Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2006/04/28 16:52:25 UTC

span float obfuscation (was: one SPAM)

On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
wrote:

> describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d
> </span>

Thanks, I was looking for a rule for this. Have you considered submitting 
it to the devs?

<http://wiki.apache.org/spamassassin/ContributingNewRules>

new rules here (was Re: span float obfuscation)

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello Kenneth-san.

From: Kenneth Porter <sh...@sewingwitch.com>
Subject: Re: span float obfuscation
Date: Mon, 01 May 2006 07:53:12 -0700

> On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
> wrote:
> 
> > BTW, I have more rules for catching various types of spams.
> > Which is better for posting new rules?
> >  (1) first, posting new rules to this users ML, next, posting to Bugzilla
> >  (2) directly posting new rules to Bugzilla
> 
> I'd post to bugzilla, after first looking to see if someone's already 
> posted either a similar rule or a methodology that eliminates the need for 
> the rule.

Thank you for your advice.
So, I've posted 2 kinds of rules.

Everyone in this ML, please test them.
The rules below are for detecting some types of Japanese spams.

(1) Another way of RCVD_ILLEGAL_IP
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4459

header FORGED_RCVD_IP Received =~ /(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
describe FORGED_RCVD_IP Invalid IP number, over 255.
score FORGED_RCVD_IP 2.5

(2) detecting same HELO and BY
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4889

header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\7/
describe HELO_BY_SAME HELO is same received MTA's FQDN
score HELO_BY_SAME 1.5

header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
describe HELO_BY_PARTIALSAME HELO is same received MTA's domain name
score HELO_BY_PARTIALSAME 1.5
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)
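
Added example (not part of the original post and not SpamAssassin code): the three rules from the message above, run with Python's `re` module over constructed header values to show which inputs each rule fires on. `RULES`, `rule_hits` and the sample headers are hypothetical; the HELO patterns group the private-range alternation per range, which is an assumption about the intent of the rule.

```python
import re

# Relay filter shared by both HELO rules: skip loopback and RFC 1918 relays.
# The alternation is grouped per range here (assumption about the intent);
# the capture groups still number so that group 7 is the HELO name.
_PUBLIC_RELAY = (r"ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}"
                 r"|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))"
                 r"\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) ")

RULES = {  # rule name -> (header it reads, compiled pattern)
    "FORGED_RCVD_IP": ("Received", re.compile(
        r"(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]"
        r"|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}"
        r"|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})"
        r"|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))")),
    "HELO_BY_SAME": ("X-Spam-Relays-Untrusted",
                     re.compile(_PUBLIC_RELAY + r"by=\7")),
    "HELO_BY_PARTIALSAME": ("X-Spam-Relays-Untrusted",
                            re.compile(_PUBLIC_RELAY + r"by=[\w\.]+\7")),
}

def rule_hits(header, value):
    """Return the sorted names of the rules that fire on one header value."""
    return sorted(name for name, (hdr, rx) in RULES.items()
                  if hdr == header and rx.search(value))

# Constructed sample headers (documentation addresses and names, not real mail).
SAMPLES = [
    ("Received", "from a.example.net ([198.51.100.9]) by mx.example.jp"),
    ("Received", "from b.example.net ([61.300.12.5]) by mx.example.jp"),
    # First-octet branch: 96-120 and 223+ also hit, not only octets over 255.
    ("Received", "from c.example.net ([104.20.1.2]) by mx.example.jp"),
    ("X-Spam-Relays-Untrusted",
     "[ ip=203.0.113.7 rdns= helo=mx.example.jp by=mx.example.jp ident= ]"),
    ("X-Spam-Relays-Untrusted",
     "[ ip=203.0.113.7 rdns= helo=example.jp by=mx.example.jp ident= ]"),
    ("X-Spam-Relays-Untrusted",
     "[ ip=10.1.2.3 rdns= helo=mx.example.jp by=mx.example.jp ident= ]"),
]

if __name__ == "__main__":
    for header, value in SAMPLES:
        print(rule_hits(header, value) or ["-"], header + ":", value)
```

The last sample shows the relay filter at work: a relay on a private address is skipped even though its HELO name and the receiving host name agree.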

Re: span float obfuscation

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
wrote:

> BTW, I have more rules for catching various types of spams.
> Which is better for posting new rules?
>  (1) first, posting new rules to this users ML, next, posting to Bugzilla
>  (2) directly posting new rules to Bugzilla

I'd post to bugzilla, after first looking to see if someone's already 
posted either a similar rule or a methodology that eliminates the need for 
the rule.



Re: span float obfuscation

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Kenneth-san, thank you for your kind advice.
I've posted new rules to Bugzilla.
But, it's a little bit difficult for me. ^^;

BTW, I have more rules for catching various types of spams.
Which is better for posting new rules?
 (1) first, posting new rules to this users ML, next, posting to Bugzilla
 (2) directly posting new rules to Bugzilla

From: Kenneth Porter <sh...@sewingwitch.com>
Subject: Re: span float obfuscation
Date: Fri, 28 Apr 2006 10:05:56 -0700

> On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
> wrote:
> 
> > May I post my rules to Bugzilla?
> 
> Sounds good to me. I would have done so myself but wanted to make sure you 
> get attribution. You'll probably want to subscribe to the -devel list as 
> all bugzilla traffic goes through there. And as the wiki page recommends, 
> attach a sample spam to illustrate what the rule is supposed to catch.
> 
> Once the rule is captured in bugzilla, a dev can get it into the automated 
> testing sandbox and we can see how the rule performs on their corpora.
> 
> 

--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)

Re: span float obfuscation

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
wrote:

> May I post my rules to Bugzilla?

Sounds good to me. I would have done so myself but wanted to make sure you 
get attribution. You'll probably want to subscribe to the -devel list as 
all bugzilla traffic goes through there. And as the wiki page recommends, 
attach a sample spam to illustrate what the rule is supposed to catch.

Once the rule is captured in bugzilla, a dev can get it into the automated 
testing sandbox and we can see how the rule performs on their corpora.



Re: span float obfuscation

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello, Kenneth-san and all spamassassiners.

From: Kenneth Porter <sh...@sewingwitch.com>
Subject: span float obfuscation (was: <something> one SPAM)
Date: Fri, 28 Apr 2006 07:52:25 -0700

> On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
> wrote:
> 
> > describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d
> > </span>
> 
> Thanks, I was looking for a rule for this. Have you considered submitting 
> it to the devs?

No, I've not yet.

> <http://wiki.apache.org/spamassassin/ContributingNewRules>

May I post my rules to Bugzilla?
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)