You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "--[ UxBoD ]--" <ux...@splatnix.net> on 2007/01/27 12:49:03 UTC
Drug Spam
Sorry for asking as I am sure that it has already been covered. But if
there a rule for the new spate of drug SPAM where the URL has "Remove
"*" to make the link working!" in it ?
Thanks,
--
This message has been scanned for viruses and dangerous content by MailScanner, and is
believed to be clean.
Re: Re: Drug Spam
Posted by Nick Leverton <nj...@leverton.org>.
On Thursday 08 February 2007 15:21, Ben Wylie wrote:
> As I understand it, these undefined dependencies are errors where a meta
> rule has been written to depend on another rule, which does not exist.
> These don't have catastrophic consequences, it just means that rule may
> not be effective.
Google suggests these rules were once in the FVGT ruleset, this is what the
FM_ ones looked like:
meta FM_NO_TO (!__MY_TO)
describe FM_NO_TO Message is missing To
score FM_NO_TO 0.001
meta FM_NO_FROM_OR_TO (!__MY_FROM && !__MY_TO)
describe FM_NO_FROM_OR_TO Message is missing From and To
score FM_NO_FROM_OR_TO 0.001
I don't have a copy of __URIBL_ANY anywhere but I don't think it's
necessary, since KAM's rules that use it also name each individual URIBL
as well.
Nick
Re: Re: Drug Spam
Posted by Ben Wylie <sa...@benwylie.co.uk>.
As I understand it, these undefined dependencies are errors where a meta
rule has been written to depend on another rule, which does not exist.
These don't have catastrophic consequences, it just means that rule may
not be effective.
Ben
Spamassassin List wrote:
> <div class="moz-text-flowed" style="font-family: -moz-fixed">>
> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>
> I had encountered errors
>
> [21895] info: rules: meta test KAM_RPTR_PASSED has undefined dependency
> '__URIBL_ANY'
> [21895] info: rules: meta test KAM_REAL has undefined dependency
> '__KAMREAL1'
> [21895] info: rules: meta test KAM_REAL has undefined dependency
> '__KAMREAL2'
> [21895] info: rules: meta test KAM_REAL has undefined dependency
> '__KAMREAL3'
> [21895] info: rules: meta test KAM_BLANK01 has undefined dependency
> 'FM_NO_FROM_OR_TO'
> [21895] info: rules: meta test KAM_BLANK01 has undefined dependency
> 'FM_NO_TO'
>
>
> Any idea?
>
> Thanks
>
>
> </div>
Re: Drug Spam
Posted by Spamassassin List <sp...@gmail.com>.
> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
I had encountered errors
[21895] info: rules: meta test KAM_RPTR_PASSED has undefined dependency
'__URIBL_ANY'
[21895] info: rules: meta test KAM_REAL has undefined dependency
'__KAMREAL1'
[21895] info: rules: meta test KAM_REAL has undefined dependency
'__KAMREAL2'
[21895] info: rules: meta test KAM_REAL has undefined dependency
'__KAMREAL3'
[21895] info: rules: meta test KAM_BLANK01 has undefined dependency
'FM_NO_FROM_OR_TO'
[21895] info: rules: meta test KAM_BLANK01 has undefined dependency
'FM_NO_TO'
Any idea?
Thanks
Newbie drug spam rules. Any comments from pro's?
Posted by Burak Ueda <su...@burakueda.com>.
Ok, I am the ultimate beginner in both using regex, and writing SA rules.
I had some problems with those recent drug spams (replace * thingy).
Current ruleset didn't caught them, and I tried to write my own rules, and they seem to be working.
Here is the URL to my rules, I am most probably re-inventing the wheel here but anyway.
Oh, and please don't laugh :D
http://burakueda.com/text/drugrules.txt
I call the {0,5} part "Distance" and I am planning to give a score
according to the distance (closer the distance, higher the score).
What do you think about it? Any comments or suggestions to improve? Or anything wrong in them?
Thanks..
Re: Drug Spam
Posted by Henrik Krohns <he...@stream.hege.li>.
On Sat, Jan 27, 2007 at 07:42:19AM -0800, Bill Randle wrote:
> On Sat, 2007-01-27 at 14:35 +0000, --[ UxBoD ]-- wrote:
> > On Sat, 27 Jan 2007 12:25:12 +0000
> > Nigel Frankcom <ni...@blue-canoe.net> wrote:
> >
> > > On Sat, 27 Jan 2007 11:49:03 +0000, "--[ UxBoD ]--"
> > > <ux...@splatnix.net> wrote:
> > >
> > > >Sorry for asking as I am sure that it has already been covered. But
> > > >if there a rule for the new spate of drug SPAM where the URL has
> > > >"Remove "*" to make the link working!" in it ?
> > > >
> > > >Thanks,
> > >
> > >
> > > This was suggested to me yesterday...
