Posted to users@spamassassin.apache.org by Martin Gregorie <ma...@gregorie.org> on 2008/12/07 12:56:09 UTC

Live.space and Sourceforge

I've been getting a bit of spam recently via Sourceforge mailing lists
that punts live.space websites. As this is easy to detect without
running much risk of FPs, I've written a rule.....

describe MG_LIVESF Spam via SourceForge but contains spaces.live.com URI
uri      __MG_LSF1 /^http:.{1,40}\.spaces\.live\.com/i
header   __MG_LSF2 List-Id =~ /lists\.sourceforge\.net/i
meta     MG_LIVESF (__MG_LSF1 && __MG_LSF2)
score    MG_LIVESF 2.0
 
Of course it's useless if none of your users subscribe to Sourceforge
mailing lists, but OTOH it should adapt easily to almost any group of
mailing lists that carry the List-Id: header.


Martin




Re: Live.space and Sourceforge

Posted by John Hardin <jh...@impsec.org>.
On Mon, 8 Dec 2008, Kenneth Porter wrote:

> uri KP_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\//
>
> The variant part is a string of hex digits, so this could be even tighter.

Nothing else? Here's two versions:

uri KP_LIVE_SPACES_CID /^http:\/\/cid-\w{10,20}\.spaces\.live\.com\//

uri KP_LIVE_SPACES_CID /^http:\/\/cid-[[:xdigit:]]{10,20}\.spaces\.live\.com\//

Also: case sensitivity?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   It is not the place of government to make right every tragedy and
   woe that befalls every resident of the nation.
-----------------------------------------------------------------------
  7 days until Bill of Rights day

Re: Live.space and Sourceforge

Posted by Ned Slider <ne...@unixmail.co.uk>.
Kenneth Porter wrote:
> --On Sunday, December 07, 2008 7:45 AM -0500 Michael Scheidell 
> <sc...@secnap.net> wrote:
> 
> >> Thanks for the uri rule.  It is tighter than the one I cobbled together.
> 
> I'm successfully using an even tighter one posted by Daryl C. W. O'Shea 
> on October 18, with a minor adjustment:
> 
> <http://ruleqa.spamassassin.org/20081017-r705513-n/DOS_LIVE_SPACES_CID/detail> 
> 
> 
> My version:
> 
> uri KP_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\//
> 
> The variant part is a string of hex digits, so this could be even tighter.
> 

I've seen plenty of variants that won't catch. A quick grep of my spam 
from the last month or so shows this would catch more:

uri KP_LIVE_SPACES_CID /^http:\/\/.{6,20}\.spaces\.live\.com\//

but may also catch more potential FPs too. I guess it depends how 
aggressive or cautious you want to be.




Re: Live.space and Sourceforge

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Sunday, December 07, 2008 7:45 AM -0500 Michael Scheidell 
<sc...@secnap.net> wrote:

> Thanks for the uri rule.  It is tighter than the one I cobbled together.

I'm successfully using an even tighter one posted by Daryl C. W. O'Shea on 
October 18, with a minor adjustment:

<http://ruleqa.spamassassin.org/20081017-r705513-n/DOS_LIVE_SPACES_CID/detail>

My version:

uri KP_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\//

The variant part is a string of hex digits, so this could be even tighter.
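
[Added example, not part of any poster's message.] The uri patterns posted in this thread, run side by side over constructed sample URIs to show how each one trades coverage against FP risk, including the case-sensitivity question. Assumptions: the Perl patterns are translated to Python's re (with [[:xdigit:]] written as [0-9a-fA-F]), the rule labels and sample URIs are made up here, and only the regexes are exercised, not SpamAssassin's own URI handling.

```python
import re

# The uri patterns posted in the thread, translated from Perl to Python's re.
# Assumption: Perl's [[:xdigit:]] is written [0-9a-fA-F], since Python's re
# has no POSIX classes. Rule keys are labels made up for this example.
RULES = {
    "martin_any":  re.compile(r"^http:.{1,40}\.spaces\.live\.com", re.I),
    "ned_6_20":    re.compile(r"^http://.{6,20}\.spaces\.live\.com/"),
    "kp_cid_any":  re.compile(r"^http://cid-.{10,20}\.spaces\.live\.com/"),
    "jh_cid_word": re.compile(r"^http://cid-\w{10,20}\.spaces\.live\.com/"),
    "jh_cid_hex":  re.compile(r"^http://cid-[0-9a-fA-F]{10,20}\.spaces\.live\.com/"),
}

# Constructed sample URIs (not taken from real mail).
SAMPLES = {
    "hex_cid":     "http://cid-0123456789abcdef.spaces.live.com/",
    "upper_cid":   "http://CID-0123456789ABCDEF.spaces.live.com/",
    "word_cid":    "http://cid-someblogname.spaces.live.com/",
    "dotted_cid":  "http://cid-aaaa.bbbb.cccc.spaces.live.com/",
    "named_space": "http://familyphotos.spaces.live.com/",
    "no_slash":    "http://cid-0123456789abcdef.spaces.live.com",
}

def hits(uri):
    """Return the sorted labels of every rule whose regex matches uri."""
    return sorted(name for name, rx in RULES.items() if rx.search(uri))

def coverage():
    """Map each sample label to the rules that fire on it."""
    return {label: hits(uri) for label, uri in SAMPLES.items()}

if __name__ == "__main__":
    for label, fired in coverage().items():
        print(f"{label:12} {SAMPLES[label]:48} {', '.join(fired) or '-'}")
```

Only the hex-class pattern rejects the word_cid and dotted_cid samples, and every pattern except the first, which is the only one with /i and no trailing slash, misses the no_slash sample.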

Re: Live.space and Sourceforge

Posted by Michael Scheidell <sc...@secnap.net>.
> I've been getting a bit of spam recently via Sourceforge mailing lists
> that punts live.space websites. As this is easy to detect without
> running much risk of FPs, I've written a rule.....
> 

Getting so much spam, and no response from abuse@live.com.  Should just give
a 2.0 to uri rule and add 10 for the meta rule.

If live.com doesn't care how much spam is using their network why should we
care?

Yes, I know, users bitch.  :-)  darn users.

Thanks for the uri rule.  It is tighter than the one I cobbled together.

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

