You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "Chr. v. Stuckrad" <st...@mi.fu-berlin.de> on 2007/08/07 12:14:31 UTC

Re: Number spam (paranoid guess)

On Tue, 07 Aug 2007, John Andersen wrote:

> Ok, what is this stuff. 
> All it contains is 6 digit numbers.  What's up with that stuff?

My most paranoid guess is:

- Cause: we have summer vacation time ...

So LOTS of people are on holidays.
If you use E-Mails with totally useless content which goes
through all filters for a short time, you can trigger LOTS
of vacation-Messages!

Then (1) you will have to know, 'who answered' and if you
ar not only a a spammer, but also a 'more criminal mind',
you (2) might even find the typical vacation messages like
"I'm away to china for two weeks, try later ..."!

So you know somebody is *away* and you can safely steal
from the flat, impersonate the owner of the addresse etc...

That's paranoid, I know, but criminals are not always dumb :-)
And lazy anyway, and on the internet too :-)

Stucki  (who never has vacation [messages:-])

Re: Number spam (paranoid guess)

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 8/7/2007 4:34 PM, Henrik Krohns wrote:
> On Tue, Aug 07, 2007 at 02:52:25PM +0100, UxBoD wrote:
>> This appears to work okay :-
>>
>> header          __LOCAL_PROBE1          subject =~ /[0-9]{4,6}/i
>> body            __LOCAL_PROBE2          /([a-z|0-9]{8})/i
>> describe        LOCAL_PROBE1            Daft Number Probe
>> meta            LOCAL_PROBE1            (__LOCAL_PROBE1 + __LOCAL_PROBE2 > 1)
>> score           LOCAL_PROBE1            3
> 
> Looks like nice FP generator for busy sites. PROBE2 is certain to hit almost
> anything and then just wait for a few digits in subject.. :)
> 

header          __LOCAL_PROBE1  Subject =~ /^\d{4,6}$/
body            __LOCAL_PROBE2   /^[a-f0-9]{8}$/i
meta            LOCAL_PROBE   (__LOCAL_PROBE1 && __LOCAL_PROBE2)
score           LOCAL_PROBE   3.0

should be safer



Re: Number spam (paranoid guess)

Posted by UxBoD <ux...@splatnix.net>.
Yes I know :( has been pointed out to me so has been revised :-

header          __LOCAL_DIG1            subject =~ /^\d[0-9]{4,6}$/
body            __LOCAL_DIG2            /^([a-f|0-9]{8})$/i
describe        LOCAL_DIG1              Daft Number Scam
meta            LOCAL_DIG1              __LOCAL_DIG1 && __LOCAL_DIG2
score           LOCAL_DIG1              3

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Henrik Krohns" <he...@hege.li>
To: users@spamassassin.apache.org
Sent: Tuesday, August 7, 2007 3:34:49 PM (GMT) Europe/London
Subject: Re: Number spam (paranoid guess)


On Tue, Aug 07, 2007 at 02:52:25PM +0100, UxBoD wrote:
> This appears to work okay :-
> 
> header          __LOCAL_PROBE1          subject =~ /[0-9]{4,6}/i
> body            __LOCAL_PROBE2          /([a-z|0-9]{8})/i
> describe        LOCAL_PROBE1            Daft Number Probe
> meta            LOCAL_PROBE1            (__LOCAL_PROBE1 + __LOCAL_PROBE2 > 1)
> score           LOCAL_PROBE1            3

Looks like nice FP generator for busy sites. PROBE2 is certain to hit almost
anything and then just wait for a few digits in subject.. :)


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: Number spam (paranoid guess)

Posted by Henrik Krohns <he...@hege.li>.
On Tue, Aug 07, 2007 at 02:52:25PM +0100, UxBoD wrote:
> This appears to work okay :-
> 
> header          __LOCAL_PROBE1          subject =~ /[0-9]{4,6}/i
> body            __LOCAL_PROBE2          /([a-z|0-9]{8})/i
> describe        LOCAL_PROBE1            Daft Number Probe
> meta            LOCAL_PROBE1            (__LOCAL_PROBE1 + __LOCAL_PROBE2 > 1)
> score           LOCAL_PROBE1            3

Looks like nice FP generator for busy sites. PROBE2 is certain to hit almost
anything and then just wait for a few digits in subject.. :)


Re: Number spam (paranoid guess)

Posted by UxBoD <ux...@splatnix.net>.
This appears to work okay :-

header          __LOCAL_PROBE1          subject =~ /[0-9]{4,6}/i
body            __LOCAL_PROBE2          /([a-z|0-9]{8})/i
describe        LOCAL_PROBE1            Daft Number Probe
meta            LOCAL_PROBE1            (__LOCAL_PROBE1 + __LOCAL_PROBE2 > 1)
score           LOCAL_PROBE1            3

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Greg Skouby" <gs...@sitesnow.com>
To: users@spamassassin.apache.org
Sent: Tuesday, August 7, 2007 2:14:44 PM (GMT) Europe/London
Subject: Re: Number spam (paranoid guess)

On Tue, Aug 07, 2007 at 12:14:31PM +0200, Chr. v. Stuckrad wrote:
> 
> My most paranoid guess is:
> 
> - Cause: we have summer vacation time ...
> 
> So LOTS of people are on holidays.
> If you use E-Mails with totally useless content which goes
> through all filters for a short time, you can trigger LOTS
> of vacation-Messages!
> 

Wouldn't that require the "from" info not being forged? I have gotten a couple of these and they are definately of the forged sender variety.



--Greg


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: Number spam (paranoid guess)

Posted by Greg Skouby <gs...@sitesnow.com>.
On Tue, Aug 07, 2007 at 12:14:31PM +0200, Chr. v. Stuckrad wrote:
> 
> My most paranoid guess is:
> 
> - Cause: we have summer vacation time ...
> 
> So LOTS of people are on holidays.
> If you use E-Mails with totally useless content which goes
> through all filters for a short time, you can trigger LOTS
> of vacation-Messages!
> 

Wouldn't that require the "from" info not being forged? I have gotten a couple of these and they are definately of the forged sender variety.



--Greg