Posted to users@spamassassin.apache.org by "Casartello, Thomas" <tc...@wsc.ma.edu> on 2009/04/29 01:43:09 UTC

Physician List

Has anyone else noticed these messages as a problem? I have had a few
complaints about messages getting through my spam filter involving
"Physicians List in the USA" or something like that usually talking about
dentists too. I made this to target it (someone on the list showed me how to
do things like this which really seems to be helping to block EDU Spear
attacks)

 

# Phrases seen in the physician/dentist list messages
body WSC_DENTISTSCAM /Dent ists|Send an email to Slater|Directory in the United States|have won a prize money|D.entists|Reach Dentists|Physician Mailing List|receive money|you will have your email taken off|Physicians in the US|Pharmaceutical Company List|List of US Hospitals|Directory of US Dentists/i
describe WSC_DENTISTSCAM Dentist scam.
score WSC_DENTISTSCAM 15

# Low-scoring keyword rules used by the meta rules below
body       WSC_DENTIST_D /dentist/i
describe   WSC_DENTIST_D Email Contains dentist
score      WSC_DENTIST_D 0.1

body       WSC_DENTIST_P /physician|MD/i
describe   WSC_DENTIST_P Email contains physician
score      WSC_DENTIST_P 0.1

body       WSC_DENTIST_L /list|directory/i
describe   WSC_DENTIST_L Email contains directory/list
score      WSC_DENTIST_L 0.1

body       WSC_DENTIST_U /United States/i
describe   WSC_DENTIST_U Email contains United States
score      WSC_DENTIST_U 0.1

# Meta rules combining the keyword rules
meta       WSC_DENTIST_1 WSC_DENTIST_D && WSC_DENTIST_P && WSC_DENTIST_L
describe   WSC_DENTIST_1 Likely dentist/physician list spam..contains physician, dentist, and list or directory
score      WSC_DENTIST_1 7

meta       WSC_DENTIST_2 WSC_DENTIST_D && WSC_DENTIST_P && WSC_DENTIST_L && WSC_DENTIST_U
describe   WSC_DENTIST_2 Very Likely dentist/physician list spam
score      WSC_DENTIST_2 10

 

Has anyone else been seeing these types of messages? 

 

Thomas E. Casartello, Jr.

Staff Assistant - Wireless Technician/Linux Administrator

Information Technology

Wilson 105A

Westfield State College

(413) 572-8245

 

Red Hat Certified Technician (RHCT)
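
Added example (not part of the original post, and not SpamAssassin code): a Python approximation of how the rules posted above would score three constructed message bodies, as a false-positive check before deploying them. It assumes the 10-point score belongs to WSC_DENTIST_2 and matches each regex case-insensitively against the whole body, which simplifies how SpamAssassin feeds body text to rules.

```python
import re

# Rules transcribed from the post: name -> (regex, score). All use /i.
BODY_RULES = {
    "WSC_DENTISTSCAM": (
        r"Dent ists|Send an email to Slater|Directory in the United States"
        r"|have won a prize money|D.entists|Reach Dentists"
        r"|Physician Mailing List|receive money"
        r"|you will have your email taken off|Physicians in the US"
        r"|Pharmaceutical Company List|List of US Hospitals"
        r"|Directory of US Dentists", 15.0),
    "WSC_DENTIST_D": (r"dentist", 0.1),
    "WSC_DENTIST_P": (r"physician|MD", 0.1),
    "WSC_DENTIST_L": (r"list|directory", 0.1),
    "WSC_DENTIST_U": (r"United States", 0.1),
}
# Meta rules: name -> (sub-rules that must all hit, score).
# Assumption: the 10-point score belongs to WSC_DENTIST_2.
META_RULES = {
    "WSC_DENTIST_1": (("WSC_DENTIST_D", "WSC_DENTIST_P", "WSC_DENTIST_L"), 7.0),
    "WSC_DENTIST_2": (("WSC_DENTIST_D", "WSC_DENTIST_P", "WSC_DENTIST_L",
                       "WSC_DENTIST_U"), 10.0),
}
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

def evaluate(text):
    """Return (sorted rule hits, total score) for one message body."""
    hits = {name for name, (rx, _) in BODY_RULES.items()
            if re.search(rx, text, re.IGNORECASE)}
    hits |= {name for name, (deps, _) in META_RULES.items()
             if hits.issuperset(deps)}
    scores = {**BODY_RULES, **META_RULES}
    total = round(sum(scores[name][1] for name in hits), 1)
    return sorted(hits), total

# Constructed sample bodies (not real mail): one spam-like, two legitimate.
SAMPLES = {
    "spam": "Directory of US Dentists and Physicians in the United States. "
            "Reach Dentists with our mailing list.",
    "expenses": "You will receive money back from petty cash after approval.",
    "helpdesk": "Your dentist visit is Friday. Run the cmd script to list tickets.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits, total = evaluate(body)
        verdict = "SPAM" if total >= REQUIRED_SCORE else "ham"
        print(f"{label:9} {total:5} {verdict}  {', '.join(hits)}")
```

Both legitimate samples cross the threshold: "receive money" alone fires the 15-point rule, and under /i the `MD` alternative matches inside "cmd", which completes WSC_DENTIST_1.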

 


Re: Physician List

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2009-04-29 at 06:42 -0700, Jeff Chan wrote:
> On Tuesday, April 28, 2009, 6:04:50 PM, Karsten Bräckelmann wrote:

> > I have seen quite a few myself. Unfortunately, they tend to slip by.
> > Made a first attempt at catching them, which helped -- though I do see
> > new variants going under the radar of a few of my meta's.
> 
> > I'd be interested in getting more samples (contact me off-list first!)
> > by anyone, to tighten and broaden (yes, both) my local rules and drop
> > them publicly.

> They're probably catchable by body text and/or header patterns.
> Could make a good new rule as suggested in the "Code Rot" thread.

Exactly -- that's why I asked for more samples. :)

  guenther

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Physician List

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, April 28, 2009, 6:04:50 PM, Karsten Bräckelmann wrote:
> On Tue, 2009-04-28 at 19:43 -0400, Casartello, Thomas wrote:
>> Has anyone else noticed these messages as a problem? I have had a few
>> complaints about messages getting through my spam filter involving
>> “Physicians List in the USA” or something like that usually talking

> I have seen quite a few myself. Unfortunately, they tend to slip by.
> Made a first attempt at catching them, which helped -- though I do see
> new variants going under the radar of a few of my meta's.

> I'd be interested in getting more samples (contact me off-list first!)
> by anyone, to tighten and broaden (yes, both) my local rules and drop
> them publicly.

> Interestingly, I seem to ever get them only on list role accounts and
> non-published OSS forwarder addresses.

They're probably catchable by body text and/or header patterns.
Could make a good new rule as suggested in the "Code Rot" thread.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Physician List [ATT]

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2009-04-29 at 03:04 +0200, Karsten Bräckelmann wrote:
> I have seen quite a few myself. Unfortunately, they tend to slip by.
> Made a first attempt at catching them, which helped -- though I do see
> new variants going under the radar of a few of my meta's.
> 
> I'd be interested in getting more samples (contact me off-list first!)

Let me re-phrase this...

Please contact me OFF-LIST FIRST, before sending any samples. In
particular, do *not* attach any samples without wrapping them in a
tarball!

> by anyone, to tighten and broaden (yes, both) my local rules and drop
> them publicly.

The more, the merrier.  From experience with my old-ish attempt at this
rule-set, there is quite some room for variations. Thus, getting as many
samples as possible will help writing better metas.

Get 'em rolling!

  guenther  -- posting for a reason ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Physician List

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2009-04-28 at 19:43 -0400, Casartello, Thomas wrote:
> Has anyone else noticed these messages as a problem? I have had a few
> complaints about messages getting through my spam filter involving
> “Physicians List in the USA” or something like that usually talking

I have seen quite a few myself. Unfortunately, they tend to slip by.
Made a first attempt at catching them, which helped -- though I do see
new variants going under the radar of a few of my meta's.

I'd be interested in getting more samples (contact me off-list first!)
by anyone, to tighten and broaden (yes, both) my local rules and drop
them publicly.

Interestingly, I seem to ever get them only on list role accounts and
non-published OSS forwarder addresses.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}