You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk> on 2009/10/27 17:46:45 UTC

Low Score - {Brazillian Host} Lottery Spam

Anyone else seeing these today? Or seen them recently?

http://pastebin.com/m4e25954f

score=0.1

Subject was real neat: 
Subject: =?ISO-8859-1?B?WW91IFdvbiCjMQ==?=,750,000.00 GBP

You Won £750,000.00 GBP {surprised this did not bite}


End of the message is missing on the five of them that I've had (not a
paste error).

Re: Low Score - {Brazillian Host} Lottery Spam

Posted by Benny Pedersen <me...@junc.org>.

On tir 27 okt 2009 18:27:24 CET, John Hardin wrote

> Contact me offlist if you want to install the sandbox rules for  
> them, I'll give you instructions.

undisclosed recipient with a freemail body hit

if i won why would i not be in the to:

:)

-- 
xpoint

Re: Low Score - {Brazillian Host} Lottery Spam

Posted by John Hardin <jh...@impsec.org>.

On Tue, 27 Oct 2009, richard@buzzhost.co.uk wrote:

> Anyone else seeing these today? Or seen them recently?
>
> http://pastebin.com/m4e25954f

I get lots like them. I'm working on updating the Advance Fee rules, but 
they won't be released until 3.3.1

In my testbed with sandbox rules, that got:

  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.5 LOTTO_AGENT            BODY: Claims Agent
  1.0 FILL_THIS_FORM_LONG    BODY: Fill in a form with personal information
  1.0 LOTTO_YOU_WON          You won!
  0.0 LOTS_OF_MONEY          Huge... sums of money
  1.0 FILL_THIS_FORM         Fill in a form with personal information
  0.5 FILL_THIS_FORM_LOAN    Answer loan question(s)
  1.0 ADVANCE_FEE_2_NEW      Appears to be advance fee fraud (Nigerian 419)
  3.0 MONEY_FORM             Lots of money if you fill out a form
  1.0 ADVANCE_FEE_3_NEW      Appears to be advance fee fraud (Nigerian 419)
  1.5 MONEY_LOTTERY          Lots of money from a lottery
  0.2 MONEY_FRAUD            Lots of money and any of the fraud rules
  1.0 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
  1.0 ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
  1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
  1.0 ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
  1.0 ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud and lots of money
  1.0 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud and lots of money
  0.2 FORM_FRAUD             Fill a form and any of the fraud rules

Yes, there's some overlap; these _are_ testing rules, after all...

Contact me offlist if you want to install the sandbox rules for them, I'll 
give you instructions.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  4 days until Halloween

Re: Low Score - {Brazillian Host} Lottery Spam

Posted by John Hardin <jh...@impsec.org>.

On Tue, 27 Oct 2009, Adam Katz wrote:

> richard@buzzhost.co.uk wrote:
>>
>> You Won £750,000.00 GBP {surprised this did not bite}
>
> Interesting.  I'm also surprised that doesn't hit one of the many
> large-sum money checks.

The existing ones are weak w/r/t non-USD currencies. That's one reason I 
started on the lotsa_money stuff.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  4 days until Halloween

Re: Low Score - {Brazillian Host} Lottery Spam

Posted by Adam Katz <an...@khopis.com>.

richard@buzzhost.co.uk wrote:
> Anyone else seeing these today? Or seen them recently?
> 
> http://pastebin.com/m4e25954f
> 
> score=0.1
> 
> Subject was real neat: 
> Subject: =?ISO-8859-1?B?WW91IFdvbiCjMQ==?=,750,000.00 GBP
> 
> You Won £750,000.00 GBP {surprised this did not bite}
> 
> 
> End of the message is missing on the five of them that I've had
> (not a paste error).

Interesting.  I'm also surprised that doesn't hit one of the many
large-sum money checks.  Scored 5.2 for me (bayes_99 plus a few custom
rules of questionable utility).

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name          description
---- ------------------ -------------------------------------
 3.9 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
                        [score: 0.9998]
 0.6 KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
-0.0 SPF_PASS           SPF: sender matches SPF record
 0.8 FROM_NOT_REPLY     From: and Reply-To: have different domains
 0.0 KHOP_NO_FULL_NAME  Sender does not have both First and Last names
 0.0 KHOP_NEW_TO_ME     New sender in new thread

Note that FROM_NOT_REPLY and KHOP_NEW_TO_ME are non-published rules.
The former requires a plugin.  KHOP_NO_FULL_NAME (now in khop-lists)
is zeroed and KHOP_SC_TOP_CIDR8 (from khop-sc-neighbors) is arguably
unfair given its broad range (though it certainly did its work here).