Posted to users@spamassassin.apache.org by Matthew Newton <mc...@leicester.ac.uk> on 2005/03/10 16:41:11 UTC

Obvious spam (from subject) getting through

Hi

Anyone got a rule to catch e-mails I've been getting with this subject?

Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen

Only rule that has much effect is a SARE subject rule I've just added to
my collection, but it seems it should be easy to catch this?

X-Spam-Score: (+++) 3.7
X-Spam-Report: This e-mail has been scored by SpamAssassin 3.0.2
        Pts Rule name              Description
        ---- ---------------------- ---------------------------------------
        3.3 SARE_SUB_CHEAP_OB      subject has obfuscated spammer topic
        0.2 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
        0.0 HTML_40_50             BODY: Message is 40% to 50% HTML
        0.0 HTML_MESSAGE           BODY: HTML included in message
        0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]
        0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size

If there isn't a "standard" rule out there then I'll put one together
for it.

Thanks!

-- 
Matthew Newton <mc...@le.ac.uk>

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom

Re: Obvious spam (from subject) getting through

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Matthew

the antidrug.cf on www.rulesemporium.com? But that should be part of the 
base SA 3 set (20_drugs.cf).

If you can put up the full email on a web/FTP site I can run it against my 
setup, which has lots of SARE rules, and I'll drop back the rules I hit.


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Matthew Newton wrote:
> Hi
> 
> Anyone got a rule to catch e-mails I've been getting with this subject?
> 
> Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen
> 
> Only rule that has much effect is a SARE subject rule I've just added to
> my collection, but it seems it should be easy to catch this?
> 
> X-Spam-Score: (+++) 3.7
> X-Spam-Report: This e-mail has been scored by SpamAssassin 3.0.2
>         Pts Rule name              Description
>         ---- ---------------------- ---------------------------------------
>         3.3 SARE_SUB_CHEAP_OB      subject has obfuscated spammer topic
>         0.2 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
>         0.0 HTML_40_50             BODY: Message is 40% to 50% HTML
>         0.0 HTML_MESSAGE           BODY: HTML included in message
>         0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]
>         0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
> 
> If there isn't a "standard" rule out there then I'll put one together
> for it.
> 
> Thanks!
> 


Re: Obvious spam (from subject) getting through

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Matthew,

Thursday, March 10, 2005, 7:41:11 AM, you wrote:

MN> Hi

MN> Anyone got a rule to catch e-mails I've been getting with this subject?

MN> Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA,
MN> C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen 

MN> Only rule that has much effect is a SARE subject rule I've just
MN> added to my collection, but it seems it should be easy to catch
MN> this?

I'm guessing that the 3.0 adoption of antidrug didn't catch this
primarily because the obfuscations used here were carefully crafted to
avoid obfuscation-detecting rules. I'm surprised the z0l0ft word
didn't hit, but I can see why the others might have missed.

If you and others can send me as many examples of obfuscated drug
names used in subjects as possible, Matt Kettler and I can go through
them and build a good set of rules to go into either a new antidrug.cf
or the genlsubj file set.

Thanks.

Bob Menschel
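
An added example, not part of the thread and not taken from antidrug.cf or any SARE rule file: a Python sketch of the matching logic an obfuscation-aware subject rule needs, run over the subject line quoted above. The lookalike table, the drug-name list and all function names are assumptions made for illustration.

```python
import re

# Constructed lookalike table: digits and punctuation seen standing in for letters.
LOOKALIKES = {"a": "a4", "e": "e3", "i": "i1!", "l": "l1",
              "o": "o0", "s": "s5", "t": "t7"}
# Assumed word list, guessed from the subject line in the thread.
DRUGS = ["xanax", "vicodin", "soma", "codeine",
         "viagra", "cialis", "zoloft", "valium"]


def letter_pattern(ch):
    """Regex for one letter: any lookalike, repeated one or more times."""
    if ch == "v":
        return r"(?:v|\\/)+"          # also accept the two-character \/ for v
    return "[" + LOOKALIKES.get(ch, ch) + "]+"


def build_pattern(name):
    """Whole-token pattern tolerating substituted and doubled letters."""
    body = "".join(letter_pattern(c) for c in name)
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])", re.IGNORECASE)


PATTERNS = {name: build_pattern(name) for name in DRUGS}


def obfuscated_hits(subject):
    """Map drug name -> matched token, skipping the plain spelling."""
    hits = {}
    for name, pat in PATTERNS.items():
        for m in pat.finditer(subject):
            if m.group(0).lower() != name:   # only obfuscated forms count
                hits[name] = m.group(0)
    return hits


# Subject line as posted in the thread.
SUBJECT = (r"intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, "
           r"Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen")

if __name__ == "__main__":
    for name, token in sorted(obfuscated_hits(SUBJECT).items()):
        print(f"{name:8s} <- {token}")
```

Seven of the eight tokens match. XANAA does not, because (assuming it stands for Xanax) it drops a letter rather than substituting or doubling one, which is the kind of obfuscation that needs its own pattern.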