Posted to users@spamassassin.apache.org by Suhas Ingale <sp...@qualispace.com> on 2007/06/22 16:44:10 UTC

Help in writing rules to catch SREA stock spams

Can someone help me write rules to catch the spam content below?

SREA UP Another 36.36%. Read This Hit List!

Score One Inc. (SREA)

Close: $0.60 UP 36.36%

In the last two days SREA has been on the watch list of OTCPicks.com,
OTCStockExchange.com, and Boonmarket.com rocketing it over 200%. Need we say
more? Get on SREA and ride the wave.

I have written these rules. Let me know if they are wrong.

full      OTCPicks          /OTCPicks\.com/i
describe  OTCPicks          Emails containing OTCPicks URLs.
score     OTCPicks          5.0

full      OTCStockExchange  /OTCStockExchange\.com/i
describe  OTCStockExchange  Emails containing OTCStockExchange URLs.
score     OTCStockExchange  5.0

full      Boonmarket        /Boonmarket\.com/i
describe  Boonmarket        Emails containing Boonmarket URLs.
score     Boonmarket        5.0


RE: Help in writing rules to catch SREA stock spams

Posted by Suhas Ingale <sp...@qualispace.com>.
This line is common in all such stock spam. How do I catch these using
rules?

Score One Inc. (SREA)


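An added example, not from anyone in this thread, of how the rules in the first post and the "Score One Inc. (SREA)" line from the second could be expressed in local.cf: a uri rule for the three promoter domains quoted in the message, body rules for the ticker line and the gain hype, and a meta rule that only adds real weight when two indicators agree. The rule names, scores and every regex except the quoted domain names are my own assumptions.

```conf
# Added example, not from the thread: SREA pump-and-dump rules for local.cf.
# Rule names, scores and everything except the quoted domains are assumptions.

# 'uri' scans only the URLs SpamAssassin extracts, so it is cheaper than
# 'full' (the whole raw message) and cannot fire on a domain that merely
# appears somewhere in a Received header.
uri      QS_OTC_PROMO_URI   /\b(?:otcpicks|otcstockexchange|boonmarket)\.com\b/i
describe QS_OTC_PROMO_URI   URL of a stock-promotion site seen in SREA spam
score    QS_OTC_PROMO_URI   1.5

# The line reported as common to every SREA message.
body     QS_SREA_TICKER     /\bScore One Inc\.?\s*\(\s*SREA\s*\)/i
describe QS_SREA_TICKER     "Score One Inc. (SREA)" ticker line
score    QS_SREA_TICKER     1.0

# "UP Another 36.36%" and "Close: $0.60 UP 36.36%" style gain claims.
body     QS_PUMP_GAIN       /\bUP\s+(?:Another\s+)?\d{1,3}(?:\.\d+)?\s*%/
describe QS_PUMP_GAIN       Percentage-gain hype typical of pump-and-dump mail
score    QS_PUMP_GAIN       1.0

# Touting phrases taken from the sample message.
body     QS_PUMP_PHRASE     /\b(?:ride the wave|hit list|watch list)\b/i
describe QS_PUMP_PHRASE     Stock-touting phrase
score    QS_PUMP_PHRASE     0.5

# Each indicator alone stays low; the meta rule carries the weight and fires
# only when at least two independent signals agree, which keeps a legitimate
# finance mail that happens to mention one of them from being marked.
meta     QS_STOCK_PUMP      (QS_OTC_PROMO_URI + QS_SREA_TICKER + QS_PUMP_GAIN + QS_PUMP_PHRASE) >= 2
describe QS_STOCK_PUMP      Two or more SREA pump-and-dump indicators
score    QS_STOCK_PUMP      3.0
```

Run spamassassin --lint after editing local.cf; as Nigel points out further down the thread, the promoter domains change often, so the uri rule is the part that will need maintenance.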

Re: Help in writing rules to catch SREA stock spams

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Fri, 22 Jun 2007 20:14:10 +0530, "Suhas Ingale"
<sp...@qualispace.com> wrote:

>Can someone help me writing rules to catch below content spam?
>
> 
>
>SREA UP Another 36.36%. Read This Hit List!
>
> 
>
>Score One Inc. (SREA)
>
>Close: $0.60 UP 36.36%
>
> 
>
>In the last two days SREA has been on the watch list of OTCPicks.com,
>OTCStockExchange.com, and Boonmarket.com rocketing it over 200%. Need we say
>more? Get on SREA and ride the wave.
>
> 
>
> 
>
>I have written these rules. Let me know if they are wrong.
>
> 

In my experience the domains used change very frequently, if they were
static for any length of time I'd block them at my MTA and save the SA
resources.

Just my 2 pence worth

KR

Nigel

Re: Help in writing rules to catch SREA stock spams

Posted by arni <ma...@arni.name>.
Marc Perkel schrieb:
>
> Actually the fastest way to get rid of stock/botnet spam is with fake 
> MX records.
>
> fake 10
> real 20
> fake 30
> fake 40
>
I don't like the idea of making life harder for ham (forcing a properly 
working mailserver to make at least 2 connections) accompanied by the 
same delays as greylisting.

Why make life harder for ham if you can detect the spam easily?

arni


Re: Help in writing rules to catch SREA stock spams

Posted by Marc Perkel <ma...@perkel.com>.

arni wrote:
> Marc Perkel schrieb:
>>
>> That doesn't answer his question though. He didn't ask for your 
>> opinion about if he needed it. If the rules were working for him he 
>> wouldn't be asking for help. When someone asks a question telling 
>> them they don't need it is generally the wrong answer and a waste of 
>> time.
>>
> I was more trying to show him that installing the botnet plugin alone, 
> together with a decent bayes or 1 or 2 more rules already does the job 
> and instead of writing a new rule for each stock spam that comes out, 
> this will catch almost all of it (all of it in my case)
>
> arni

Actually the fastest way to get rid of stock/botnet spam is with fake MX 
records.

fake 10
real 20
fake 30
fake 40


Re: Help in writing rules to catch SREA stock spams

Posted by arni <ma...@arni.name>.
Matt schrieb:
> I have SpamAssassin set up to whitelist all my own IP pools.  Do I need
> to do anything else?
>
> Matt
make sure that anything that is an MX for x@<allyourdomains>.com is in 
your internal_networks

arni

Re: Help in writing rules to catch SREA stock spams

Posted by Matt <lm...@gmail.com>.
> http://people.ucsc.edu/~jrudd/spamassassin/
>
> docs inside the archive - botnet is really one of the most effective
> plugins i use these days (make sure you set your internal nets properly

I have SpamAssassin set up to whitelist all my own IP pools.  Do I need
to do anything else?

Matt


> otherwise it sometimes doesn't work properly, especially SOHO detection
> for me)
>
> arni
>

Re: Help in writing rules to catch SREA stock spams

Posted by arni <ma...@arni.name>.
Matt schrieb:
>> together with a decent bayes or 1 or 2 more rules already does the 
>> job and
>
> Where do I get the botnet plugin(prefer rpm) and how do I make
> Spamassassin use it?
>
> Matt
>
http://people.ucsc.edu/~jrudd/spamassassin/

docs inside the archive - botnet is really one of the most effective 
plugins I use these days (make sure you set your internal nets properly, 
otherwise it sometimes doesn't work properly, especially SOHO detection 
for me)

arni

Re: Help in writing rules to catch SREA stock spams

Posted by Matt <lm...@gmail.com>.
> together with a decent bayes or 1 or 2 more rules already does the job and

Where do I get the botnet plugin (prefer rpm) and how do I make
SpamAssassin use it?

Matt

Re: Help in writing rules to catch SREA stock spams

Posted by Daniel J McDonald <da...@austinenergy.com>.
On Fri, 2007-06-22 at 17:03 +0200, arni wrote:
> Marc Perkel schrieb: 
> > 
> > That doesn't answer his question though. He didn't ask for your
> > opinion about if he needed it. If the rules were working for him he
> > wouldn't be asking for help. When someone asks a question telling
> > them they don't need it is generally the wrong answer and a waste of
> > time.
> > 
> I was more trying to show him that installing the botnet plugin alone,
> together with a decent bayes or 1 or 2 more rules already does the job
> and instead of writing a new rule for each stock spam that comes out,
> this will catch almost all of it (all of it in my case)

Well, bayes is very hard to implement on a mid-span spamassassin
implementation (no feedback loop for missed spam or false ham).  In my
case, I use spamassassin under amavisd-new as a front-end filter,
discard/quarantine the trash, then deliver to MS Exchange for end users
to read.

And I've been catching actual customers and vendors right and left with
the botnet plugin.  Too many false positives, even combining it with
p0f, for me to feel very good about it.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com

Re: Help in writing rules to catch SREA stock spams

Posted by arni <ma...@arni.name>.
Marc Perkel schrieb:
>
> That doesn't answer his question though. He didn't ask for your 
> opinion about if he needed it. If the rules were working for him he 
> wouldn't be asking for help. When someone asks a question telling them 
> they don't need it is generally the wrong answer and a waste of time.
>
I was more trying to show him that installing the botnet plugin alone, 
together with a decent bayes or 1 or 2 more rules already does the job 
and instead of writing a new rule for each stock spam that comes out, 
this will catch almost all of it (all of it in my case)

arni

Re: Help in writing rules to catch SREA stock spams

Posted by Marc Perkel <ma...@perkel.com>.

arni wrote:
> Suhas Ingale schrieb:
>>
>> Can someone help me writing rules to catch below content spam?
>>
>>  
>>
> 	*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> 	*      [score: 1.0000]
> 	*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
> 	*  5.0 BOTNET Relay might be a spambot or virusbot
> 	*      [botnet0.7,ip=87.226.203.3,nordns]
> 	*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
> 	*       signs some mails
> 	*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
> 	*      [botnet_nordns,ip=87.226.203.3]
> 	*  1.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
> 	*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
> 	*      [URIs: otcpicks.com]
> 	*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> 	*      [Blocked - see <http://www.spamcop.net/bl.shtml?87.226.203.3>]
> 	*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
> 	*      [87.226.203.3 listed in zen.spamhaus.org]
> 	*  0.5 WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
> 	*      [URIs: otcpicks.com]
> 	*  1.5 UPPERCASE_75_100 message body is 75-100% uppercase
>
>
> Another "SREA" spam easily busted with BOTNET and BAYES, I don't really see the need for a content rule.
>
> arni
>   

That doesn't answer his question though. He didn't ask for your opinion 
about if he needed it. If the rules were working for him he wouldn't be 
asking for help. When someone asks a question telling them they don't 
need it is generally the wrong answer and a waste of time.


Re: Help in writing rules to catch SREA stock spams

Posted by arni <ma...@arni.name>.
Suhas Ingale schrieb:
>
> Can someone help me writing rules to catch below content spam?
>
>  
>
	*  5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
	*  5.0 BOTNET Relay might be a spambot or virusbot
	*      [botnet0.7,ip=87.226.203.3,nordns]
	*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
	*       signs some mails
	*  0.0 BOTNET_NORDNS Relay's IP address has no PTR record
	*      [botnet_nordns,ip=87.226.203.3]
	*  1.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
	*  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
	*      [URIs: otcpicks.com]
	*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	*      [Blocked - see <http://www.spamcop.net/bl.shtml?87.226.203.3>]
	*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
	*      [87.226.203.3 listed in zen.spamhaus.org]
	*  0.5 WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
	*      [URIs: otcpicks.com]
	*  1.5 UPPERCASE_75_100 message body is 75-100% uppercase


Another "SREA" spam easily busted with BOTNET and BAYES, I don't really see the need for a content rule.

arni


Re: Help in writing rules to catch SR_crap_EA stock spams

Posted by Igor Chudov <ic...@Algebra.Com>.
I do it fully separately from spamassassin.

I have a list of patterns in a file that are matched by saying
m/\b$pattern\b/. (\b means word boundary). If I get more than one or
two spams advertising a particular stock, I put that stock name in the
pattern list. 

All messages mentioning those spammed stocks (or websites, or any
other keyword) end up in my special "blocked" spambucket (and that's
where your post ended up also).

I review it once every few days. It's worked for me for years and is
supplementing spamassassin nicely. 

These stock spammers are very obnoxious and send very numerous
instances of the same spam to each recipient. 

i