Posted to users@spamassassin.apache.org by Mike French <mi...@misonlineservices.com> on 2004/07/02 22:04:45 UTC

Persistent little buggers

Hello list! I wondered if I might ask for a little help. Here are my Rules
currently:

-rw-r--r--    1 root     root         2983 Jun  8 10:01 23_bayes.cf
-rw-r--r--    1 root     root        38619 Jul  2 00:17 50_scores.cf
-rw-r--r--    1 root     root        31856 Jun 30 23:10 70_sare_adult.cf
-rw-r--r--    1 root     root         3927 Apr 24 16:05 70_sare_bayes_poison_nxm.cf
-rw-r--r--    1 root     root        97062 Jun 20 01:50 70_sare_genlsubj0.cf
-rw-r--r--    1 root     root        51876 Jun 13 20:06 70_sare_header0.cf
-rw-r--r--    1 root     root        25613 Jun 11 23:40 70_sare_html0.cf
-rw-r--r--    1 root     root        16584 Jun  2 17:40 70_sare_random.cf
-rw-r--r--    1 root     root        13445 May 16 11:57 70_sare_ratware.cf
-rw-r--r--    1 root     root         7725 Jun  4 22:31 70_sare_specific.cf
-rw-r--r--    1 root     root         6469 Jun 15 17:48 70_sare_spoof.cf
-rw-r--r--    1 root     root        13211 May 11 22:39 72_sare_bml_post25x.cf
-rw-r--r--    1 root     root        10149 Jun 30 23:12 99_sare_fraud_post25x.cf
-rw-r--r--    1 root     root        14284 Apr 28 12:22 antidrug.cf
-rw-r--r--    1 root     root        22393 Jun  8 10:06 backhair.cf
-rw-r--r--    1 root     root        70201 Jun 22 08:48 bigevil.cf
-rw-r--r--    1 root     root           38 Jul  1 21:13 blacklist.test
-rw-r--r--    1 root     root        86082 Jun  8 10:12 bogus-virus-warnings.cf
-rw-r--r--    1 root     root        23155 Jun 28 17:49 chickenpox.cf
-rw-r--r--    1 root     root        16337 May  5 22:23 evilnumbers.cf
-rw-------    1 root     root         2449 Jun 24 15:47 local.cf
-rw-r--r--    1 root     root          302 Apr 12 16:26 local.original
-rw-r--r--    1 root     root        58203 Jun  4 11:57 mangled.cf
-rw-r--r--    1 root     root         3410 Apr 12 04:56 midevil.cf
-rwxr-xr-x    1 root     root        30930 Jul  1 22:32 rules_du_jour
drwxr-xr-x    2 root     root         4096 Jul  2 14:51 RulesDuJour
-rw-r--r--    1 root     root        57580 Apr  2 16:34 tripwire.cf
-rw-r--r--    1 root     root         3880 Jun  8 10:05 weeds.cf
-rw-r--r--    1 root     root         2898 Jun 30 23:52 whitelist.cf

And they have been doing quite well! However I got this about a dozen times
today:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY>
<DIV>&nbsp;</DIV>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma 
size=2>-----Original Message-----<BR><B>From:</B> James 
[mailto:gatewmn@rr.com]<BR><B>Sent:</B> Thursday, July 01, 2004 10:56 
AM<BR><B>To:</B> XXXXXXX@misresourcegroup.com<BR><B>Subject:</B> 
<BR><BR></FONT></DIV>
<CENTER><FONT face=verdana size=+3>The permanent solution to Pe<A 
href=""></A>nis Enla<A href=""></A>rgement</FONT> <BR><BR><FONT face=arial 
size=+2><B><FONT color=#ffff00>LIMITED OFFER: </FONT></B>Add atleast 4
inches or 
get your money back</FONT> <BR><BR>
<P><FONT face=verdana size=+2><B>---&gt;</B> <A 
href="http://doc45.net/ngr/?a=000016">Click Here To See More!</A> 
<B>&lt;---</B></FONT> 
<P><BR><BR><FONT size=-2><A href="http://doc45.net/rvm/">No more 
offers</A></FONT> </P></CENTER></BODY></HTML>

This part " http://doc45.net/rvm/" seems to be the only consistent data in
the mails. How do I filter this with SA? I have yet to undertake the
customization of rules and am still learning....

Any help would get me in the good graces with the boss.....



Mike French
MIS OnlineServices
754 Port America Place
Suite 150
Grapevine, TX 76051
(888) 327-5647
(817) 488-1600
FAX (817) 488-1103
MikeF AT misonlineservices.com
www.misonlineservices.com 




Re: Persistent little buggers

Posted by Jeff Chan <je...@surbl.org>.
On Friday, July 2, 2004, 1:08:50 PM, Don Newcomer wrote:
> Use the SURBL lists.  Your message whacked three (3) of them for a total
> score of 13!  As an added plus, if you use ws.surbl.org (I think that's the
> one), you can eliminate bigevil.cf and take some load off your system.

Yes, ws.surbl.org contains domains and some IP addresses from
sa-blacklist, BigEvil.cf, MidEvil.cf and some other sources
and can be used in place of all of them for the most part.

  http://www.surbl.org/

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
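As an added example (not code from the thread, and not SpamAssassin's own implementation), here is what a SURBL-style URI check does with the message Mike posted, in Python: pull the hostnames out of the HTML hrefs, reduce each to its registrable domain, and look it up in DNS as <domain>.<zone>, which is the lookup Jeff describes ws.surbl.org serving. The DNS resolver is a constructed stand-in so the code runs offline; that doc45.net is on three sub-lists, and the multi.surbl.org bit values, are assumptions for the demo rather than statements about the live zone.

```python
"""Added example: a SURBL-style URI check run over the spam quoted above.
Not code from the thread or from SpamAssassin; the resolver is a constructed
stand-in so the whole thing runs offline."""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample: the link-bearing parts of the message Mike posted.
SPAM_HTML = """<HTML><BODY>
The permanent solution to Pe<A href=""></A>nis Enla<A href=""></A>rgement
<A href="http://doc45.net/ngr/?a=000016">Click Here To See More!</A>
<A href="http://doc45.net/rvm/">No more offers</A>
<A href="mailto:gatewmn@rr.com">James</A>
</BODY></HTML>"""


class HrefCollector(HTMLParser):
    """Collect every non-empty href on an <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hosts(html: str) -> Set[str]:
    """Hostnames of http(s) links in the body.  The empty hrefs used to break
    up words (Pe<A href=""></A>nis) and the mailto: link carry no host and are
    dropped, so they do not defeat the check."""
    collector = HrefCollector()
    collector.feed(html)
    hosts: Set[str] = set()
    for href in collector.hrefs:
        parsed = urlparse(href)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname.lower().rstrip("."))
    return hosts


# Assumption: a small illustrative table of two-level ccTLD suffixes.  Real
# SURBL clients ship a much longer list so that a host under net.tw reduces
# to its registered domain and not to the bare 'net.tw'.
TWO_LEVEL_TLDS = {"co.uk", "com.tw", "net.tw", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Strip subdomains: SURBL lists 'doc45.net', not 'www.doc45.net', so
    rotating hostnames under one registered domain all map to one lookup."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(domain: str, zone: str = "ws.surbl.org") -> str:
    """SURBL is a DNS zone: query <domain>.<zone>; a 127.0.0.x answer means listed."""
    return f"{domain}.{zone}"


# multi.surbl.org encodes which sub-lists hit as a bitmask in the last octet.
# Assumption: bit values as published by SURBL (sc=2, ws=4, ph=8, ob=16, ab=32, jp=64).
MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}


def decode_multi(answer: str) -> List[str]:
    last_octet = int(answer.rsplit(".", 1)[1])
    return [name for bit, name in MULTI_BITS.items() if last_octet & bit]


def check_body(html: str, resolve: Callable[[str], Optional[str]],
               zone: str = "multi.surbl.org") -> Dict[str, List[str]]:
    """Map each listed domain linked from the body to the sub-lists that hit."""
    hits: Dict[str, List[str]] = {}
    for host in extract_hosts(html):
        domain = registrable_domain(host)
        answer = resolve(surbl_query_name(domain, zone))
        if answer and answer.startswith("127.0.0."):
            hits[domain] = decode_multi(answer)
    return hits


# Constructed stand-in for DNS.  That doc45.net is on sc, ws and ph (2+4+8=14)
# is an assumption for the demo, not a statement about the real zone.
FAKE_ZONE = {"doc45.net.multi.surbl.org": "127.0.0.14"}


def fake_resolve(qname: str) -> Optional[str]:
    return FAKE_ZONE.get(qname)


if __name__ == "__main__":
    print(check_body(SPAM_HTML, fake_resolve))  # {'doc45.net': ['sc', 'ws', 'ph']}
```

The one-off alternative to this is a local `uri` rule in local.cf, something like `uri LOCAL_DOC45_NET /doc45\.net\//i` with a matching `score` line; that catches today's domain but is exactly the hand-maintained list that bigevil.cf is, and it stops working the moment the spammer registers the next one. The DNS lookup scales because the list is maintained centrally and the reduction to the registrable domain means every hostname the spammer rotates under it resolves to the same entry.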


Re: Persistent little buggers

Posted by Don Newcomer <ne...@dickinson.edu>.
Use the SURBL lists.  Your message whacked three (3) of them for a total
score of 13!  As an added plus, if you use ws.surbl.org (I think that's the
one), you can eliminate bigevil.cf and take some load off your system.

Don Newcomer
Senior Manager, Systems
Infrastructure Systems Department
Library and Information Services
Dickinson College
P.O. Box 1773
Carlisle, PA  17013
717-245-1256 (Voice)
717-245-1690 (FAX)
newcomer@dickinson.edu

On Fri, 2 Jul 2004, Mike French wrote:

> [...]
> This part " http://doc45.net/rvm/" seems to be the only consistent data in
> the mails. How do I filter this with SA? I have yet to undertake the
> customization of rules and am still learning....
>
> Any help would get me in the good graces with the boss.....

Re: Persistent little buggers

Posted by Kelson Vibber <ke...@speed.net>.
On Friday 02 July 2004 01:04 pm, Mike French wrote:
> This part " http://doc45.net/rvm/" seems to be the only consistent data in
> the mails. How do I filter this with SA? I have yet to under take the
> customization of rules and am still learning....

Interesting side note... someone reported one of these to us this morning 
because it was sent through an IP that had a WHOIS contact of 
somebody@speed.net.tw - and they didn't see the .tw part.

Aside from that, I agree - SURBL is the way to go for this.  It's even 
reasonably quick at picking up new domain names.  There's a particular 
spammer who's been hitting me for about a month now, who has managed to evade 
just about everything else (even Bayes - they use different spellings every 
time and append a different random bit of prose every single time).  They 
even rotate in a new domain name every few days, but SURBL has been catching 
them regularly since I started using it.

-- 
Kelson Vibber
SpeedGate Communications, <www.speed.net>