Posted to users@spamassassin.apache.org by Jared Hall <jh...@tbi.net> on 2007/08/14 17:42:02 UTC

Sample eCard Rules...

Some quick eCard rules:

header	JARED_ECARD			Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
score	JARED_ECARD			2.5

header	JARED_ECARD1			Subject =~ /^(School\-mate|Worshipper|Neighbour|Colleague|Admirer|School mate|Mate|Class\-mate|Neighbor|Friend|Partner|Family member|Class mate) sent you (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from ((postcardsfrom|Greeting\-Cards|e\-cards|1LoveCards|postcard|greetingCard|netfuncards|freewebcards|AmericanGreetings|GreetingCards|2000Greetings|FunnyPostcard|mypostcards|egreetings|dgreetings|VintagePostcards|123Greetings|riversongs|Hallmark|greet2k|egreetings|all\-yours|bluemountain|Postcards)\.(com|net|org))\!?/i
score	JARED_ECARD1			2.0

header	JARED_ECARD2			Subject =~ /^(Animated|Funny|Greeting|Holiday|Thank you|Musical|Love|Birthday|Movie\-quality)[\s](ecard|card|postcard)[\s]$/i
score	JARED_ECARD2			2.0


$0.02,

Jared Hall
General Telecom, LLC.


On Tuesday 14 August 2007 11:33, John Rudd wrote:
> Doc Schneider wrote:
> > Loren Wilton wrote:
> >> PDFinfo plugin from SARE helps a lot with the pdf mess.
> >
> > I found that ClamAV catches most all those greeting card spamscam
> > viruses.
> >
> > But the PDFInfo from SARE works GREAT!
>
> ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL
> signatures in addition to the main ClamAV signatures.  We went from
> rejecting a few thousand "viruses" a day with just the base ClamAV
> signatures, to rejecting high 10's of thousands of messages a day
> (mostly due to Sanesecurity).  No complaints about false positives yet.

Re: Sample eCard Rules...

Posted by Matt Kettler <mk...@verizon.net>.
Jared Hall wrote:
> Some quick eCard rules:
>
> header	JARED_ECARD			Subject =~ /You\'ve received (a|an) (greeting|postcard|
> ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|
> family member|friend|mate|neighbor|neighbour|partner|school friend|school 
> mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
>   
A good start, but that rule could be simplified quite a lot.

For starters, don't do (a|an).. it's much faster to do an? instead.

Also, in this case the \!? at the end is pointless. Regexes match
substrings, so you could just leave that whole part off with zero change
in what will match.

In general, for regexes that are used to detect matches only (i.e. SA
rules), if you end in . + * or ? you're doing something wasteful and
pointless and should re-examine the regex. Unless you add a $ at the
end, you don't have to match the whole text, so don't waste time trying
to match optional characters at the end.

Here's a variant I use..

header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD greeting card virus


Notes: 

Mine won't catch the "You've received a greeting from a" variant yours picks up, but I've never seen that one myself. Every one I've seen of this type has "card" in it somewhere.

Mine's also a bit less specific, as it just uses a .{4,20} where yours bothers to list out all the possible texts the virus uses. I feel it's unlikely to match anything nonspam, but greatly reduces the resource usage of the rule.

Mine requires the exclamation point at the end, where yours makes it optional (and should just leave it off as above).
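The points Matt raises above (a header rule searches for a substring, so a trailing optional `\!?` cannot change what matches; his shorter variant has no /i flag and insists on the "!") are easy to check before a rule goes into local.cf. The following harness is an added example, not code from the thread: it transcribes Jared's JARED_ECARD pattern onto one line (escapes dropped, the duplicate alternatives that /i already covers left out), takes Matt's L_S_SUBJPOSTCARD pattern exactly as posted, and runs both over a handful of constructed Subject lines.

```python
import re

# Constructed sample Subject lines for the harness (none are taken from the thread).
SAMPLE_SUBJECTS = [
    "You've received a postcard from a family member!",
    "You've received an ecard from a neighbour",            # no trailing "!"
    "You've received a greeting from a friend!",            # no "card" anywhere
    "Re: You've received an ecard from a school mate!",     # reply prefix in front
    "YOU'VE RECEIVED A POSTCARD FROM A COLLEAGUE!",         # upper case
    "Weekly newsletter: your account statement",           # ham
]

# Jared's JARED_ECARD pattern transcribed onto one line, with the escapes dropped and
# the duplicate alternatives that /i already covers left out.
JARED_BASE = (
    r"You've received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) "
    r"from a (admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|"
    r"partner|school friend|school mate|school-mate|worshipper|buddy|pal)"
)
JARED_ECARD = re.compile(JARED_BASE + r"!?", re.IGNORECASE)   # as posted: optional "!"
JARED_ECARD_NO_BANG = re.compile(JARED_BASE, re.IGNORECASE)   # trailing "!?" removed

# Matt's L_S_SUBJPOSTCARD variant, exactly as posted (no /i flag, "!" required).
MATT_VARIANT = re.compile(
    r"\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!"
)


def matching_subjects(pattern, subjects=SAMPLE_SUBJECTS):
    """Subjects the pattern hits. re.search mirrors an SA header rule: a match
    anywhere in the header value counts; nothing is anchored unless you add ^ or $."""
    return [s for s in subjects if pattern.search(s)]


def same_hits(first, second, subjects=SAMPLE_SUBJECTS):
    """True when two patterns select exactly the same subjects from the sample set."""
    return matching_subjects(first, subjects) == matching_subjects(second, subjects)


if __name__ == "__main__":
    for name, pat in [("JARED_ECARD", JARED_ECARD), ("MATT_VARIANT", MATT_VARIANT)]:
        print(name)
        for s in matching_subjects(pat):
            print("  hit:", s)
    print("dropping the trailing !? changes nothing:",
          same_hits(JARED_ECARD, JARED_ECARD_NO_BANG))
```

Running it shows the two versions of Jared's rule selecting the same subjects, and the shorter variant skipping the "greeting from a" wording (as Matt notes), the subject without an exclamation mark, and the all-capitals subject. Keeping such a list of constructed subjects beside a rule is the cheapest way to see what a "simplification" actually dropped.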


Re: How to write a rule to filter this email?

Posted by Loren Wilton <lw...@earthlink.net>.
Take the :addr off.

        Loren

----- Original Message ----- 
From: "chteh" <ch...@nav6.org>
To: <us...@SpamAssassin.apache.org>
Sent: Thursday, September 20, 2007 8:14 PM
Subject: How to write a rule to filter this email?


> Hi all,
>
> Recently I wrote a rule to filter Viagra emails. I found that the
> pattern of these spam emails is that the "From" appears as "Viagra.com Inc
> <ch...@nav6.org>".
>
> In my local.cf, I have added a simple rule like this:
> header          No_Viagra_From  From:addr =~ /viagra/i
> score           No_Viagra_From  10.0
> describe        No_Viagra_From  From that contains a word viagra
>
> But unfortunately, it doesn't work. Can anyone here teach me how to write
> a rule to block this type of email, please?
>
> I have attached the head of the spam mail here. Thanks in advance!
>
> ----------------------------------------------------------------------------
>>>From chteng@pccs.net  Fri Sep 21 06:55:39 2007
> Return-Path: <ch...@pccs.net>
> X-Original-To: chteh@nav6.org
> Delivered-To: chteh@nav6.org
> Received: from localhost (unknown [127.0.0.1])
>        by nav6.org (Postfix) with ESMTP id 4A7F21D6010B
>        for <ch...@nav6.org>; Thu, 20 Sep 2007 22:55:39 +0000 (UTC)
> X-Virus-Scanned: amavisd-new at nav6.org
> Received: from c66-235-44-65.sea2.cablespeed.com
> (c66-235-44-65.sea2.cablespeed.com [66.235.44.65])
>        by nav6.org (Postfix) with SMTP id AF38F1D600CA
>        for <ch...@nav6.org>; Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
> Received: from Lupe Cash (10.12.13.16) by 
> c66-235-44-65.sea2.cablespeed.com
> (PowerMTA(TM) v3.2r4) id hfp10o93d75j00 for <ch...@nav6.org>; Thu, 20 Sep
> 2007 02:52:29 -0800
> Message-Id: <20...@c66-235-44-65.sea2.cablespeed.com>
> To: <ch...@nav6.org>
> Subject: Lovers package at discount price!
> From: Viagra.com Inc <ch...@nav6.org>
> MIME-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
> Date: Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
> X-UID: 3
> Status: RO
> X-Keywords:
> Content-Length: 2705
> ----------------------------------------------------------------------------
>
> Best Regards,
>
> Simon Teh
> Network and System Administrator
> National Advanced IPv6
> Centre of Excellence,
> School of Computer Science,
> Universiti Sains Malaysia 
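Loren's one-line answer turns on what the :addr modifier selects: the address part of the From: header, which here is a plain mailbox at the recipient's own domain, while the "Viagra.com Inc" text lives in the display name. The snippet below is an added example, not code from the thread: it mimics that split with the standard library's email.utils.parseaddr and runs the poster's /viagra/i test over each view of the header. The From: values are constructed and the mailboxes are placeholders.

```python
import re
from email.utils import parseaddr

# The poster's test, as written in the rule: /viagra/i
VIAGRA = re.compile(r"viagra", re.IGNORECASE)

# Constructed From: values. The mailboxes are placeholders, not the thread's address.
SAMPLE_FROM = {
    "spoofed display name": "Viagra.com Inc <user@example.org>",
    "keyword in mailbox":   "Special Offers <viagra-deals@example.net>",
    "ordinary sender":      "Alice Example <alice@example.org>",
}


def header_parts(from_value):
    """Split a From: value into the views an SA rule can test: the whole header
    (a bare 'From'), the address only ('From:addr'), and the display name, which
    is the piece ':addr' throws away. parseaddr copes with quoted names and comments."""
    name, addr = parseaddr(from_value)
    return {"whole": from_value, "addr": addr, "name": name}


def rule_hits(from_value, pattern=VIAGRA):
    """Which views of this From: value the pattern matches."""
    return {view: bool(pattern.search(text))
            for view, text in header_parts(from_value).items()}


if __name__ == "__main__":
    for label, value in SAMPLE_FROM.items():
        print(f"{label:22s} {rule_hits(value)}")
```

For the spoofed sample the bare-header view matches and the :addr view does not, which is exactly the failure the poster saw; the display name is where the bait sits, and :addr discards it. Newer SpamAssassin releases also offer a From:name modifier that tests the display-name portion on its own.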



How to write a rule to filter this email?

Posted by chteh <ch...@nav6.org>.
Hi all,

Recently I wrote a rule to filter Viagra emails. I found that the pattern
of these spam emails is that the "From" appears as "Viagra.com Inc
<ch...@nav6.org>".

In my local.cf, I have added a simple rule like this:
header          No_Viagra_From  From:addr =~ /viagra/i
score           No_Viagra_From  10.0
describe        No_Viagra_From  From that contains a word viagra

But unfortunately, it doesn't work. Can anyone here teach me how to write a
rule to block this type of email, please?

I have attached the head of the spam mail here. Thanks in advance!

----------------------------------------------------------------------------
>From chteng@pccs.net  Fri Sep 21 06:55:39 2007
Return-Path: <ch...@pccs.net>
X-Original-To: chteh@nav6.org
Delivered-To: chteh@nav6.org
Received: from localhost (unknown [127.0.0.1])
        by nav6.org (Postfix) with ESMTP id 4A7F21D6010B
        for <ch...@nav6.org>; Thu, 20 Sep 2007 22:55:39 +0000 (UTC)
X-Virus-Scanned: amavisd-new at nav6.org
Received: from c66-235-44-65.sea2.cablespeed.com
(c66-235-44-65.sea2.cablespeed.com [66.235.44.65])
        by nav6.org (Postfix) with SMTP id AF38F1D600CA
        for <ch...@nav6.org>; Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
Received: from Lupe Cash (10.12.13.16) by c66-235-44-65.sea2.cablespeed.com
(PowerMTA(TM) v3.2r4) id hfp10o93d75j00 for <ch...@nav6.org>; Thu, 20 Sep
2007 02:52:29 -0800
Message-Id: <20...@c66-235-44-65.sea2.cablespeed.com>
To: <ch...@nav6.org>
Subject: Lovers package at discount price!
From: Viagra.com Inc <ch...@nav6.org>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Fri, 21 Sep 2007 06:55:32 +0800 (MYT)
X-UID: 3
Status: RO
X-Keywords:
Content-Length: 2705
----------------------------------------------------------------------------

Best Regards,
 
Simon Teh
Network and System Administrator
National Advanced IPv6 
Centre of Excellence,
School of Computer Science,
Universiti Sains Malaysia