Posted to users@spamassassin.apache.org by DNI Support Department <su...@dynamicnet.net> on 2005/03/11 15:01:58 UTC

Spam Assassin pattern help for regular expression

Greetings:

While it has never been pleasant, we regularly review spam including the 
HTML source code behind the spam to help us adjust our system-wide spam 
tagging rules.

We've noticed a lot of sick porn spam being left untagged.

The tests that raised the score, though not high enough, were as follows:

HTML_IMAGE_ONLY_12,HTML_MESSAGE,MPART_ALT_DIFF

These tests are too generic to raise the score higher through customization.

However, I did notice in the HTML source code a common theme:


<IMG 
src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Nf3KZuBf0T/file_name" 
alt="rundowns" border="0"><BR>
<IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/file_name" 
border='0'><BR>
<IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Y/eZ/file_namef" 
alt="ouch" border="0"><BR>

<IMG src="http://tatighk.com/ae3019e288e5a5902958a62de/IWutqQ/filename" 
border=0><BR>
<IMG src="http://tatighk.com/ae3019e288e5a5902958a62de/filename" 
alt="Antipas" border=0><BR>
<IMG 
src="http://tatighk.com/ae3019e288e5a5902958a62de/fT66kl/KK0tcw71p/filename" 
alt="strengthen" border=0>


<IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/YriLMz/filename" 
border="0"><BR>
<IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/filename" 
border='0'><BR>
<IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/txU/t1q/filename" 
border=0>


Where the common theme appears to be the directory structure right after 
the domain name.

For the pattern experts out there, is there a way to craft a regular 
expression to catch the directory pattern used?

Specifically the directory pattern right after the domain name.

Thank you.
________________________________________________
Peter M. Abraham
Support and Customer Care Department
Dynamic Net, Inc.
Helping companies do business on the Net
420 Park Road; Suite 201
Wyomissing  PA  19610
Toll Free Voice:	1-888-887-6727
International:		1-610-736-3795
FAX:			1-610-736-3798
Support Email:		support@dynamicnet.net
Company Email:	solutions@dynamicnet.net
Web:			http://www.dynamicnet.net/
			http://www.wemanageservers.com/
________________________________________________


Re: Spam Assassin pattern help for regular expression

Posted by Jeff Chan <je...@surbl.org>.
On Friday, March 11, 2005, 6:17:21 AM, DNI Department wrote:
> Greetings Jeff:

> These are live examples; but it appears the porn spam all follow the same 
> hex (?) directory structure after the domain name.

> Hence, wanting a pattern for that purpose.

I'll let others comment on expressions.

How about reporting the spams to Tucows and Primus to get them to
shut down the domains like Joker did?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Spam Assassin pattern help for regular expression

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Friday 11 March 2005 14:17, DNI Support Department typed:
> Greetings Jeff:
>
> These are live examples; but it appears the porn spam all follow the same
> hex (?) directory structure after the domain name.
>
> Hence, wanting a pattern for that purpose.

> > > <IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/file_name"

Hex is limited to the character classes [a-f0-9].  If the directories are all 
a constant length, a pattern of
uri FOO /\/[a-f0-9]{23}\//
would match on a hex string 23 characters long.  Bit of a loose check though, 
as it might match some other random 23 character string that's a-f0-9 only.
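
Added example (not part of any post in this thread, and not SpamAssassin project code): a Python check of a candidate pattern against the image URLs quoted in the first post. It measures the hex directory in those samples, compares an unanchored pattern with one tied to the position right after the host name, and renders the result as a `uri` rule line. The rule name LOCAL_HEX_DIR and the example.* URLs are constructed for illustration; the regex constructs used behave the same in Python and Perl.

```python
import re
from urllib.parse import urlsplit

# Image URLs copied from the first post in this thread.
THREAD_URLS = [
    "http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Nf3KZuBf0T/file_name",
    "http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/file_name",
    "http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Y/eZ/file_namef",
    "http://tatighk.com/ae3019e288e5a5902958a62de/IWutqQ/filename",
    "http://tatighk.com/ae3019e288e5a5902958a62de/filename",
    "http://tatighk.com/ae3019e288e5a5902958a62de/fT66kl/KK0tcw71p/filename",
    "http://muoniofgj.net/6481ddc2353481dae6c63affa/YriLMz/filename",
    "http://muoniofgj.net/6481ddc2353481dae6c63affa/filename",
    "http://muoniofgj.net/6481ddc2353481dae6c63affa/txU/t1q/filename",
]

# Constructed look-alikes (not from the thread) to probe for false positives.
CONSTRUCTED_HAM = [
    "http://www.example.com/images/logo.gif",
    "http://example.org/d41d8cd98f00b204e9800998ecf8427e/pic.jpg",  # 32 hex chars
    "http://example.net/cache/0123456789abcdef012345678/a.png",     # 25 hex, 2nd dir
]

def first_dir_lengths(urls):
    """Distinct lengths of the first directory when it is lowercase hex only."""
    lengths = set()
    for url in urls:
        parts = urlsplit(url).path.split("/")
        seg = parts[1] if len(parts) > 2 else ""  # a directory is followed by '/'
        if re.fullmatch(r"[a-f0-9]+", seg):
            lengths.add(len(seg))
    return sorted(lengths)

def build_pattern(length, anchored=True):
    """Regex for a hex directory of `length` chars; anchored = right after the host."""
    prefix = r"^https?://[^/]+" if anchored else ""
    return prefix + r"/[a-f0-9]{%d}/" % length

def hits(pattern, urls):
    return [u for u in urls if re.search(pattern, u)]

def as_sa_rule(name, pattern):
    """Render as a SpamAssassin `uri` rule; '/' is the delimiter, so escape it."""
    return "uri %s /%s/" % (name, pattern.replace("/", r"\/"))

if __name__ == "__main__":
    n = first_dir_lengths(THREAD_URLS)[0]
    print(as_sa_rule("LOCAL_HEX_DIR", build_pattern(n)))
    print(len(hits(build_pattern(n), THREAD_URLS)), "of", len(THREAD_URLS), "samples hit")
```

Anchoring to the first path segment keeps the rule from firing on a hex-named directory deeper in an unrelated URL, which is the loose-match concern raised above.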

Re: Spam Assassin pattern help for regular expression

Posted by DNI Support Department <su...@dynamicnet.net>.
Greetings Jeff:

These are live examples; but it appears the porn spam all follow the same 
hex (?) directory structure after the domain name.

Hence, wanting a pattern for that purpose.

Thank you.

At 09:15 AM 3/11/2005, you wrote:
>On Friday, March 11, 2005, 6:01:58 AM, DNI Department wrote:
> > However, I did notice in the HTML source code a common theme:
>
>
> > <IMG
> > src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Nf3KZuBf0T/file_name"
> > alt="rundowns" border="0"><BR>
> > <IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/file_name"
> > border='0'><BR>
> > <IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Y/eZ/file_namef"
> > alt="ouch" border="0"><BR>
>
> > <IMG src="http://tatighk.com/ae3019e288e5a5902958a62de/IWutqQ/filename"
> > border=0><BR>
> > <IMG src="http://tatighk.com/ae3019e288e5a5902958a62de/filename"
> > alt="Antipas" border=0><BR>
> > <IMG
> > src="http://tatighk.com/ae3019e288e5a5902958a62de/fT66kl/KK0tcw71p/filename"
> > alt="strengthen" border=0>
>
>
> > <IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/YriLMz/filename"
> > border="0"><BR>
> > <IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/filename"
> > border='0'><BR>
> > <IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/txU/t1q/filename"
> > border=0>
>
>These three domains appear to belong to the same spammer.
>Joker shut down tatighk.com for having an invalid address on
>the registration, but the other two remain up at Tucows and
>Primus Domain/Planetdomain.
>
>Jeff C.
>--
>Jeff Chan
>mailto:jeffc@surbl.org
>http://www.surbl.org/



Re: Spam Assassin pattern help for regular expression

Posted by Jeff Chan <je...@surbl.org>.
On Friday, March 11, 2005, 6:01:58 AM, DNI Department wrote:
> However, I did notice in the HTML source code a common theme:


> <IMG
> src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Nf3KZuBf0T/file_name"
> alt="rundowns" border="0"><BR>
> <IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/file_name"
> border='0'><BR>
> <IMG src="http://yamanekohm.com/9d70188c4e7971b6d3b1e2fa8/Y/eZ/file_namef"
> alt="ouch" border="0"><BR>

> <IMG src="http://tatighk.com/ae3019e288e5a5902958a62de/IWutqQ/filename"
> border=0><BR>
> <IMG src="http://tatighk.com/ae3019e288e5a5902958a62de/filename"
> alt="Antipas" border=0><BR>
> <IMG
> src="http://tatighk.com/ae3019e288e5a5902958a62de/fT66kl/KK0tcw71p/filename"
> alt="strengthen" border=0>


> <IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/YriLMz/filename"
> border="0"><BR>
> <IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/filename"
> border='0'><BR>
> <IMG src="http://muoniofgj.net/6481ddc2353481dae6c63affa/txU/t1q/filename"
> border=0>

These three domains appear to belong to the same spammer.
Joker shut down tatighk.com for having an invalid address on
the registration, but the other two remain up at Tucows and
Primus Domain/Planetdomain.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/