Posted to users@spamassassin.apache.org by Razvan Cosma <ra...@telemach.com> on 2006/04/20 14:28:18 UTC

Re: one SPAM

 Hi everyone,
I am flooded with HTML-formatted messages with some strange characters in the headers, and don't know how to catch them.
Body formatting varies slightly, text remains the same. 
Subject is always Re: <one word> one.
The URL changes very often (looks like automatically-created accounts on free hosts which simply redirect to the spammer site).
Thanks for any hints.


Subject: Re: dyqyu one
Date: Thu, 20 Apr 2006 15:01:41 퍽
Message-ID: <00...@khg80>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: dyqyu one
Thread-Index: AcZkckjcIzdTlijWTHᾜग़✌==
From: "Totty Bellard" <be...@agrotrade.net>
To: <mi...@telemach.com>
Reply-To: "Totty Bellard" <be...@agrotrade.net>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>

<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>

</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>De<FONT style="
	float
:
right"> c </FONT>ar Home O<FONT style="
	float
:
right"> r </FONT>wne<FONT style="
	float
:
right"> l </FONT>r , <BR>
&nbsp; <BR>
Your c<FONT style="
	float
:
right"> x </FONT>red<FONT style="
	float
:
right"> i </FONT>it doesn't matter to us ! <BR>
If you O<FONT style="
	float
:
right"> o </FONT>WN real e<FONT style="
	float
:
right"> f </FONT>st<FONT style="
	float
:
right"> o </FONT>at<FONT style="
	float
:
right"> o </FONT>e and want I<FONT style="
	float
:
right"> g </FONT>MMEDI<FONT style="
	float
:
right"> r </FONT>AT<FONT style="
	float
:
right"> k </FONT>E <BR>
cas<FONT style="
	float
:
right"> c </FONT>h to sp<FONT style="
	float
:
right"> w </FONT>en<FONT style="
	float
:
right"> h </FONT>d ANY way you like, <BR>
or simply wish to L<FONT style="
	float
:
right"> o </FONT>OWER your monthly p<FONT style="
	float
:
right"> o </FONT>ayment<FONT style="
	float
:
right"> q </FONT>s <BR>
by a third or more, here are the d<FONT style="
	float
:
right"> w </FONT>eals <BR> we have T<FONT style="
	float
:
right"> y </FONT>ODA<FONT style="
	float
:
right"> l </FONT>Y : <BR>

&nbsp; <BR>
$ 4<FONT style="
	float
:
right"> y </FONT>88 , 000 - 3<FONT style="
	float
:
right"> w </FONT> , 67% f<FONT style="
	float
:
right"> g </FONT>ixed - ra<FONT style="
	float
:
right"> j </FONT>te <BR>
$ 37<FONT style="
	float
:
right"> b </FONT>2 , 000 - 3 <FONT style="
	float
:
right"> c </FONT>, 90% v<FONT style="
	float
:
right"> w </FONT>ariab<FONT style="
	float
:
right"> f </FONT>le - ra<FONT style="
	float
:
right"> r </FONT>te <BR>
$ 49<FONT style="
	float
:
right"> o </FONT>2 , 000 - 3 , <FONT style="
	float
:
right"> i </FONT>21% inte<FONT style="
	float
:
right"> v </FONT>re<FONT style="
	float
:
right"> g </FONT>st - only <BR>
$ 24<FONT style="
	float
:
right"> k </FONT>8 , 000 - 3<FONT style="
	float
:
right"> h </FONT> , 36% fi<FONT style="
	float
:
right"> i </FONT>xed - rat<FONT style="
	float
:
right"> o </FONT>e <BR>
$ 1<FONT style="
	float
:
right"> s </FONT>98 , 000 - 3 ,<FONT style="
	float
:
right"> j </FONT> 55% va<FONT style="
	float
:
right"> c </FONT>riable - rat<FONT style="
	float
:
right"> y </FONT>e <BR>

&nbsp; <BR>
Hurr<FONT style="
	float
:
right"> g </FONT>y, when these d<FONT style="
	float
:
right"> w </FONT>eal<FONT style="
	float
:
right"> i </FONT>s are gone, they are gone !<BR>
&nbsp; <BR>
Don't worry about a<FONT style="
	float
:
right"> j </FONT>ppr<FONT style="
	float
:
right"> a </FONT>ova<FONT style="
	float
:
right"> l </FONT>l, <BR> your c<FONT style="
	float
:
right"> b </FONT>redi<FONT style="
	float
:
right"> g </FONT>t will 
not di<FONT style="
	float
:
right"> i </FONT>sq<FONT style="
	float
:
right"> b </FONT>uali<FONT style="
	float
:
right"> k </FONT>fy you ! <BR> &nbsp; <BR> 

<A href="http://www.Ismenoneplesps.itgo.com/">co<FONT style="
	float
:
right"> x </FONT>mplete e<FONT style="
	float
:
right"> u </FONT>asy w<FONT style="
	float
:
right"> b </FONT>eb for<FONT style="
	float
:
right"> g </FONT>m</A><BR> &nbsp; <BR>
Sincerely, Totty Bellard <BR> &nbsp; <BR>
A<FONT style="
	float
:
right"> q </FONT>ppr<FONT style="
	float
:
right"> m </FONT>ov<FONT style="
	float
:
right"> e </FONT>al Manager<BR></FONT></DIV></BODY></HTML>


new rules here (was Re: span float obfuscation)

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello Kenneth-san.

From: Kenneth Porter <sh...@sewingwitch.com>
Subject: Re: span float obfuscation
Date: Mon, 01 May 2006 07:53:12 -0700

> On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
> wrote:
> 
> > BTW, I have more rules for catching various types of spam.
> > Which is better for posting new rules?
> >  (1) first, posting new rules to this users ML, next, posting to Bugzilla
> >  (2) directly posting new rules to Bugzilla
> 
> I'd post to bugzilla, after first looking to see if someone's already 
> posted either a similar rule or a methodology that eliminates the need for 
> the rule.

Thank you for your advice.
So I've posted two kinds of rules.

Everyone on this ML, please test them.
The rules below are for detecting some types of Japanese spam.

(1) Another way of doing RCVD_ILLEGAL_IP
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4459

# The first alternative also flags first octets 96-120 and 223-255, not only values over 255.
header FORGED_RCVD_IP Received =~ /(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
describe FORGED_RCVD_IP Invalid IP address in Received, octet over 255
score FORGED_RCVD_IP 2.5

(2) Detecting the same HELO and BY
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4889

# The lookahead skips loopback and RFC 1918 sources; 10/8 must be a top-level
# alternative (nested under 172\. it never excludes anything). \7 is the helo= capture.
header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\7/
describe HELO_BY_SAME HELO is the same as the receiving MTA's FQDN
score HELO_BY_SAME 1.5

header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
describe HELO_BY_PARTIALSAME HELO is the same as the receiving MTA's domain
score HELO_BY_PARTIALSAME 1.5
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)
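
To check what the two posted rule sets actually match, here is an added example (not code from the thread or from SpamAssassin) that transcribes the regexes to Python, which accepts the same syntax, and runs them over constructed X-Spam-Relays-Untrusted entries and Received: headers. The entries are made up in the "[ ip= rdns= helo= by= ... ]" layout SpamAssassin writes for that pseudo-header, with documentation addresses, and the function and variable names are mine. The lookahead is kept in two forms: with 10/8 as a top-level alternative, and nested under 172\. as in the original posting, where it excludes nothing, so a 10.x.x.x relay whose HELO equals its own name gets scored.

```python
"""Run the HELO/BY and over-255 rules from the post over constructed relay
and Received strings.

Added example, not code from the thread. Relay entries are made up in the
"[ ip= rdns= helo= by= ... ]" layout SpamAssassin uses for
X-Spam-Relays-Untrusted; hostnames and addresses are documentation values.
"""
import re

# FORGED_RCVD_IP as posted. Its first alternative also fires on first octets
# 96-120 and 223-255, which were unassigned or reserved in 2006.
FORGED_RCVD_IP = re.compile(
    r"(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]"
    r"|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}"
    r"|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})"
    r"|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))"
)

# Negative lookahead that skips loopback and RFC 1918 sources, with 10/8 as a
# top-level alternative ...
PRIVATE = (
    r"(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}"
    r"|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))"
)
# ... and the grouping as originally posted, where 10/8 sits under "172\."
# and therefore never excludes anything.
POSTED_PRIVATE = (
    r"(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}"
    r"|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))"
)


def helo_by_rules(private: str):
    """HELO_BY_SAME and HELO_BY_PARTIALSAME built on the given lookahead.
    Backreference 7 is the helo= capture: five groups sit inside the
    lookahead, one covers the trailing octets, then comes the helo group."""
    relay = (r"ip=" + private
             + r"\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=")
    return re.compile(relay + r"\7"), re.compile(relay + r"[\w\.]+\7")


HELO_BY_SAME, HELO_BY_PARTIALSAME = helo_by_rules(PRIVATE)


def relay_score(relay: str, same=HELO_BY_SAME, partial=HELO_BY_PARTIALSAME) -> float:
    """Points the post assigns (1.5 per rule) for one untrusted relay entry."""
    return 1.5 * bool(same.search(relay)) + 1.5 * bool(partial.search(relay))


def forged_rcvd_ip(received: str) -> bool:
    """True when FORGED_RCVD_IP fires on a Received: header value."""
    return FORGED_RCVD_IP.search(received) is not None


# Constructed X-Spam-Relays-Untrusted entries.
RELAYS = {
    "same": "[ ip=203.0.113.7 rdns=mail.example.net helo=mail.example.net "
            "by=mail.example.net ident= envfrom= intl=0 id=1ABC auth= msa=0 ]",
    "partial": "[ ip=198.51.100.9 rdns=host9.example.org helo=example.org "
               "by=mx.example.org ident= envfrom= intl=0 id=2DEF auth= msa=0 ]",
    "private": "[ ip=10.1.2.3 rdns= helo=relay.corp.example "
               "by=relay.corp.example ident= envfrom= intl=0 id=3 auth= msa=0 ]",
}

# Constructed Received: header values.
RECEIVED = {
    "over255": "from foo.example ([10.300.1.1]) by mx.example.org",
    "clean": "from bar.example ([198.51.100.4]) by mx.example.org",
    "bogon2006": "from baz.example ([100.64.3.2]) by mx.example.org",
}
```

The two HELO rules are disjoint: an exact match scores only HELO_BY_SAME, because PARTIALSAME needs at least one character in front of the HELO string inside by=. The third Received: sample shows that FORGED_RCVD_IP's first alternative also fires on first octets 96-120 and 223-255, not only on values over 255; those ranges were unassigned or reserved when the rule was written but most of them are routable today, so that half of the rule is a false-positive source on a modern mail stream.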

Re: span float obfuscation

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
wrote:

> BTW, I have more rules for catching various types of spam.
> Which is better for posting new rules?
>  (1) first, posting new rules to this users ML, next, posting to Bugzilla
>  (2) directly posting new rules to Bugzilla

I'd post to bugzilla, after first looking to see if someone's already 
posted either a similar rule or a methodology that eliminates the need for 
the rule.



Re: span float obfuscation

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Kenneth-san, thank you for your kind advice.
I've posted new rules to Bugzilla.
But, it's a little bit difficult for me. ^^;

BTW, I have more rules for catching various types of spam.
Which is better for posting new rules?
 (1) first, posting new rules to this users ML, next, posting to Bugzilla
 (2) directly posting new rules to Bugzilla

From: Kenneth Porter <sh...@sewingwitch.com>
Subject: Re: span float obfuscation
Date: Fri, 28 Apr 2006 10:05:56 -0700

> On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
> wrote:
> 
> > May I post my rules to Bugzilla?
> 
> Sounds good to me. I would have done so myself but wanted to make sure you 
> get attribution. You'll probably want to subscribe to the -devel list as 
> all bugzilla traffic goes through there. And as the wiki page recommends, 
> attach a sample spam to illustrate what the rule is supposed to catch.
> 
> Once the rule is captured in bugzilla, a dev can get it into the automated 
> testing sandbox and we can see how the rule performs on their corpora.
> 
> 


Re: span float obfuscation

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Saturday, April 29, 2006 1:48 AM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
wrote:

> May I post my rules to Bugzilla?

Sounds good to me. I would have done so myself but wanted to make sure you 
get attribution. You'll probably want to subscribe to the -devel list as 
all bugzilla traffic goes through there. And as the wiki page recommends, 
attach a sample spam to illustrate what the rule is supposed to catch.

Once the rule is captured in bugzilla, a dev can get it into the automated 
testing sandbox and we can see how the rule performs on their corpora.



Re: span float obfuscation

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello, Kenneth-san and all spamassassiners.

From: Kenneth Porter <sh...@sewingwitch.com>
Subject: span float obfuscation (was: <something> one SPAM)
Date: Fri, 28 Apr 2006 07:52:25 -0700

> On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
> wrote:
> 
> > describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d
> > </span>
> 
> Thanks, I was looking for a rule for this. Have you considered submitting 
> it to the devs?

No, I've not yet.

> <http://wiki.apache.org/spamassassin/ContributingNewRules>

May I post my rules to Bugzilla?

span float obfuscation (was: one SPAM)

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Sunday, April 23, 2006 3:36 PM +0900 MATSUDA Yoh-ichi <yo...@flcl.org> 
wrote:

> describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d
> </span>

Thanks, I was looking for a rule for this. Have you considered submitting 
it to the devs?

<http://wiki.apache.org/spamassassin/ContributingNewRules>

Re: one SPAM

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello, Razvan-san.

I searched my mailbox for this ML for "span float" spam, and found your mail.

From: Razvan Cosma <ra...@telemach.com>
Subject: Re: <something> one SPAM
Date: Thu, 20 Apr 2006 15:48:20 +0300

> Hi,
> 
> Michael Monnerie wrote:
> > On Donnerstag, 20. April 2006 14:28 Razvan Cosma wrote:
> >   
> >> Body formatting varies slightly, text remains the same.
> >>     
> >
> > Then write some body rules that catch the text.
> >
> >   
> I have no idea how to do that..
> what the user reads on the screen is
> "Your credit doesn't matter to us !"
> and the text seen after the HTML is parsed is something like:
> "Your c v redi y t doew bsn't mat ter to us !"
> with variations. The idea is that random characters are placed on the
> right of the screen with <FONT style="float:right">, and this tag is
> split on several lines.
> Is there any way to define a multiline rule in spamassassin?

The only way to match a multiline pattern is a 'full' rule.
But 'full' matches the whole mail message object,
which is the raw, undecoded message.

Example:

full ___OBFUSCATING_FLOAT /<span style=\"border: 0px\; float\n: right\"> \w <\/span>/

The above rule can't match a quoted-printable encoded message.

So I wrote the following:

rawbody ___OBFUSCATING_FLOAT0 /<span style=\"border: 0px\; float/
rawbody ___OBFUSCATING_FLOAT1 /^: right\"> \w <\/span>/
meta OBFUSCATING_FLOAT ___OBFUSCATING_FLOAT0 && ___OBFUSCATING_FLOAT1 
describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d </span>
score OBFUSCATING_FLOAT 1.5

rawbody FLOATGEOCITIES /^<A href=\"http:\/\/geocities\.com\/\w+\/\">\w+<span style=\"border: 0px\; float/
describe FLOATGEOCITIES <A href="http://geocities.com/GabicRectohoate/">V<span style="border: 0px; float
score FLOATGEOCITIES 2.0
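
The difference between the 'full' attempt and the rawbody/meta version above, as an added example that is not part of the thread: a constructed single-part message carries the split <span> in a quoted-printable body, and the three rules are transcribed to Python regexes (same syntax, the unnecessary backslashes dropped). How SpamAssassin feeds text to rawbody rules is modelled as one multiline search over the transfer-decoded body; treat that as an assumption about SpamAssassin internals, not a statement of them. The addresses in the headers are placeholders.

```python
"""Why a 'full' rule misses the split tag in a quoted-printable body while
the two line-anchored 'rawbody' subrules ANDed in a 'meta' still catch it.

Added example, not code from the thread. The message is constructed, and
the way SpamAssassin hands text to rawbody rules is modelled here as one
MULTILINE search over the transfer-decoded body (an assumption).
"""
import quopri
import re

# Constructed HTML as the spammer wrote it: the style attribute is broken
# across two lines so the tag text and the visible text never share a line.
BODY_HTML = (
    '<A href="http://geocities.com/GabicRectohoate/">V<span style="border: 0px; float\n'
    ': right"> d </span>isit our site today<BR>\n'
)

# The thread's rules, transcribed to Python bytes regexes.
FULL_RULE = re.compile(rb'<span style="border: 0px; float\n: right"> \w </span>')
RAWBODY_0 = re.compile(rb'<span style="border: 0px; float')
RAWBODY_1 = re.compile(rb'^: right"> \w </span>', re.M)
FLOATGEOCITIES = re.compile(
    rb'^<A href="http://geocities\.com/\w+/">\w+<span style="border: 0px; float', re.M)


def build_raw_message(body_html: str) -> bytes:
    """Constructed single-part message, body quoted-printable encoded."""
    headers = (
        b'From: "Totty Bellard" <bellard@example.invalid>\n'   # placeholder address
        b"Subject: Re: dyqyu one\n"
        b"Content-Type: text/html; charset=us-ascii\n"
        b"Content-Transfer-Encoding: quoted-printable\n\n"
    )
    return headers + quopri.encodestring(body_html.encode("ascii"))


def decoded_body(raw: bytes) -> bytes:
    """What a rawbody rule sees: the body with the transfer encoding undone
    and the HTML tags still in place (only 'body' rules get rendered text)."""
    _, _, body = raw.partition(b"\n\n")
    return quopri.decodestring(body)


def full_rule_hits(raw: bytes) -> bool:
    """'full' matches the pristine message; QP turns '=' into '=3D' and adds
    soft line breaks, so the exact tag text is never present."""
    return FULL_RULE.search(raw) is not None


def obfuscating_float_meta(raw: bytes) -> bool:
    """meta OBFUSCATING_FLOAT: both line-anchored subrules must match."""
    body = decoded_body(raw)
    return RAWBODY_0.search(body) is not None and RAWBODY_1.search(body) is not None


def floatgeocities(raw: bytes) -> bool:
    """The FLOATGEOCITIES rawbody rule on the decoded body."""
    return FLOATGEOCITIES.search(decoded_body(raw)) is not None
```

The point of the two subrules is that each one is anchored to a single line of the decoded body, so neither has to spell out the line break; the meta then requires both. A rule that embeds the newline itself, as the 'full' one does, is tied to one particular encoding of the body, and the encoded form also has '=3D' where the rule expects '=', which is the first thing that breaks it.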

Re: one SPAM

Posted by Razvan Cosma <ra...@telemach.com>.
Hi,

Michael Monnerie wrote:
> On Donnerstag, 20. April 2006 14:28 Razvan Cosma wrote:
>   
>> Body formatting varies slightly, text remains the same.
>>     
>
> Then write some body rules that catch the text.
>
>   
I have no idea how to do that.
what the user reads on the screen is
"Your credit doesn't matter to us !"
and the text seen after the HTML is parsed is something like:
"Your c v redi y t doew bsn't mat ter to us !"
with variations. The idea is that random characters are placed on the
right of the screen with <FONT style="float:right">, and this tag is
split on several lines.
Is there any way to define a multiline rule in spamassassin?

>> The URL changes very often
>>     
>
> You could put all URLs into one rule.
>
>   
Sure, but as stated they change very fast - one URL is only valid for
let's say 2-3 hours.


Thanks
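
What the reader sees versus what a CSS-unaware parser sees, as an added example rather than code from the thread: a constructed fragment in the style of the sample, with the style attribute split across lines, is run through a naive tag stripper and through a small html.parser subclass that drops the contents of any element styled float:right. SpamAssassin's body text is produced without applying CSS, which is why a body rule for the visible phrase never fires; the class and function names here are mine.

```python
"""Recover the on-screen text of a float:right letter-salad message.

Added example, not code from the thread. The HTML is a constructed fragment
in the style of the sample; SpamAssassin's own HTML-to-text rendering does
not apply CSS, so a 'body' rule sees the junk letters.
"""
import re
from html.parser import HTMLParser

# Constructed fragment: the style attribute is split across lines as in the spam.
SAMPLE_HTML = (
    '<DIV><FONT face=Arial size=2>Your c<FONT style="\n\tfloat\n:\nright"> x '
    "</FONT>red<FONT style=\"\n\tfloat\n:\nright\"> i </FONT>it doesn't matter "
    "to us ! <BR></FONT></DIV>"
)

VOID_TAGS = {"br", "hr", "img", "meta"}   # elements that never get a closing tag


def naive_text(html: str) -> str:
    """Tags stripped, CSS ignored: what a renderer without layout produces."""
    return " ".join(re.sub(r"<[^>]*>", "", html).split())


class FloatAwareStripper(HTMLParser):
    """Drop the text of every element styled float:right, keep everything else."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.hidden_stack = []   # one bool per open element
        self.hidden_depth = 0    # how many float:right elements enclose us

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = re.search(r"float\s*:\s*right", style, re.I) is not None
        self.hidden_stack.append(hidden)
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if self.hidden_stack and self.hidden_stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)


def rendered_text(html: str) -> str:
    """The text a reader sees once the floated letters are pushed to the margin."""
    parser = FloatAwareStripper()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split())


# A body rule written for the visible phrase only works on the rendered text.
PHRASE = re.compile(r"Your credit doesn't matter to us", re.I)


def phrase_rule_hits(text: str) -> bool:
    """True when the visible-phrase rule fires on the given text."""
    return PHRASE.search(text) is not None
```

rendered_text() is a cheap approximation of what a layout engine does (it ignores clear:, absolute positioning and similar), so it is a way to confirm the trick and to produce body-rule test text, not a substitute for matching the markup itself, which is where the thread ends up.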


Re: one SPAM

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 20 Apr 2006, Razvan Cosma wrote:

> Date: Thu, 20 Apr 2006 15:01:41 퍽

The cruft in the Date: header may be a good spam sign.

> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 

Those two headers being present and empty may be a very good spam
sign.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Senator, when you took your oath of office, you placed your hand on
 the Bible and swore to uphold the Constitution. You didn't place your
 hand on the Constitution and swear to uphold the Bible.
                    -- Jamie Raskin, Professor of Law at American
                    University, testifying before the Maryland Senate
-----------------------------------------------------------------------
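
The two observations above as a check, added here and not taken from the thread: a constructed copy of the sample's header block (placeholder address, the Message-ID left out) is parsed with the standard library and tested for a Date: value that lacks the RFC 5322 shape and for the two Exchange headers being present but empty. The rule names are mine.

```python
"""Two header heuristics from the reply above, run over a constructed copy
of the sample's headers. Added example, not code from the thread."""
import email
import re

# Constructed header block modelled on the sample in the thread: the Date:
# carries non-ASCII garbage where the zone belongs, and the two Exchange
# headers are present but empty. The address is a placeholder.
SAMPLE_HEADERS = (
    "Subject: Re: dyqyu one\n"
    "Date: Thu, 20 Apr 2006 15:01:41 퍽\n"
    "X-MS-Has-Attach: \n"
    "X-MS-TNEF-Correlator: \n"
    "Thread-Topic: dyqyu one\n"
    'From: "Totty Bellard" <bellard@example.invalid>\n'
    "\n"
)

# RFC 5322 date-time shape: optional day name, dd Mon yyyy hh:mm[:ss] zone,
# the zone numeric (+0300) or one of the obsolete alphabetic forms (GMT, UT, EST).
DATE_SHAPE = re.compile(
    r"(?:[A-Z][a-z]{2}, )?\d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}(?::\d{2})? "
    r"(?:[+-]\d{4}|[A-Z]{1,4})"
)


def date_has_cruft(date_value: str) -> bool:
    """True when the Date: value is not a well-formed RFC 5322 date-time."""
    return DATE_SHAPE.fullmatch(date_value.strip()) is None


def present_but_empty(msg, name: str) -> bool:
    """True only when the header exists and its value is blank. An absent
    header does not count; that difference is the whole signal."""
    value = msg.get(name)
    return value is not None and value.strip() == ""


def header_hits(raw_headers: str) -> list:
    """Names of the heuristics that fire, SpamAssassin-style."""
    msg = email.message_from_string(raw_headers)
    hits = []
    date = msg.get("Date")
    if date is not None and date_has_cruft(date):
        hits.append("DATE_CRUFT")
    if (present_but_empty(msg, "X-MS-Has-Attach")
            and present_but_empty(msg, "X-MS-TNEF-Correlator")):
        hits.append("EMPTY_MS_HEADERS")
    return hits
```

email.utils.parsedate_to_datetime() is deliberately not the test: it silently drops the unparseable zone and returns a naive datetime for this Date: value, so only the shape check notices the cruft. The absent-versus-empty distinction matters on the SpamAssassin side as well: a header rule is skipped when the header is missing unless `[if-unset: ...]` supplies a substitute value, and that substitute would make absent headers indistinguishable from empty ones here.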