Posted to users@spamassassin.apache.org by Jonathan Engbrecht <je...@ryerson.ca> on 2006/03/10 20:59:09 UTC

SA rule for userid in subject?

hello assassin-types,

I'm seeing a lot of image-only spam of the following form:

rcpt to:  <userid>@domain.com
Subject:  Fw: <userid>

Is there a way to create a simple spamassassin rule that will hit on 
this?  I could use () and \1 in regular expressions and a giant, 
multi-line matching RE (probably), but I'm worried about processing time 
- two regular expressions would probably be better.

thoughts?

Re: SA rule for userid in subject?

Posted by Loren Wilton <lw...@earthlink.net>.
> I was wondering how to modify Loren's rule for the following type of emails
> which I have been getting a lot of:
>
> In the subject I get: "some word[s]-userid" or  "some word[s]-some
> word[s]-userid"

You aren't too specific about the subject form, and you aren't specific 
about the To: form.  That leaves lots of room to guess and get things wrong. 
I'm guessing these aren't the fake forwards that were causing the OP 
problems.

You could try something like the following.  It is UNTESTED and may not 
work.

header RULE_NAME ALL =~ /\nTo:\s[^\@\n]*[\s<]([^\@>\n]+).+\nSubject:\s[^\n]{0,30}\b\1\b/i

        Loren

>
>> >
>> >   Loren answered that a month ago. Is in the archives. You may use:
>> >
>> > header RULE_NAME ALL =~ /\nTo: ([^\@\n]+).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i
>> >
>> >   That covers "Fw: userid" and "Fw: (some word[s]) userid".
>> >
>>
>



RE: SA rule for userid in subject?

Posted by jeffsal <je...@charter.net>.
I was wondering how to modify Loren's rule for the following type of emails
which I have been getting a lot of:

In the subject I get: "some word[s]-userid" or  "some word[s]-some
word[s]-userid"

> >
> >   Loren answered that a month ago. Is in the archives. You may use:
> >
> > header RULE_NAME ALL =~ /\nTo: ([^\@\n]+).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i
> >
> >   That covers "Fw: userid" and "Fw: (some word[s]) userid".
> >
> 



RE: SA rule for userid in subject?

Posted by Ruben Cardenal <ru...@ruben.cn>.
That doesn't kill performance, sorry. I get average times of 0.1-0.3
seconds/mail using that rule (and a lot of other ones) while the cpu lives
happily. In several servers. You don't need a plugin for that.

Ruben

> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@evi-inc.com]
> Sent: Friday, 10 March 2006 21:57
> To: Ruben Cardenal
> CC: users@spamassassin.apache.org
> Subject: Re: SA rule for userid in subject?
> 
> Ruben Cardenal wrote:
> > Hi,
> >
> >   Loren answered that a month ago. Is in the archives. You may use:
> >
> > header RULE_NAME ALL =~ /\nTo: ([^\@\n]+).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i
> >
> >   That covers "Fw: userid" and "Fw: (some word[s]) userid".
> >
> 
> True, but that's using () and \1, which is exactly what Jonathan said he did not
> want to use.
> 
> So you can do it that way, but you'll suffer the performance penalty of a
> multi-line regex with backreferences.
> 
> The only *efficient* way to do it is to write a plugin.


Re: SA rule for userid in subject?

Posted by Matt Kettler <mk...@evi-inc.com>.
Ruben Cardenal wrote:
> Hi,
> 
>   Loren answered that a month ago. Is in the archives. You may use:
> 
> header RULE_NAME ALL =~ /\nTo: ([^\@\n]+).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i
> 
>   That covers "Fw: userid" and "Fw: (some word[s]) userid".
> 

True, but that's using () and \1, which is exactly what Jonathan said he did not
want to use.

So you can do it that way, but you'll suffer the performance penalty of a
multi-line regex with backreferences.

The only *efficient* way to do it is to write a plugin.
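
Added example, not part of any post in this thread: a stand-alone Perl script that runs the back-reference rule quoted above against constructed header blocks, next to a two-step check of the kind a plugin could perform. The helper names `fw_localpart_in_subject` and `hdrs` and all sample addresses are assumptions made for the illustration. Because `.` does not match a newline without `/s`, the quoted rule only fires when the Subject header directly follows To:, and its capture starts right after "To: ", so a display name also defeats it.

```perl
#!/usr/bin/perl
# Added example: sample headers and fw_localpart_in_subject() are constructed.
use strict;
use warnings;

# The rule quoted in the thread, run against the whole header block ("ALL").
my $backref_rule = qr/\nTo: ([^\@\n]+).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i;

# Two-step check (hypothetical helper): extract the To: local part once, then
# run a short match on the Subject line alone, whatever the header order.
sub fw_localpart_in_subject {
    my ($headers) = @_;
    my ($local)   = $headers =~ /^To:[^\n]*?([^\s<\@]+)\@/mi or return 0;
    my ($subject) = $headers =~ /^Subject:[ \t]*([^\n]*)/mi  or return 0;
    return $subject =~ /^Fw:\s*.{0,30}\Q$local\E\b/i ? 1 : 0;
}

# Build a header block from single-quoted lines (no @ interpolation).
sub hdrs { return join("\n", @_) . "\n" }

my $from = 'From: sender@example.net';
my $to   = 'To: jsmith@example.com';
my $fw   = 'Subject: Fw: jsmith';

# Constructed test cases: [ label, header block ].
my @samples = (
    [ 'To directly before Subject',
      hdrs($from, $to, $fw) ],
    [ 'Date between To and Subject',
      hdrs($from, $to, 'Date: Fri, 10 Mar 2006 14:59:09 -0500', $fw) ],
    [ 'Subject before To',
      hdrs($from, $fw, $to) ],
    [ 'Display name in To',
      hdrs($from, 'To: "J Smith" <jsmith@example.com>', $fw) ],
    [ 'Ordinary forward',
      hdrs($from, $to, 'Subject: Fw: quarterly report') ],
);

printf "%-30s %-8s %s\n", 'case', 'backref', 'two-step';
for my $sample (@samples) {
    my ($name, $headers) = @$sample;
    my $hit = $headers =~ $backref_rule ? 1 : 0;
    printf "%-30s %-8d %d\n", $name, $hit, fw_localpart_in_subject($headers);
}
```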

RE: SA rule for userid in subject?

Posted by Ruben Cardenal <ru...@ruben.cn>.
Hi,

  Loren answered that a month ago. Is in the archives. You may use:

header RULE_NAME ALL =~ /\nTo: ([^\@\n]+).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i

  That covers "Fw: userid" and "Fw: (some word[s]) userid".

Ruben.

> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@evi-inc.com]
> Sent: Friday, 10 March 2006 21:17
> To: Jonathan Engbrecht
> CC: users@spamassassin.apache.org
> Subject: Re: SA rule for userid in subject?
> 
> Jonathan Engbrecht wrote:
> > hello assassin-types,
> >
> > I'm seeing a lot of image-only spam of the following form:
> >
> > rcpt to:  <userid>@domain.com
> > Subject:  Fw: <userid>
> >
> > Is there a way to create a simple spamassassin rule that will hit on
> > this?  I could use () and \1 in regular expressions and a giant,
> > multi-line matching RE (probably), but I'm worried about processing time
> > - two regular expressions would probably be better.
> >
> > thoughts?
> >
> 
> You'd need to write a plugin to do this efficiently.
> 
> That said, I get a lot of them too, with drug-spam ads in them. My most recent
> one racked up a hell of a score without any extra help on my part.
> 
> X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=37.608, required 5,
> 	autolearn=spam, BAYES_50 0.00, DATE_IN_PAST_06_12 0.83,
> 	DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, EXTRA_MPART_TYPE 1.09,
> 	HELO_DYNAMIC_ADELPHIA 1.79, HTML_IMAGE_ONLY_12 1.87,
> 	HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_2 1.58,
> 	INFO_GREYLIST_NOTDELAYED -0.00, INFO_TLD 0.50,
> 	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> 	RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56,
> 	RCVD_IN_NJABL_DUL 1.95, URIBL_AB_SURBL 3.81, URIBL_BLACK 2.50,
> 	URIBL_JP_SURBL 4.09, URIBL_OB_SURBL 3.01, URIBL_SBL 1.64,
> 	URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14)
> 
> Admittedly most of that score comes from the image being wrapped as a HTML link
> to the drug-spammer's website, which racked up all the URIBLS and Razor's e8...


Re: SA rule for userid in subject?

Posted by Matt Kettler <mk...@evi-inc.com>.
Jonathan Engbrecht wrote:
> hello assassin-types,
> 
> I'm seeing a lot of image-only spam of the following form:
> 
> rcpt to:  <userid>@domain.com
> Subject:  Fw: <userid>
> 
> Is there a way to create a simple spamassassin rule that will hit on
> this?  I could use () and \1 in regular expressions and a giant,
> multi-line matching RE (probably), but I'm worried about processing time
> - two regular expressions would probably be better.
> 
> thoughts?
> 

You'd need to write a plugin to do this efficiently.

That said, I get a lot of them too, with drug-spam ads in them. My most recent
one racked up a hell of a score without any extra help on my part.

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=37.608, required 5,
	autolearn=spam, BAYES_50 0.00, DATE_IN_PAST_06_12 0.83,
	DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, EXTRA_MPART_TYPE 1.09,
	HELO_DYNAMIC_ADELPHIA 1.79, HTML_IMAGE_ONLY_12 1.87,
	HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_2 1.58,
	INFO_GREYLIST_NOTDELAYED -0.00, INFO_TLD 0.50,
	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
	RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56,
	RCVD_IN_NJABL_DUL 1.95, URIBL_AB_SURBL 3.81, URIBL_BLACK 2.50,
	URIBL_JP_SURBL 4.09, URIBL_OB_SURBL 3.01, URIBL_SBL 1.64,
	URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14)

Admittedly most of that score comes from the image being wrapped as a HTML link
to the drug-spammer's website, which racked up all the URIBLS and Razor's e8...

Re: SA rule for userid in subject?

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Mar 10, 2006 at 02:59:09PM -0500, Jonathan Engbrecht wrote:
> I'm seeing a lot of image-only spam of the following form:
> 
> rcpt to:  <userid>@domain.com
> Subject:  Fw: <userid>

Yeah, there's a lot of that.

> Is there a way to create a simple spamassassin rule that will hit on 
> this?  I could use () and \1 in regular expressions and a giant, 
> multi-line matching RE (probably), but I'm worried about processing time 
> - two regular expressions would probably be better.

There's already a rule that looks for this type of thing
(LOCALPART_IN_SUBJECT), but it doesn't look for the "Fw:" pattern.
However, there are other rules which catch these mails more efficiently
than looking for the username.  Two rules you can use for now (these
and others will likely be published via sa-update after the upcoming
3.1.1 release):

body TVD_FW_MESG1 /^-+ Original Message -+ From: (?:\w+ )+To: \S+ (?:Sent|Date):.{1,60}Subject: \w+\s*$/
body TVD_FW_MESG2 /^-- Best Regards, \w+ \w+\s+mailto:/

-- 
Randomly Generated Tagline:
I used up all my sick days, so I'm calling in dead.