Posted to users@spamassassin.apache.org by Brian Wilson <wi...@bubba.org> on 2007/09/12 17:04:40 UTC

debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

I've somehow made it onto a spam list that isn't being picked up by RBLs or 
by bayes.  All messages have a url that looks like this (where X's are 
all digits):

http://aero-dog.com/1-23-28276-45381XXXXXXX.html

All messages are originating from 206.131.x.x and I have been submitting 
them to spamcop.  A sample message is here: 
http://bubba.org/spam/newspam1.txt

Any suggestions for detecting this?  My bayes has been pretty much spot on 
for months, so this has me puzzled.

Thanks,
Brian




Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

Posted by "Benjamin E. Zeller" <ze...@ibh-wor.de>.
On Wednesday 12 September 2007 17:04:40 Brian Wilson wrote:
> I've somehow made it onto a spam list that isn't being picked up by RBLs or
> by bayes.  All messages have a url that looks like this (where X's are
> all digits):
>
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
>
> All messages are originating from 206.131.x.x and I have been submitting
> them to spamcop.  A sample message is here:
> http://bubba.org/spam/newspam1.txt
>
> Any suggestions for detecting this?  My bayes has been pretty much spot on
> for months, so this has me puzzled.
>
> Thanks,
> Brian

Result here:

 1.7 SARE_RECV_IP_206131    Spam passed through possible spammer relay
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9279]
 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: frosty-saver.com]


-- 
Benjamin E. Zeller
Ing.-Büro Hohmann
Bahnhofstr. 34
D-82515 Wolfratshausen

Tel.:  +49 (0)8171 347 88 12
Mobil: +49 (0)160 99 11 55 23
Fax:   +49 (0)8171 910 778
mailto: zeller@ibh-wor.de

www.ibh-wor.de

Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 12 Sep 2007, Brian Wilson wrote:

> uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/ score 

Escape that period.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  It's easy to be noble with other people's money.
                                   -- John McKay, _The Welfare State:
                                      No Mercy for the Middle Class_
-----------------------------------------------------------------------
 5 days until the 220th anniversary of the signing of the U.S. Constitution


Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

Posted by Brian Wilson <wi...@bubba.org>.
On Wed, 12 Sep 2007, Brian Wilson wrote:

>
> I've somehow made it onto a spam list that isn't being picked up by RBLs or by 
> bayes.  All messages have a url that looks like this (where X's are all 
> digits):
>
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
>
> All messages are originating from 206.131.x.x and I have been submitting them 
> to spamcop.  A sample message is here: http://bubba.org/spam/newspam1.txt
>
> Any suggestions for detecting this?  My bayes has been pretty much spot on 
> for months, so this has me puzzled.
>

The sample was older so that is probably why it is being picked up, but 
the newer samples from here are not getting scored from RBLs.  I 
added this URI rule to pick these up:

uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/
score FROSTY_SAVER_URI 10

I'm sure someone will complain that they have a better regex, but it's 
working for me.

Brian
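
Added example, not part of the original posts: the rule as posted, the same rule with the period escaped, and a tighter variant, each run over three constructed URIs. The "tight" pattern and all sample URIs are assumptions made for illustration; only the first two patterns come from the thread.

```python
import re

# Patterns as they would sit between the slashes of a SpamAssassin "uri" rule.
RULES = {
    # As posted in the thread: the period before "html" is unescaped.
    "posted": re.compile(r"^http\:\/\/[\S\-]+\/[\d\-]+.html"),
    # With the period escaped, as the reply suggests.
    "escaped": re.compile(r"^http\:\/\/[\S\-]+\/[\d\-]+\.html"),
    # Assumption (not from the thread): host only, then four hyphen-separated
    # digit groups as the whole path, anchored at the end of the URI.
    "tight": re.compile(r"^http://[^/\s]+/\d+(?:-\d+){3}\.html$"),
}

# Constructed sample URIs: (uri, is_spam_shaped)
SAMPLES = [
    # Same shape as the URL in the thread, with the X's filled by zeros.
    ("http://aero-dog.com/1-23-28276-453810000000.html", True),
    # Benign date-named page: [\S\-]+ also swallows slashes, so any
    # digits-and-hyphens file name at any depth satisfies the loose rules.
    ("http://news.example.org/archive/2007-09-12.html", False),
    # Benign URI with no ".html" at all: only the unescaped "." matches it.
    ("http://docs.example.org/files/12345xhtml", False),
]


def evaluate(rule_name):
    """Return (caught, false_positives) URI lists for one rule."""
    rx = RULES[rule_name]
    caught = [u for u, spam in SAMPLES if spam and rx.search(u)]
    fps = [u for u, spam in SAMPLES if not spam and rx.search(u)]
    return caught, fps


if __name__ == "__main__":
    for name in RULES:
        caught, fps = evaluate(name)
        print(f"{name:8} caught={len(caught)} false_positives={fps}")
```

At a score of 10 against the 5.0 threshold shown in the reports in this thread, one false hit from this rule is enough on its own to tag a message as spam.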

Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

Posted by Jari Fredriksson <ja...@iki.fi>.
> I've somehow made it onto a spam list that isn't being
> picked up by RBLs or by bayes.  All messages have a url
> that looks like this (where X's are all digits):
> 
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
> 
> All messages are originating from 206.131.x.x and I have
> been submitting them to spamcop.  A sample message is
> here: http://bubba.org/spam/newspam1.txt
> 
> Any suggestions for detecting this?  My bayes has been
> pretty much spot on for months, so this has me puzzled.
> 
> Thanks,
> Brian

Result here

Content analysis details:   (12.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 SUBJ_ILLEGAL_CHARS     Subject: has too many raw illegal characters
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9391]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf:  91]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf:  91]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: frosty-saver.com]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: frosty-saver.com]
 1.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING