Posted to users@spamassassin.apache.org by Fred T <sp...@freddyt.com> on 2006/03/22 18:33:40 UTC
Re[2]: HTML spam not detected
Hello Jean-Paul,
Here are the rules I use. I've had these rules for a few weeks, but I
just noticed today the use of extra spaces between each letter, so
here's an updated set of rules. This might be easier converted to a
replace_tags ruleset, but it works fine like it is.
body FB_CIALIS_LEO2 /C\s?[a-z]\s?I\s?[a-z]\s?A\s?[a-z]\s?L\s?[a-z]\s?[il]\s?[a-z]\s?S/
score FB_CIALIS_LEO2 1.669
#counts FB_CIALIS_LEO2 0s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
#counts FB_CIALIS_LEO2 3s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
#counts FB_CIALIS_LEO2 0s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
#counts FB_CIALIS_LEO2 288s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
#counts FB_CIALIS_LEO2 92s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
body FB_VALIUM_LEO2 /V\s?[a-z]\s?A\s?[a-z]\s?L\s?[a-z]\s?I\s?[a-z]\s?U\s?[a-z]\s?M/
score FB_VALIUM_LEO2 1.668
#counts FB_VALIUM_LEO2 14s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
#counts FB_VALIUM_LEO2 4s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
#counts FB_VALIUM_LEO2 1s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
#counts FB_VALIUM_LEO2 785s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
#counts FB_VALIUM_LEO2 216s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
body FB_VIAGRA_LEO2 /V\s?[a-z]\s?[il]\s?[a-z]\s?A\s?[a-z]\s?G\s?[a-z]\s?R\s?[a-z]\s?A/
score FB_VIAGRA_LEO2 1.669
#counts FB_VIAGRA_LEO2 0s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
#counts FB_VIAGRA_LEO2 4s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
#counts FB_VIAGRA_LEO2 0s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
#counts FB_VIAGRA_LEO2 421s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
#counts FB_VIAGRA_LEO2 129s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
body FB_SAVE_LEO /S\s?[a-z]\s?A\s?[a-z]\s?V\s?[a-z]\s?E\s?[a-z]/
score FB_SAVE_LEO 1.555
#counts FB_SAVE_LEO 0s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
#counts FB_SAVE_LEO 0s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
#counts FB_SAVE_LEO 0s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
#counts FB_SAVE_LEO 105s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
#counts FB_SAVE_LEO 31s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
Watch for line wraps!
--
Best regards,
Fred mailto:spamassassin@freddyt.com
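The rules in the post above can be exercised offline before they go into a local .cf file. The Python harness below is an added example, not part of the original post: it loads the four rules as posted, scans constructed sample text, and reports the lines that no longer parse once a mail client has wrapped them. The sample strings, the loader and the use of Python's re in place of SpamAssassin's Perl regex engine and body rendering are assumptions made for illustration.

```python
import re

# Rule lines copied from the post above, unwrapped; "#counts" comments omitted.
RULES = r"""
body FB_CIALIS_LEO2 /C\s?[a-z]\s?I\s?[a-z]\s?A\s?[a-z]\s?L\s?[a-z]\s?[il]\s?[a-z]\s?S/
score FB_CIALIS_LEO2 1.669
body FB_VALIUM_LEO2 /V\s?[a-z]\s?A\s?[a-z]\s?L\s?[a-z]\s?I\s?[a-z]\s?U\s?[a-z]\s?M/
score FB_VALIUM_LEO2 1.668
body FB_VIAGRA_LEO2 /V\s?[a-z]\s?[il]\s?[a-z]\s?A\s?[a-z]\s?G\s?[a-z]\s?R\s?[a-z]\s?A/
score FB_VIAGRA_LEO2 1.669
body FB_SAVE_LEO /S\s?[a-z]\s?A\s?[a-z]\s?V\s?[a-z]\s?E\s?[a-z]/
score FB_SAVE_LEO 1.555
"""

def load_rules(text):
    """Parse 'body NAME /re/' and 'score NAME n' lines.
    Returns ({name: (compiled_re, score)}, [lines that failed to parse])."""
    patterns, scores, problems = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        body = re.fullmatch(r"/(.+)/(i?)", parts[2]) if len(parts) == 3 else None
        if len(parts) == 3 and parts[0] == "body" and body:
            patterns[parts[1]] = re.compile(body.group(1), re.I if body.group(2) else 0)
        elif len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
        else:
            problems.append(line)  # e.g. a rule split in two by a mail client
    # SpamAssassin scores a rule 1.0 when no score line is given
    return {n: (p, scores.get(n, 1.0)) for n, p in patterns.items()}, problems

def scan(rules, rendered_text):
    """Return (sorted hit names, total score) for already-rendered body text."""
    hits = sorted(n for n, (rx, _) in rules.items() if rx.search(rendered_text))
    return hits, round(sum(rules[n][1] for n in hits), 3)

# Constructed samples (not taken from any corpus)
SPAM = "VqlxAzGbRwA and CxIqAzLblwS, SxAqVzEb 80%"
SPACED = "V x A q L z I b U w M"
HAM = "Please save the Viagra and Cialis invoices, VALIUM too."
WRAPPED = RULES.replace(" /", "\n/")  # simulate the line wraps warned about

if __name__ == "__main__":
    rules, problems = load_rules(RULES)
    for sample in (SPAM, SPACED, HAM):
        print(scan(rules, sample), repr(sample))
    print(load_rules(WRAPPED)[1])
```

The rules are case-sensitive (no /i modifier), which is why the normally written drug names in the HAM sample produce no hits.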
Re: Re[2]: HTML spam not detected
Posted by Jeremy Fairbrass <jf...@hotmail.com>.
Hi Jean-Paul,
I'll send you my own rule for these spams off-list - they may also help.
Fred's rules look like they're searching within the plain text part of those
spams, whereas mine searches within the HTML part and is a bit less specific
than Fred's, in that it doesn't care what specific letters are used to make
up the drug names - instead it's looking for the HTML obfuscation "trick"
the spammer uses.
Fred, will you be adding these rules to one of your 88_FVGT rulesets at
RulesEmporium? Would be neat if you did! :)
Cheers,
Jeremy
"Fred T" <sp...@freddyt.com> wrote in message
news:178157010.20060322123340@freddyt.com...
> Hello Jean-Paul,
>
> Here's the rules I use, I've had these rules for a few weeks but I
> just noticed today the use of extra spaces between each letter, so
> here's an updated set of rules. This might be easier converted to a
> replace_tags ruleset but it works fine like it is.
>
> body FB_CIALIS_LEO2 /C\s?[a-z]\s?I\s?[a-z]\s?A\s?[a-z]\s?L\s?[a-z]\s?[il]\s?[a-z]\s?S/
> score FB_CIALIS_LEO2 1.669
> #counts FB_CIALIS_LEO2 0s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
> #counts FB_CIALIS_LEO2 3s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
> #counts FB_CIALIS_LEO2 0s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
> #counts FB_CIALIS_LEO2 288s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
> #counts FB_CIALIS_LEO2 92s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
>
> body FB_VALIUM_LEO2 /V\s?[a-z]\s?A\s?[a-z]\s?L\s?[a-z]\s?I\s?[a-z]\s?U\s?[a-z]\s?M/
> score FB_VALIUM_LEO2 1.668
> #counts FB_VALIUM_LEO2 14s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
> #counts FB_VALIUM_LEO2 4s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
> #counts FB_VALIUM_LEO2 1s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
> #counts FB_VALIUM_LEO2 785s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
> #counts FB_VALIUM_LEO2 216s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
>
> body FB_VIAGRA_LEO2 /V\s?[a-z]\s?[il]\s?[a-z]\s?A\s?[a-z]\s?G\s?[a-z]\s?R\s?[a-z]\s?A/
> score FB_VIAGRA_LEO2 1.669
> #counts FB_VIAGRA_LEO2 0s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
> #counts FB_VIAGRA_LEO2 4s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
> #counts FB_VIAGRA_LEO2 0s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
> #counts FB_VIAGRA_LEO2 421s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
> #counts FB_VIAGRA_LEO2 129s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
>
> body FB_SAVE_LEO /S\s?[a-z]\s?A\s?[a-z]\s?V\s?[a-z]\s?E\s?[a-z]/
> score FB_SAVE_LEO 1.555
> #counts FB_SAVE_LEO 0s/0h of 12241 corpus (6567s/5674h CT) 03/22/06
> #counts FB_SAVE_LEO 0s/0h of 9220 corpus (6987s/2233h AxB) 03/22/06
> #counts FB_SAVE_LEO 0s/0h of 22939 corpus (17226s/5713h MY) 03/22/06
> #counts FB_SAVE_LEO 105s/0h of 72746 corpus (51980s/20766h ML) 03/22/06
> #counts FB_SAVE_LEO 31s/0h of 111691 corpus (74068s/37623h DOC) 03/22/06
>
> Watch for line wraps!
>
> --
> Best regards,
> Fred mailto:spamassassin@freddyt.com