Posted to users@spamassassin.apache.org by Matt Kettler <mk...@evi-inc.com> on 2005/05/14 19:37:27 UTC

Re: {SPAM} Drug SPAM problem..any fixes?

Dan Simmons wrote:
> Hi All,
> 
> I am having an issue with the following DRUG related spam.  Does
> anyone have any rules to catch this?
> 
> Environment: SA 3.0.2 with network tests and the following SARE rule sets:
<snip>
> X-SA-SysThreshold: 6.0
> 	0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> 	0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> 	0.0 HTML_MESSAGE BODY: HTML included in message
> 

For your message I got the following (SA 2.64 with Mail::SpamCopURI)

SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90,
BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)

Most of that is URI blacklists from surbl (supported by SA 3.x by default), as
well as uribl.com (not supported in default config but I added it by hand).

I'd check to see if your URIBLs are working. SA 3.x supports them by default,
but you need a relatively recent Net::DNS for them to work.

Also, if you're using a ported package for your OS distribution instead of the
official SA packages, make sure you've got an init.pre file in your
configuration. If you don't, the URIBL plugin won't load.

Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Matt Kettler <mk...@evi-inc.com>.
martin smith wrote:

> Trouble with the SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain name twice a day or
> more to keep ahead of the listing, which is why I wanted something to block
> them if they don't hit any blacklists.
> 
> Martin
> 

True, which is part of why I use some greylisting; it helps the blacklist hit
rates.


I really don't know of any good static rule that works consistently for these
that won't just nail every email with embedded images.

One thing you might look at is this part:

8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m

Note that after the first 3 numbers, it's an alternating sequence of random
lower-case letters and numbers. The repeating part is 140 characters long, or 70
repeats.

You could probably pick out 50 or so of these with low FP rate:

body L_STRANGE_ID	/(?:\d[a-z]){50}/
score L_STRANGE_ID	0.1


Another tool to try here, which has the same drawbacks as surbl, is razor.

Razor can pick up on the hash of the embedded image, text, or URI so this way
you're forcing them to change three things: domains, images and body text.
(Razor hashes each mime part and each URI separately, so spam can be identified
by any one of these, not just the combined whole of the message.)

While not perfect, at least this gets you 3 shots at the message based on content.

Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, May 14, 2005, 10:43:08 AM, martin smith wrote:
M>>From: Matt Kettler [mailto:mkettler@evi-inc.com]

M>>Most of that is URI blacklists from surbl (supported by SA 
M>>3.x by default), as well as uribl.com (not supported in 
M>>default config but I added it by hand)
M>>

> Trouble with the SURBL is that you can receive a lot of these spams
> before they get listed; they also seem to change domain name twice a day or
> more to keep ahead of the listing, which is why I wanted something to block
> them if they don't hit any blacklists.

We're working on reducing the latency of SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Loren Wilton <lw...@earthlink.net>.
Let me just suggest that there are all kinds of catchable keys in the spam
you posted.  I don't really want to post rules for these, since as soon as
rules get posted here the keys disappear from the spams.

        Loren


RE: {SPAM} Drug SPAM problem..any fixes?

Posted by martin smith <ma...@ntlworld.com>.
M>-----Original Message-----
M>From: Matt Kettler [mailto:mkettler@evi-inc.com] 
M>Sent: 14 May 2005 18:37
M>To: Dan Simmons
M>Cc: users@spamassassin.apache.org
M>Subject: Re: {SPAM} Drug SPAM problem..any fixes?
M>
M>Dan Simmons wrote:
M>> Hi All,
M>> 
M>> I am having an issue with the following DRUG related spam.  Does 
M>> anyone have any rules to catch this?
M>> 
M>> Environment: SA 3.0.2 with network tests and the following 
M>SARE rule sets:
M><snip>
M>> X-SA-SysThreshold: 6.0
M>> 	0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 
M>1600-2000 bytes of words
M>> 	0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
M>> 	0.0 HTML_MESSAGE BODY: HTML included in message
M>> 
M>
M>For your message I got the following (SA 2.64 with Mail::SpamCopURI)
M>
M>SpamAssassin (score=7.908, required 5,	AB_URI_RBL 
M>1.00, BAYES_00 -4.90,
M>BLACK_URI_RBL 2.00,	HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
M>INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 
M>2.10, SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
M>
M>Most of that is URI blacklists from surbl (supported by SA 
M>3.x by default), as well as uribl.com (not supported in 
M>default config but I added it by hand)
M>

Trouble with the SURBL is that you can receive a lot of these spams
before they get listed; they also seem to change domain name twice a day or
more to keep ahead of the listing, which is why I wanted something to block
them if they don't hit any blacklists.

Martin