Watches and pain relief

[Geoff Soper <ge...@alphaworks.co.uk>]

My current spam problem consists almost entirely of spam advertising
watches and various pain relief products. I have a reasonable variety of
rulesets installed including the following (it's not definitive as I don't
have access to the server right now):
SARE General Subject
SARE HEADER
SARE html0
SARE OEM
SARE Random
SARE Ratware Detection
SARE Specific
SARE Spoof
EvilNumber

Can anyone suggest what might catch these watch and pain relief spams
before I start writing some of my own?

Thanks,
Geoff

Re: Watches and pain relief

[Loren Wilton <lw...@earthlink.net>]

Here are my current watch-catchers.  These will end up in a ruleset at some
point, doubtless with modifications.  you probably will have to fiddle the
scores on these a little.

body  LW_ROLEX  /\broll?ex\b/i
score  LW_ROLEX  1
describe LW_ROLEX  Mentions Rolex

body  __LW_OBREPLICA /\brepIicas?\b/i
body  __LW_REPLICA /\breplicas?\b/i
body  __LW_WATCHES /\bwatch(?:es)?\b/i

meta  LW_ROLEXWATCH LW_ROLEX && __LW_WATCHES
score  LW_ROLEXWATCH 1
describe LW_ROLEXWATCH Mentions rolex watches

meta  LW_FAKEROLEX LW_ROLEX && __LW_REPLICA
score  LW_FAKEROLEX 5
describe LW_FAKEROLEX Talks about rolex and replicas

body  LW_WANTAROLEX /Want a (?:\w+ ){0,3}Rolex(?: Watch)?\?/i  # Want a
cheap Rolex Watch?
score  LW_WANTAROLEX 5
describe LW_WANTAROLEX Asks if you want a rolex watch

meta  LW_ROLEXOBFU __LW_OBREPLICA && LW_ROLEX
score  LW_ROLEXOBFU 5
describe LW_ROLEXOBFU Obfuscating replica rolexes!


As for pain meds, you shouldn't be having problems on 3.0 since Anitdrug is
part of it.  On 2.64, you need to be running Antidruf as well as the SARE
things.

        Loren

Re: Watches and pain relief

[jdow <jd...@earthlink.net>]

Someone passed some ROLEX rules through the list a week or two ago. They
are in my user_prefs and working just fine. I'd recommend them to the
SARE people.

{^_^}
----- Original Message ----- 
From: "Geoff Soper" <ge...@alphaworks.co.uk>


> My current spam problem consists almost entirely of spam advertising
> watches and various pain relief products. I have a reasonable variety of
> rulesets installed including the following (it's not definitive as I don't
> have access to the server right now):
> SARE General Subject
> SARE HEADER
> SARE html0
> SARE OEM
> SARE Random
> SARE Ratware Detection
> SARE Specific
> SARE Spoof
> EvilNumber
>
> Can anyone suggest what might catch these watch and pain relief spams
> before I start writing some of my own?
>
> Thanks,
> Geoff

Re: Watches and pain relief

[Matthew Newton <mc...@leicester.ac.uk>]

Hi

On Mon, Dec 13, 2004 at 04:43:28PM -0800, jdow wrote:
> > I've seen another variant about by Matthew Newton that makes a bunch of
> > rules for both subject and body separately. I generally don't do this as
> > the body rules will match the subject line, so there's really no need,
> > other than as a score amplifier. I usually only make subject rules when a
> > body rule isn't appropriate. He's also done separate regular and
> gappy-text
> > rules, but doesn't pick up on character-sub obfuscations.. It is a decent
> > set however..
> >
> > One good rule I've seen that Matthew Newton wrote is this one:
> >
> > rawbody   UOLCC_WATCH_BODY   /^(Do you )?[Ww]ant (a )?(cheap
> > )?([Ww]ristw|[Ww])atch\?\s*$/m
> > describe  UOLCC_WATCH_BODY   Body asks if you want a watch
> > score     UOLCC_WATCH_BODY   1.5
> >
> > Very targeted, but effective with low risk of FPs.
> 
> Here is the full set of his stuff I am running. So far it has hit no ham.

I've recently updated some of these to try and match a few that were
slipping through. The UOLCC_WATCH_BODY has now been modified to accept
"rolex" in the place of "cheap", as one like that arrived the other day.
The UOLCC_HTM_HTML_URL one is slightly less picky about which characters
can appear in the "proverb" line and the "name" line, just looking for
more than 8 "words" and less than 15 "words". I figured out that it's
more the repeated URLs that will be unique to the spam, rather than the
formatting of the two text lines. Oh, and the URL can now contain 0-9
and -, too.

Didn't realise that the body test checks the subject, too, but I don't
suppose it can hurt with both tests.

Current set below.

