Posted to users@spamassassin.apache.org by Mark London <mr...@psfc.mit.edu> on 2021/06/15 16:11:12 UTC

Maybe it's time to revive EvilNumbers?

My site is getting a lot of spam that is getting past SpamAssassin, because it has a phone number to call rather than a link to log in using a username and password. Mostly fake Amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark



Re: Maybe it's time to revive EvilNumbers?

Posted by RW <rw...@googlemail.com>.
On Wed, 16 Jun 2021 11:52:24 -0400
Alan wrote:


> I'm already getting FPs when someone does a copy/paste of an Amazon product page
> and sends it as mail.
> ...
> The sender's signature typically has a phone number as well, so
> EvilNumbers would make things worse.


Probably not. The original EvilNumbers was a collection of regexes for
street addresses and phone numbers found in spam, but not much ham. The
addresses and some of the numbers would have been just window dressing,
but the OP is talking about actual scammer contact numbers, so the FP
rate could be very low. 

Re: Maybe it's time to revive EvilNumbers?

Posted by Alan <sp...@ambitonline.com>.
On 2021-06-15 19:44, Loren Wilton wrote:
>> My site is getting a lot of spam that is getting past SpamAssassin,
>> because it has a phone number to call rather than a link to log in
>> using a username and password. Mostly fake Amazon purchases. They are
>> getting past a lot of URL block lists because of that. FWIW. - Mark
>
> I have a number of "purchase" rules that add about 30 points for fake 
> Amazon (and other) scams. I haven't had one get thru in the last 
> couple of months since I instituted them, but I only have a personal 
> account and not a whole site, so YMMV. None of them look for phone 
> numbers, but I do have a set of rules for a handful of stolen business 
> addresses commonly used in spams I get. They add a few points when 
> those show up.
>
>        Loren
>
That approach might be problematic on multi-user servers. I'm already 
getting FPs when someone does a copy/paste of an Amazon product page and 
sends it as mail. This triggers the "not from Amazon but has images from 
Amazon" rule, which is weighted quite high. The sender's signature 
typically has a phone number as well, so EvilNumbers would make things 
worse. I still think the rule and weight is appropriate for spam, so I'm 
looking for other ways to mitigate the FPs.

--
For SpamAssassin Users List


Re: Maybe it's time to revive EvilNumbers?

Posted by Loren Wilton <lw...@earthlink.net>.
> My site is getting a lot of spam that is getting past SpamAssassin,
> because it has a phone number to call rather than a link to log in
> using a username and password. Mostly fake Amazon purchases. They are
> getting past a lot of URL block lists because of that. FWIW. - Mark

I have a number of "purchase" rules that add about 30 points for fake Amazon 
(and other) scams. I haven't had one get thru in the last couple of months 
since I instituted them, but I only have a personal account and not a whole 
site, so YMMV. None of them look for phone numbers, but I do have a set of 
rules for a handful of stolen business addresses commonly used in spams I 
get. They add a few points when those show up.

        Loren


Re: Maybe it's time to revive EvilNumbers?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 6/16/21 6:18 PM, Loren Wilton wrote:
> Here are a handful of rules that work for me. Feel free to try them.
> If you do, please let me know how they work for you.

Thank you Loren.  I'm marking your message for future use if these spam 
messages turn into a problem.

> (Apologies for my mail client trashing the formatting.
> Be sure to check for possible line wrap on some of the rules!)

*nod*nod*



-- 
Grant. . . .
unix || die


Re: Maybe it's time to revive EvilNumbers?

Posted by Loren Wilton <lw...@earthlink.net>.
Here are a handful of rules that work for me. Feel free to try them.
If you do, please let me know how they work for you.

(Apologies for my mail client trashing the formatting.
Be sure to check for possible line wrap on some of the rules!)

        Loren


body  LW_PAYMENT  /You\s+sent\s+a\s+Payment\s+of/i
score  LW_PAYMENT  0.5
describe LW_PAYMENT  You sent someone a payment

body  LW_ORDER  /\b(?:order|purchase)\s+(?:number|ID|date|description)\b/i
score  LW_ORDER  0.5
describe LW_ORDER  Contains order information


header  __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/
header  __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/
header  __LW_ABC_LISTID List-Id =~ /\w{13}\s+\<ab/   # some <ab>, some <abc>

meta  LW_BOGUS_ORDER (__LW_SUB_INVOICE || __LW_FROM_INVOICE) && __LW_ABC_LISTID
score  LW_BOGUS_ORDER 5
describe LW_BOGUS_ORDER Fake order or invoice

meta  LW_SPAM_LISTID __LW_ABC_LISTID
score  LW_SPAM_LISTID 1
describe LW_SPAM_LISTID The List-Id header seems to indicate spam


# FREEMAIL_FROM is supplied by the FreeMail plugin
meta  LW_FREEMAIL_ORDER FREEMAIL_FROM && (LW_ORDER || LW_PAYMENT)
score  LW_FREEMAIL_ORDER 4
describe LW_FREEMAIL_ORDER An order receipt from a free email address


# all four sub-rules must hit for the negative score; any other "Amazon" + "order" mail is scored as a phish below
header  __LW_SUB_AMZ_ORDER Subject =~ /^Your Amazon\.com order \#\d{3}-\d{7}-\d{7}\s*$/
header  __LW_FROM_AMZ_ORDER From =~ /\"Amazon\.com\"\s+<auto-confirm\@amazon\.com>/
header  __LW_REP_AMZ_ORDER Reply-To =~ /^no-reply\@amazon\.com\s*$/
body  __LW_BODY_AMZ_ORDER /Amazon\.com Order Confirmation/

meta  LW_REAL_AMZ_ORDER __LW_SUB_AMZ_ORDER && __LW_FROM_AMZ_ORDER && __LW_REP_AMZ_ORDER && __LW_BODY_AMZ_ORDER
score  LW_REAL_AMZ_ORDER -2
describe LW_REAL_AMZ_ORDER Amazon order confirmation

header  __LW_FROM_AMZ From =~ /\bamazon\b/i
header  __LW_SUB_ORDER Subject =~ /\border\b/i

meta  LW_FAKE_AMZ_ORDER __LW_FROM_AMZ && __LW_SUB_ORDER && !LW_REAL_AMZ_ORDER
score  LW_FAKE_AMZ_ORDER 7
describe LW_FAKE_AMZ_ORDER Amazon order phish
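To see how Loren's rules interact before deploying them (in particular how LW_REAL_AMZ_ORDER suppresses LW_FAKE_AMZ_ORDER on a genuine confirmation), here is an added Python harness that is not part of the thread and not SpamAssassin code: it re-implements the header/body/meta logic above with Python's re module and scores two constructed messages. FREEMAIL_FROM is modelled as a boolean flag on the message, since the FreeMail plugin is not reproduced here.

```python
import re

# Constructed test messages (not real mail): headers plus body, with the
# FreeMail plugin's FREEMAIL_FROM result stubbed as a "freemail" flag.
REAL_AMZ = {
    "Subject": "Your Amazon.com order #123-1234567-1234567",
    "From": '"Amazon.com" <auto-confirm@amazon.com>',
    "Reply-To": "no-reply@amazon.com", "List-Id": "", "freemail": False,
    "body": "Amazon.com Order Confirmation\nOrder Number: 123-1234567-1234567",
}
FAKE_AMZ = {
    "Subject": "Your Amazon order has shipped",
    "From": "Amazon Support <billing.desk42@gmail.com>",
    "Reply-To": "billing.desk42@gmail.com", "List-Id": "", "freemail": True,
    "body": "Order ID: 7781. Call +1 555 0100 within 24h to cancel this purchase.",
}

SCORES = {"LW_PAYMENT": 0.5, "LW_ORDER": 0.5, "LW_BOGUS_ORDER": 5, "LW_SPAM_LISTID": 1,
          "LW_FREEMAIL_ORDER": 4, "LW_REAL_AMZ_ORDER": -2, "LW_FAKE_AMZ_ORDER": 7}

def hit(pattern, text, flags=0):
    return re.search(pattern, text, flags) is not None

def sa_rules(m):
    """Evaluate the LW_* rule set on one message; returns {rule_name: bool}."""
    h = {}
    h["LW_PAYMENT"] = hit(r"You\s+sent\s+a\s+Payment\s+of", m["body"], re.I)
    h["LW_ORDER"] = hit(r"\b(?:order|purchase)\s+(?:number|ID|date|description)\b", m["body"], re.I)
    h["__LW_SUB_INVOICE"] = hit(r"\b(?:invoice|order)\b", m["Subject"])
    h["__LW_FROM_INVOICE"] = hit(r"\b(?:invoice|order)\b", m["From"])
    h["__LW_ABC_LISTID"] = hit(r"\w{13}\s+<ab", m["List-Id"])
    h["LW_BOGUS_ORDER"] = (h["__LW_SUB_INVOICE"] or h["__LW_FROM_INVOICE"]) and h["__LW_ABC_LISTID"]
    h["LW_SPAM_LISTID"] = h["__LW_ABC_LISTID"]
    h["LW_FREEMAIL_ORDER"] = m["freemail"] and (h["LW_ORDER"] or h["LW_PAYMENT"])
    # The genuine-confirmation rule needs all four sub-rules to match.
    real = (hit(r"^Your Amazon\.com order \#\d{3}-\d{7}-\d{7}\s*$", m["Subject"])
            and hit(r'"Amazon\.com"\s+<auto-confirm@amazon\.com>', m["From"])
            and hit(r"^no-reply@amazon\.com\s*$", m["Reply-To"])
            and hit(r"Amazon\.com Order Confirmation", m["body"]))
    h["LW_REAL_AMZ_ORDER"] = real
    # Anything else mentioning Amazon in From and "order" in Subject is treated as a phish.
    h["LW_FAKE_AMZ_ORDER"] = (hit(r"\bamazon\b", m["From"], re.I)
                              and hit(r"\border\b", m["Subject"], re.I) and not real)
    return h

def score(m):
    """Sum the scores of the scoring (non-__) rules that hit."""
    hits = sa_rules(m)
    return sum(s for rule, s in SCORES.items() if hits[rule])

if __name__ == "__main__":
    for name, msg in (("real", REAL_AMZ), ("fake", FAKE_AMZ)):
        print(name, score(msg), [r for r, v in sa_rules(msg).items() if v and not r.startswith("__")])
```

The constructed genuine confirmation lands at -1.5 (LW_ORDER +0.5, LW_REAL_AMZ_ORDER -2) while the freemail phish reaches 11.5 (LW_ORDER, LW_FREEMAIL_ORDER and LW_FAKE_AMZ_ORDER); swap in your own copy/pasted product-page mail to check the FP case Alan describes.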




Re: Maybe it's time to revive EvilNumbers?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 6/15/21 10:11 AM, Mark London wrote:
> My site is getting a lot of spam that is getting past SpamAssassin,
> because it has a phone number to call rather than a link to log in
> using a username and password. Mostly fake Amazon purchases. They are
> getting past a lot of URL block lists because of that. FWIW. - Mark

I had one of these come in today.  Indeed a bogus apparent Amazon 
purchase, though I don't think it said Amazon, save for a graphic. 
Score was -0.9.  :-/  I'll save it for later to compare if I get more of 
them.



-- 
Grant. . . .
unix || die