. Here are my Rules
currently:
-rw-r--r-- 1 root root 2983 Jun 8 10:01 23_bayes.cf
-rw-r--r-- 1 root root 38619 Jul 2 00:17 50_scores.cf
-rw-r--r-- 1 root root 31856 Jun 30 23:10 70_sare_adult.cf
-rw-r--r-- 1 root root 3927 Apr 24 16:05 70_sare_bayes_poison_nxm.cf
-rw-r--r-- 1 root root 97062 Jun 20 01:50 70_sare_genlsubj0.cf
-rw-r--r-- 1 root root 51876 Jun 13 20:06 70_sare_header0.cf
-rw-r--r-- 1 root root 25613 Jun 11 23:40 70_sare_html0.cf
-rw-r--r-- 1 root root 16584 Jun 2 17:40 70_sare_random.cf
-rw-r--r-- 1 root root 13445 May 16 11:57 70_sare_ratware.cf
-rw-r--r-- 1 root root 7725 Jun 4 22:31 70_sare_specific.cf
-rw-r--r-- 1 root root 6469 Jun 15 17:48 70_sare_spoof.cf
-rw-r--r-- 1 root root 13211 May 11 22:39 72_sare_bml_post25x.cf
-rw-r--r-- 1 root root 10149 Jun 30 23:12 99_sare_fraud_post25x.cf
-rw-r--r-- 1 root root 14284 Apr 28 12:22 antidrug.cf
-rw-r--r-- 1 root root 22393 Jun 8 10:06 backhair.cf
-rw-r--r-- 1 root root 70201 Jun 22 08:48 bigevil.cf
-rw-r--r-- 1 root root 38 Jul 1 21:13 blacklist.test
-rw-r--r-- 1 root root 86082 Jun 8 10:12 bogus-virus-warnings.cf
-rw-r--r-- 1 root root 23155 Jun 28 17:49 chickenpox.cf
-rw-r--r-- 1 root root 16337 May 5 22:23 evilnumbers.cf
-rw------- 1 root root 2449 Jun 24 15:47 local.cf
-rw-r--r-- 1 root root 302 Apr 12 16:26 local.original
-rw-r--r-- 1 root root 58203 Jun 4 11:57 mangled.cf
-rw-r--r-- 1 root root 3410 Apr 12 04:56 midevil.cf
-rwxr-xr-x 1 root root 30930 Jul 1 22:32 rules_du_jour
drwxr-xr-x 2 root root 4096 Jul 2 14:51 RulesDuJour
-rw-r--r-- 1 root root 57580 Apr 2 16:34 tripwire.cf
-rw-r--r-- 1 root root 3880 Jun 8 10:05 weeds.cf
-rw-r--r-- 1 root root 2898 Jun 30 23:52 whitelist.cf
And they have been doing quite well! However I got this about a dozen times
today:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY>
<DIV> </DIV>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> James
[mailto:gatewmn@rr.com]<BR><B>Sent:</B> Thursday, July 01, 2004 10:56
AM<BR><B>To:</B> XXXXXXX@misresourcegroup.com<BR><B>Subject:</B>
<BR><BR></FONT></DIV>
<CENTER><FONT face=verdana size=+3>The permanent solution to Pe<A
href=""></A>nis Enla<A href=""></A>rgement</FONT> <BR><BR><FONT face=arial
size=+2><B><FONT color=#ffff00>LIMITED OFFER: </FONT></B>Add atleast 4
inches or
get your money back</FONT> <BR><BR>
<P><FONT face=verdana size=+2><B>---></B> <A
href="http://doc45.net/ngr/?a=000016">Click Here To See More!</A>
<B><---</B></FONT>
<P><BR><BR><FONT size=-2><A href="http://doc45.net/rvm/">No more
offers</A></FONT> </P></CENTER></BODY></HTML>
This part "http://doc45.net/rvm/" seems to be the only consistent data in
the mails. How do I filter this with SA? I have yet to undertake the
customization of rules and am still learning....
Any help would get me in the good graces with the boss.....
Mike French
MIS OnlineServices
754 Port America Place
Suite 150
Grapevine, TX 76051
(888) 327-5647
(817) 488-1600
FAX (817) 488-1103
MikeF AT misonlineservices.com
www.misonlineservices.com
Re: Persistent little buggers
Posted by Jeff Chan <je...@surbl.org>.
On Friday, July 2, 2004, 1:08:50 PM, Don Newcomer wrote:
> Use the SURBL lists. Your message whacked three (3) of them for a total
> score of 13! As an added plus, if you use ws.surbl.org (I think that's the
> one), you can eliminate bigevil.cf and take some load off your system.
Yes, ws.surbl.org contains domains and some IP addresses from
sa-blacklist, BigEvil.cf, MidEvil.cf and some other sources
and can be used in place of all of them for the most part.
http://www.surbl.org/
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
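To make the SURBL advice in Don's and Jeff's replies concrete, here is an added example (not code from this thread, from SpamAssassin, or from SURBL) of what a URI-blocklist check does: it pulls the hostnames out of the HTML body quoted in the original post, reduces each to the key a blocklist is looked up by (a registrable domain, or reversed octets for a bare IP address), builds the DNS query name under the list zone, and decodes the answer. The resolver is a constructed stand-in so the example runs offline; the bit-to-list mapping and the two-label/three-label domain heuristic are simplifying assumptions for illustration, not SURBL's or SpamAssassin's actual tables.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the URL-carrying part of the spam body quoted in the
# original post (both links point at the same domain).
SAMPLE_BODY = """<P><FONT face=verdana size=+2><B>---></B> <A
href="http://doc45.net/ngr/?a=000016">Click Here To See More!</A>
<B><---</B></FONT>
<P><BR><BR><FONT size=-2><A href="http://doc45.net/rvm/">No more
offers</A></FONT> </P></CENTER></BODY></HTML>"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

# ASSUMED bit layout for the combined zone, purely for this example; the real
# multi.surbl.org codes are published on surbl.org and have changed over time.
SURBL_BITS = {2: 'sc', 4: 'ws', 8: 'ph', 16: 'ob', 32: 'ab'}
SURBL_ZONE = 'multi.surbl.org'


def extract_hosts(body):
    """Return the set of lower-cased hostnames found in http(s) URLs."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registrable_domain(host):
    """Reduce a hostname to the domain a blocklist is keyed on.

    Toy heuristic (assumption): two labels normally, three when the second
    label is a common country-code second-level domain such as net.tw.
    SpamAssassin uses a full registrar-boundary table instead."""
    labels = host.split('.')
    cc_sld = {'co', 'com', 'net', 'org', 'ac', 'gov', 'edu'}
    if len(labels) >= 3 and labels[-2] in cc_sld and len(labels[-1]) == 2:
        return '.'.join(labels[-3:])
    return '.'.join(labels[-2:])


def lookup_key(host):
    """Domain as-is; bare IPv4 addresses are looked up with octets reversed."""
    if IPV4_RE.match(host):
        return '.'.join(reversed(host.split('.')))
    return registrable_domain(host)


def surbl_query_name(key, zone=SURBL_ZONE):
    return f'{key}.{zone}'


def decode_surbl_answer(addresses):
    """Turn the A records returned for a query into sorted list names.

    Anything outside 127.0.0.0/8 is ignored: that is the signature of a
    resolver that rewrites NXDOMAIN (or a hijacked zone), not a listing."""
    names = set()
    for addr in addresses:
        octets = addr.split('.')
        if len(octets) != 4 or octets[0] != '127':
            continue
        value = int(octets[3])
        for bit, name in SURBL_BITS.items():
            if value & bit:
                names.add(name)
    return sorted(names)


def check_body(body, resolve):
    """Map each lookup key found in the body to the lists it appears on."""
    hits = {}
    for host in extract_hosts(body):
        key = lookup_key(host)
        names = decode_surbl_answer(resolve(surbl_query_name(key)))
        if names:
            hits[key] = names
    return hits


# Constructed stand-in for DNS so the example runs offline; a real check
# would issue an A-record query here instead.
FAKE_ANSWERS = {
    'doc45.net.multi.surbl.org': ['127.0.0.6'],      # constructed: bits 2 and 4 set
    'bogus.test.multi.surbl.org': ['10.1.2.3'],      # constructed: non-127 answer, ignored
}


def fake_resolve(qname):
    return FAKE_ANSWERS.get(qname, [])


if __name__ == '__main__':
    for key, lists in check_body(SAMPLE_BODY, fake_resolve).items():
        print(f'{key}: listed on {", ".join(lists)}')
```

A single listed domain is enough to flag the whole message, which is why a rotating body and spelling tricks like the split "Pe...nis" do not help the sender once the landing domain is listed. For the one-off case in the original post, SpamAssassin's own `uri` rule type can also match the URL directly in local.cf (for example a rule named `LOCAL_DOC45_URI`, a hypothetical name, with the pattern `/doc45\.net/i` and its own `score` line), but that has to be maintained by hand for every new domain, whereas the list lookup above keeps working when the domain changes.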
Re: Persistent little buggers
Posted by Don Newcomer <ne...@dickinson.edu>.
Use the SURBL lists. Your message whacked three (3) of them for a total
score of 13! As an added plus, if you use ws.surbl.org (I think that's the
one), you can eliminate bigevil.cf and take some load off your system.
Don Newcomer
Senior Manager, Systems
Infrastructure Systems Department
Library and Information Services
Dickinson College
P.O. Box 1773
Carlisle, PA 17013
717-245-1256 (Voice)
717-245-1690 (FAX)
newcomer@dickinson.edu
Re: Persistent little buggers
Posted by Kelson Vibber <ke...@speed.net>.
On Friday 02 July 2004 01:04 pm, Mike French wrote:
> This part "http://doc45.net/rvm/" seems to be the only consistent data in
> the mails. How do I filter this with SA? I have yet to undertake the
> customization of rules and am still learning....
Interesting side note... someone reported one of these to us this morning
because it was sent through an IP that had a WHOIS contact of
somebody@speed.net.tw - and they didn't see the .tw part.
Aside from that, I agree - SURBL is the way to go for this. It's even
reasonably quick at picking up new domain names. There's a particular
spammer who's been hitting me for about a month now, who has managed to evade
just about everything else (even Bayes - they use different spellings every
time and append a different random bit of prose every single time). They
even rotate in a new domain name every few days, but SURBL has been catching
them regularly since I started using it.
--
Kelson Vibber
SpeedGate Communications, <www.speed.net>