Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2005/10/25 21:05:36 UTC
Stupid spammer rule
Been getting a few of these:
From: "{%NAME_FROM}" <{@MAIL_FROM}>
To: "{%NAME_TO}" <{@MAIL_TO}>
Anyone have a rule to nuke them?
Re: Stupid spammer rule
Posted by Matt Kettler <mk...@evi-inc.com>.
Fred wrote:
> Hrmm something is wrong here, I updated this file on 10/14/2005 the very
> first day I saw this sign. What date are you showing on your copy of the
> random file?
>
> I also updated this file this morning to increase the score for this rule
> but I forgot to change the last modified date and also forgot to do the
> version #.. I just resent the file with updated version numbers 10 minutes
> ago, the rule has been here for 10 days, it's called:
> header SARE_RAND_NAME1 ALL =~ /%(?:NAME|MAIL)_(?:FROM|TO)/
> score SARE_RAND_NAME1 3.455
>
Sorry Fred, this is two cases of "my bad".
First, I was foolish enough to trust the date on the rulesemporium
website, which claims the last update was a year and a half ago:
Created by: Fred Tarasevicius with contributions (too many to list!)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-17
Version: 01.30.01
(from http://www.rulesemporium.com/rules.htm)
The file itself has been updated.
My local version hasn't been updated recently, since when I browse
rulesemporium.com it tells me there is no update to be had.
Second, even though I looked at the copy on the rulesemporium website, I failed
to notice the date mismatch, and failed to notice the new rule despite searching
for it. (I searched for NAME_, which wouldn't find the above).
Suggested action item for SARE: If you can't synch the "Last Update" for
rules.htm with the files, remove it. It's better to say nothing than to present
blatantly wrong information.
Re: Stupid spammer rule
Posted by Fred <sp...@freddyt.com>.
Hrmm something is wrong here, I updated this file on 10/14/2005 the very
first day I saw this sign. What date are you showing on your copy of the
random file?
I also updated this file this morning to increase the score for this rule
but I forgot to change the last modified date and also forgot to do the
version #.. I just resent the file with updated version numbers 10 minutes
ago, the rule has been here for 10 days, it's called:
header SARE_RAND_NAME1 ALL =~ /%(?:NAME|MAIL)_(?:FROM|TO)/
score SARE_RAND_NAME1 3.455
Matt Kettler wrote:
> Currently 70_sare_random.cf is rather old and doesn't contain any
> rules for
> these variants.
>
> It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything
> close to %NAME_TO.
>
> Perhaps Fred Tarasevicius needs to make an update.
>
> Adding NAME_FROM is easy:
> header __RANDH_7B ALL =~ /%FROM_NAME/
> rawbody __RANDR_7B /%FROM_NAME/
>
> Would be replaced by:
> header __RANDH_7B ALL =~ /%(?:FROM_NAME|NAME_FROM)/
> rawbody __RANDR_7B /%(?:FROM_NAME|NAME_FROM)/
>
>
> M.Lewis wrote:
>> Are you using 70_sare_random.cf ?
>>
>> 70_sare_random.cf
>> Description: 70_sare_random.cf tries to detect common mis-fires
>> on bulk mail software. Many signs are found like: %RND_NUMBER, etc
>>
>> Mike
>>
>> Kenneth Porter wrote:
>>
>>> Been getting a few of these:
>>>
>>> From: "{%NAME_FROM}" <{@MAIL_FROM}>
>>> To: "{%NAME_TO}" <{@MAIL_TO}>
>>>
>>> Anyone have a rule to nuke them?
Re: Stupid spammer rule
Posted by Matt Kettler <mk...@evi-inc.com>.
Currently 70_sare_random.cf is rather old and doesn't contain any rules for
these variants.
It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything close to %NAME_TO.
Perhaps Fred Tarasevicius needs to make an update.
Adding NAME_FROM is easy:
header __RANDH_7B ALL =~ /%FROM_NAME/
rawbody __RANDR_7B /%FROM_NAME/
Would be replaced by:
header __RANDH_7B ALL =~ /%(?:FROM_NAME|NAME_FROM)/
rawbody __RANDR_7B /%(?:FROM_NAME|NAME_FROM)/
M.Lewis wrote:
> Are you using 70_sare_random.cf ?
>
> 70_sare_random.cf
> Description: 70_sare_random.cf tries to detect common mis-fires on
> bulk mail software. Many signs are found like: %RND_NUMBER, etc
>
> Mike
>
> Kenneth Porter wrote:
>
>> Been getting a few of these:
>>
>> From: "{%NAME_FROM}" <{@MAIL_FROM}>
>> To: "{%NAME_TO}" <{@MAIL_TO}>
>>
>> Anyone have a rule to nuke them?
>>
>>
>
Re: Stupid spammer rule
Posted by "M.Lewis" <_S...@cajuninc.com>.
Are you using 70_sare_random.cf ?
70_sare_random.cf
Description: 70_sare_random.cf tries to detect common mis-fires on
bulk mail software. Many signs are found like: %RND_NUMBER, etc
Mike
Kenneth Porter wrote:
> Been getting a few of these:
>
> From: "{%NAME_FROM}" <{@MAIL_FROM}>
> To: "{%NAME_TO}" <{@MAIL_TO}>
>
> Anyone have a rule to nuke them?
>
>
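
Added example, not part of any message in the thread and not SpamAssassin's own code: a small Python harness that loads the rule lines quoted above and runs them over constructed headers, showing which variant catches the unfilled %NAME_FROM / %NAME_TO placeholders. It assumes the raw header block can stand in for SpamAssassin's ALL pseudo-header; the _OLD/_NEW suffixes and the sample addresses are made up for the illustration.

```python
import re

# Rule lines are copied from the thread. The _OLD/_NEW suffixes are labels
# added here so both versions of __RANDH_7B can be loaded side by side.
RULES = r"""
header __RANDH_7B_OLD  ALL =~ /%FROM_NAME/
header __RANDH_7B_NEW  ALL =~ /%(?:FROM_NAME|NAME_FROM)/
header SARE_RAND_NAME1 ALL =~ /%(?:NAME|MAIL)_(?:FROM|TO)/
score SARE_RAND_NAME1 3.455
"""

# Constructed sample headers; BOTH reproduces the headers quoted in the thread.
BOTH = 'From: "{%NAME_FROM}" <{@MAIL_FROM}>\nTo: "{%NAME_TO}" <{@MAIL_TO}>\n'
TO_ONLY = 'From: "Alice" <alice@example.com>\nTo: "{%NAME_TO}" <{@MAIL_TO}>\n'
HAM = 'From: "Alice" <alice@example.com>\nTo: "Bob" <bob@example.net>\n'

HEADER_RE = re.compile(r"^header\s+(\S+)\s+ALL\s+=~\s+/(.+)/$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+([\d.]+)$")


def load_rules(text):
    """Parse 'header NAME ALL =~ /re/' and 'score NAME n' lines."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            patterns[m.group(1)] = re.compile(m.group(2))
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return patterns, scores


def scan(headers, rules=RULES):
    """Return (names of rules that hit, total score) for a header block."""
    patterns, scores = load_rules(rules)
    hits = [name for name, rx in patterns.items() if rx.search(headers)]
    # Rules whose names start with "__" are sub-rules and carry no score.
    total = sum(scores.get(n, 0.0) for n in hits if not n.startswith("__"))
    return hits, total


if __name__ == "__main__":
    for label, sample in (("both", BOTH), ("to-only", TO_ONLY), ("ham", HAM)):
        print(label, scan(sample))
```

The to-only sample is the case the %(?:FROM_NAME|NAME_FROM) edit still misses and SARE_RAND_NAME1 catches.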