Posted to users@spamassassin.apache.org by Brian Wilson <wi...@bubba.org> on 2007/09/12 17:04:40 UTC
debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
I've somehow made it onto a spam list that isn't being picked up by RBLs or
by bayes. All messages have a url that looks like this (where X's are
all digits):
http://aero-dog.com/1-23-28276-45381XXXXXXX.html
All messages are originating from 206.131.x.x and I have been submitting
them to spamcop. A sample message is here:
http://bubba.org/spam/newspam1.txt
Any suggestions for detecting this? My bayes has been pretty much spot on
for months, so this has me puzzled.
Thanks,
Brian
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
Posted by "Benjamin E. Zeller" <ze...@ibh-wor.de>.
On Wednesday 12 September 2007 17:04:40 Brian Wilson wrote:
> I've somehow made it onto a spam list that isn't being picked up by RBLs or
> by bayes. All messages have a url that looks like this (where X's are
> all digits):
>
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
>
> All messages are originating from 206.131.x.x and I have been submitting
> them to spamcop. A sample message is here:
> http://bubba.org/spam/newspam1.txt
>
> Any suggestions for detecting this? My bayes has been pretty much spot on
> for months, so this has me puzzled.
>
> Thanks,
> Brian
Result here:
 1.7 SARE_RECV_IP_206131    Spam passed through possible spammer relay
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9279]
 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: frosty-saver.com]
--
Benjamin E. Zeller
Ing.-Büro Hohmann
Bahnhofstr. 34
D-82515 Wolfratshausen
Tel.: +49 (0)8171 347 88 12
Mobil: +49 (0)160 99 11 55 23
Fax: +49 (0)8171 910 778
mailto: zeller@ibh-wor.de
www.ibh-wor.de
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 12 Sep 2007, Brian Wilson wrote:
> uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/ score
Escape that period.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It's easy to be noble with other people's money.
-- John McKay, _The Welfare State:
No Mercy for the Middle Class_
-----------------------------------------------------------------------
5 days until the 220th anniversary of the signing of the U.S. Constitution
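Added example, not part of the original thread: a short Python check of what the unescaped period changes, run over constructed sample URIs. The TIGHT pattern and every sample URI are assumptions made for illustration, and Python's re module stands in for the Perl regex engine SpamAssassin uses (these patterns read the same in both).

```python
import re

# Rule regex exactly as posted in the thread (period before "html" unescaped).
POSTED = re.compile(r"^http\:\/\/[\S\-]+\/[\d\-]+.html")
# Same rule with only the period escaped, as suggested in the reply.
ESCAPED = re.compile(r"^http\:\/\/[\S\-]+\/[\d\-]+\.html")
# Assumption (not from the thread): a tighter variant modelled on the URL shape
# in the first post: host, four hyphen-separated digit groups, then ".html".
TIGHT = re.compile(r"^http://[^/\s]+/\d+(?:-\d+){3}\.html$")

# Constructed sample URIs; only the first follows the shape quoted in the thread
# (the X digits are filled with zeros here).
SAMPLES = [
    "http://aero-dog.com/1-23-28276-453810000000.html",  # campaign shape
    "http://example.org/2007-09-12xhtml-notes",          # no literal ".html"
    "http://example.org/archive/2007-09.html",           # ordinary dated page
    "http://example.org/12345.html",                     # ordinary numeric page
    "http://example.org/about.html",                     # path is not digits
]


def hits(pattern):
    """Return the sample URIs that the given compiled pattern matches."""
    return [uri for uri in SAMPLES if pattern.search(uri)]


def report():
    """Map each rule variant to the list of sample URIs it fires on."""
    return {"posted": hits(POSTED), "escaped": hits(ESCAPED), "tight": hits(TIGHT)}


if __name__ == "__main__":
    for name, matched in report().items():
        print(f"{name:8} {len(matched)} hit(s)")
        for uri in matched:
            print("    " + uri)
```

Escaping the period drops only the "xhtml" sample; the dated and numeric pages still match either form of the posted rule, which matters for a rule scored at 10.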
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
Posted by Brian Wilson <wi...@bubba.org>.
On Wed, 12 Sep 2007, Brian Wilson wrote:
>
> I've somehow made it onto a spam list that isn't being picked up by RBLs or by
> bayes. All messages have a url that looks like this (where X's are all
> digits):
>
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
>
> All messages are originating from 206.131.x.x and I have been submitting them
> to spamcop. A sample message is here: http://bubba.org/spam/newspam1.txt
>
> Any suggestions for detecting this? My bayes has been pretty much spot on
> for months, so this has me puzzled.
>
The sample was older so that is probably why it is being picked up, but
the newer samples from here are not getting scored from RBLs. I
added this URI rule to pick these up:
uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/
score FROSTY_SAVER_URI 10
I'm sure someone will complain that they have a better regex, but it's
working for me.
Brian
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
Posted by Jari Fredriksson <ja...@iki.fi>.
> I've somehow made it onto a spam list that isn't being
> picked up by RBLs or by bayes. All messages have a url
> that looks like this (where X's are all digits):
>
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
>
> All messages are originating from 206.131.x.x and I have
> been submitting them to spamcop. A sample message is
> here: http://bubba.org/spam/newspam1.txt
>
> Any suggestions for detecting this? My bayes has been
> pretty much spot on for months, so this has me puzzled.
>
> Thanks,
> Brian
Result here
Content analysis details:   (12.7 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 SUBJ_ILLEGAL_CHARS     Subject: has too many raw illegal characters
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9391]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 91]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 91]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: frosty-saver.com]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: frosty-saver.com]
 1.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING