Posted to users@spamassassin.apache.org by David Hooton <dj...@platformhosting.com> on 2004/02/03 16:26:54 UTC

Mr Wiggly has changed

Looks like the clever fellow who brought you Mr Wigglies V word email has
changed his modus operandi.

I've just received a new version of the same old message which was missed by
the Mr Wiggly rules.

Message source here: http://www.mailsecurity.net.au/tmp/mrwiggly.txt

Chris - let me know if you need any more copies, I'm sure our spamtraps will
have hundreds shortly.

Regards,

David Hooton


========================================================================
 Pain free spam & virus protection by:          www.mailsecurity.net.au
 Forward undetected SPAM to:                   spam@mailsecurity.net.au
========================================================================


Re[4]: Mr Wiggly has changed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Jason,

Wednesday, February 4, 2004, 6:58:58 AM, you wrote:

JC> OVERALL     SPAM      HAM     S/O   SCORE  NAME
JC>   91185    73148    18037    0.802   0.00    0.00  (all messages)
JC>    5345     5254       91    0.934   0.81   3.00  AMB_IMAGE_CONTENT

JC> OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
JC>   91185    73148    18037    0.802   0.00    0.00  (all messages)
JC> 100.000  80.2193  19.7807    0.802   0.00    0.00  (all messages as %)
JC>   5.862   7.1827   0.5045    0.934   0.81    3.00  AMB_IMAGE_CONTENT

JC> Could you tell me how you produce this report? If I need to RTFM
JC> please let me know what manual to read. :)

See http://www.exit0.us/index.php/Against%20a%20Corpus and then
http://www.exit0.us/index.php/BobCorpusTest for some guidance.

Bob Menschel

RE: Re[2]: Mr Wiggly has changed

Posted by Jason Crowe <jc...@midwestglove.com>.

-----Original Message-----
From: Robert Menschel [mailto:Robert@Menschel.net] 
Sent: Wednesday, February 04, 2004 8:53 AM
To: Andy Blanchard
Cc: spamassassin-users@incubator.apache.org
Subject: Re[2]: Mr Wiggly has changed

A nice rule, but does hit ham here:

OVERALL     SPAM      HAM     S/O   SCORE  NAME
  91185    73148    18037    0.802   0.00    0.00  (all messages)
   5345     5254       91    0.934   0.81   3.00  AMB_IMAGE_CONTENT

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  91185    73148    18037    0.802   0.00    0.00  (all messages)
100.000  80.2193  19.7807    0.802   0.00    0.00  (all messages as %)
  5.862   7.1827   0.5045    0.934   0.81    3.00  AMB_IMAGE_CONTENT


Could you tell me how you produce this report? If I need to RTFM please let
me know what manual to read. :)

Thanks,
Jason


Re[2]: Mr Wiggly has changed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Andy,

Tuesday, February 3, 2004, 10:22:15 AM, you wrote:

>> I've just received a new version of the same old message which was missed
>> by the Mr Wiggly rules.

AB> Persistent little swine this one...  The following works nicely for me and
AB> has generated no false positives yet (hence the high score), YMMV:

AB> # Look for URIs linking to a .GIF or .JPG with one or two letters
AB> # then one or two numbers as the name
AB> uri       AMB_IMAGE_CONTENT  /\/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)/i
AB> describe  AMB_IMAGE_CONTENT  Contains URI linking to numbered GIF or JPG
AB> score     AMB_IMAGE_CONTENT  3.0

A nice rule, but does hit ham here:

OVERALL     SPAM      HAM     S/O   SCORE  NAME
  91185    73148    18037    0.802   0.00    0.00  (all messages)
   5345     5254       91    0.934   0.81   3.00  AMB_IMAGE_CONTENT

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  91185    73148    18037    0.802   0.00    0.00  (all messages)
100.000  80.2193  19.7807    0.802   0.00    0.00  (all messages as %)
  5.862   7.1827   0.5045    0.934   0.81    3.00  AMB_IMAGE_CONTENT

Hits 7% of my spam, and 0.5% of my ham.

Hits heavily on about.com's newsletters, and thebluebook.com's notices.

I'm going to try a modification that excludes those specific graphics,
and see what happens...

Bob Menschel
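
Added example, not part of the original thread: a small Python re-creation of the measurement discussed above, applying the AMB_IMAGE_CONTENT pattern to a constructed corpus and computing SPAM%, HAM% and S/O. It assumes S/O = SPAM% / (SPAM% + HAM%), which reproduces the 0.934 in the report; Python's re stands in for SpamAssassin, and all URIs and function names are made up for illustration.

```python
import re

# Pattern copied from the AMB_IMAGE_CONTENT rule in the thread; the /i flag
# becomes re.IGNORECASE. Python's re stands in for SpamAssassin here.
AMB_IMAGE_CONTENT = re.compile(r"/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)", re.IGNORECASE)

def rule_hits(uris):
    """A 'uri' rule fires once per message if any URI in it matches."""
    return any(AMB_IMAGE_CONTENT.search(u) for u in uris)

def s_over_o(spam_pct, ham_pct):
    """Assumed S/O definition: SPAM% / (SPAM% + HAM%)."""
    total = spam_pct + ham_pct
    return spam_pct / total if total else 0.0

def hit_frequency(corpus):
    """corpus: list of (label, [uris]); returns (spam_pct, ham_pct, s_o)."""
    totals = {"spam": 0, "ham": 0}
    hits = {"spam": 0, "ham": 0}
    for label, uris in corpus:
        totals[label] += 1
        hits[label] += rule_hits(uris)
    spam_pct = 100.0 * hits["spam"] / totals["spam"] if totals["spam"] else 0.0
    ham_pct = 100.0 * hits["ham"] / totals["ham"] if totals["ham"] else 0.0
    return spam_pct, ham_pct, s_over_o(spam_pct, ham_pct)

# Constructed sample corpus (not real mail). The pattern is not anchored to
# the start of the path, so any short "letters+digits" image name in any
# directory matches, which is how a legitimate newsletter can hit the rule.
SAMPLE_CORPUS = [
    ("spam", ["http://spam.example/a1.gif"]),
    ("spam", ["http://spam.example/pics/xy22.JPG"]),
    ("spam", ["http://spam.example/q7.jpg", "http://spam.example/buy.html"]),
    ("spam", ["http://spam.example/banner.gif"]),            # no hit
    ("ham",  ["http://news.example/images/tp1.gif"]),        # false positive
    ("ham",  ["http://shop.example/img/logo.png"]),
    ("ham",  ["http://example.org/photos/holiday2003.jpg"]),
    ("ham",  ["http://example.org/spacer1.gif"]),            # 6 letters: no hit
]

if __name__ == "__main__":
    spam_pct, ham_pct, so = hit_frequency(SAMPLE_CORPUS)
    print(f"SPAM% {spam_pct:.4f}  HAM% {ham_pct:.4f}  S/O {so:.3f}")
    # Counts taken from the report in the thread: 5254/73148 spam, 91/18037 ham
    print(f"report S/O: {s_over_o(100 * 5254 / 73148, 100 * 91 / 18037):.3f}")
```
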



Re: Mr Wiggly has changed

Posted by Andy Blanchard <an...@zocalo.uk.com>.
> I've just received a new version of the same old message which was missed
> by the Mr Wiggly rules.
>
> Message source here: http://www.mailsecurity.net.au/tmp/mrwiggly.txt

Persistent little swine this one...  The following works nicely for me and
has generated no false positives yet (hence the high score), YMMV:

# Look for URIs linking to a .GIF or .JPG with one or two letters
# then one or two numbers as the name
uri       AMB_IMAGE_CONTENT  /\/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)/i
describe  AMB_IMAGE_CONTENT  Contains URI linking to numbered GIF or JPG
score     AMB_IMAGE_CONTENT  3.0

Andy