Posted to users@spamassassin.apache.org by Tim Wesemann <ti...@voicenet.com> on 2005/04/14 21:17:31 UTC

0 Hits on blatant spam

I've been getting a lot of leak-through with 3.02 lately and I thought
this one was interesting, particularly that there are plenty of rules that
look for a certain word that rhymes with "truck" (YKWIM), but no header
rules that look for the word with an "ing" on the end of it.

I only see one body rule in 20_porn.cf that looks for this string in message
bodies, but it scores pretty low. I have a hunch that this word might be
somewhat common in ham, but rarely in the subject or anywhere else in the
headers of ham... here's a link to the message text:

http://www.timuel.com/badmessage.txt

Also, I can't find a complete list of which rules that I used in
2.64 were obsoleted by the 3.x series. Perhaps this would be good wiki
fodder. I will post the rules that I am left with after my migration to 3.02
(below my sig) and anyone who feels up to it can correct me. =]

Thanks...

--
Tim Wesemann



=== Rules that were left after upgrade to 3.02 ===
10_misc.cf
20_anti_ratware.cf
20_body_tests.cf
20_compensate.cf
20_dnsbl_tests.cf
20_drugs.cf
20_fake_helo_tests.cf
20_head_tests.cf
20_html_tests.cf
20_meta_tests.cf
20_phrases.cf
20_porn.cf
20_ratware.cf
20_uri_tests.cf
23_bayes.cf
25_body_tests_es.cf
25_hashcash.cf
25_spf.cf
25_uribl.cf
30_text_de.cf
30_text_fr.cf
30_text_nl.cf
30_text_pl.cf
50_scores.cf
60_whitelist.cf
70_sare_bayes_poison_nxm.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
70_sare_header0.cf
70_sare_header1.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_unsub.cf
70_sare_uri0.cf
70_sare_uri1.cf
70_sc_top200.cf
72_sare_redirect_post3.0.0.cf
88_FVGT_Bayes_Poison.cf
88_FVGT_body.cf
88_FVGT_subject.cf
88_FVGT_uri.cf
99_FVGT_Tripwire.cf
99_FVGT_meta.cf
99_sare_adult.cf
99_sare_biz_market_learn_post25x.cf
99_sare_fraud_post25x.cf
antidrug.cf
backhair.cf
bogus-virus-warnings.cf
cheat.cf
chickenpox.cf
evilnumbers.cf
languages
mangled.cf
mime_validate.cf
mr_wiggly.cf
random.current.cf
rnd_uc_char.cf
rolex.cf
useless.cf
weeds.cf
wordword.cf
x_headers.cf
=================================


Re: 0 Hits on blatant spam

Posted by Matt Kettler <mk...@evi-inc.com>.
Tim Wesemann wrote:

> I've been getting a lot of leak-through with 3.02 lately and I thought
> this one was interesting, particularly that there are plenty of rules
> that
> look for a certain word that rhymes with "truck" (YKWIM), but no header
> rules that look for the word with an "ing" on the end of it.
>
> I only see one body rule in 20_porn.cf that looks for this string in
> message
> bodies, but it scores pretty low. I have a hunch that this word might be
> somewhat common in ham, but rarely in the subject or anywhere else in the
> headers of ham... here's a link to the message text:
>
> http://www.timuel.com/badmessage.txt


It looks like you've mangled the headers a bit, making SA unable to do
DNSbl tests correctly when I test locally. However, it looks like that
message should hit SBL+XBL. 84.130.193.118 is listed.

It also should have hit several DUL tests, but that only works correctly
if your trusted_networks is working correctly.

If your MX Server is NATed, make sure you've got trusted_networks set up
right so SA applies the DNSBLs properly. If it's not, you might be OK,
but make sure SA trusts all your servers, and nothing more or less
than all your mailservers. DULs are applied to the most recent (i.e.
first if you work backwards in time through the Received chain)
untrusted host delivering to a trusted host. If SA doesn't trust the
right hosts, then these tests will miss their mark.

>
> Also, I can't find a complete list of what rules that I used in
> 2.64 were obsoleted by the 3.x series.

I can tell you for certain that antidrug.cf is obsoleted by the standard
20_drugs.cf. Remove the old outdated file.

> === Rules that were left after upgrade to 3.02 ===
> 10_misc.cf

<snip>

> 60_whitelist.cf

Please distinguish between rules that were "left" after the upgrade, and
rules that were installed by it. All of the above should be in
$PREFIX/share/spamassassin, and would have been installed by SA.

All of the below should be in /etc/mail/spamassassin, and would have
been untouched by the upgrade.

> 70_sare_bayes_poison_nxm.cf
>
<Snip>

> mime_validate.cf

Side note - I'd delete mime_validate.cf. It doesn't work correctly. The
author assumes that "rawbody" tests are run on the truly raw message
body, which is not true. The message has already been base64 and QP
decoded, so the rules will misfire on properly encoded mail which
contains properly encoded unicode, or binary attachments.

Every rule in that ruleset requires considerable rework. It's an
interesting experiment, but it's unfortunately written without
consideration for what SA does to normalize the content message before
feeding it to rules.
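The trusted_networks point above, as an added example that is not from the thread or from SpamAssassin itself: a simplified model of how the "last external relay" is chosen by walking the Received chain from the most recent hop backwards until the first address that is not in trusted_networks. The Received headers, the hostnames and the private 10.0.0.5 address of the NATed MX are constructed for the example; 84.130.193.118 is the listed address Matt mentions; `dnsbl.example` is a placeholder zone, not a real list. The second configuration shows the NAT failure mode: trusted_networks lists the MX's public address, but the headers show the MX under its private address, so the MX itself is picked as the "external" host and the real sender is never queried.

```python
import ipaddress
import re

# Constructed sample Received chain for one message, most recent hop first, in the
# order the headers appear top-down in the message. The MX is behind NAT, so the
# next internal hop records the MX under its private address 10.0.0.5.
SAMPLE_RECEIVED = [
    "from mx.example.net (mx.example.net [10.0.0.5]) by imap.example.net (Postfix) with ESMTP id A1",
    "from p54C1.dip.example.org (unknown [84.130.193.118]) by mx.example.net (Postfix) with ESMTP id B2",
    "from [192.168.1.23] (unknown [192.168.1.23]) by p54C1.dip.example.org with SMTP id C3",
]

# The address the receiving MTA recorded in parentheses after the HELO name
# (Postfix/Sendmail style). The HELO string itself is sender-controlled and ignored.
RELAY_IP_RE = re.compile(r"\(\S*\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def relay_ip(received):
    """Return the connecting client's IP from one Received header, or None."""
    m = RELAY_IP_RE.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None


def parse_trusted_networks(spec):
    """Parse a whitespace-separated trusted_networks value such as '10.0.0.0/8 203.0.113.10/32'."""
    return [ipaddress.ip_network(n, strict=False) for n in spec.split()]


def last_external_relay(received_headers, trusted_networks):
    """Walk from the most recent hop backwards in time and return the first relay
    address that is NOT in trusted_networks: the untrusted host that handed the
    message to a trusted one. That is the address a DNSBL/DUL check should query."""
    nets = parse_trusted_networks(trusted_networks)
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None:
            continue  # unparsable hop: skipped in this simplified model
        if not any(ip in n for n in nets):
            return str(ip)
    return None  # every hop trusted: nothing external to look up


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup queries: 4.3.2.1.<zone> for 1.2.3.4."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_globally_routable(ip):
    """Private or loopback addresses can never be meaningfully listed on a public DNSBL,
    so picking one as the 'external' relay means the lookup is wasted."""
    return ipaddress.ip_address(ip).is_global


if __name__ == "__main__":
    zone = "dnsbl.example"  # placeholder zone name, not a real list
    for cfg in ("10.0.0.0/8", "203.0.113.10/32"):
        ext = last_external_relay(SAMPLE_RECEIVED, cfg)
        print(f"trusted_networks {cfg!r}: last external relay = {ext}, "
              f"query {dnsbl_query_name(ext, zone)}, routable={is_globally_routable(ext)}")
```

With `trusted_networks 10.0.0.0/8` the first untrusted hop is 84.130.193.118 and the lookup goes to the right place; with only the public address listed, 10.0.0.5 is chosen and the query name is built from a private address that no list will ever answer for. The check to make against a real setup is that every address your own relays are recorded under in Received headers, private or public, is covered by trusted_networks.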
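The rawbody point above, as an added example that is neither from the thread nor from mime_validate.cf (whose actual rules are not shown here): a constructed quoted-printable message is checked by a stand-in rule that counts `=XX` transport-encoding sequences, first against the bytes on the wire and then against the body after Python's `email` module has decoded it, which models the normalisation Matt describes. The message, the rule and the function names are all assumptions for the example.

```python
import email
import re
from email import policy

# Constructed raw message: a text part sent as quoted-printable carrying UTF-8 accents.
RAW_MESSAGE = b"""From: sender@example.net
To: you@example.net
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Caf=C3=A9 au lait, s'il vous pla=C3=AEt.
"""

# Stand-in for a rule written against the transport encoding: it looks for
# quoted-printable escapes, which only exist before the body is decoded.
QP_ESCAPE = re.compile(rb"=[0-9A-F]{2}")


def qp_sequences_in_wire_bytes(raw):
    """Count =XX escapes in the undecoded bytes: what the rule author expected to scan."""
    return len(QP_ESCAPE.findall(raw))


def decoded_body(raw):
    """Return the body after MIME transfer decoding (base64/QP removed, charset bytes kept)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_payload(decode=True)


def qp_sequences_in_decoded_body(raw):
    """Count =XX escapes in the decoded body: what a rule actually gets to see."""
    return len(QP_ESCAPE.findall(decoded_body(raw)))


if __name__ == "__main__":
    print("on the wire:", qp_sequences_in_wire_bytes(RAW_MESSAGE))
    print("after decoding:", qp_sequences_in_decoded_body(RAW_MESSAGE))
    print("decoded text:", decoded_body(RAW_MESSAGE).decode("utf-8"))
```

The escapes are present on the wire and gone after decoding, so a rule that expects to see them never fires on correctly encoded mail, and a rule that penalises "suspicious" high-bit bytes fires on every properly encoded accented character or attachment once the encoding has been stripped, which is the misfire described above.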



Re: 0 Hits on blatant spam

Posted by John Wilcock <jo...@tradoc.fr>.
Jeff Chan wrote:
> The spam advertises a presumptive porn site on geocities.

Yep - I've been seeing a lot of those too (and forwarding them to abuse@
geocities.com). Luckily the spammers have been consistent (at least so
far) in how they name the sites, so the rule below does the trick...

> uri      local_GEOCITIES_NUM	/www\.geocities\.com\/[a-z_]{4,20}_\d{2}/i
> describe local_GEOCITIES_NUM	URI to geocities site ending in underscore and two digits
> score    local_GEOCITIES_NUM	2.0

John.

-- 
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
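The local_GEOCITIES_NUM rule from John's post, exercised as an added example that is not part of the thread or of SpamAssassin: the pattern is carried over verbatim as a Python regex, applied to URIs pulled from a constructed message body, and scored once per message the way a SpamAssassin rule fires by default. The sample URIs, the body text and the helper names are constructed for the example; the last test case shows a caveat of the pattern that the post does not mention.

```python
import re

# The uri rule from the post, carried over verbatim: /i becomes re.I.
LOCAL_GEOCITIES_NUM = re.compile(r"www\.geocities\.com/[a-z_]{4,20}_\d{2}", re.I)
RULE_SCORE = 2.0

# Minimal URI extractor standing in for SpamAssassin's own URI parsing.
URI_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def extract_uris(body):
    """Return every http(s) URI found in a message body."""
    return URI_RE.findall(body)


def rule_matches(uri):
    """True when the geocities naming pattern appears anywhere in the URI."""
    return LOCAL_GEOCITIES_NUM.search(uri) is not None


def uri_hits(body):
    """URIs in the body that hit the rule."""
    return [u for u in extract_uris(body) if rule_matches(u)]


def score(body):
    """A rule contributes its score once per message, however many URIs match."""
    return RULE_SCORE if uri_hits(body) else 0.0


# Constructed sample bodies.
SPAM_BODY = (
    "Hot new pics!!! http://www.geocities.com/hot_babes_42/index.html\n"
    "and more at http://WWW.GEOCITIES.COM/Hot_Babes_43/\n"
)
HAM_BODY = "My page moved to http://www.geocities.com/myhomepage/ last week.\n"

if __name__ == "__main__":
    for body in (SPAM_BODY, HAM_BODY):
        print(score(body), uri_hits(body))
    # Caveat: a trailing year also satisfies _\d{2}, so this legitimate-looking
    # path matches as well. Worth knowing before raising the score.
    print(rule_matches("http://www.geocities.com/my_page_2005"))
```

The pattern requires at least four name characters before the underscore-plus-two-digits suffix, so `ab_12` does not hit, but any run of two or more digits after an underscore does, including a four-digit year. A 2.0 score is a reasonable hedge for exactly that reason; the rule is meant to push a message over the threshold together with other hits, not to stand alone.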



Re: 0 Hits on blatant spam

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, April 14, 2005, 12:17:31 PM, Tim Wesemann wrote:
> I've been getting a lot of leak-through with 3.02 lately and I thought
> this one was interesting, particularly that there are plenty of rules that
> look for a certain word that rhymes with "truck" (YKWIM), but no header
> rules that look for the word with an "ing" on the end of it.

...

The spam advertises a presumptive porn site on geocities.

Please forward the spam to yahoo so they can shut it down:

  geo-abuse@ yahoo-inc.com  (without the space)

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/