Posted to users@spamassassin.apache.org by Payal Rathod <pa...@scriptkitchen.com> on 2006/03/21 15:29:01 UTC

"news spam"

Hi,
To my various email addresses I am getting a lot of "Re: news" spam.
SA is not catching all of it. I have pasted a link to the headers and body
at http://pastebin.ca/46477
Can someone advise on it please?
With warm regards,
-Payal


Re: "news spam"

Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Tuesday March 21 2006 10:37 am, Iain Smith wrote:
> Payal Rathod wrote:
> > Hi,
> > To my various email addresses I am getting a lot of "Re: news" spam.
> > SA is not catching all of it. I have pasted a link to the headers and body
> > at http://pastebin.ca/46477
> > Can someone advise on it please?
> > With warm regards,
> > -Payal
>
> Bayes has been catching these here, but in some cases the only other rule
> to fire has been HTML_MESSAGE. I've managed to largely mitigate this with a
> custom meta rule that combines BAYES_99 and a custom subject rule:
>
> header __LOCAL_NEWS_IN_SUBJ Subject =~ /re:.*news/i
> meta LOCAL_BAYES99_NEWS_SPAM (__LOCAL_NEWS_IN_SUBJ && BAYES_99)
> score LOCAL_BAYES99_NEWS_SPAM 2.0
>
> You perhaps could expand it to other BAYES_x rules, depending on how brave
> you are feeling...YMMV.  :-)
>
> Iain

As I said, and Iain confirmed, Phil's rule does help with this spam.  But I
don't understand (and really, I'm no expert) why some obfu rule isn't being
hit.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: "news spam"

Posted by Iain Smith <ia...@mclsoftware.co.uk>.
Tracey Gates wrote:
> I have seen a lot of postings talk about the BAYES_99 rule.  I think
> that this rule will help tremendously with catching some of this spam as I
> have already implemented the "news" rule that Phile Randall posted.  I
> have searched my server and I do not find the BAYES_99 rule already on
> there so where do I find that to download and how do I make sure that it
> is implemented?

It can be turned on via a configuration directive in local.cf:

"use_bayes ( 0 | 1 )      (default: 1)
    Whether to use the naive-Bayesian-style classifier built into
SpamAssassin. This is a master on/off switch for all Bayes-related operations."

It is on by default, so you may find you just need to better train your
bayes filter. Give the sa-learn man page a once-over for more info.

hth,
Iain

RE: "news spam"

Posted by Tracey Gates <tg...@yoursummit.com>.
I have seen a lot of postings talk about the BAYES_99 rule.  I think
that this rule will help tremendously with catching some of this spam as I
have already implemented the "news" rule that Phile Randall posted.  I
have searched my server and I do not find the BAYES_99 rule already on
there so where do I find that to download and how do I make sure that it
is implemented?

Thanks.

 

Tracey Gates
Lead Developer
tgates@yoursummit.com 

1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840




-----Original Message-----
From: Iain Smith [mailto:iain.smith@mclsoftware.co.uk] 
Sent: Tuesday, March 21, 2006 9:37 AM
To: SpamAssassin
Subject: Re: "news spam"


Payal Rathod wrote:
> Hi,
> To my various email addresses I am getting a lot of "Re: news" spam. SA
> is not catching all of it. I have pasted a link to the headers and body
> at http://pastebin.ca/46477 Can someone advise on it please?
> With warm regards,
> -Payal

Bayes has been catching these here, but in some cases the only other
rule to fire has been HTML_MESSAGE. I've managed to largely mitigate
this with a custom meta rule that combines BAYES_99 and a custom subject
rule:

header __LOCAL_NEWS_IN_SUBJ Subject =~ /re:.*news/i
meta LOCAL_BAYES99_NEWS_SPAM (__LOCAL_NEWS_IN_SUBJ && BAYES_99)
score LOCAL_BAYES99_NEWS_SPAM 2.0

You perhaps could expand it to other BAYES_x rules, depending on how
brave you are feeling...YMMV.  :-)

Iain




Re: "news spam"

Posted by Iain Smith <ia...@mclsoftware.co.uk>.
Payal Rathod wrote:
> Hi,
> To my various email addresses I am getting a lot of "Re: news" spam.
> SA is not catching all of it. I have pasted a link to the headers and body
> at http://pastebin.ca/46477
> Can someone advise on it please?
> With warm regards,
> -Payal

Bayes has been catching these here, but in some cases the only other rule to
fire has been HTML_MESSAGE. I've managed to largely mitigate this with a
custom meta rule that combines BAYES_99 and a custom subject rule:

header __LOCAL_NEWS_IN_SUBJ Subject =~ /re:.*news/i
meta LOCAL_BAYES99_NEWS_SPAM (__LOCAL_NEWS_IN_SUBJ && BAYES_99)
score LOCAL_BAYES99_NEWS_SPAM 2.0

You perhaps could expand it to other BAYES_x rules, depending on how brave
you are feeling...YMMV.  :-)

Iain

Re: "news spam"

Posted by Loren Wilton <lw...@earthlink.net>.
You could use something like

header LW_NONEWS    Subject =~ /^Re:\s.*\bnews$/i
score    LW_NONEWS    2
describe LW_NONEWS    Not news to me!

The .* should be safe in that regex since a subject isn't very long and the
things on either side are anchored.

        Loren
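
Added example (not part of any poster's message): a Python comparison of the two subject patterns posted in this thread, showing what the unanchored pattern matches on its own and why pairing it with BAYES_99 in a meta rule limits false positives. The sample subjects are constructed, and the `bayes_99` flag is an assumed stand-in for the real Bayes result.

```python
import re

# Patterns copied from the rules in this thread. Both use only constructs
# that behave the same way in Perl and in Python's re module.
IAIN_SUBJ = re.compile(r"re:.*news", re.I)         # __LOCAL_NEWS_IN_SUBJ
LOREN_SUBJ = re.compile(r"^Re:\s.*\bnews$", re.I)  # LW_NONEWS


def score(subject, bayes_99):
    """Return (meta_points, standalone_points) for one subject line.

    meta_points       models LOCAL_BAYES99_NEWS_SPAM (subject AND BAYES_99).
    standalone_points models LW_NONEWS, which fires on the subject alone.
    bayes_99 is supplied by the caller; it is an assumption of this sketch,
    not a real classifier result.
    """
    meta = 2.0 if (IAIN_SUBJ.search(subject) and bayes_99) else 0.0
    standalone = 2.0 if LOREN_SUBJ.search(subject) else 0.0
    return meta, standalone


# Constructed samples: (subject, assumed BAYES_99 result).
SAMPLES = [
    ("Re: news", True),                  # the spam pattern from the thread
    ("Re: good news", False),            # plausible legitimate reply
    ("More: newsroom", True),            # "re:" hides inside "More:"
    ("Fwd: Re: news", True),             # not at start of subject
    ("Re: newsletter schedule", False),  # "news" is only a prefix
]


def evaluate(samples=SAMPLES):
    """Score every sample and return (subject, meta, standalone) tuples."""
    return [(subj, *score(subj, b99)) for subj, b99 in samples]


if __name__ == "__main__":
    for subj, meta, standalone in evaluate():
        print(f"{subj!r:28} meta={meta} standalone={standalone}")
```

After editing local.cf, `spamassassin --lint` checks that the rule file parses before the rules go live.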


Re: "news spam"

Posted by Payal Rathod <pa...@scriptkitchen.com>.
On Tue, Mar 21, 2006 at 10:12:53AM -0500, Dimitri Yioulos wrote:
> My system is tagging these messages, mainly with bayes, dcc, and 
> razor.  Phile Randall posted a rule to tag "news" in the subject just 
> a few days ago, and that's also being hit.

Do you have the rule by Phile? I cannot seem to find it in archives.
With warm regards,
-Payal


Re: "news spam"

Posted by Dimitri Yioulos <dy...@firstbhph.com>.
On Tuesday March 21 2006 9:29 am, Payal Rathod wrote:
> Hi,
> To my various email addresses I am getting a lot of "Re: news" spam.
> SA is not catching all of it. I have pasted a link to the headers and body
> at http://pastebin.ca/46477
> Can someone advise on it please?
> With warm regards,
> -Payal

Payal,

My system is tagging these messages, mainly with bayes, dcc, and razor.  Phile 
Randall posted a rule to tag "news" in the subject just a few days ago, and 
that's also being hit.

Dimitri
