Posted to users@spamassassin.apache.org by Bob Proulx <bo...@proulx.com> on 2008/03/17 02:09:55 UTC

How to catch gibberish spam before URIBL lists it?

These eventually show up in the URIBL but with the start of the wave
they are not listed yet.  Outside of URIBL (which works great once
they get listed) are there good tactics to catch this type of spam
directly from the content?

  Subject: top bxtrj k cuq Girls wdi ulpq tafz.

  n srak, great qllqn Moms cg bmqet agpxa http://www.struesexfilms.cn ssj erzn zxuc wlp. h qds t bl hfqun.
  v w g vj hydl taqn ahcgn uaorm, w wfz go vthmz cdii fft.

Thanks
Bob

Re: How to catch gibberish spam before URIBL lists it?

Posted by Bob Proulx <bo...@proulx.com>.
Loren Wilton wrote:
> >>TW_AQ,TW_BM,TW_BX,TW_GP,TW_HM,TW_LP,TW_MQ,TW_PX,TW_QD,TW_QL,TW_TR,TW_WF,
> >>TW_ZX,
> >
> >What ruleset are those rules in?
> 
> Tripwire.  Available at SARE in "other rules".
> 
> Beware, these are English-biased rules and will FP on other languages.

Thanks for the pointers.  I can't think of any good ways to catch
these either.  Foreign languages do sometimes appear so I do need to
be concerned about them.  But perhaps using this ruleset with very low
scores would be okay.  Other rules are usually firing too and all it
needs is a little bit more to push these over the threshold.

Thanks
Bob
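
Added example, not part of the original thread: one way to apply the low-score approach described in the message above, as a SpamAssassin `local.cf` fragment. The score values, the threshold of 6 and the `LOCAL_TW_CLUSTER` meta rule name are assumptions for illustration; the meta rule goes one step beyond the thread by adding weight only when several of the listed Tripwire rules fire together.

```conf
# local.cf fragment (added example; all values are illustrative assumptions).
# Requires the SARE Tripwire ruleset to be installed so the TW_* rules exist.

# Keep each English-biased rule near zero so that a stray hit in
# non-English mail cannot push a message over the threshold by itself.
# Do not set these to 0: a score of 0 disables the rule, and the meta
# rule below would then never see it fire.
score TW_AQ 0.1
score TW_BM 0.1
score TW_BX 0.1
score TW_GP 0.1
score TW_HM 0.1
score TW_LP 0.1
score TW_MQ 0.1
score TW_PX 0.1
score TW_QD 0.1
score TW_QL 0.1
score TW_TR 0.1
score TW_WF 0.1
score TW_ZX 0.1

# Gibberish like the sample in this thread trips many of these rules in
# one message. Each rule name evaluates to 1 when it hit and 0 otherwise,
# so the sum counts how many distinct rules fired.
meta     LOCAL_TW_CLUSTER (TW_AQ + TW_BM + TW_BX + TW_GP + TW_HM + TW_LP + TW_MQ + TW_PX + TW_QD + TW_QL + TW_TR + TW_WF + TW_ZX) >= 6
describe LOCAL_TW_CLUSTER Six or more of the listed Tripwire rules hit
score    LOCAL_TW_CLUSTER 1.5

# Before relying on the threshold, run it over a corpus of your own
# legitimate non-English mail and raise it if that mail reaches it.
```

Run `spamassassin --lint` after editing to confirm the fragment parses and every referenced rule is defined.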

Re: How to catch gibberish spam before URIBL lists it?

Posted by Loren Wilton <lw...@earthlink.net>.
>> TW_AQ,TW_BM,TW_BX,TW_GP,TW_HM,TW_LP,TW_MQ,TW_PX,TW_QD,TW_QL,TW_TR,TW_WF,
>> TW_ZX,
> 
> What ruleset are those rules in?

Tripwire.  Available at SARE in "other rules".

Beware, these are English-biased rules and will FP on other languages.

        Loren


Re: How to catch gibberish spam before URIBL lists it?

Posted by Bob Proulx <bo...@proulx.com>.
Michael Hutchinson wrote:
> You may just need to modify some scoring of these rules, which hit
> the "garbage" you're talking about without a doubt:
> 
> TW_AQ,TW_BM,TW_BX,TW_GP,TW_HM,TW_LP,TW_MQ,TW_PX,TW_QD,TW_QL,TW_TR,TW_WF,
> TW_ZX,

What ruleset are those rules in?

Bob

RE: How to catch gibberish spam before URIBL lists it?

Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: Bob Proulx [mailto:bob@proulx.com]
> Sent: Monday, 17 March 2008 2:10 p.m.
> To: users@spamassassin.apache.org
> Subject: How to catch gibberish spam before URIBL lists it?
> 
> These eventually show up in the URIBL but with the start of the wave
> they are not listed yet.  Outside of URIBL (which works great once
> they get listed) are there good tactics to catch this type of spam
> directly from the content?
> 
>   Subject: top bxtrj k cuq Girls wdi ulpq tafz.
> 
>   n srak, great qllqn Moms cg bmqet agpxa http://www.struesexfilms.cn ssj erzn zxuc wlp. h qds t bl hfqun.
>   v w g vj hydl taqn ahcgn uaorm, w wfz go vthmz cdii fft.
> 
> Thanks
> Bob

Hi Bob,

Even through the list, my SpamAssassin flagged your mail with 2.4 points
(which was AWL adjusted, so was probably higher than that). You may just
need to modify some scoring of these rules, which hit the "garbage"
you're talking about without a doubt:

TW_AQ,TW_BM,TW_BX,TW_GP,TW_HM,TW_LP,TW_MQ,TW_PX,TW_QD,TW_QL,TW_TR,TW_WF,
TW_ZX,

HTH,
Cheers,
Mike