Posted to users@spamassassin.apache.org by Peter Clark <ni...@webexpress.com> on 2004/10/24 15:35:50 UTC

Ruleset to kill rolex spam

Apparently hawking Rolexes is the in thing with spammers these days.   I 
haven't seen any rulesets around that would help combat it, so I wrote 
one.

It's available at http://www.violetdreams.com/sa/rolex.cf if anyone would 
like to try it or critique it.

It was written and tested under SA 3.0.1.

Re: Ruleset to kill rolex spam

Posted by Eric Hart <eh...@hartlaser.net>.
Hi Peter, 

You use the * character in body rules.  For example, you do:

body __REAL_ROLEX_REPLICA1	/real.*replica.*role.?x/i

I got badly burned doing this sort of thing early on.  These rules
consume huge amounts of memory and processor time.  I would do
something like this instead:

body __REAL_ROLEX_REPLICA1	/real.{0,50}replica.{0,50}role.?x/i

Cordially,

Eric
ehart@npi.net

On Sun, 24 Oct 2004 06:35:50 -0700 (MST), you wrote:

>
>Apparently hawking Rolexes is the in thing with spammers these days.   I 
>haven't seen any rulesets around that would help combat it, so I wrote 
>one.
>
>It's available at http://www.violetdreams.com/sa/rolex.cf if anyone would 
>like to try it or critique it.
>
>It was written and tested under SA 3.0.1.

(Please note new personal email address)

Eric Hart
ehart@hartlaser.net
www.hartlaser.net
802-859-0808 x213 (w)
802-863-3846 (h)
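The rewrite suggested in the message above, applied across a rules file (an added example, not code from the thread or from SpamAssassin). The function names are hypothetical, and every sample rule except the first is constructed. The bounded form is also a narrower rule: it stops matching once the words are more than 50 characters apart.

```python
import re

# Constructed rules file: the first rule is the one quoted in the thread,
# the other three are made up for this example.
SAMPLE_CF = r"""
body    __REAL_ROLEX_REPLICA1  /real.*replica.*role.?x/i
body    __ROLEX_BOUNDED        /real.{0,50}replica.{0,50}role.?x/i
header  __SUBJ_ROLEX           Subject =~ /role.?x/i
rawbody __WATCH_DEAL           /watch.+\.(?:com|net)/i
"""

# Only rules written as: body|rawbody|full NAME /regex/flags are handled.
RULE_RE = re.compile(r"^\s*(?:body|rawbody|full)\s+(\S+)\s+/(.*)/[a-z]*\s*$")

def bound_wildcards(pattern, limit=50):
    """Rewrite unescaped .* as .{0,limit} and .+ as .{1,limit}.
    Escaped dots and dots inside [...] classes are left alone."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                       # escape: copy both characters
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class and pattern[i + 1:i + 2] in ("*", "+"):
            out.append(".{%d,%d}" % (0 if pattern[i + 1] == "*" else 1, limit))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)

def lint_rules(cf_text, limit=50):
    """Return (rule name, regex, bounded regex) for rules using .* or .+"""
    findings = []
    for line in cf_text.splitlines():
        m = RULE_RE.match(line)
        if m and bound_wildcards(m.group(2), limit) != m.group(2):
            findings.append((m.group(1), m.group(2), bound_wildcards(m.group(2), limit)))
    return findings

def hits(pattern, text):
    """Case-insensitive search, as the /i flag on the rules asks for."""
    return re.search(pattern, text, re.I) is not None

if __name__ == "__main__":
    for name, old, new in lint_rules(SAMPLE_CF):
        print(f"{name}: /{old}/ -> /{new}/")
```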

Re: Ruleset to kill rolex spam

Posted by Jeff Chan <je...@surbl.org>.
On Sunday, October 24, 2004, 8:43:16 AM, Fred Bacon wrote:
> On Sun, 2004-10-24 at 10:19, Chris wrote:
>> 
>> Peter, as shown below, network checks and the SURBL's have no problems 
>> picking up the Rolex stuff:

> Ah, but it is still useful for those of us waiting for a suitable moment
> to upgrade from SA 2.64 to 3.0.1.  The time-line at my place of work is
> the US Thanksgiving holiday.  While everyone else is away from work for
> the holiday, I'll be shutting down the mail server and upgrading all of
> the software, including SA.  Looking forward to using SURBL, but it will
> be a few more weeks before I can make the switch.

If you'd like, you can use Eric Kolve's SpamCopURI SA patch to get
SURBL support within SA 2.63 or 2.64:

  http://sourceforge.net/projects/spamcopuri/
  http://www.surbl.org/

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Ruleset to kill rolex spam

Posted by "Fred W. Bacon" <ba...@rigidrotor.com>.
On Sun, 2004-10-24 at 10:19, Chris wrote:
> 
> Peter, as shown below, network checks and the SURBL's have no problems 
> picking up the Rolex stuff:

Ah, but it is still useful for those of us waiting for a suitable moment
to upgrade from SA 2.64 to 3.0.1.  The time-line at my place of work is
the US Thanksgiving holiday.  While everyone else is away from work for
the holiday, I'll be shutting down the mail server and upgrading all of
the software, including SA.  Looking forward to using SURBL, but it will
be a few more weeks before I can make the switch.

The Rolex ads have been driving me crazy for the past week or so.  I
have written a number of ROLEX rules of my own, but they're pretty
crude.  I don't have much time available to devote to proper rule
design.  A failed hard drive mirror and overheated capacitors on the
motherboard have been more pressing problems in October. :-(    Bayes
has been really slow to recognize the Rolex spams, despite the fact that
I've been feeding them to sa-learn for nearly a week.

In the last month performance of my SA system has dropped from about 98%
of spam detected to only about 90% for some accounts.  I'm not sure why
the sudden increase in false negatives.

-- 
Fred W. Bacon <ba...@rigidrotor.com>
Rigid Rotor


Re: Ruleset to kill rolex spam

Posted by Chris <cp...@earthlink.net>.
On Sunday 24 October 2004 08:35 am, Peter Clark wrote:
> Apparently hawking Rolexes is the in thing with spammers these days.   I
> haven't seen any rulesets around that would help combat it, so I wrote
> one.
>
> It's available at http://www.violetdreams.com/sa/rolex.cf if anyone would
> like to try it or critique it.
>
> It was written and tested under SA 3.0.1.

Peter, as shown below, network checks and the SURBL's have no problems 
picking up the Rolex stuff:

X-Spam-DCC: neonova: cpollock 1127; Body=1 Fuz1=many Fuz2=many
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cpollock
X-Spam-Level: *************************************
X-Spam-Status: Yes, hits=37.7 required=5.0 tests=AB_URI_RBL,BAYES_99,
        BE_AMAZED,DATE_IN_FUTURE_12_24,DCC_CHECK,HTML_50_60,HTML_MESSAGE,
        JP_URI_RBL,MIME_HTML_ONLY,OB_URI_RBL,PYZOR_CHECK,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DSBL,SPAMCOP_URI_RBL,
        WS_URI_RBL autolearn=no version=2.63
X-Spam-Pyzor: Reported 2292 times.
X-Spam-Report: 
        *  0.1 BE_AMAZED BODY: Apparently, you'll be amazed
        *  0.1 HTML_MESSAGE BODY: HTML included in message
        *  1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
        *      [cf: 100]
        *  4.3 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
        *      [score: 1.0000]
        *  0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        *  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
        *  2.1 OB_URI_RBL URI's domain appears in ws database at ob.surbl.org
        *      [iyikkrpeatdocu.nteri.com is blacklisted in URI]
        [RBL at multi.surbl.org]
        *  3.0 SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org
        *      [iyikkrpeatdocu.nteri.com is blacklisted in URI]
        [RBL at multi.surbl.org]
        *  2.1 WS_URI_RBL URI's domain appears in ws database at ws.surbl.org
        *      [iyikkrpeatdocu.nteri.com is blacklisted in URI]
        [RBL at multi.surbl.org]
        *  4.0 JP_URI_RBL URI's domain appears in JP at http://www.surbl.org/lists.html
        *      [iyikkrpeatdocu.nteri.com is blacklisted in URI]
        [RBL at multi.surbl.org]
        *  5.0 AB_URI_RBL URI's domain appears in ab.surbl.org
        *      [iyikkrpeatdocu.nteri.com is blacklisted in URI]
        [RBL at ab.surbl.org]
        *  3.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        *  2.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
        *  2.7 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
        *  3.2 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
        *  3.2 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
        *      [<http://dsbl.org/listing?203.251.49.206>]

-- 
Chris
Registered Linux User 283774 http://counter.li.org
9:16am up 16:26, 1 user, load average: 0.25, 0.18, 0.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Usage: fortune -P [] -a [xsz] [Q: [file]] [rKe9] -v6[+] dataspec ... 
inputdir
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Re: Ruleset to kill rolex spam

Posted by Rakesh <ra...@netcore.co.in>.
I really don't think there is a need for a Rolex-specific ruleset; Razor, 
DCC and URI checks took care of them for me.


Peter Clark wrote:

>
> Apparently hawking Rolexes is the in thing with spammers these days.   
> I haven't seen any rulesets around that would help combat it, so I 
> wrote one.
>
> It's available at http://www.violetdreams.com/sa/rolex.cf if anyone 
> would like to try it or critique it.
>
> It was written and tested under SA 3.0.1.



-- 
Regards, 
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.

==================================================================
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
==================================================================


