Posted to users@spamassassin.apache.org by Matthew Newton <mc...@leicester.ac.uk> on 2005/03/10 16:41:11 UTC
Obvious spam (from subject) getting through
Hi
Anyone got a rule to catch e-mails I've been getting with this subject?
Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen
Only rule that has much effect is a SARE subject rule I've just added to
my collection, but it seems it should be easy to catch this?
X-Spam-Score: (+++) 3.7
X-Spam-Report: This e-mail has been scored by SpamAssassin 3.0.2
Pts  Rule name              Description
---- ---------------------- ---------------------------------------
3.3  SARE_SUB_CHEAP_OB      subject has obfuscated spammer topic
0.2  HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
0.0  HTML_40_50             BODY: Message is 40% to 50% HTML
0.0  HTML_MESSAGE           BODY: HTML included in message
0.0  BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]
0.1  HTML_FONT_BIG          BODY: HTML tag for a big font size
If there isn't a "standard" rule out there then I'll put one together
for it.
Thanks!
--
Matthew Newton <mc...@le.ac.uk>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Re: Obvious spam (from subject) getting through
Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Matthew
the antidrug.cf on www.rulesemporium.com? But that should be part of the
base SA 3 set (20_drugs.cf).
If you can put up the full email on a web/FTP site I can run it against my
setup, which has lots of SARE rules, and I'll drop back the rules I hit.
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Matthew Newton wrote:
> Hi
>
> Anyone got a rule to catch e-mails I've been getting with this subject?
>
> Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen
>
> Only rule that has much effect is a SARE subject rule I've just added to
> my collection, but it seems it should be easy to catch this?
>
> X-Spam-Score: (+++) 3.7
> X-Spam-Report: This e-mail has been scored by SpamAssassin 3.0.2
> Pts  Rule name              Description
> ---- ---------------------- ---------------------------------------
> 3.3  SARE_SUB_CHEAP_OB      subject has obfuscated spammer topic
> 0.2  HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
> 0.0  HTML_40_50             BODY: Message is 40% to 50% HTML
> 0.0  HTML_MESSAGE           BODY: HTML included in message
> 0.0  BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]
> 0.1  HTML_FONT_BIG          BODY: HTML tag for a big font size
>
> If there isn't a "standard" rule out there then I'll put one together
> for it.
>
> Thanks!
>
Re: Obvious spam (from subject) getting through
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Matthew,
Thursday, March 10, 2005, 7:41:11 AM, you wrote:
MN> Hi
MN> Anyone got a rule to catch e-mails I've been getting with this subject?
MN> Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA,
MN> C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen
MN> Only rule that has much effect is a SARE subject rule I've just
MN> added to my collection, but it seems it should be easy to catch
MN> this?
I'm guessing that the 3.0 adoption of antidrug didn't catch this
primarily because the obfuscations used here were carefully crafted to
avoid obfuscation-detecting rules. I'm surprised the z0l0ft word
didn't hit, but I can see why the others might have missed.
If you and others can send me as many examples of obfuscated drug
names used in subjects as possible, Matt Kettler and I can go through
them and build a good set of rules to go into either a new antidrug.cf
or the genlsubj file set.
Thanks.
Bob Menschel
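
The Subject quoted in this thread mixes three obfuscations: digit-for-letter swaps, "\/" for "V", and doubled letters. The following is an added example, not part of the original thread and not a SpamAssassin or SARE rule. It normalises each Subject token and compares it to a watch list; the watch list, the substitution table and the one-edit tolerance are assumptions made for illustration.

```python
import re

# Subject line as quoted in the thread.
SUBJECT = (r"intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, "
           r"Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen")
# Assumed watch list: the names recognisable in that Subject.
DRUGS = ["xanax", "vicodin", "soma", "codeine", "viagra", "cialis", "zoloft", "valium"]
# Assumed substitution tables; "1" is ambiguous, so both readings are tried.
LEET = [{"0": "o", "1": "i", "3": "e", "@": "a", "$": "s"},
        {"0": "o", "1": "l", "3": "e", "@": "a", "$": "s"}]

def squeeze(s):
    """Collapse runs of one repeated character: 'viaagrra' -> 'viagra'."""
    return re.sub(r"(.)\1+", r"\1", s)

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]

def normalise(token):
    """Return the set of de-obfuscated readings of one Subject token."""
    t = token.lower().replace("\\/", "v")
    readings = set()
    for table in LEET:
        s = "".join(table.get(c, c) for c in t)
        readings.add(squeeze(re.sub(r"[^a-z]", "", s)))
    return readings

def obfuscated_drug_hits(subject):
    """List (raw token, drug name) pairs where the token is a disguised name."""
    hits = []
    for raw in (w.strip(",.;:!") for w in subject.split()):
        for drug in DRUGS:
            target = squeeze(drug)
            fuzzy = len(target) >= 5  # short names must match exactly
            if raw.lower() != drug and any(
                    c == target or (fuzzy and within_one_edit(c, target))
                    for c in normalise(raw)):
                hits.append((raw, drug))
                break
    return hits
```

A plainly spelled name is deliberately not reported, so the hit count measures obfuscation rather than topic.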