Posted to users@spamassassin.apache.org by ji...@jidanni.org on 2008/12/24 23:41:55 UTC

"I have a new email address!" spam

Gentlemen, does one just keep on adding more regexps for each new language
edition of this the spammer makes? Any better way for this particular spam?

body J_NEW_ADDRESS /\xA7\xDA\xA6\xB3\xB7s\xAA\xBA\xB9q\xB6l\xA6a\xA7}\xA1I\xA7A\xB2{\xA5i\xB9q\xB6l\xB5\xB9\xA7\xDA|I have a new email address!You can now/

Re: "I have a new email address!" spam

Posted by mouss <mo...@netoyen.net>.
jidanni@jidanni.org wrote:
> m> those I looked at triggered JM_SOUGHT_FRAUD_1. so make sure you use the
> m> sought channel in your sa-update.
> 
> OK, I did all the research to find what it might be that you were
> talking about.
> 
> I completed the steps (some of them exposing how sa-update fails to
> catch a bumbling user):
> $ wget http://yerp.org/rules/GPG.KEY
> $ sa-update -D --import GPG.KEY
> $ sa-update -D sought.rules.yerp.org
> $ sa-update -D --no-gpg sought.rules.yerp.org
> $ sa-update -D --channel sought.rules.yerp.org
> 
> And at long last, finally, of course all was for naught:
> 
> 403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't
> have permission to access /rules/stage/320729494.tar.gz on this
> server.

try again.

Re: 'sought' rules take three times longer to run

Posted by ji...@jidanni.org.
MU> maybe using spamd and spamc is what you want...
But that would be a http://wiki.dreamhost.com/Persistent_Processes

Re: 'sought' rules take three times longer to run

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 27.12.08 08:51, jidanni@jidanni.org wrote:
> I took a look at Mail::SpamAssassin::Plugin::Shortcircuit, but what I
> really want to do is "if it is ham, run it through the expensive
> 'sought' extra tests, to see if it really is ham."
> 
> I.e., if the end result is below required_score, continue on into the
> "sought" tests.
> 
> Probably the only way to do that is via .procmailrc
> 
> :0fw
> |spamassassin --cf 'Do not run sought-rules'

maybe using spamd and spamc is what you want...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 

Re: 'sought' rules take three times longer to run

Posted by ji...@jidanni.org.
I took a look at Mail::SpamAssassin::Plugin::Shortcircuit, but what I
really want to do is "if it is ham, run it through the expensive
'sought' extra tests, to see if it really is ham."

I.e., if the end result is below required_score, continue on into the
"sought" tests.

Probably the only way to do that is via .procmailrc

:0fw
|spamassassin --cf 'Do not run sought-rules'
:0
*^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
Mail/almost-certainly-spam/
:0
*^X-Spam-Status: Yes
Mail/probably-spam/
:0fw
|spamassassin
:0
*^X-Spam-Status: Yes
Mail/probably-spam/

The only problem (besides 'house of cards') is that there is no way to
do --cf 'Do not run sought-rules' on the first spamassassin run. One
must instead tamper with the files sa-update --channel
sought.rules.yerp.org gets, removing sought_rules_yerp_org.cf and
putting its contents into a --cf string on the second spamassassin
run, thus complicating future sa-update runs.

'sought' rules take three times longer to run

Posted by ji...@jidanni.org.
OK, I have just finished
$ sa-update -D --no-gpg --channel sought.rules.yerp.org
And would just like to warn other users that 'sought' rules take three
times longer:
$ time spamassassin --local -t < a_typical_spam_message > /dev/null
real	0m14.081s
user	0m13.489s
sys	0m0.588s

Up from
real	0m4.954s
user	0m4.836s
sys	0m0.112s

> you can sa-compile them, perhaps

Well, just figuring out sa-update -D --no-gpg --channel sought.rules.yerp.org
was hard enough.

Re: "I have a new email address!" spam

Posted by Ned Slider <ne...@unixmail.co.uk>.
jidanni@jidanni.org wrote:
> m> those I looked at triggered JM_SOUGHT_FRAUD_1. so make sure you use the
> m> sought channel in your sa-update.
> 
> OK, I did all the research to find what it might be that you were
> talking about.
> 
> I completed the steps (some of them exposing how sa-update fails to
> catch a bumbling user):
> $ wget http://yerp.org/rules/GPG.KEY
> $ sa-update -D --import GPG.KEY
> $ sa-update -D sought.rules.yerp.org
> $ sa-update -D --no-gpg sought.rules.yerp.org
> $ sa-update -D --channel sought.rules.yerp.org
> 
> And at long last, finally, of course all was for naught:
> 
> 403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't
> have permission to access /rules/stage/320729494.tar.gz on this
> server.
> 

It does that from time to time (well, quite frequently lately) - try 
again later and it should succeed :-)
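
The update steps quoted above, as an added example that is not part of the original thread or of SpamAssassin itself: a wrapper that retries the transient 403 while keeping signature checking on, rather than falling back to --no-gpg. KEYID_PLACEHOLDER stands in for the channel key's ID, which the thread does not give; the function names, retry count and delay are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). KEYID_PLACEHOLDER must be replaced
# with the ID of the key imported from GPG.KEY; the thread does not state it.
SA_UPDATE=${SA_UPDATE:-sa-update}   # overridable so the logic can be tested
CHANNEL=${CHANNEL:-sought.rules.yerp.org}
KEYID=${KEYID:-KEYID_PLACEHOLDER}
RETRIES=${RETRIES:-5}               # assumed number of attempts
DELAY=${DELAY:-600}                 # assumed seconds between attempts

# One-time step: add the channel's public key to sa-update's keyring.
import_key() {
    "$SA_UPDATE" --import "$1"
}

# One signature-checked update of the channel. --gpgkey tells sa-update
# which imported key is trusted to sign this channel's rule archive.
update_once() {
    "$SA_UPDATE" --gpgkey "$KEYID" --channel "$CHANNEL"
}

# Retry failed downloads without ever dropping verification.
# sa-update exits 0 when an update was installed and 1 when nothing new
# was available; every other exit code is treated as a failure here.
# Returns 0 = rules updated, 1 = already current, 2 = gave up.
update_with_retry() {
    attempt=1
    while [ "$attempt" -le "$RETRIES" ]; do
        rc=0
        update_once || rc=$?
        case $rc in
            0) return 0 ;;
            1) return 1 ;;
        esac
        echo "attempt $attempt of $RETRIES: sa-update exited $rc" >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$RETRIES" ]; then
            sleep "$DELAY"
        fi
    done
    return 2
}
```

Run import_key once with the downloaded GPG.KEY, then call update_with_retry from cron. Because the key in the thread is fetched over plain HTTP, compare its fingerprint with one obtained from a separate source before importing it.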


Re: "I have a new email address!" spam

Posted by ji...@jidanni.org.
m> those I looked at triggered JM_SOUGHT_FRAUD_1. so make sure you use the
m> sought channel in your sa-update.

OK, I did all the research to find what it might be that you were
talking about.

I completed the steps (some of them exposing how sa-update fails to
catch a bumbling user):
$ wget http://yerp.org/rules/GPG.KEY
$ sa-update -D --import GPG.KEY
$ sa-update -D sought.rules.yerp.org
$ sa-update -D --no-gpg sought.rules.yerp.org
$ sa-update -D --channel sought.rules.yerp.org

And at long last, finally, of course all was for naught:

403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't
have permission to access /rules/stage/320729494.tar.gz on this
server.

Re: "I have a new email address!" spam

Posted by mouss <mo...@netoyen.net>.
jidanni@jidanni.org wrote:
> Gentlemen, does one just keep on adding more regexps for each new language
> edition of this the spammer makes? Any better way for this particular spam?
> 
> body J_NEW_ADDRESS /\xA7\xDA\xA6\xB3\xB7s\xAA\xBA\xB9q\xB6l\xA6a\xA7}\xA1I\xA7A\xB2{\xA5i\xB9q\xB6l\xB5\xB9\xA7\xDA|I have a new email address!You can now/

those I looked at triggered JM_SOUGHT_FRAUD_1. so make sure you use the
sought channel in your sa-update.

Re: "I have a new email address!" spam

Posted by Benny Pedersen <me...@junc.org>.
On Wed, December 24, 2008 23:41, jidanni@jidanni.org wrote:
> Gentlemen, does one just keep on adding more regexps for each new
> language edition of this the spammer makes? Any better way for this
> particular spam?

Freemail plugin hits it nicely, just add the domains in body if they're
missing a hit, spammers send from: web/isp accounts to another non
authed ones, that's why I got a new free one to receive all your
replies :)


-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098