Matthew


---------------------------------------------------------------------

header    UOLCC_ROLEX_SUB1   Subject =~ /\brolex\b/i
describe  UOLCC_ROLEX_SUB1   Subject contains the word 'rolex'
score     UOLCC_ROLEX_SUB1   0.5

header    UOLCC_ROLEX_SUB2   Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_SUB2   Subject contains a gappy version of 'rolex'
score     UOLCC_ROLEX_SUB2   1.5

body      UOLCC_ROLEX_BODY1  /\brolex\b/i
describe  UOLCC_ROLEX_BODY1  Body contains the word 'rolex'
score     UOLCC_ROLEX_BODY1  0.5

body      UOLCC_ROLEX_BODY2  /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_BODY2  Body contains a gappy version of 'rolex'
score     UOLCC_ROLEX_BODY2  1.5

rawbody   UOLCC_WATCH_BODY  /^(Do\syou\s)?[Ww]ant\s(a\s)?(rolex\s|cheap\s)?[Ww](ristw)?atch\?\s*$/m
describe  UOLCC_WATCH_BODY  Body asks if you want a watch
score     UOLCC_WATCH_BODY  2

full      UOLCC_HTM_HTML_URL /\n(http:\/\/[a-z0-9-]+\.[a-z]{3,4}\/[0-9a-f]{5,35}\/[[:alnum:]]{5,20}=?\.htm)\s*\n\s*\n\s*([^\s]+)(\s+[^\s]+){6,}\n\s*\n[^\s,.]+(\s[^\s,.]+){0,15}\n\s*\n\1l/s
describe  UOLCC_HTM_HTML_URL Matches pattern of spam mail (.htm .html)
score     UOLCC_HTM_HTML_URL 3.5

full      UOLCC_BBONE        /\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n/s
describe  UOLCC_BBONE        Contains two code lines with b, B and 1
score     UOLCC_BBONE        2

body      UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
describe  UOLCC_CAPWORD_TEST String of words that all begin with caps letter
score     UOLCC_CAPWORD_TEST 1.2

---------------------------------------------------------------------

-- 
Matthew Newton <mc...@le.ac.uk>

UNIX Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom

Re: Watches and pain relief

[Matt Kettler <mk...@comcast.net>]

At 04:43 PM 12/13/2004 -0800, jdow wrote:
>Here is the full set of his stuff I am running. So far it has hit no ham.

Yep, that's the set.. it's pretty decent stuff. The only limitation I see 
is it won't catch r0lex, rol3x, or roIex, just rolex. Hence I quickly 
hacked one up that uses the same character-substitutions and gap-clauses I 
use in antidrug. Thus far I've not seen obfu attempts on the scale of drug 
spam, but I've seen a lot of simple obfuscations like the ones above..

You could simplify my rule a bit if it bothers you by shortening the gap 
clause:
body ROLEX_BODY 
/(?:\b|\s)[_\W]{0,3}r[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}[l!|1][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}x[_\W]{0,3}(?:\b|\s)/i

becomes
body ROLEX_BODY 
/(?:\b|\s).?r.?[o0\xF2-\xF6].?[l!|1].?[e3\xE8-\xEB].?x.?(?:\b|\s)/i

But I'm really more of a fan of [_\W]{0,3} over .? when it comes to 
gapping, fewer potential FPs. I've also definitely found the 
leading/trailing gap, and the (?:\b|\s) at the beginning and end help a 
lot. Particularly for words like __R_O_L_E_X__ which won't hit the standard 
.?'s in the middle with \b's on each end. (_ is a word-character, so X_ 
doesn't match \b after the X)

Re: Watches and pain relief

[jdow <jd...@earthlink.net>]

From: "Matt Kettler" <mk...@evi-inc.com>

> At 05:51 PM 12/13/2004, Geoff Soper wrote:
> >My current spam problem consists almost entirely of spam advertising
> >watches and various pain relief products. I have a reasonable variety of
> >rulesets installed including the following (it's not definitive as I
don't
> >have access to the server right now):
> >SARE General Subject
> >SARE HEADER
> >SARE html0
> >SARE OEM
> >SARE Random
> >SARE Ratware Detection
> >SARE Specific
> >SARE Spoof
> >EvilNumber
> >
> >Can anyone suggest what might catch these watch and pain relief spams
> >before I start writing some of my own?
>
> What version of SA do you use? If 2.6x, look at antidrug for the pain
> relief side.
>
>

...

> I've seen another variant about by Matthew Newton that makes a bunch of
> rules for both subject and body separately. I generally don't do this as
> the body rules will match the subject line, so there's really no need,
> other than as a score amplifier. I usually only make subject rules when a
> body rule isn't appropriate. He's also done separate regular and
gappy-text
> rules, but doesn't pick up on character-sub obfuscations.. It is a decent
> set however..
>
> One good rule I've seen that Matthew Newton wrote is this one:
>
> rawbody   UOLCC_WATCH_BODY   /^(Do you )?[Ww]ant (a )?(cheap
> )?([Ww]ristw|[Ww])atch\?\s*$/m
> describe  UOLCC_WATCH_BODY   Body asks if you want a watch
> score     UOLCC_WATCH_BODY   1.5
>
> Very targeted, but effective with low risk of FPs.

