Posted to users@spamassassin.apache.org by Panagiotis Christias <ch...@gmail.com> on 2007/03/28 10:40:53 UTC
"KAUF-TIPP DER WOCHE" spam getting through
Hello,
for the last few days we have been getting a lot of spam like this:
---- spam body begins here ----
Words disputed interview galli provisions raise, eyebrows dead holders!
KAUF-TIPP DER WOCHE
LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP Frankfurt: S3C.F
Name : STONEBRIDGE RES EXP
Kurzel : S3C.F
WKN : A0HHEB
Borsenplatz : Frankfurt
Schluss-Stand 23.03.2007 : Euro 0.10
Prognose bis 02.04.2007 : Euro 0.21
Freedom hampton radical illich ivan, fontana ishiguro kazuo.
Austerlitz natural history semprun. Scrfrk tue am foudy fans.
Newsgroup msdn chappell app? Remote locations talk improving, access
ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
indicate. Required preserve specify references interested.
Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
Example unicode character exact numeric without decimal such numbers.
Cedega natively lowlevel emulators binary gaming opengl.
Investors press privacy, statement mypoints mysite, juno, photosite registered.
End, dialogues spiritual renewal thames hudson chorus stones.
Effective auditing procedures handy records kept propertys examined.
Money resources time others, worse than no so why? Setupmore botts
george ou real world wireless lan myths! Red hats expense technology,
announced last year helping.
Guzman writings, osip natasha mandelstam susan, griffin.
---- spam body ends here ----
We use rbls on our border mail servers, SA 3.1.8, sa-update and
rules_du_jour to update our rule set from spamassassin and
rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
SPF, RelayChecker etc. Still many of those spam messages get low
scores and slip through. Scores as low as -1.2 (!) like the message
above which triggered the following rules:
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
Ideas and suggestions are welcome.
Regards,
Panagiotis
ps. I understand that a simple rule matching something /^KAUF-TIPP DER
WOCHE$/ would wipe out all of them but I am interested in a more
generic/efficient way.
ps2. both messages marked as spam or ham are available here:
http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
Re: "KAUF-TIPP DER WOCHE" spam getting through
Posted by Loren Wilton <lw...@earthlink.net>.
My goodness. They are sending that new format in German too!
Could you send me a few of these AS ATTACHMENTS, WITH FULL HEADERS? I'm
going to try to get time to write up some rules for the English-language
version in the next few days, and if I have some German examples I may be
able to write some rules for them too.
Loren
----- Original Message -----
From: "Panagiotis Christias" <ch...@gmail.com>
To: <us...@spamassassin.apache.org>
Sent: Wednesday, March 28, 2007 1:40 AM
Subject: "KAUF-TIPP DER WOCHE" spam getting through
> Hello,
>
> for the last few days we have been getting a lot of spam like this:
>
> ---- spam body begins here ----
> Words disputed interview galli provisions raise, eyebrows dead holders!
>
> KAUF-TIPP DER WOCHE
>
> LESEN SIE DIE NACHRICTEN
> STONEBRIDGE RES EXP Frankfurt: S3C.F
>
> Name : STONEBRIDGE RES EXP
> Kurzel : S3C.F
> WKN : A0HHEB
> Borsenplatz : Frankfurt
> Schluss-Stand 23.03.2007 : Euro 0.10
> Prognose bis 02.04.2007 : Euro 0.21
>
> Freedom hampton radical illich ivan, fontana ishiguro kazuo.
> Austerlitz natural history semprun. Scrfrk tue am foudy fans.
> Newsgroup msdn chappell app? Remote locations talk improving, access
> ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
> indicate. Required preserve specify references interested.
> Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
> Example unicode character exact numeric without decimal such numbers.
> Cedega natively lowlevel emulators binary gaming opengl.
> Investors press privacy, statement mypoints mysite, juno, photosite
> registered.
> End, dialogues spiritual renewal thames hudson chorus stones.
> Effective auditing procedures handy records kept propertys examined.
> Money resources time others, worse than no so why? Setupmore botts
> george ou real world wireless lan myths! Red hats expense technology,
> announced last year helping.
> Guzman writings, osip natasha mandelstam susan, griffin.
> ---- spam body ends here ----
>
> We use rbls on our border mail servers, SA 3.1.8, sa-update and
> rules_du_jour to update our rule set from spamassassin and
> rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
> SPF, RelayChecker etc. Still many of those spam messages get low
> scores and slip through. Scores as low as -1.2 (!) like the message
> above which triggered the following rules:
>
> X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
> Ideas and suggestions are welcome.
>
> Regards,
> Panagiotis
>
> ps. I understand that a simple rule matching something /^KAUF-TIPP DER
> WOCHE$/ would wipe out all of them but I am interested in a more
> generic/efficient way.
>
> ps2. both messages marked as spam or ham are available here:
> http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
Re: "KAUF-TIPP DER WOCHE" spam getting through
Posted by Panagiotis Christias <ch...@gmail.com>.
On 3/28/07, kshatriyak@gmail.com <ks...@gmail.com> wrote:
> On Wed, 28 Mar 2007, Panagiotis Christias wrote:
>
> > for the last few days we have been getting a lot of spam like this:
> >
> > KAUF-TIPP DER WOCHE
>
> I wrote a few of my own rules especially to catch those stock scams
> together with Bayes. If you don't have any people who should write to you in
> German you can also use the X-Languages tag to boost the score if the mail
> is written in German.
>
> Here are my current rules, which should also catch the German stocks.
> Maybe there are some false positives in a real stock environment, but for
> me they work fine:
>
> # Lines re-joined where the mail client wrapped them. The post defined
> # __HILO_STOCKS2 twice; SpamAssassin keeps only the last definition of a
> # name, so the second pattern is named __HILO_STOCKS6 and added to the meta.
> # The empty alternative in "Grow||High" (which matched nothing) is removed.
> body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
> body __HILO_STOCKS2 /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
> body __HILO_STOCKS6 /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
> body __HILO_STOCKS3 /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
> body __HILO_STOCKS4 /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
> body __HILO_STOCKS5 /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
> body __HILO_STOCKS9 /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i
>
> meta HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 || __HILO_STOCKS6 ) && __HILO_STOCKS9 )
> describe HILO_STOCKS Looks like stocks scam
> score HILO_STOCKS 3.0
>
>
>
my custom rule is just:
# KAUF_TIPP custom rule - christia Wed Mar 28 11:51:05 EEST 2007
body KAUF_TIPP /^KAUF-TIPP DER WOCHE$/
describe KAUF_TIPP German pump and dump stock spam with extremely low scores
score KAUF_TIPP 4.0
A bit rough, maybe..
Re: "KAUF-TIPP DER WOCHE" spam getting through
Posted by ks...@gmail.com.
On Wed, 28 Mar 2007, Panagiotis Christias wrote:
> for the last few days we have been getting a lot of spam like this:
>
> KAUF-TIPP DER WOCHE
I wrote a few of my own rules especially to catch those stock scams
together with Bayes. If you don't have any people who should write to you in
German you can also use the X-Languages tag to boost the score if the mail
is written in German.
Here are my current rules, which should also catch the German stocks.
Maybe there are some false positives in a real stock environment, but for
me they work fine:
# Lines re-joined where the mail client wrapped them. The post defined
# __HILO_STOCKS2 twice; SpamAssassin keeps only the last definition of a
# name, so the second pattern is named __HILO_STOCKS6 and added to the meta.
# The empty alternative in "Grow||High" (which matched nothing) is removed.
body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
body __HILO_STOCKS2 /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body __HILO_STOCKS6 /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body __HILO_STOCKS3 /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
body __HILO_STOCKS4 /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
body __HILO_STOCKS5 /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
body __HILO_STOCKS9 /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i

meta HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 || __HILO_STOCKS6 ) && __HILO_STOCKS9 )
describe HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.0
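The rule logic from this post (the price-style sub-rules AND the stock-tip vocabulary rule) together with the one-line KAUF_TIPP rule from Panagiotis's reply, replayed in Python over the thread's sample body. This is an added example, not code from the thread or from SpamAssassin: the body rendering (paragraphs joined into single lines before matching, which is why ^ and $ work on a body rule) is modelled on SpamAssassin 3.x and is stated as an assumption, __HILO_STOCKS1 is left out for length, and the ham message is constructed.

```python
import re

# Constructed sample: the KAUF-TIPP body from the thread, cut down to the
# paragraphs the rules key on.
SPAM = """KAUF-TIPP DER WOCHE

LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP Frankfurt: S3C.F

Name : STONEBRIDGE RES EXP
Schluss-Stand 23.03.2007 : Euro 0.10
Prognose bis 02.04.2007 : Euro 0.21
"""
# Constructed ham control: ordinary German business mail, no price lines.
HAM = """Hallo Team,

die Rechnung fuer Maerz liegt bei. Bitte bis Freitag
ueberweisen. Gruesse
"""

def render_body(text):
    """Assumed model of how SpamAssassin 3.x feeds text to `body` rules:
    blank-line-separated paragraphs become single lines and whitespace runs
    inside a paragraph collapse to one space, so ^/$ anchor a paragraph."""
    paras = re.split(r"\n\s*\n", text.strip())
    return [re.sub(r"[ \t\r\n\x0b\xa0]+", " ", p).strip() for p in paras]

# Perl patterns from the post transcribed to Python re (/i -> re.I).
# The post's second __HILO_STOCKS2 ("expected:") is __HILO_STOCKS6 here so
# it does not overwrite the first one.
SUBRULES = {
    "__HILO_STOCKS2": r"curr[e3]n[t7](ly)?[ \t_]+?:[ \t_$]+?\d",
    "__HILO_STOCKS6": r"[e3](x|ks)p[e3]ct[e3]d?[ \t_]+?:[ \t_$]+?\d",
    "__HILO_STOCKS3": r"our[ \t_]+?(last[ ]+?)?pick[: \t_;=,]",
    "__HILO_STOCKS4": r"\d[ \t_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])",
    "__HILO_STOCKS5": r"(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[ \t_]+?\d",
    "__HILO_STOCKS9": r"(hot[ \t_]+?list|r[e3]cord|publicity |n[e3]ws |invest"
                      r"|incr[e3]as[e3]|[e3]xplosion|high |pr[e3]mium|mark[e3]t"
                      r"|al[e3]rt|sym[b8]ol|the rush|your radar|g[e3]t [i1]n"
                      r"|schluss-?stand|prognose|kauf-?tip)",
    "KAUF_TIPP": r"^KAUF-TIPP DER WOCHE$",   # Panagiotis's one-liner
}
PRICE_RULES = {"__HILO_STOCKS2", "__HILO_STOCKS3", "__HILO_STOCKS4", "__HILO_STOCKS5", "__HILO_STOCKS6"}
SCORES = {"HILO_STOCKS": 3.0, "KAUF_TIPP": 4.0}

def subrule_hits(text):
    # A sub-rule hits when it matches any rendered paragraph.
    lines = render_body(text)
    return {name for name, pat in SUBRULES.items()
            if any(re.search(pat, line, re.I) for line in lines)}

def score(text):
    """Apply meta HILO_STOCKS ((price sub-rule) && __HILO_STOCKS9) and KAUF_TIPP."""
    hits = subrule_hits(text)
    fired = []
    if hits & PRICE_RULES and "__HILO_STOCKS9" in hits:
        fired.append("HILO_STOCKS")
    if "KAUF_TIPP" in hits:
        fired.append("KAUF_TIPP")
    return sum(SCORES[r] for r in fired), fired
```

On the sample, "Euro 0.10" satisfies __HILO_STOCKS5 and "Schluss-Stand", "Prognose" and "KAUF-TIPP" satisfy __HILO_STOCKS9, so both rules fire for a total of 7.0, while the ham control scores 0.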
Re: "KAUF-TIPP DER WOCHE" spam getting through
Posted by UxBoD <ux...@splatnix.net>.
I ran them through our server and they scored as follows:
Content analysis details: (9.9 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.3 SARE_WEOFFER BODY: Offers Something
3.2 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
0.8 SARE_RMML_Stock19 BODY: SARE_RMML_Stock19
0.1 SPOOF_OURI URI: URI has items in odd places
0.2 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
0.1 SARE_URI_4_BIZ URI: Domain has a "four-you" type domain name
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
Content analysis details: (5.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
0.0 RELAY_CHECKER_BADDNS Doesn't have full circle DNS
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.4319]
2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on bogons IP block
[122.111.44.35 listed in combined-HIB.dnsiplists.completewhois.com]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
2.0 RELAY_CHECKER Any RelayChecker rule hit
Content analysis details: (5.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
[SPF failed: Please see http://www.openspf.org/why.html?sender=myersonkrgg%40ajk-enterprises.com&ip=82.88.48.142&receiver=ajax.noc.ntua.gr]
0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
3.2 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0004]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
2.0 RELAY_CHECKER Any RelayChecker rule hit
Content analysis details: (6.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0000]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
2.0 RELAY_CHECKER Any RelayChecker rule hit
0.0 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses
Content analysis details: (8.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.6 RATWARE_RCVD_PF Bulk email fingerprint (Received PF) found
4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0001]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
2.0 RELAY_CHECKER Any RelayChecker rule hit
Content analysis details: (7.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.1 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
3.6 RATWARE_RCVD_PF Bulk email fingerprint (Received PF) found
0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0005]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
2.0 RELAY_CHECKER Any RelayChecker rule hit
Content analysis details: (8.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
2.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
0.0 RELAY_CHECKER_BADDNS Doesn't have full circle DNS
1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0001]
0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
2.0 RELAY_CHECKER Any RelayChecker rule hit
On Wed, 28 Mar 2007 11:40:53 +0300, "Panagiotis Christias" <ch...@gmail.com> wrote:
> Hello,
>
> for the last few days we have been getting a lot of spam like this:
>
> ---- spam body begins here ----
> Words disputed interview galli provisions raise, eyebrows dead holders!
>
> KAUF-TIPP DER WOCHE
>
> LESEN SIE DIE NACHRICTEN
> STONEBRIDGE RES EXP Frankfurt: S3C.F
>
> Name : STONEBRIDGE RES EXP
> Kurzel : S3C.F
> WKN : A0HHEB
> Borsenplatz : Frankfurt
> Schluss-Stand 23.03.2007 : Euro 0.10
> Prognose bis 02.04.2007 : Euro 0.21
>
> Freedom hampton radical illich ivan, fontana ishiguro kazuo.
> Austerlitz natural history semprun. Scrfrk tue am foudy fans.
> Newsgroup msdn chappell app? Remote locations talk improving, access
> ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
> indicate. Required preserve specify references interested.
> Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
> Example unicode character exact numeric without decimal such numbers.
> Cedega natively lowlevel emulators binary gaming opengl.
> Investors press privacy, statement mypoints mysite, juno, photosite
> registered.
> End, dialogues spiritual renewal thames hudson chorus stones.
> Effective auditing procedures handy records kept propertys examined.
> Money resources time others, worse than no so why? Setupmore botts
> george ou real world wireless lan myths! Red hats expense technology,
> announced last year helping.
> Guzman writings, osip natasha mandelstam susan, griffin.
> ---- spam body ends here ----
>
> We use rbls on our border mail servers, SA 3.1.8, sa-update and
> rules_du_jour to update our rule set from spamassassin and
> rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
> SPF, RelayChecker etc. Still many of those spam messages get low
> scores and slip through. Scores as low as -1.2 (!) like the message
> above which triggered the following rules:
>
> X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
> Ideas and suggestions are welcome.
>
> Regards,
> Panagiotis
>
> ps. I understand that a simple rule matching something /^KAUF-TIPP DER
> WOCHE$/ would wipe out all of them but I am interested in a more
> generic/efficient way.
>
> ps2. both messages marked as spam or ham are available here:
> http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@sip.splatnix.net
Re: "KAUF-TIPP DER WOCHE" spam getting through
Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Wed, 28 Mar 2007 11:40:53 +0300, "Panagiotis Christias"
<ch...@gmail.com> wrote:
>Hello,
>
>for the last few days we have been getting a lot of spam like this:
>
>---- spam body begins here ----
>Words disputed interview galli provisions raise, eyebrows dead holders!
>
>KAUF-TIPP DER WOCHE
>
>LESEN SIE DIE NACHRICTEN
>STONEBRIDGE RES EXP Frankfurt: S3C.F
>
>Name : STONEBRIDGE RES EXP
>Kurzel : S3C.F
>WKN : A0HHEB
>Borsenplatz : Frankfurt
>Schluss-Stand 23.03.2007 : Euro 0.10
>Prognose bis 02.04.2007 : Euro 0.21
>
>Freedom hampton radical illich ivan, fontana ishiguro kazuo.
>Austerlitz natural history semprun. Scrfrk tue am foudy fans.
>Newsgroup msdn chappell app? Remote locations talk improving, access
>ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
>indicate. Required preserve specify references interested.
>Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
>Example unicode character exact numeric without decimal such numbers.
>Cedega natively lowlevel emulators binary gaming opengl.
>Investors press privacy, statement mypoints mysite, juno, photosite registered.
>End, dialogues spiritual renewal thames hudson chorus stones.
>Effective auditing procedures handy records kept propertys examined.
>Money resources time others, worse than no so why? Setupmore botts
>george ou real world wireless lan myths! Red hats expense technology,
>announced last year helping.
>Guzman writings, osip natasha mandelstam susan, griffin.
>---- spam body ends here ----
>
>We use rbls on our border mail servers, SA 3.1.8, sa-update and
>rules_du_jour to update our rule set from spamassassin and
>rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
>SPF, RelayChecker etc. Still many of those spam messages get low
>scores and slip through. Scores as low as -1.2 (!) like the message
>above which triggered the following rules:
>
>X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
>Ideas and suggestions are welcome.
>
>Regards,
>Panagiotis
>
>ps. I understand that a simple rule matching something /^KAUF-TIPP DER
>WOCHE$/ would wipe out all of them but I am interested in a more
>generic/efficient way.
>
>ps2. both messages marked as spam or ham are available here:
> http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
I get a few similar ones here; it may be the start of a spam run, or just
the fact that the stock spams morph so quickly. I haven't seen an
update from RDJ for stock spam in a while; I guess the authors have
real lives too so can't spend every waking hour fine tuning the rules
to catch each new iteration.
If I get persistent spam getting through with common features I write
my own rule and drop it in. It's often redundant within a few days so
gets morphed to catch the next ones that get through.
Perhaps you should go with your own rule and edit it as needed?
Looking at the other post on this thread you might want to check your
network tests.
KR
Nigel