You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "Randal, Phil" <pr...@herefordshire.gov.uk> on 2008/02/19 11:31:20 UTC

{Spam?} RE: "Nice girl like to chat" spam

Unfortunately she changes the .info domain as often as she changes her
knickers.  :-p

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: Michael Hutchinson [mailto:mhutchinson@manux.co.nz] 
> Sent: 18 February 2008 20:10
> To: users@spamassassin.apache.org
> Subject: FW: "Nice girl like to chat" spam
> 
> > -----Original Message-----
> > From: ItsMikeE [mailto:nabble@ernstoff.net]
> > Sent: Monday, 18 February 2008 11:33 p.m.
> > To: users@spamassassin.apache.org
> > Subject: "Nice girl like to chat" spam
> > 
> > 
> > For some time now I have been getting spams that look like
> > "Hello! I am tired this evening. I am nice girl that would like to
> chat
> > with
> > you. Email me at name@domain.info only, because I am using 
> my friend's
> > email
> > to write this. To see my pics"
> > 
> > They are still not being picked up, despite me passing them to be
> learnt
> > for
> > the bayes DB.
> > 
> > Has anyone written a rule to filter these out?
> > --
> > View this message in context:
> http://www.nabble.com/%22Nice-girl-like-to-
> > chat%22-spam-tp15542352p15542352.html
> > Sent from the SpamAssassin - Users mailing list archive at 
> Nabble.com.
> 
> 
> Yes, I've got rules against that spam! They were sending us a 
> ton of it
> so I wrote some local.cf rules: 
> 
> body __NICEGIRL_SPAM_1          /Hello! I am (tired|bored) this
> afternoon/
> body __NICEGIRL_SPAM_2          /I am nice girl that would 
> like to chat
> with you/
> body __NICEGIRL_SPAM_3          /\@TheHealCare\.info/
> meta CST_NICEGRL_SPAM (((1.0* __NICEGIRL_SPAM_1) + (1.0*
> __NICEGIRL_SPAM_2) + (2 * __NICEGIRL_SPAM_3)) > 1)
> score CST_NICEGRL_SPAM          7.0
> describe CST_NICEGRL_SPAM       Want-to-chat SPAM
> 
> With this, the first two rules have to match for it to trigger, or the
> 3rd rule by itself can trigger it too (email link to 
> TheHealCare.info).
> 
> Works rather well, haven't seen any of that spam lately. Matching
> phrases works really well in SA but you have to watch out for the
> spammers that are onto changing the way words are spelt, and
> intentionally mis-spelling words to bypass rules, hence the
> (tired|bored) part may need to become (tireed|tired|bored) etc.
> 
> 
> Cheers,
> Mike
>