Posted to users@spamassassin.apache.org by Jonathan Nichols <jn...@pbp.net> on 2005/12/15 19:09:38 UTC

geocities.yahoo.com.br rule help

Ok, I gave it a shot..

This rule *does* work.

uri GEOCITIES             /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
describe GEOCITIES        High amounts of spam from Geocities.
score GEOCITIES  6.01


This rule does NOT work.

uri GEOCITIES_YAHOO       /^http:\/\/[a-z0-9-]{1,30}\.geocities\.yahoo\.com\.br\b/i
describe GEOCITIES_YAHOO        High amounts of spam from Geocities.
score GEOCITIES_YAHOO  6.01


My regexp foo is nonexistent, but at least I *did* try. Can someone 
tell me what went wrong? :-)

(I get a LOT of spam with geocities dot yahoo dot com dot br slipping 
through. Bayes isn't catching it. One slipped through earlier..

X-Spam-Status: No, score=1.951 tagged_above=-999 required=6
  tests=[DATE_IN_FUTURE_06_12=1.498, SARE_SUB_GETRID=0.151,
  SARE_SUB_MISC_1=0.302]


Re: geocities.yahoo.com.br rule help

Posted by Matt Kettler <mk...@evi-inc.com>.
Jonathan Nichols wrote:
> 
>>
>> But that's not the format, there's nothing between the / and the
>> geocities.
>>
>> Try this regex instead:
>>
>> /^http:\/\/geocities\.yahoo\.com\.br\b/i
> 
> 
> Cool, I shall try that. Thanks! For some reason, I thought one had
> www.geocities.yahoo.com.br in it, but I could be mistaken.
> 

Well then you can stick (?:www\.)? in between the / and geocities. However, the
original code would require the . and at least one letter, so it would never
match one that didn't have any prefix.

/^http:\/\/(?:www\.)?geocities\.yahoo\.com\.br\b/i

Re: geocities.yahoo.com.br rule help

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jonathan Nichols wrote:
> 
>>
>> But that's not the format, there's nothing between the / and the 
>> geocities.
>>
>> Try this regex instead:
>>
>> /^http:\/\/geocities\.yahoo\.com\.br\b/i
> 
> Cool, I shall try that. Thanks! For some reason, I thought one had 
> www.geocities.yahoo.com.br in it, but I could be mistaken.

[dos@latitude ~]$ host www.geocities.yahoo.com.br
Host www.geocities.yahoo.com.br not found: 3(NXDOMAIN)



Re: geocities.yahoo.com.br rule help

Posted by Jonathan Nichols <jn...@pbp.net>.
> 
> But that's not the format, there's nothing between the / and the geocities.
> 
> Try this regex instead:
> 
> /^http:\/\/geocities\.yahoo\.com\.br\b/i

Cool, I shall try that. Thanks! For some reason, I thought one had 
www.geocities.yahoo.com.br in it, but I could be mistaken.


Re: geocities.yahoo.com.br rule help

Posted by Jonathan Nichols <jn...@pbp.net>.
> Try this regex instead:
> 
> /^http:\/\/geocities\.yahoo\.com\.br\b/i

hahaha, this worked - and it tagged that broken autoresponder we've been 
seeing.

	boundary="--=ce94da72-0632-49d0-99bb-3f8c8149300b"
X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
X-Spam-Status: Yes, score=9.704 tagged_above=-999 required=6
  tests=[GEOCITIES_YAHOO=6.01, NO_REAL_NAME=0.55, SARE_SUB_BULK_EMAIL=0.144,
  VIRUS_WARNING395=3]
X-Spam-Score: 9.704
X-Spam-Level: *********
X-Spam-Flag: YES

:-D

Re: geocities.yahoo.com.br rule help

Posted by Matt Kettler <mk...@evi-inc.com>.
Jonathan Nichols wrote:
> Ok, I gave it a shot..
> 
> This rule *does* work.
> 
> uri GEOCITIES             /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
> describe GEOCITIES        High amounts of spam from Geocities.
> score GEOCITIES  6.01
> 
> 
> This rule does NOT work.
> 
> uri GEOCITIES_YAHOO       /^http:\/\/[a-z0-9-]{1,30}\.geocities\.yahoo\.com\.br\b/i
> describe GEOCITIES_YAHOO        High amounts of spam from Geocities.
> score GEOCITIES_YAHOO  6.01
> 
> 
> My regexp foo is nonexistent, but at least I *did* try. Can someone
> tell me what went wrong? :-)

Ok, I did look around and found an example:

These particular links look like:

http://geocities.yahoo.com.br/xxxxxxxxx/

Obviously, neither of the above rules will match.

The problem with the second rule is that it's looking for
http://xxxxxxx.geocities.yahoo.com.br/

But that's not the format, there's nothing between the / and the geocities.

Try this regex instead:

/^http:\/\/geocities\.yahoo\.com\.br\b/i
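
Added example, not part of any post in this thread: a small Python harness that runs the three GEOCITIES_YAHOO patterns quoted in the thread (the original, Matt's fix, and the `(?:www\.)?` variant) against sample URIs, to show which URL shapes each one catches. The sample URIs and the rule labels are constructed for illustration, and the harness only applies the regexes to plain strings; it does not reproduce SpamAssassin's own URI extraction.

```python
import re

# Patterns copied from the thread; Perl's /.../i becomes re.I here.
# The dictionary keys are labels invented for this example.
RULES = {
    "GEOCITIES_YAHOO_original":
        r"^http:\/\/[a-z0-9-]{1,30}\.geocities\.yahoo\.com\.br\b",
    "GEOCITIES_YAHOO_fixed":
        r"^http:\/\/geocities\.yahoo\.com\.br\b",
    "GEOCITIES_YAHOO_www_optional":
        r"^http:\/\/(?:www\.)?geocities\.yahoo\.com\.br\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://geocities.yahoo.com.br/xxxxxxxxx/",      # no prefix: the format Matt found
    "http://www.geocities.yahoo.com.br/xxxxxxxxx/",  # www prefix
    "http://xxxxxxx.geocities.yahoo.com.br/",        # what the original rule expects
    "HTTP://GEOCITIES.YAHOO.COM.BR/xxxxxxxxx/",      # /i makes case irrelevant
    "https://geocities.yahoo.com.br/xxxxxxxxx/",     # scheme is anchored to http:
    "http://geocities.yahoo.com.br.example.test/",   # \b is satisfied by the next "."
    "http://geocities.yahoo.com.brx/",               # \b rejects a letter after "br"
]


def hits(uri):
    """Return the sorted labels of the rules whose pattern matches this URI."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(uri))


def report():
    """Map every sample URI to the rules that fire on it."""
    return {uri: hits(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, names in report().items():
        print(f"{uri:48} {', '.join(names) or '(no rule fires)'}")
```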

Re[2]: geocities.yahoo.com.br rule help

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Jonathan,

Thursday, December 15, 2005, 11:12:23 AM, you wrote:


>> Have you tried the 70_sare_specific.cf filter?  I am not sure it will catch
>> that specific problem but it catches spam with geocities and tripod URLs for
>> me.

JN> Yeah, I'm using that list. It's been great, but the *.br one kept 
JN> getting through.

JN> I DID see THIS in there, though..

JN> header    SARE_SPEC_CLIENT_TOS2    From =~ m'\bscomp\@aol.net'i
JN> describe  SARE_SPEC_CLIENT_TOS2    known spammer address
JN> score     SARE_SPEC_CLIENT_TOS2    2.222

JN> scomp@aol.net is the AOL Postmaster feedback loop address. I don't think
JN>   that one oughta be in there.. unless spammers are forging it. Eeeek!

Yes, it seems to me here that spammers are forging it -- I'm getting
spam to addresses that have not requested the AOL feedback with these
symptoms.  I'm hoping to have an update to specific.cf shortly which
will either tighten up the rule to catch only the forgeries, or do
away with it altogether (and let the spammers win until we find a better
way).

Bob Menschel




Re: geocities.yahoo.com.br rule help

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jonathan Nichols wrote:
> 
>> Have you tried the 70_sare_specific.cf filter?  I am not sure it will 
>> catch that specific problem but it catches spam with geocities and 
>> tripod URLs for me.
> 
> Yeah, I'm using that list. It's been great, but the *.br one kept 
> getting through.
> 
> I DID see THIS in there, though..
> 
> header    SARE_SPEC_CLIENT_TOS2    From =~ m'\bscomp\@aol.net'i
> describe  SARE_SPEC_CLIENT_TOS2    known spammer address
> score     SARE_SPEC_CLIENT_TOS2    2.222
> 
> scomp@aol.net is the AOL Postmaster feedback loop address. I don't think 
>  that one oughta be in there.. unless spammers are forging it. Eeeek!

This came up the other day (or week).  Apparently no one at SARE was 
aware of the 'legit' scomp mail but had seen spam with this address forged.

If you're using SA 3.1, I'd keep this rule and add a whitelist_from_spf 
scomp@aol.net entry to whitelist mail verified by AOL's SPF records.


Daryl


Re: geocities.yahoo.com.br rule help

Posted by Jonathan Nichols <jn...@pbp.net>.
> Have you tried the 70_sare_specific.cf filter?  I am not sure it will catch 
> that specific problem but it catches spam with geocities and tripod URLs for 
> me.

Yeah, I'm using that list. It's been great, but the *.br one kept 
getting through.

I DID see THIS in there, though..

header    SARE_SPEC_CLIENT_TOS2    From =~ m'\bscomp\@aol.net'i
describe  SARE_SPEC_CLIENT_TOS2    known spammer address
score     SARE_SPEC_CLIENT_TOS2    2.222

scomp@aol.net is the AOL Postmaster feedback loop address. I don't think 
  that one oughta be in there.. unless spammers are forging it. Eeeek!


Re: geocities.yahoo.com.br rule help

Posted by Pollywog <li...@shadypond.com>.
On 12/15/2005 06:09 pm, Jonathan Nichols wrote:
> Ok, I gave it a shot..
>
> This rule *does* work.
>
> uri GEOCITIES             /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
> describe GEOCITIES        High amounts of spam from Geocities.
> score GEOCITIES  6.01
>


Have you tried the 70_sare_specific.cf filter?  I am not sure it will catch 
that specific problem but it catches spam with geocities and tripod URLs for 
me.


8)

RE: SA not using SARE rules?

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Hi

So a "spamassassin -D --lint" for a first stab at debugging.

You don't mention how you are calling SA, so maybe there's file permission
issues?????


--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: JP Kelly [mailto:listuser@jpkvideo.net]
> Sent: 16 December 2005 05:31
> To: SpamAssassin
> Cc: Robert Menschel
> Subject: SA not using SARE rules?
> 
> It seems SA is not using the SARE rulesets for me?
> I see no mention of SARE in any of my tagged spam.
> I have been using rules_du_jour and downloading current rulesets.
> Any ideas why SA would not be using SARE rulesets?




SA not using SARE rules?

Posted by JP Kelly <li...@jpkvideo.net>.
It seems SA is not using the SARE rulesets for me?
I see no mention of SARE in any of my tagged spam.
I have been using rules_du_jour and downloading current rulesets.
Any ideas why SA would not be using SARE rulesets?

Re: geocities.yahoo.com.br rule help

Posted by Jonathan Nichols <jn...@pbp.net>.
Matt Kettler wrote:
> Jonathan Nichols wrote:
> 
>>Ok, I gave it a shot..
>>
>>This rule *does* work.
>>
>>uri GEOCITIES             /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
>>describe GEOCITIES        High amounts of spam from Geocities.
>>score GEOCITIES  6.01
>>
>>
>>This rule does NOT work.
>>
>>uri GEOCITIES_YAHOO       /^http:\/\/[a-z0-9-]{1,30}\.geocities\.yahoo\.com\.br\b/i
>>describe GEOCITIES_YAHOO        High amounts of spam from Geocities.
>>score GEOCITIES_YAHOO  6.01
>>
>>
>>My regexp foo is nonexistent, but at least I *did* try. Can someone
>>tell me what went wrong? :-)
> 
> 
> 
> Can you post a sample URI that failed to match?
> 
> If the first rule matches, and the second rule doesn't, I can conclude that the
> URI definitely does NOT contain the string geocities.yahoo.com.br. If it did,
> the first rule would not match.

I'll post it the next time one shows up.. the cron job that feeds spam 
to Bayes picked it up out of the training folder and ate it. :-)


Re: geocities.yahoo.com.br rule help

Posted by Matt Kettler <mk...@evi-inc.com>.
Jonathan Nichols wrote:
> Ok, I gave it a shot..
> 
> This rule *does* work.
> 
> uri GEOCITIES             /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
> describe GEOCITIES        High amounts of spam from Geocities.
> score GEOCITIES  6.01
> 
> 
> This rule does NOT work.
> 
> uri GEOCITIES_YAHOO       /^http:\/\/[a-z0-9-]{1,30}\.geocities\.yahoo\.com\.br\b/i
> describe GEOCITIES_YAHOO        High amounts of spam from Geocities.
> score GEOCITIES_YAHOO  6.01
> 
> 
> My regexp foo is nonexistent, but at least I *did* try. Can someone
> tell me what went wrong? :-)


Can you post a sample URI that failed to match?

If the first rule matches, and the second rule doesn't, I can conclude that the
URI definitely does NOT contain the string geocities.yahoo.com.br. If it did,
the first rule would not match.