Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2006/04/28 16:52:25 UTC
span float obfuscation (was: one SPAM)
On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org>
wrote:
> describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d
> </span>
Thanks, I was looking for a rule for this. Have you considered submitting
it to the devs?
<http://wiki.apache.org/spamassassin/ContributingNewRules>
new rules here (was Re: span float obfuscation)
Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello Kenneth-san.
From: Kenneth Porter <sh...@sewingwitch.com>
Subject: Re: span float obfuscation
Date: Mon, 01 May 2006 07:53:12 -0700
> On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org>
> wrote:
>
> > BTW, I have more rules for catching various types of spams.
> > Which is better for posting new rules?
> > (1) first, posting new rules to this users ML, next, posting to Bugzilla
> > (2) directly posting new rules to Bugzilla
>
> I'd post to bugzilla, after first looking to see if someone's already
> posted either a similar rule or a methodology that eliminates the need for
> the rule.
Thank you for your advice.
So, I've posted 2 kinds of rules.
Everyone on this ML, please test them.
The rules below are for detecting some types of Japanese spams.
(1) Another way of RCVD_ILLEGAL_IP
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4459
header FORGED_RCVD_IP Received =~ /(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
describe FORGED_RCVD_IP Invalid IP number, over 255.
score FORGED_RCVD_IP 2.5
(2) detecting same HELO and BY
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4889
header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\7/
describe HELO_BY_SAME HELO is same received MTA's FQDN
score HELO_BY_SAME 1.5
header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
describe HELO_BY_PARTIALSAME HELO is same received MTA's domain name
score HELO_BY_PARTIALSAME 1.5
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)
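The check that HELO_BY_SAME and HELO_BY_PARTIALSAME express as regexes, written out as a parser (an added example, not part of the original post and not SpamAssassin code). The sample header value, host names and function names are constructed for illustration, and the partial match here is done on a label boundary, which is an assumption stricter than the posted pattern.

```python
import ipaddress
import re

# Constructed X-Spam-Relays-Untrusted value (hosts and addresses are made up).
SAMPLE = (
    "[ ip=203.0.113.7 rdns= helo=mx.rcpt.example by=mx.rcpt.example ident= ] "
    "[ ip=198.51.100.20 rdns= helo=rcpt.example by=mx.rcpt.example ident= ] "
    "[ ip=10.1.2.3 rdns= helo=mx.rcpt.example by=mx.rcpt.example ident= ] "
    "[ ip=192.0.2.55 rdns=out.sender.example helo=out.sender.example "
    "by=mx.rcpt.example ident= ]"
)

# Sources the posted rules mean to skip: 127.0.0.1 and RFC 1918 space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_relays(header):
    """Split the header into one dict of key=value fields per relay."""
    return [dict(re.findall(r"(\w+)=(\S*)", entry))
            for entry in re.findall(r"\[ (.*?) \]", header)]

def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable address: leave it to other rules
    return any(ip in net for net in INTERNAL)

def classify(relay):
    """Return the rule name a relay entry would hit, or None."""
    helo = relay.get("helo", "").lower().rstrip(".")
    by = relay.get("by", "").lower().rstrip(".")
    if not helo or not by or is_internal(relay.get("ip", "")):
        return None
    if helo == by:
        return "HELO_BY_SAME"
    # Suffix match on a label boundary (assumption, see lead-in).
    if by.endswith("." + helo):
        return "HELO_BY_PARTIALSAME"
    return None

def score_relays(header):
    return [classify(r) for r in parse_relays(header)]

if __name__ == "__main__":
    for relay, hit in zip(parse_relays(SAMPLE), score_relays(SAMPLE)):
        print(relay["ip"], hit)
```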
Re: span float obfuscation
Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org>
wrote:
> BTW, I have more rules for catching various types of spams.
> Which is better for posting new rules?
> (1) first, posting new rules to this users ML, next, posting to Bugzilla
> (2) directly posting new rules to Bugzilla
I'd post to bugzilla, after first looking to see if someone's already
posted either a similar rule or a methodology that eliminates the need for
the rule.
Re: span float obfuscation
Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Kenneth-san, thank you for your kind advice.
I've posted new rules to Bugzilla.
But, it's a little bit difficult for me. ^^;
BTW, I have more rules for catching various types of spams.
Which is better for posting new rules?
(1) first, posting new rules to this users ML, next, posting to Bugzilla
(2) directly posting new rules to Bugzilla
From: Kenneth Porter <sh...@sewingwitch.com>
Subject: Re: span float obfuscation
Date: Fri, 28 Apr 2006 10:05:56 -0700
> On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <yo...@flcl.org>
> wrote:
>
> > May I post my rules to Bugzilla?
>
> Sounds good to me. I would have done so myself but wanted to make sure you
> get attribution. You'll probably want to subscribe to the -devel list as
> all bugzilla traffic goes through there. And as the wiki page recommends,
> attach a sample spam to illustrate what the rule is supposed to catch.
>
> Once the rule is captured in bugzilla, a dev can get it into the automated
> testing sandbox and we can see how the rule performs on their corpora.
>
>
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)
Re: span float obfuscation
Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <yo...@flcl.org>
wrote:
> May I post my rules to Bugzilla?
Sounds good to me. I would have done so myself but wanted to make sure you
get attribution. You'll probably want to subscribe to the -devel list as
all bugzilla traffic goes through there. And as the wiki page recommends,
attach a sample spam to illustrate what the rule is supposed to catch.
Once the rule is captured in bugzilla, a dev can get it into the automated
testing sandbox and we can see how the rule performs on their corpora.
Re: span float obfuscation
Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello, Kenneth-san and all spamassassiners.
From: Kenneth Porter <sh...@sewingwitch.com>
Subject: span float obfuscation (was: <something> one SPAM)
Date: Fri, 28 Apr 2006 07:52:25 -0700
> On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org>
> wrote:
>
> > describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d
> > </span>
>
> Thanks, I was looking for a rule for this. Have you considered submitting
> it to the devs?
No, I've not yet.
> <http://wiki.apache.org/spamassassin/ContributingNewRules>
May I post my rules to Bugzilla?
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)