> > >
> > > http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> > >
> > > Bayes training helps too.
> > >
> > > Kind regards
> >
> > I am already using KAM.cf but it has not caught one yet :(
>
> Just as a friednly note, the normal procedure is to check the mailing
> list archives when first joining to see if the subject of interest has
> been discussed recently before posting a query. As you suspect, it has
> been discussed at length over the last several days.
>
> Here's a suggestion from Henrik Krohns. I use this with good success.
>
> uri HK_OBFDOM /^https?:\/\/ [a-z0-9._-]*? (?: [^a-z0-9._':\@\/-]
> | :[^0-9] ) (?: .*?\/ | .*?[a-z]$ ) /ix
> describe HK_OBFDOM Domain contains illegal characters
> score HK_OBFDOM 3.5
>
> body __hk_obfdomreq1 /\b(?:remove|replace)\b/i
> body __hk_obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
> #meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1 && __hk_obfdomreq2)
> meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1)
> describe HK_OBFDOMREQ Request to modify obfuscated domain
> score HK_OBFDOMREQ 2
I've seen the domain check can create some false positives, so I recommend
low score for it.
uri HK_OBFDOM /^https?:\/\/ [a-z0-9._-]+? (?: [^a-z0-9._':\@\/-] | :[^0-9] ) (?: .*?\/ | .*?[a-z]$ ) /ix
score HK_OBFDOM 0.5
body __hk_obfdomreq1 /\b(replace|remove)\b.{0,20}(?: (?:'|")?.(?:'|")? |with\b)/i
body __hk_obfdomreq2 /\blink working\b/i
meta HK_OBFDOMREQ (HK_OBFDOM && (__hk_obfdomreq1 || __hk_obfdomreq2))
score HK_OBFDOMREQ 2.5
In addition to that, there was already some postings for a simple "*com"
rule..
Cheers,
Henrik
Re: Drug Spam
Posted by Bill Randle <bi...@neocat.org>.
On Sat, 2007-01-27 at 14:35 +0000, --[ UxBoD ]-- wrote:
> On Sat, 27 Jan 2007 12:25:12 +0000
> Nigel Frankcom <ni...@blue-canoe.net> wrote:
>
> > On Sat, 27 Jan 2007 11:49:03 +0000, "--[ UxBoD ]--"
> > <ux...@splatnix.net> wrote:
> >
> > >Sorry for asking as I am sure that it has already been covered. But
> > >if there a rule for the new spate of drug SPAM where the URL has
> > >"Remove "*" to make the link working!" in it ?
> > >
> > >Thanks,
> >
> >
> > This was suggested to me yesterday...
> >
> > http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> >
> > Bayes training helps too.
> >
> > Kind regards
>
> I am already using KAM.cf but it has not caught one yet :(
Just as a friednly note, the normal procedure is to check the mailing
list archives when first joining to see if the subject of interest has
been discussed recently before posting a query. As you suspect, it has
been discussed at length over the last several days.
Here's a suggestion from Henrik Krohns. I use this with good success.
uri HK_OBFDOM /^https?:\/\/ [a-z0-9._-]*? (?: [^a-z0-9._':\@\/-]
| :[^0-9] ) (?: .*?\/ | .*?[a-z]$ ) /ix
describe HK_OBFDOM Domain contains illegal characters
score HK_OBFDOM 3.5
body __hk_obfdomreq1 /\b(?:remove|replace)\b/i
body __hk_obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
#meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1 && __hk_obfdomreq2)
meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1)
describe HK_OBFDOMREQ Request to modify obfuscated domain
score HK_OBFDOMREQ 2
(Be sure to fix any wrapped lines.)
-Bill
Re: Drug Spam
Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
On Sat, 27 Jan 2007 12:25:12 +0000
Nigel Frankcom <ni...@blue-canoe.net> wrote:
> On Sat, 27 Jan 2007 11:49:03 +0000, "--[ UxBoD ]--"
> <ux...@splatnix.net> wrote:
>
> >Sorry for asking as I am sure that it has already been covered. But
> >if there a rule for the new spate of drug SPAM where the URL has
> >"Remove "*" to make the link working!" in it ?
> >
> >Thanks,
>
>
> This was suggested to me yesterday...
>
> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>
> Bayes training helps too.
>
> Kind regards
>
> Nigel
>
I am already using KAM.cf but it has not caught one yet :(
--
This message has been scanned for viruses and dangerous content by MailScanner, and is
believed to be clean.
Re: Drug Spam
Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Sat, 27 Jan 2007 11:49:03 +0000, "--[ UxBoD ]--"
<ux...@splatnix.net> wrote:
>Sorry for asking as I am sure that it has already been covered. But if
>there a rule for the new spate of drug SPAM where the URL has "Remove
>"*" to make the link working!" in it ?
>
>Thanks,
This was suggested to me yesterday...
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
Bayes training helps too.
Kind regards
Nigel