Here is the full set of his stuff I am running. So far it has hit no ham.
--8<--
header    UOLCC_ROLEX_SUB1   Subject =~ /\brolex\b/i
describe  UOLCC_ROLEX_SUB1   Subject contains the word 'rolex'
score     UOLCC_ROLEX_SUB1   0.5

header    UOLCC_ROLEX_SUB2   Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_SUB2   Subject contains a gappy version of 'rolex'
score     UOLCC_ROLEX_SUB2   1.5

body      UOLCC_ROLEX_BODY1  /\brolex\b/i
describe  UOLCC_ROLEX_BODY1  Body contains the word 'rolex'
score     UOLCC_ROLEX_BODY1  0.5

body      UOLCC_ROLEX_BODY2  /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_BODY2  Body contains a gappy version of 'rolex'
score     UOLCC_ROLEX_BODY2  1.5

rawbody   UOLCC_WATCH_BODY   /^(Do you )?[Ww]ant
(a )?(cheap )?([Ww]ristw|W)atch\?\s*$/m
describe  UOLCC_WATCH_BODY   Body asks if you want a watch
score     UOLCC_WATCH_BODY   2

#Checking messages with two lines of just b, B, space and 1 in them.
#Seems to be some sort of code used in spam, maybe:

full      UOLCC_BBONE        /\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n/s
describe  UOLCC_BBONE        Contains two code lines with b, B and 1
score     UOLCC_BBONE        2

#Checking one particular type of spam that has a URL (that follows a
#certain pattern, ends .htm), blank line, line of proverb or something,
#blank, line of name, blank, exact same URL with "l" on the end (i.e.
#ends .html). I guess the rules should be small, but this one has picked
#up loads of spam for me:

full      UOLCC_HTM_HTML_URL
/\n(http:\/\/[a-z]+\.[a-z]{3,4}\/[0-9a-f]{5,35}\/[[:alnum:]]{5,20}=?\.htm)\s
\n\s*\n[[:alnum:]\?\.',\s:,-]+\n\s*\n[^\s,.]+(\s[^\s,.]+){0,15}\n\s*\n\1l/s
describe  UOLCC_HTM_HTML_URL Matches pattern of spam mail (.htm .html)
score     UOLCC_HTM_HTML_URL 3.5
--8<--

{^_^}

Re: Watches and pain relief

[Matt Kettler <mk...@evi-inc.com>]

At 05:51 PM 12/13/2004, Geoff Soper wrote:
>My current spam problem consists almost entirely of spam advertising
>watches and various pain relief products. I have a reasonable variety of
>rulesets installed including the following (it's not definitive as I don't
>have access to the server right now):
>SARE General Subject
>SARE HEADER
>SARE html0
>SARE OEM
>SARE Random
>SARE Ratware Detection
>SARE Specific
>SARE Spoof
>EvilNumber
>
>Can anyone suggest what might catch these watch and pain relief spams
>before I start writing some of my own?

What version of SA do you use? If 2.6x, look at antidrug for the pain 
relief side.


You could do an antidrug-eque version of a rolex rule...

Something like this:

body    __ROLEX_PLAIN   /rolex/i
body 
ROLEX_BODY 
/(?:\b|\s)[_\W]{0,3}r[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}[l!|1][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}x[_\W]{0,3}(?:\b|\s)/i
describe ROLEX_BODY     refers to a rolex in body or subject
score ROLEX_BODY                0.5

meta ROLEX_OBFU (ROLEX_BODY && !__ROLEX_PLAIN)
describe ROLEX_OBFU     obfuscated rolex reference
score ROLEX_OBFU        2.0

(note: OBFU fires in cascade with BODY, so an obfuscated rolex reference 
will hit for 2.5)

I've seen another variant about by Matthew Newton that makes a bunch of 
rules for both subject and body separately. I generally don't do this as 
the body rules will match the subject line, so there's really no need, 
other than as a score amplifier. I usually only make subject rules when a 
body rule isn't appropriate. He's also done separate regular and gappy-text 
rules, but doesn't pick up on character-sub obfuscations.. It is a decent 
set however..

One good rule I've seen that Matthew Newton wrote is this one:

rawbody   UOLCC_WATCH_BODY   /^(Do you )?[Ww]ant (a )?(cheap 
)?([Ww]ristw|[Ww])atch\?\s*$/m
describe  UOLCC_WATCH_BODY   Body asks if you want a watch
score     UOLCC_WATCH_BODY   1.5

Very targeted, but effective with low risk of FPs.