Posted to users@spamassassin.apache.org by Monty Ree <ch...@hotmail.com> on 2006/10/17 09:30:01 UTC

How to detect this spam..

Hello..

I have received lots of spam mails like below...

S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!
WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!

So I would like to make a rule to detect spam which uses a blank for each
character (over 3 characters) like below..

S(blank) B(blank) N(blank)

Anyone who can make this rule?


Thanks...



Re: How to detect this spam..

Posted by Matt Kettler <mk...@verizon.net>.
Monty Ree wrote:
> Hello..
>
> I have received lots of spam mails like below...
>
> S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!
> WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!
>
> So I would like to make a rule to detect spam which use blank for each
> characters(over 3 characters) like below..
>
> S(blank) B(blank) N(blank)
>
> Anyone who can make this rule?
Here's the regex that would do it. I've also made it caps-specific to
try to avoid FP cases. It may still FP on some "text message" style
abbreviated text, but I can't think of one off the top of my head that
would hit. But things like "Hi R U Mike" come pretty close.

/(?:[A-Z] ){3}/



Re: *****SPAM***** How to detect this spam..

Posted by "M.Lewis" <ca...@cajuninc.com>.
Monty Ree wrote:
> Hello..
> 
> I have received lots of spam mails like below...
> 
> S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!
> WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!
> 
> So I would like to make a rule to detect spam which use blank for each 
> characters(over 3 characters) like below..
> 
> S(blank) B(blank) N(blank)
> 
> Anyone who can make this rule?
> 
> 
> Thanks...
> 


70_sare_stocks.cf

http://www.rulesemporium.com/rules/70_sare_stocks.cf

HTH,
Mike


-- 

 Stock item: We shipped it once before, and we can do it again, probably.
  01:30:01 up 6 days,  2:21,  8 users,  load average: 0.19, 0.12, 0.09

 Linux Registered User #241685  http://counter.li.org

Re: How to detect this spam..

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jonas Eckerman wrote:

> *If* the system is set up to use the SPF plugin *and* enable/allow user 
> rules, it should still be possible for an end user to "whitelist_from_spf".

You don't need to enable user rules for whitelist_from_spf, or any other 
whitelist method, to work.

Daryl

Re: How to detect this spam..

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 19 Oct 2006, Jonas Eckerman wrote:

> Come to think of it, it *might* be a good idea for the official ruleset to include:
> 
> ifplugin Mail::SpamAssassin::Plugin::SPF
> whitelist_from_spf *@spamassassin.apache.org
> endif

+1

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
 12 days until Halloween


Re: How to detect this spam..

Posted by Jonas Eckerman <jo...@frukt.org>.
Jo Rhett wrote:

>>> You can only exclude the mailing list if you're running SA from  
>>> procmail or .forward or something like that.

>> No. You can exclude it in other situations as well.

> I was referring to the knobs available for tweaking by an end user.

Ah. Yes, that limits the possibilities. I have a tendency to see things from an admin's or programmer's perspective.

*If* the system is set up to use the SPF plugin *and* enable/allow user rules, it should still be possible for an end user to "whitelist_from_spf".

Come to think of it, it *might* be a good idea for the official ruleset to include:

ifplugin Mail::SpamAssassin::Plugin::SPF
whitelist_from_spf *@spamassassin.apache.org
endif

Regards
/Jonas

-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/


Re: How to detect this spam..

Posted by Jo Rhett <jr...@netconsonance.com>.
Jonas Eckerman wrote:
> Jo Rhett wrote:
>> You can only exclude the mailing list if you're running SA from  
>> procmail or .forward or something like that.
> 
> No. You can exclude it in other situations as well.
> 
>> Usually it's running on the MX hosts.
> 
> We're using SA on our MX host, daemonized in MIMEDefang (a milter).
> We're excluding SPF verified mail from "*@*.apache.org", as well as mail 
> from "209.237.227.199" (hermes.apache.org), from the SA test.
> 
> Just because some software running in some MX hosts can't do this kind 
> of thing, it doesn't mean that no software in MX hosts can.

I'm sorry, I guess I should have rephrased that to say that "unless you 
have root access..."  Obviously anyone with root access can accomplish 
anything they want.  Duh.  That's an obvious in any situation.

I was referring to the knobs available for tweaking by an end user.

-- 
Jo Rhett
Network/Software Engineer
Net Consonance

Re: How to detect this spam..

Posted by Jonas Eckerman <jo...@frukt.org>.
Jo Rhett wrote:
> You can only exclude the mailing list if you're running SA from  
> procmail or .forward or something like that.

No. You can exclude it in other situations as well.

> Usually it's running on the MX hosts.

We're using SA on our MX host, daemonized in MIMEDefang (a milter).
We're excluding SPF verified mail from "*@*.apache.org", as well as mail from "209.237.227.199" (hermes.apache.org), from the SA test.

Just because some software running in some MX hosts can't do this kind of thing, it doesn't mean that no software in MX hosts can.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/


Re: How to detect this spam..

Posted by Bob McClure Jr <bo...@bobcatos.com>.
On Tue, Oct 17, 2006 at 09:56:13PM -0700, Jo Rhett wrote:
> On Oct 17, 2006, at 6:53 PM, John D. Hardin wrote:
> >Anyone who runs the SA mailing list through SA deserves what they
> >get... :)
> 
> You can only exclude the mailing list if you're running SA from  
> procmail or .forward or something like that.  I haven't seen a  
> company (or individual actually) who still does this in a long time.   
> Usually it's running on the MX hosts.

Hmm, I and my three clients must be living in the backwaters.  We run
SA out of procmail.  Per-user Bayes, too.  Works fine.

> So given that scenario, what do you perceive as the problem?
> 
> -- 
> Jo Rhett
> Senior Network Engineer
> Network Consonance

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
bob@bobcatos.com             http://www.bobcatos.com
"Where you go in the hereafter depends on what you were after here."
  - Thanks to Graffiti, 2 March 2004

Re: How to detect this spam..

Posted by Jo Rhett <jr...@netconsonance.com>.
On Oct 17, 2006, at 6:53 PM, John D. Hardin wrote:
> Anyone who runs the SA mailing list through SA deserves what they
> get... :)

You can only exclude the mailing list if you're running SA from  
procmail or .forward or something like that.  I haven't seen a  
company (or individual actually) who still does this in a long time.   
Usually it's running on the MX hosts.

So given that scenario, what do you perceive as the problem?

-- 
Jo Rhett
Senior Network Engineer
Network Consonance


RE: How to detect this spam..

Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 18 Oct 2006, Christopher Martin wrote:

> Also, be careful about putting samples out of spam in your mails.
> Sometimes people might actually pick you up as the spam, and,
> potentially worse, train their Bayesian filters to exclude you,
> automatically.

Anyone who runs the SA mailing list through SA deserves what they
get... :)

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
 14 days until Halloween


RE: How to detect this spam..

Posted by Christopher Martin <ch...@ebit.com.au>.
The regex would be:

[a-zA-Z]\s[a-zA-Z]\s[a-zA-Z]\s

So, (IIRC) the rule could be:

body   LOCAL_GAPPY_WORDS   /[a-zA-Z]\s[a-zA-Z]\s[a-zA-Z]\s/
score  LOCAL_GAPPY_WORDS   2

Try it with a low score to start with. I use the LOCAL_ prefix for any rules
I put into local.cf.

But, I am sure that the Rules or Rules Du Jour pack would include a rule
about this. I use these from FreeBSD ports, so I would expect there would be
an apt-get/yum equivalent for the Linux users out there.

If anything, try and find the rule that covers this and then up its score in
local.cf.

Also, be careful about putting samples out of spam in your mails. Sometimes
people might actually pick you up as the spam, and, potentially worse, train
their Bayesian filters to exclude you, automatically.

> -----Original Message-----
> From: Monty Ree [mailto:chulmin2@hotmail.com]
> Sent: Tuesday, 17 October 2006 5:30 PM
> To: users@spamassassin.apache.org
> Subject: How to detect this spam..
>
>
> Hello..
>
> I have received lots of spam mails like below...
>
> S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!
> WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!
>
> So I would like to make a rule to detect spam which use blank
> for each
> characters(over 3 characters) like below..
>
> S(blank) B(blank) N(blank)
>
> Anyone who can make this rule?
>
>
> Thanks...
>
>
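
Added example, not part of the original thread: a small Python harness that runs the two regexes posted above against the spam lines quoted in the thread and a few constructed benign lines, to compare hits and false positives before a score is assigned. The `BOUNDED` pattern is a hypothetical variant introduced here, not a rule from any poster or from SpamAssassin; the constructs used behave the same in Perl and in Python's `re`.

```python
import re

# Caps-only pattern as posted by Matt Kettler.
CAPS_ONLY = re.compile(r"(?:[A-Z] ){3}")
# Any-case pattern as posted by Christopher Martin, classes written as [a-zA-Z].
ANY_CASE = re.compile(r"[a-zA-Z]\s[a-zA-Z]\s[a-zA-Z]\s")
# Hypothetical variant (assumption, not from the thread): each capital must be
# a stand-alone one-letter word, and no trailing space is required.
BOUNDED = re.compile(r"\b[A-Z](?: [A-Z]\b){2,}")

# First two lines are the spam quoted in the thread; the rest are constructed.
SAMPLES = [
    ("spam", "S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!"),
    ("spam", "WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!"),
    ("spam", "Buy X Y Z"),                # spaced ticker at end of text
    ("ham", "Hi R U Mike"),               # the near-miss named in the thread
    ("ham", "TAKE VITAMIN A B AND C"),    # all-caps text with two single letters
]


def evaluate(pattern):
    """Return (spam lines hit, ham lines hit) for one compiled pattern."""
    spam_hits = 0
    ham_hits = 0
    for label, text in SAMPLES:
        if pattern.search(text):
            if label == "spam":
                spam_hits += 1
            else:
                ham_hits += 1
    return spam_hits, ham_hits


def report():
    """Summarise every pattern as name -> (spam hits, ham hits)."""
    patterns = {"CAPS_ONLY": CAPS_ONLY, "ANY_CASE": ANY_CASE, "BOUNDED": BOUNDED}
    return {name: evaluate(p) for name, p in patterns.items()}


if __name__ == "__main__":
    for name, (spam_hits, ham_hits) in report().items():
        print(f"{name:10s} spam hits: {spam_hits}/3  ham hits: {ham_hits}/2")
```

The any-case pattern fires on "Hi R U Mike" because the trailing "i" of "Hi" counts as the first letter, and the caps-only pattern fires on the vitamin line because nothing stops the last letter of a longer word from starting the match.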