Posted to users@spamassassin.apache.org by Clay Davis <cd...@avionics-specialties.com> on 2007/08/14 16:09:19 UTC

Rule for PDF and eCard Spam Needed

Can someone recommend a SAR(E) to mitigate the influx of the PDF and eCard spams until I can learn the bayes?

(haven't been tuned into the list for a while... sorry.)

Thanks,
Clay


Re: Sample eCard Rules...

Posted by Matt Kettler <mk...@verizon.net>.
Jared Hall wrote:
> Some quick eCard rules:
>
> header	JARED_ECARD			Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
>   
A good start, but that rule could be simplified quite a lot.

For starters, don't do (a|an).. it's much faster to do an? instead.

Also, in this case the \!? at the end is pointless. Regexes match
substrings, so you could just leave that whole part off with zero change
in what will match.

In general, for regexes that are used to detect matches only (ie: SA
rules), if you end in . + * or ? you're doing something wasteful and
pointless and should re-examine the regex. Unless you add a $ at the
end, you don't have to match the whole text, so don't waste time trying
to match optional characters at the end.

Here's a variant I use..

header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD 	greeting card virus


Notes: 

mine won't catch the "You've received a greeting from a" variant yours picks up, but I've never seen that one myself. Every one I've seen of this type has "card" in it somewhere.

Mine's also a bit less specific, as it just uses a .{4,20} where yours bothers to list out all the possible texts the virus uses. I feel it's unlikely to match anything nonspam, but greatly reduces the resource usage of the rule.

Mine requires the exclamation point at the end, where yours makes it optional (and should just leave it off as above).
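Matt's two regex points above (write `an?` rather than `(a|an)`, and drop a trailing `\!?` unless the pattern is anchored with `$`), checked with Python's re module as an added example that is not from the thread. ORIGINAL is JARED_ECARD as posted, TIGHTENED is my rewrite of it with only those changes applied, the subjects are constructed, and Python's re stands in for the Perl engine SpamAssassin actually runs.

```python
import re

# JARED_ECARD exactly as posted in the thread, joined back onto one line
# (the list software wrapped it).
ORIGINAL = (
    r"You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card)"
    r" from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour"
    r"|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague"
    r"|buddy|pal)\!?"
)

# The same rule with only Matt's two changes applied: "an?" replaces "(a|an)"
# and the trailing "\!?" is gone.  Groups are made non-capturing, a pure speed
# tweak for a match-only rule.  This rewrite is mine, not a rule from the thread.
TIGHTENED = (
    r"You've received an? (?:greeting|postcard|ecard|greeting ecard|greeting card)"
    r" from a (?:admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour"
    r"|partner|school friend|school mate|school-mate|worshipper|Class mate|Colleague"
    r"|buddy|pal)"
)

# Constructed subjects (not real mail): five shapes the thread describes,
# then two negative controls.
SUBJECTS = [
    "You've received a postcard from a friend!",
    "You've received an ecard from a school mate",
    "You've received a greeting card from a worshipper!!!",
    "Fwd: You've received a greeting from a neighbour!",
    "you've RECEIVED A POSTCARD FROM A PAL!",
    "You've received a parcel from a courier!",
    "You have received a postcard from a friend!",
]


def hits(pattern, subjects):
    """Evaluate a Subject rule the way SA does: case-insensitive substring search."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [rx.search(s) is not None for s in subjects]


def search_equivalent(p1, p2, subjects):
    """True when both patterns hit exactly the same subjects."""
    return hits(p1, subjects) == hits(p2, subjects)


def trailing_optional_matters(pattern, subjects):
    """Does appending '\\!?' change results?  Never for an unanchored search;
    as soon as a '$' anchor follows it, it can."""
    unanchored = search_equivalent(pattern + r"\!?", pattern, subjects)
    anchored = search_equivalent(pattern + r"\!?$", pattern + "$", subjects)
    return {"unanchored_same": unanchored, "anchored_same": anchored}


if __name__ == "__main__":
    print("original :", hits(ORIGINAL, SUBJECTS))
    print("tightened:", hits(TIGHTENED, SUBJECTS))
    print("equivalent:", search_equivalent(ORIGINAL, TIGHTENED, SUBJECTS))
    print(trailing_optional_matters(TIGHTENED, SUBJECTS))
```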

Re: How to write a rule to filter this email?

Posted by Loren Wilton <lw...@earthlink.net>.
Take the :addr off.

        Loren

----- Original Message ----- 
From: "chteh" <ch...@nav6.org>
To: <us...@SpamAssassin.apache.org>
Sent: Thursday, September 20, 2007 8:14 PM
Subject: How to write a rule to filter this email?


> Hi all,
>
> Recently I wrote a rule to filter Viagra emails. I found that the pattern
> of these spam emails is that the "From" appears as "Viagra.com Inc
> <ch...@nav6.org>".
>
> In my local.cf, I have added a simple rule like this:
> header          No_Viagra_From  From:addr =~ /viagra/i
> score           No_Viagra_From  10.0
> describe        No_Viagra_From  From that contains the word viagra
>
> But unfortunately, it doesn't work. Can anyone here teach me how to write
> a rule to block this type of email, please?
>
> I have attached the head of the spam mail here. Thanks in advance!
>
> ----------------------------------------------------------------------------
>>>From chteng@pccs.net  Fri Sep 21 06:55:39 2007
> Return-Path: <ch...@pccs.net>
> X-Original-To: chteh@nav6.org
> Delivered-To: chteh@nav6.org
> Received: from localhost (unknown [127.0.0.1])
>        by nav6.org (Postfix) with ESMTP id 4A7F21D6010B
>        for <ch...@nav6.org>; Thu, 20 Sep 2007 22:55:39 +0000 (UTC)
> X-Virus-Scanned: amavisd-new at nav6.org
> Received: from c66-235-44-65.sea2.cablespeed.com
> (c66-235-44-65.sea2.cablespeed.com [66.235.44.65])
>        by nav6.org (Postfix) with SMTP id AF38F1D600CA
>        for <ch...@nav6.org>; Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
> Received: from Lupe Cash (10.12.13.16) by 
> c66-235-44-65.sea2.cablespeed.com
> (PowerMTA(TM) v3.2r4) id hfp10o93d75j00 for <ch...@nav6.org>; Thu, 20 Sep
> 2007 02:52:29 -0800
> Message-Id: <20...@c66-235-44-65.sea2.cablespeed.com>
> To: <ch...@nav6.org>
> Subject: Lovers package at discount price!
> From: Viagra.com Inc <ch...@nav6.org>
> MIME-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
> Date: Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
> X-UID: 3
> Status: RO
> X-Keywords:
> Content-Length: 2705
> ----------------------------------------------------------------------------
>
> Best Regards,
>
> Simon Teh
> Network and System Administrator
> National Advanced IPv6
> Centre of Excellence,
> School of Computer Science,
> Universiti Sains Malaysia 



How to write a rule to filter this email?

Posted by chteh <ch...@nav6.org>.
Hi all,

Recently I wrote a rule to filter Viagra emails. I found that the pattern
of these spam emails is that the "From" appears as "Viagra.com Inc
<ch...@nav6.org>".

In my local.cf, I have added a simple rule like this:
header          No_Viagra_From  From:addr =~ /viagra/i
score           No_Viagra_From  10.0
describe        No_Viagra_From  From that contains the word viagra

But unfortunately, it doesn't work. Can anyone here teach me how to write a
rule to block this type of email, please?

I have attached the head of the spam mail here. Thanks in advance!

----------------------------------------------------------------------------
>From chteng@pccs.net  Fri Sep 21 06:55:39 2007
Return-Path: <ch...@pccs.net>
X-Original-To: chteh@nav6.org
Delivered-To: chteh@nav6.org
Received: from localhost (unknown [127.0.0.1])
        by nav6.org (Postfix) with ESMTP id 4A7F21D6010B
        for <ch...@nav6.org>; Thu, 20 Sep 2007 22:55:39 +0000 (UTC)
X-Virus-Scanned: amavisd-new at nav6.org
Received: from c66-235-44-65.sea2.cablespeed.com
(c66-235-44-65.sea2.cablespeed.com [66.235.44.65])
        by nav6.org (Postfix) with SMTP id AF38F1D600CA
        for <ch...@nav6.org>; Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
Received: from Lupe Cash (10.12.13.16) by c66-235-44-65.sea2.cablespeed.com
(PowerMTA(TM) v3.2r4) id hfp10o93d75j00 for <ch...@nav6.org>; Thu, 20 Sep
2007 02:52:29 -0800
Message-Id: <20...@c66-235-44-65.sea2.cablespeed.com>
To: <ch...@nav6.org>
Subject: Lovers package at discount price!
From: Viagra.com Inc <ch...@nav6.org>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
X-UID: 3
Status: RO
X-Keywords:
Content-Length: 2705
----------------------------------------------------------------------------

Best Regards,
 
Simon Teh
Network and System Administrator
National Advanced IPv6 
Centre of Excellence,
School of Computer Science,
Universiti Sains Malaysia
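Why Loren's "take the :addr off" fixes the No_Viagra_From rule above, as an added example rather than anything from the thread: with the `From:addr` modifier a SpamAssassin header rule sees only the address part, so /viagra/ never meets the display name "Viagra.com Inc", whereas a bare `From` (or `From:name`) does. The mini-evaluator below is my own Python approximation of that rule syntax, the headers are constructed with a placeholder mailbox because the archive elides the real one, and Python's re stands in for Perl's.

```python
import re
from email.utils import parseaddr

# Constructed headers modelled on the spam quoted in the thread; the mailbox
# is a placeholder, not the real (elided) address.
SAMPLE_HEADERS = {
    "From": "Viagra.com Inc <user@example.invalid>",
    "Subject": "Lovers package at discount price!",
}

# Shape of a one-line SpamAssassin 'header' rule as written in local.cf:
#   header  RULE_NAME  Header[:addr|:name] =~ /regex/flags
RULE_RE = re.compile(
    r"^header\s+(?P<name>\S+)\s+(?P<hdr>[A-Za-z0-9-]+)(?::(?P<mod>addr|name))?"
    r"\s*=~\s*/(?P<rx>.*)/(?P<flags>[imsx]*)$"
)

# Perl regex flags that have a direct Python equivalent.
PERL_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def header_view(value, modifier):
    """Return the slice of a header value that a rule modifier exposes.

    No modifier -> the whole value, display name included.
    :addr        -> only the e-mail address.
    :name        -> only the display name.
    """
    if modifier is None:
        return value
    name, addr = parseaddr(value)
    return addr if modifier == "addr" else name


def parse_header_rule(line):
    """Split 'header NAME Hdr:mod =~ /rx/flags' into its parts and compile the regex."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a single-line header rule: %r" % line)
    flags = 0
    for ch in m["flags"]:
        flags |= PERL_FLAGS[ch]
    return m["name"], m["hdr"], m["mod"], re.compile(m["rx"], flags)


def evaluate(rule_line, headers):
    """Return (rule name, hit?) for one rule against one message's headers."""
    name, hdr, mod, rx = parse_header_rule(rule_line)
    text = header_view(headers.get(hdr, ""), mod)
    return name, rx.search(text) is not None


if __name__ == "__main__":
    for rule in (
        "header  No_Viagra_From  From:addr =~ /viagra/i",   # as posted: misses
        "header  No_Viagra_From  From =~ /viagra/i",        # ':addr' removed: hits
        "header  No_Viagra_From  From:name =~ /viagra/i",   # narrower alternative
    ):
        print(rule, "->", evaluate(rule, SAMPLE_HEADERS))
```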


Sample eCard Rules...

Posted by Jared Hall <jh...@tbi.net>.
Some quick eCard rules:

header	JARED_ECARD			Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
score	JARED_ECARD			2.5

header	JARED_ECARD1			Subject =~ /^(School\-mate|Worshipper|Neighbour|Colleague|Admirer|School mate|Mate|Class\-mate|Neighbor|Friend|Partner|Family member|Class mate) sent you (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from ((postcardsfrom|Greeting\-Cards|e\-cards|1LoveCards|postcard|greetingCard|netfuncards|freewebcards|AmericanGreetings|GreetingCards|2000Greetings|FunnyPostcard|mypostcards|egreetings|dgreetings|VintagePostcards|123Greetings|riversongs|Hallmark|greet2k|egreetings|all\-yours|bluemountain|Postcards)\.(com|net|org))\!?/i
score	JARED_ECARD1			2.0

header	JARED_ECARD2			Subject =~ /^(Animated|Funny|Greeting|Holiday|Thank you|Musical|Love|Birthday|Movie\-quality)[\s](ecard|card|postcard)[\s]$/i
score	JARED_ECARD2			2.0


$0.02,

Jared Hall
General Telecom, LLC.


On Tuesday 14 August 2007 11:33, John Rudd wrote:
> Doc Schneider wrote:
> > Loren Wilton wrote:
> >> PDFinfo plugin from SARE helps a lot with the pdf mess.
> >
> > I found that ClamAV catches most all those greeting card spamscam
> > viruses.
> >
> > But the PDFInfo from SARE works GREAT!
>
> ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL
> signatures in addition to the main ClamAV signatures.  We went from
> rejecting a few thousand "viruses" a day with just the base ClamAV
> signatures, to rejecting high 10's of thousands of messages a day
> (mostly due to Sanesecurity).  No complaints about false positives yet.

Re: Rule for PDF and eCard Spam Needed

Posted by John Rudd <jr...@ucsc.edu>.
Doc Schneider wrote:
> Loren Wilton wrote:
>> PDFinfo plugin from SARE helps a lot with the pdf mess.
> 
> I found that ClamAV catches most all those greeting card spamscam viruses.
> 
> But the PDFInfo from SARE works GREAT!
> 

ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL 
signatures in addition to the main ClamAV signatures.  We went from 
rejecting a few thousand "viruses" a day with just the base ClamAV 
signatures, to rejecting high 10's of thousands of messages a day 
(mostly due to Sanesecurity).  No complaints about false positives yet.




Re: Rule for PDF and eCard Spam Needed

Posted by Doc Schneider <ma...@maddoc.net>.

Loren Wilton wrote:
> PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has also
> published a number of rules that catch them, I believe.  You can get
> them from one of the standard SA update channels.
> 
> I suppose we ought to publish some SARE rules for the greeting cards,
> although our experience is they tend to get caught pretty well without
> help. Apparently though others need more help :-)
> 
> There have been 3-4 rules in various emails about these things over the
> last week or two.  Scan back in the archives of the list for greeting
> cards and you will probably find some good rules.
> 
>        Loren
> 

I found that ClamAV catches most all those greeting card spamscam viruses.

But the PDFInfo from SARE works GREAT!

--

 -Doc

 Penguins: Do it on the ice.
   8:44am  up 4 days, 16:55, 17 users,  load average: 0.18, 0.30, 0.37

 SARE HQ  http://www.rulesemporium.com/

Re: Rule for PDF and eCard Spam Needed

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 16 Aug 2007, Joe Zitnik wrote:

> I've been looking at the rule, and POSTCARD_02 and POSTCARD_03
> along with DQ_URI_ONLY_ARGS have no associated score line.  Is this
> an intentional omission?

Yes. That uses the default score of 1.0

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  I would buy a Mac today if I was not working at Microsoft.
                          -- James Allchin, Microsoft VP of Platforms
-----------------------------------------------------------------------
 9 days until The 1928th anniversary of the destruction of Pompeii


Re: Rule for PDF and eCard Spam Needed

Posted by Joe Zitnik <JZ...@hfcc.net>.
>>> On 8/14/2007 at 6:31 PM, "John D. Hardin" <jh...@impsec.org>
wrote:
> On Tue, 14 Aug 2007, Diego Pomatta wrote:
>
> > and this ruleset for postcards&ecards  -> 
> > http://www.impsec.org/~jhardin/antispam/postcards.cf 
>
> We're starting to get into whack-a-mole territory with the postcard 
> spams. There will be another update out tonight.
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/ 
> jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org 
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   ...every time I sit down in front of a Windows machine I feel as
>   if the computer is just a place for the manufacturers to put their
>   advertising.                                -- fwadling on Y! SCOX
> ----------------------------------------------------------------------
> Tomorrow: The 62nd anniversary of the end of World War II


John,
I've been looking at the rule, and POSTCARD_02 and POSTCARD_03 along
with DQ_URI_ONLY_ARGS have no associated score line.  Is this an
intentional omission?

Re: Rule for PDF and eCard Spam Needed

Posted by Kai Schaetzl <ma...@conactive.com>.

Robert - elists wrote on Wed, 15 Aug 2007 18:12:28 -0700:

> consider helping Jo ?

I think Jo could help himself quite well if he wanted to.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




RE: Rule for PDF and eCard Spam Needed

Posted by Robert - elists <li...@abbacomm.net>.
> 
> Sigh, I give up.
> 
> Kai
> 

Give up what? 

Trying to run destructive interference or consider helping Jo ?

:-)

 - rh
 



Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
> Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700:
>> The SA-team has an environment designed to do this, I don't.  Nor do  
>> most people on this list.

Kai Schaetzl wrote:
> Sigh, I give up.

I find it vastly amusing that when there is real work to do (ie fix a 
broken rule) the list grows very silent.   But when there is an 
opportunity to be rude to someone, people just can't wait to do so.

Priorities are a bit off, wouldn't you think?

-- 
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness

Re: Rule for PDF and eCard Spam Needed

Posted by Kai Schaetzl <ma...@conactive.com>.
Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700:

> The SA-team has an environment designed to do this, I don't.  Nor do  
> most people on this list.

Sigh, I give up.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
On Aug 15, 2007, at 3:31 AM, Kai Schaetzl wrote:
> I can just tell you what *I* would do.
>
> - test the rules
> - test the rules
> - test the rules
> - gather statistics about hits, FPs and FNs

The SA-team has an environment designed to do this, I don't.  Nor do  
most people on this list.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Rule for PDF and eCard Spam Needed

Posted by Kai Schaetzl <ma...@conactive.com>.
Jo Rhett wrote on Tue, 14 Aug 2007 17:42:02 -0700:

> People refer to rulesets they've created.  I am not an SA committer,
> so I can't run these through their test environment and then commit
> them to the tree.  So I'm asking someone who is if they'd be willing
> to do this.

I can just tell you what *I* would do.

- test the rules
- test the rules
- test the rules
- gather statistics about hits, FPs and FNs
- ask the author of the rule to submit as a feature request or whatever 
else is available for stuff like this on the bugzilla.

But maybe that's the wrong way.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote:
>> What can be done to get these tested and included in the main  
>> ruleset?
>
> What is "these"? I don't see that you offered any rules catching that
> stuff. So, what do you want the developers or anyone to test?

People refer to rulesets they've created.  I am not an SA committer,
so I can't run these through their test environment and then commit
them to the tree.  So I'm asking someone who is if they'd be willing
to do this.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Rule for PDF and eCard Spam Needed

Posted by Kai Schaetzl <ma...@conactive.com>.
Jo Rhett wrote on Tue, 14 Aug 2007 13:27:20 -0700:

> Well first I don't think many of us want to waste CPU cycles trying  
> to analyze the contents of PDF files.

Right, and not only of PDFs. That's why "many of us" reject this stuff 
already at MTA for technical reasons and thus rarely see this stuff. 
Problem solved. Without complaining.
But if you don't want to detect with SA you *have* to analyze the PDF as 
the spammy content is in the PDF and not elsewhere. You cannot rely on 
some signs in the mail itself as they may easily change from day to day.

> What can be done to get these tested and included in the main ruleset?

What is "these"? I don't see that you offered any rules catching that 
stuff. So, what do you want the developers or anyone to test?


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
> Jo Rhett escribió:
>> I think that rules which did a better job on these messages would  
>> be greatly appreciated.

On Aug 14, 2007, at 12:42 PM, Diego Pomatta wrote:
> I use PDFinfo plugin from http://rulesemporium.com/plugins.htm

Well first I don't think many of us want to waste CPU cycles trying  
to analyze the contents of PDF files.  Very rarely am I sent PDF  
files, and those would be handled by other rules.  Frankly I could  
just add 3 points for PDF or GIF attachments.

That said, it doesn't work for all people.

> and this ruleset for postcards&ecards  -> http://www.impsec.org/ 
> ~jhardin/antispam/postcards.cf <http://www.impsec.org/%7Ejhardin/ 
> antispam/postcards.cf>
> which I customised a bit myself,
> and they are catching like 98% of all pdf and greeting cards spam,  
> if not more. Haven't really done the math, but that kind of spam  
> was a real pain in the butt, and now I'd almost forgotten about it. :p

And again, your message proves that the supplied SA rules aren't  
catching these messages.

What can be done to get these tested and included in the main ruleset?

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Rule for PDF and eCard Spam Needed

Posted by Diego Pomatta <in...@abelsonsa.com.ar>.
Interesting Tech Republic article, Putting a stop to PDF spam 
<http://blogs.techrepublic.com.com/networking/?p=314&tag=nl.e019>
which mentions the pdfinfo plugin for SA.

Re: Rule for PDF and eCard Spam Needed

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 14 Aug 2007, Diego Pomatta wrote:

> and this ruleset for postcards&ecards  -> 
> http://www.impsec.org/~jhardin/antispam/postcards.cf 

We're starting to get into whack-a-mole territory with the postcard 
spams. There will be another update out tonight.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.                                -- fwadling on Y! SCOX
----------------------------------------------------------------------
 Tomorrow: The 62nd anniversary of the end of World War II


Re: Rule for PDF and eCard Spam Needed

Posted by Diego Pomatta <in...@abelsonsa.com.ar>.
Jo Rhett escribió:
> On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:
>> PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has 
>> also published a number of rules that catch them, I believe.  You can 
>> get them from one of the standard SA update channels.
>> I suppose we ought to publish some SARE rules for the greeting cards, 
>> although our experience is they tend to get caught pretty well 
>> without help. Apparently though others need more help :-)
>
> Just to make it clear what I and others keep saying on this topic: I'm 
> using 4 different systems that have various 3.x versions of 
> spamassassin, all of which use sa-update, and none of which are doing 
> an adequate job of catching gif, pdf or ecard spam.  It's upwards of 
> 20 an hour on several systems.
>
> I think that rules which did a better job on these messages would be 
> greatly appreciated.

I use PDFinfo plugin from http://rulesemporium.com/plugins.htm

and this ruleset for postcards&ecards  -> 
http://www.impsec.org/~jhardin/antispam/postcards.cf 
<http://www.impsec.org/%7Ejhardin/antispam/postcards.cf>
which I customised a bit myself,

and they are catching like 98% of all pdf and greeting cards spam, if 
not more. Haven't really done the math, but that kind of spam was a real 
pain in the butt, and now I'd almost forgotten about it. :p

/Regards

Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
Robert - elists wrote:
> I don't use alternative files that I am aware of anyways... just stock
> clamav

The ecard stuff is not in the normal clamav virus databases.

> And... I hear ya, yet clamav  plugin *integration* into SA scores as I
> understand it, where stock clamav quarantines

We use amavis which integrates them cleanly.

> Therefore you can score high and smtp reject as opposed to just quarantine
> and some other email event for admin or rcpt person(s)...

We never quarantine.  Reject or tag and pass through depending on the 
user's settings.  Quarantine requires someone to go clean it up, etc.

-- 
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness

RE: Rule for PDF and eCard Spam Needed

Posted by Robert - elists <li...@abbacomm.net>.
> 
> I'm using stock clamav with freshclam, and getting 10-12 an hour in
> each mailbox.  So no, stock clamav does not catch these.
> 
> --
> Jo Rhett

Hmmmmmm interesting

I was telling the same thing recently on this same thread.

YES, they do catch and quarantine them all them rotten buggers.

When I do my clamav, I roll my own rpm and use a spec file from crash-hat

http://crash.fce.vutbr.cz/crash-hat/5/clamav/

I used to just use his and re-roll yet I do not have time to wait when there
are clamav updates.

He (petr) does it differently than DAG as near as I can tell.

Maybe you can have time and can check out the particulars and if it will
help you.

I know we do not actively go snag the clamav extra sigs

Ummm, here is how we originally used to roll our own from someone else's...

http://qmail.jms1.net/clamav/rpm.shtml

again, now I just snag source and mod the .spec etc and do it that way...

 - rh



Re: Rule for PDF and eCard Spam Needed

Posted by Bill Randle <bi...@neocat.org>.
On Sat, 2007-08-18 at 19:26 -0700, Jo Rhett wrote:
> Loren Wilton wrote:
> > From: "Jo Rhett" <jr...@netconsonance.com>
> > 
> >> So the only thing which is actually working to catch these is bayes 
> >> and bayes-based systems.  Not rules, and not AV.
> > 
> > Is that a statement about your own system?  MANY people have responded 
> > that quite a number of other things like pdfinfo and clamav and various 
> > rules are working just fine for them.  So your statement would seem to 
> > be about your own system, rather than the ability in general to stop 
> > these things.
> 
> The comment was in response to the quoted text above it.
> 
> I have asked which alternate signatures, and everyone keeps popping up 
> saying stock clamav, which has no signatures for ecards.

The alternate signatures from Sane Security
<http://www.sanesecurity.com/clamav/> seem to be catching most of them
for me.

	-Bill



Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
Loren Wilton wrote:
> From: "Jo Rhett" <jr...@netconsonance.com>
> 
>> So the only thing which is actually working to catch these is bayes 
>> and bayes-based systems.  Not rules, and not AV.
> 
> Is that a statement about your own system?  MANY people have responded 
> that quite a number of other things like pdfinfo and clamav and various 
> rules are working just fine for them.  So your statement would seem to 
> be about your own system, rather than the ability in general to stop 
> these things.

The comment was in response to the quoted text above it.

I have asked which alternate signatures, and everyone keeps popping up 
saying stock clamav, which has no signatures for ecards.

Re: Rule for PDF and eCard Spam Needed

Posted by Loren Wilton <lw...@earthlink.net>.
From: "Jo Rhett" <jr...@netconsonance.com>

> So the only thing which is actually working to catch these is bayes and 
> bayes-based systems.  Not rules, and not AV.

Is that a statement about your own system?  MANY people have responded that 
quite a number of other things like pdfinfo and clamav and various rules are 
working just fine for them.  So your statement would seem to be about your 
own system, rather than the ability in general to stop these things.

        Loren



Re: Rule for PDF and eCard Spam Needed

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 16 Aug 2007, Jo Rhett wrote:

> So the only thing which is actually working to catch these is
> bayes and bayes-based systems.  Not rules, and not AV.

The postcard spams? Modulo the fact that they are a whack-a-mole
solution, the Subject rules I maintain are apparently quite effective
in concert with Bayes.

  http://www.impsec.org/~jhardin/antispam/

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Men by their constitutions are naturally divided in to two parties:
  1. Those who fear and distrust the people and wish to draw all
  powers from them into the hands of the higher classes. 2. Those who
  identify themselves with the people, have confidence in them,
  cherish and consider them as the most honest and safe, although not
  the most wise, depository of the public interests.
					          -- Thomas Jefferson
-----------------------------------------------------------------------
 9 days until The 1928th anniversary of the destruction of Pompeii


Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
So the only thing which is actually working to catch these is bayes and 
bayes-based systems.  Not rules, and not AV.

Martin.Hepworth wrote:
> Ecard spams get scored as follows.
> 
> 5.40	BAYES_99	Bayesian spam probability is 99 to 100%
> 4.00	DCC_CHECK	Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.77	DIGEST_MULTIPLE	Message hits more than one network digest check
> 0.90	HOST_EQ_RO
> 4.00	NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
> 0.96	NO_REAL_NAME	From: does not include a real name
> 0.50	RAZOR2_CF_RANGE_51_100	Razor2 gives confidence level above 50%
> 1.50	RAZOR2_CF_RANGE_E8_51_100	Razor2 gives engine 8 confidence level above 50%
> 0.50	RAZOR2_CHECK	Listed in Razor2 (http://razor.sf.net/)
> 
> Similar for postcard.exe's (which also trigger my AV).
> 
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
>> -----Original Message-----
>> From: Jo Rhett [mailto:jrhett@netconsonance.com]
>> Sent: 15 August 2007 23:46
>> To: Arthur Dent
>> Cc: users@spamassassin.apache.org
>> Subject: Re: Rule for PDF and eCard Spam Needed
>>
>> On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
>>> I am only a home user, but I have found that bog-standard clamAV
>>> (updated with freshclam) has caught all but one of the greeting
>>> card scams:
>> I'm using stock clamav with freshclam, and getting 10-12 an hour in
>> each mailbox.  So no, stock clamav does not catch these.
>>
>> --
>> Jo Rhett
>> Net Consonance : consonant endings by net philanthropy, open source
>> and other randomness
>>


-- 
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness

RE: Rule for PDF and eCard Spam Needed

Posted by "Martin.Hepworth" <ma...@solidstatelogic.com>.
Ecard spams get scored as follows.

5.40	BAYES_99	Bayesian spam probability is 99 to 100%
4.00	DCC_CHECK	Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77	DIGEST_MULTIPLE	Message hits more than one network digest check
0.90	HOST_EQ_RO
4.00	NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
0.96	NO_REAL_NAME	From: does not include a real name
0.50	RAZOR2_CF_RANGE_51_100	Razor2 gives confidence level above 50%
1.50	RAZOR2_CF_RANGE_E8_51_100	Razor2 gives engine 8 confidence level above 50%
0.50	RAZOR2_CHECK	Listed in Razor2 (http://razor.sf.net/)

Similar for postcard.exe's (which also trigger my AV).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: Jo Rhett [mailto:jrhett@netconsonance.com]
> Sent: 15 August 2007 23:46
> To: Arthur Dent
> Cc: users@spamassassin.apache.org
> Subject: Re: Rule for PDF and eCard Spam Needed
>
> On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
> > I am only a home user, but I have found that bog-standard clamAV
> > (updated with freshclam) has caught all but one of the greeting
> > card scams:
>
> I'm using stock clamav with freshclam, and getting 10-12 an hour in
> each mailbox.  So no, stock clamav does not catch these.
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source
> and other randomness
>
**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**********************************************************************


Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
> I am only a home user, but I have found that bog-standard clamAV  
> (updated with freshclam) has caught all but one of the greeting  
> card scams:

I'm using stock clamav with freshclam, and getting 10-12 an hour in  
each mailbox.  So no, stock clamav does not catch these.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Rule for PDF and eCard Spam Needed

Posted by Arthur Dent <sa...@troodos.demon.co.uk>.
On Tue, Aug 14, 2007 at 07:53:56PM -0700, Robert - elists wrote:
> 
> > Apparently with alternate virus files, which I had not yet tested.
> > Someone mentioned that earlier today and I'm investigating it.
> > 
> > --
> > Jo Rhett
> 
> Jo
> 
> I don't use alternative files that I am aware of anyways... just stock
> clamav
> 

Me too....

I am only a home user, but I have found that bog-standard clamAV (updated with freshclam) has caught all but one of the greeting card scams:
	Subject: You've received a postcard from a Colleague!
	X-Virus-Status: Yes
	X-Virus-Report: Email.Phishing.RB-1223 FOUND 
	X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.91.1/3848/Thu Aug  2 21:22:06 2007

I use clamav via procmail *before* SA and any positives identified by clamav get whisked off into a quarantine folder so I don't know whether SA would have caught them or not.

...just my £0.02...

Best Regards

AD
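The ordering described above (ClamAV via procmail first, quarantine on a hit, SpamAssassin only afterwards) as a procmail recipe. This is an added example, not Arthur Dent's own configuration; the folder names quarantine and spam under $HOME/Mail are assumed mbox files.

```procmail
# Added example: clamassassin before SpamAssassin, with quarantine.
# Assumed layout: $HOME/Mail/quarantine and $HOME/Mail/spam are mbox files.
PATH=/usr/local/bin:/usr/bin:/bin
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log

# Pass the message through clamassassin, which adds the X-Virus-Status and
# X-Virus-Report headers quoted in the post above.
# 'f' = filter (rewrite the message), 'w' = wait for the exit status so a
# failing scanner leaves the message unchanged instead of losing it.
:0fw
| clamassassin

# Anything ClamAV flagged is filed to quarantine here and never reaches
# SpamAssassin, which is why SA's verdict on these messages stays unknown.
:0:
* ^X-Virus-Status: Yes
quarantine

# Only virus-clean mail is handed to SpamAssassin (spamc talks to spamd).
:0fw
| spamc

# File SA-tagged spam separately; everything else falls through to the inbox.
:0:
* ^X-Spam-Status: Yes
spam
```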


RE: Rule for PDF and eCard Spam Needed

Posted by Robert - elists <li...@abbacomm.net>.
> 
> Apparently with alternate virus files, which I had not yet tested.
> Someone mentioned that earlier today and I'm investigating it.
> 
> --
> Jo Rhett

Jo

I don't use alternative files that I am aware of anyways... just stock
clamav

And... I hear ya, yet clamav plugin *integration* into SA scores as I
understand it, where stock clamav quarantines

http://wiki.apache.org/spamassassin/ClamAVPlugin

I haven't figured it out yet as there appears to be some good and bad
experiences and differing outlooks on this solution

Therefore you can score high and smtp reject as opposed to just quarantine
and some other email event for admin or rcpt person(s)...

Maybe I am wrong...

Just food for thought.

 - rh


Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
On Aug 14, 2007, at 2:22 PM, Robert - elists wrote:
> You might consider the clamav integration into SA, as clamav is  
> catching all
> the ecard ones

Apparently with alternate virus files, which I had not yet tested.   
Someone mentioned that earlier today and I'm investigating it.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



RE: Rule for PDF and eCard Spam Needed

Posted by Robert - elists <li...@abbacomm.net>.
> 
> Just to make it clear what I and others keep saying on this topic:
> I'm using 4 different systems that have various 3.x versions of
> spamassassin, all of which use sa-update, and none of which are doing
> an adequate job of catching gif, pdf or ecard spam.  It's upwards of
> 20 an hour on several systems.
> 
> I think that rules which did a better job on these messages would be
> greatly appreciated.
> 
> See my other post about the PDF not matching, with an example spam
> included.
> 
> --
> Jo Rhett

Jo,

Dunno if this is the best option...

And food for thought only...

You might consider the clamav integration into SA, as clamav is catching all
the ecard ones

 - rh


Re: Rule for PDF and eCard Spam Needed

Posted by John Rudd <jr...@ucsc.edu>.
Jo Rhett wrote:
> On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:
>> PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has also 
>> published a number of rules that catch them, I believe.  You can get 
>> them from one of the standard SA update channels.
>> I suppose we ought to publish some SARE rules for the greeting cards, 
>> although our experience is they tend to get caught pretty well without 
>> help. Apparently though others need more help :-)
> 
> Just to make it clear what I and others keep saying on this topic: I'm 
> using 4 different systems that have various 3.x versions of 
> spamassassin, all of which use sa-update, and none of which are doing an 
> adequate job of catching gif, pdf or ecard spam.  It's upwards of 20 an 
> hour on several systems.
> 
> I think that rules which did a better job on these messages would be 
> greatly appreciated.
> 
> See my other post about the PDF not matching, with an example spam 
> included.
> 

Have you tried BOTNET?

Have you tried clamav with sanesecurity?


Re: Rule for PDF and eCard Spam Needed

Posted by Jo Rhett <jr...@netconsonance.com>.
On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:
> PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has  
> also published a number of rules that catch them, I believe.  You  
> can get them from one of the standard SA update channels.
> I suppose we ought to publish some SARE rules for the greeting  
> cards, although our experience is they tend to get caught pretty  
> well without help. Apparently though others need more help :-)

Just to make it clear what I and others keep saying on this topic:  
I'm using 4 different systems that have various 3.x versions of  
spamassassin, all of which use sa-update, and none of which are doing  
an adequate job of catching gif, pdf or ecard spam.  It's upwards of  
20 an hour on several systems.

I think that rules which did a better job on these messages would be  
greatly appreciated.

See my other post about the PDF not matching, with an example spam  
included.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Rule for PDF and eCard Spam Needed

Posted by Loren Wilton <lw...@earthlink.net>.
PDFinfo plugin from SARE helps a lot with the pdf mess.  Theo has also 
published a number of rules that catch them, I believe.  You can get them 
from one of the standard SA update channels.

I suppose we ought to publish some SARE rules for the greeting cards, 
although our experience is they tend to get caught pretty well without help. 
Apparently though others need more help :-)

There have been 3-4 rules in various emails about these things over the last 
week or two.  Scan back in the archives of the list for greeting cards and 
you will probably find some good rules.

        Loren