Posted to users@spamassassin.apache.org by Robert Fitzpatrick <li...@webtent.net> on 2007/08/24 15:09:43 UTC
How to stop these?
Anyone seen these, first reported to us today, but a lot...can they be
stopped. Bayes even gives negative score...we are running SA 3.2.1 with
SARE rules, Botnet, KAM, chickenpox...
http://esmtp.webtent.net/mail1.txt
Content analysis details: (1.8 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=64.12.137.5,rdns=imo-m24.mx.aol.com]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.8 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
--
Robert
Re: How to stop these?
Posted by Kai Schaetzl <ma...@conactive.com>.
What's the problem? "Great Chinese Proverb" is genuine enough, isn't it?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: How to stop these?
Posted by bg...@idcomm.com.
Robert Fitzpatrick wrote:
> On Fri, 2007-08-24 at 06:48 -0700, John D. Hardin wrote:
>> On Fri, 24 Aug 2007, Robert Fitzpatrick wrote:
>>
>>> Anyone seen these, first reported to us today, but a lot...can
>>> they be stopped. Bayes even gives negative score...we are running
>>> SA 3.2.1 with SARE rules, Botnet, KAM, chickenpox...
>>>
>>> http://esmtp.webtent.net/mail1.txt
>> Hrm. About the only useful thing I can see is the number of
>> recipients. You might want to add a point for more than ten or so
>> addresses in the TO: header. I posted some rules for that a few days
>> ago.
>
> Thanks for the ideas, I found your rules, but don't seem to fire on my
> message after updating to 15...
>
> (?:,[^,]{1,80}){15}
>
> I'm new to my own rules. I know regex's in Perl, SQL, etc. And actually
> it seems that yours is one off, where there were 15 recipients in my
> message, it started matching at 14, not 15. Using the above, the first
> address is not being picked up...thanks again.
>
Since that regex is looking for ,'s there would be 14 in a list of 15
recipients.
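
The off-by-one described in this reply, as an added example that is not part of the original thread: it runs the quoted pattern against constructed To: headers, and goes one step beyond the thread by showing that a comma inside a quoted display name also inflates the count. The helper names, the example.com addresses and the use of Python's `re` (the pattern behaves the same as in Perl) are assumptions made for the illustration.

```python
import re
from email.utils import getaddresses


def comma_rule(n):
    """The pattern quoted in the thread, with the repeat count as a parameter."""
    return re.compile(r"(?:,[^,]{1,80}){%d}" % n)


def rule_fires(to_header, n):
    """True if the comma-counting pattern with repeat count n matches the header."""
    return comma_rule(n).search(to_header) is not None


def min_repeat_for(threshold):
    """Repeat count needed to fire at `threshold` recipients.

    A list of k addresses contains k - 1 separating commas, so the repeat
    count must be one less than the recipient threshold.
    """
    return threshold - 1


def parsed_count(to_header):
    """Count addresses with a header-aware parser instead of counting commas."""
    return sum(1 for _name, addr in getaddresses([to_header]) if addr)


def make_to(k):
    """Constructed sample To: header value with k recipients."""
    return ", ".join("user%d@example.com" % i for i in range(1, k + 1))


# Constructed edge case: 14 real recipients, but the quoted display name
# contributes an extra comma, so the header carries 14 commas in total.
QUOTED = '"Doe, John" <jd@example.com>, ' + make_to(13)

if __name__ == "__main__":
    for k in (14, 15, 16):
        hdr = make_to(k)
        print("%d recipients: {15} fires=%s, {14} fires=%s"
              % (k, rule_fires(hdr, 15), rule_fires(hdr, 14)))
    print("quoted-name header: parsed=%d, {14} fires=%s"
          % (parsed_count(QUOTED), rule_fires(QUOTED, 14)))
```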
Re: How to stop these?
Posted by Robert Fitzpatrick <li...@webtent.net>.
On Fri, 2007-08-24 at 06:48 -0700, John D. Hardin wrote:
> On Fri, 24 Aug 2007, Robert Fitzpatrick wrote:
>
> > Anyone seen these, first reported to us today, but a lot...can
> > they be stopped. Bayes even gives negative score...we are running
> > SA 3.2.1 with SARE rules, Botnet, KAM, chickenpox...
> >
> > http://esmtp.webtent.net/mail1.txt
>
> Hrm. About the only useful thing I can see is the number of
> recipients. You might want to add a point for more than ten or so
> addresses in the TO: header. I posted some rules for that a few days
> ago.
Thanks for the ideas, I found your rules, but don't seem to fire on my
message after updating to 15...
(?:,[^,]{1,80}){15}
I'm new to my own rules. I know regex's in Perl, SQL, etc. And actually
it seems that yours is one off, where there were 15 recipients in my
message, it started matching at 14, not 15. Using the above, the first
address is not being picked up...thanks again.
--
Robert
Re: How to stop these?
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 24 Aug 2007, Robert Fitzpatrick wrote:
> Anyone seen these, first reported to us today, but a lot...can
> they be stopped. Bayes even gives negative score...we are running
> SA 3.2.1 with SARE rules, Botnet, KAM, chickenpox...
>
> http://esmtp.webtent.net/mail1.txt
Hrm. About the only useful thing I can see is the number of
recipients. You might want to add a point for more than ten or so
addresses in the TO: header. I posted some rules for that a few days
ago.
That X-Mailer looks really suspicious, too.
And give AOL a few points, just on principle. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The one political issue that strips all politicians bare is
individual gun rights.
-----------------------------------------------------------------------
Tomorrow: The 1928th anniversary of the destruction of Pompeii