Posted to users@spamassassin.apache.org by JP Kelly <li...@jpkvideo.net> on 2008/01/21 18:06:32 UTC

google spams

Enough is enough!
SA has been working so well for me all these years I guess I am spoiled.
I woke up this morning and had 5 Google spams and one legit email and  
I've had it.

I noticed a somewhat lengthy discussion on the subject here.
I am not able to write my own rules or regex.
Is there a quick and dirty way to give these spams a higher score?
I am using SA 3.2.3 and these messages typically score around 4.5.

Thanks.
  

Re: google spams

Posted by David Gibbs <da...@midrange.com>.
mouss wrote:
> uri GOOGLE_SEARCH_BTNI    m{gooo?gle\..*/search.*btnI=}

Lose the last equals sign, I've seen similar samples come through 
without it.

david


Re: google spams

Posted by mouss <mo...@netoyen.net>.
JP Kelly wrote:
>
>
>
> From:     Avis.Hathaway@thinkexist.com
> Subject:     She'll Beg for More..
> Date:     January 21, 2008 10:34:15 AM PST
> To:     jp@jpkvideo.com
> Return-Path:     <av...@bloggingstocks.com>
> Delivered-To:     33-jpkelly@jpkvideo.net
> Delivered-To:     7-jp@jpkvideo.com
> X-Spam-Checker-Version:     SpamAssassin 3.2.3 (2007-08-08) on 
> jpkvideo.net
> X-Spam-Level:     ****
> X-Spam-Status:     No, score=4.5 required=5.0 
> tests=BAYES_99,MISSING_MID, RCVD_IN_PBL,RDNS_DYNAMIC autolearn=no 
> version=3.2.3
> Received:     (qmail 8030 invoked by uid 110); 21 Jan 2008 08:35:21 -0800
> Received:     (qmail 7999 invoked from network); 21 Jan 2008 08:35:20 
> -0800
> Received:     from 190.75-207-15.dyn.dsl.cantv.net (HELO 
> equipo05.cantv.net) (190.75.207.15) by smallgod.com with SMTP; 21 Jan 
> 2008 08:35:19 -0800
> Received-Spf:     none (smallgod.com: domain at bloggingstocks.com 
> does not designate permitted sender hosts)
> Content-Transfer-Encoding:     7bit
>
> body:
> ------------------------------
>
> Mon, 21 Jan 2008 17:34:15 -0100
>
> http://google.com//search?hl=en&q=inurl:rhtawy.com%2BVPXL%2BMade%2BEasy&btnI=79547 
>

so that's similar to the one discussed in the thread
    "Re: Googlepages & Livefilestore spams"
see that thread and look for a message by Ben Lentz (10-10-2008 04:56).

maybe something like this (Warning: untested):

uri GOOGLE_SEARCH_BTNI    m{gooo?gle\..*/search.*btnI=}
score GOOGLE_SEARCH_BTNI  2.0
describe GOOGLE_SEARCH_BTNI  contains


PS. who is smallgod.com? I would block the blasphematory MTA ;-p
If it's your MTA, then see if the PBL is safe for you to use at the MTA 
level.
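
[Added example, not part of the original thread or anyone's post.] The uri rule posted above and the variant without the trailing equals sign, run over the sample URI from this thread plus three constructed URIs, to show what each variant does and does not match. It assumes Python's re.search behaves like SpamAssassin's unanchored uri match for these patterns, which use no Perl-only syntax; the rule names in the script are hypothetical.

```python
import re

# The two variants discussed in the thread, as Python regexes.
# Names are hypothetical labels for this example, not SpamAssassin rule names.
RULES = {
    "BTNI_WITH_EQUALS": re.compile(r"gooo?gle\..*/search.*btnI="),  # rule as posted
    "BTNI_NO_EQUALS": re.compile(r"gooo?gle\..*/search.*btnI"),     # trailing '=' dropped
}

# (label, uri). Only the first URI comes from the thread; the rest are constructed.
SAMPLES = [
    ("thread sample",
     "http://google.com//search?hl=en&q=inurl:rhtawy.com%2BVPXL%2BMade%2BEasy&btnI=79547"),
    ("btnI without a value (constructed)",
     "http://www.google.com/search?q=inurl:spam.example&btnI"),
    ("ordinary search (constructed)",
     "http://www.google.com/search?hl=en&q=spamassassin+rules"),
    ("google. in the path of another host (constructed)",
     "http://mirror.example/google.com/search?btnI=1"),
]


def hits(uri):
    """Return the sorted names of the rule variants that match this URI."""
    return sorted(name for name, rx in RULES.items() if rx.search(uri))


def report():
    """Map each sample label to the list of variants that fire on it."""
    return {label: hits(uri) for label, uri in SAMPLES}


if __name__ == "__main__":
    for label, fired in report().items():
        print(f"{label:52s} {', '.join(fired) or '(no hit)'}")
```

The last sample hits both variants because the pattern is not anchored to the host part of the URI, which is worth knowing before raising the score.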



Re: google spams

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 21 Jan 2008, JP Kelly wrote:

> > JP Kelly wrote:
> 
> >> I am not able to write my own rules or regex.

Does that mean "I don't know how to write regular expressions", or "my
SA install doesn't permit me to add rules"?

If the former, then the rules I and others have posted over the past
week will work. Use my rule, or the rulesets others have posted.

If the latter, then ask whoever *can* add rules to your SA to add some 
google rules - point them at the list archives.

If you do have the administrative rights to add rules but you don't
know how to do that, that's another topic - "how do I add custom
rules?" - that has nothing to do with Google spams per se.
 
> http://google.com//search?hl=en&q=inurl:rhtawy.com%2BVPXL%2BMade%2BEasy&btnI=79547

Yeah, that's what we've posted rules for.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  USMC Rules of Gunfighting #20: The faster you finish the fight,
  the less shot you will get.
-----------------------------------------------------------------------
 Today: John Moses Browning's 153rd Birthday


Re: google spams

Posted by JP Kelly <li...@jpkvideo.net>.
On Jan 21, 2008, at 9:26 AM, mouss wrote:

> JP Kelly wrote:
>> Enough is enough!
>> SA has been working so well for me all these years I guess I am  
>> spoiled.
>> I woke up this morning and had 5 Google spams and one legit email  
>> and I've had it.
>>
>> I noticed a somewhat lengthy discussion on the subject here.
>> I am not able to write my own rules or regex.
>> Is there a quick and dirty way to give these spams a higher score?
>> I am using SA 3.2.3 and these messages typically score around 4.5.
>
>
> show samples. Otherwise, it's hard to know that everybody is talking  
> about the same spam.


here is a typical example:
------------------------------

headers:
------------------------------

From: 	Avis.Hathaway@thinkexist.com
Subject: 	She'll Beg for More..
Date: 	January 21, 2008 10:34:15 AM PST
To: 	jp@jpkvideo.com
Return-Path: 	<av...@bloggingstocks.com>
Delivered-To: 	33-jpkelly@jpkvideo.net
Delivered-To: 	7-jp@jpkvideo.com
X-Spam-Checker-Version: 	SpamAssassin 3.2.3 (2007-08-08) on jpkvideo.net
X-Spam-Level: 	****
X-Spam-Status: 	No, score=4.5 required=5.0 tests=BAYES_99,MISSING_MID,  
RCVD_IN_PBL,RDNS_DYNAMIC autolearn=no version=3.2.3
Received: 	(qmail 8030 invoked by uid 110); 21 Jan 2008 08:35:21 -0800
Received: 	(qmail 7999 invoked from network); 21 Jan 2008 08:35:20 -0800
Received: 	from 190.75-207-15.dyn.dsl.cantv.net (HELO  
equipo05.cantv.net) (190.75.207.15) by smallgod.com with SMTP; 21 Jan  
2008 08:35:19 -0800
Received-Spf: 	none (smallgod.com: domain at bloggingstocks.com does  
not designate permitted sender hosts)
Content-Transfer-Encoding: 	7bit

body:
------------------------------

Mon, 21 Jan 2008 17:34:15 -0100

http://google.com//search?hl=en&q=inurl:rhtawy.com%2BVPXL%2BMade%2BEasy&btnI=79547

Re: google spams

Posted by mouss <mo...@netoyen.net>.
JP Kelly wrote:
> Enough is enough!
> SA has been working so well for me all these years I guess I am spoiled.
> I woke up this morning and had 5 Google spams and one legit email and 
> I've had it.
>
> I noticed a somewhat lengthy discussion on the subject here.
> I am not able to write my own rules or regex.
> Is there a quick and dirty way to give these spams a higher score?
> I am using SA 3.2.3 and these messages typically score around 4.5.


show samples. Otherwise, it's hard to know that everybody is talking 
about the same spam.