Posted to users@spamassassin.apache.org by Bill Randle <bi...@neocat.org> on 2005/11/11 16:33:57 UTC

new rules for stock spam?

Does anyone have any rules to squash the recent spate of stock alert
spam that I've been seeing? The messages are coming from multiple
sources, although some can be traced back to IPs belonging to
kornet.net. There are no URLs in the message body. Bayes is probably
the best bet, but on my global db it's scoring only BAYES_50.

The last batch had scores like this:

 X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5
     tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
 X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5
     tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
 X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5
     tests=BAYES_50, FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE

	-Bill



Re: new rules for stock spam?

Posted by Bill Randle <bi...@neocat.org>.
> Bill Randle wrote:
>> Does anyone have any rules to squash the recent spate of stock alert
>> spam that I've been seeing? The messages are coming from multiple
>> sources, although some can be traced back to IPs belonging to
>> kornet.net. There are no URLs in the message body. Bayes is probably
>> the best bet, but on my global db it's scoring only BAYES_50.
>>
>> The last batch had scores like this:
>>
>>  X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5
>>      tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
>>  X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5
>>      tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
>>  X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5
>>      tests=BAYES_50, FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE
>>
>
> The FSR_MASKED_FINANCIAL rule (from here
> http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well
> trained bayes takes care of most stock spams. You could expand the rule
> to include pr*fit, auth*rity and l*w. Also see the
> 72_sare_bml_post25x.cf rule from SARE.
>
> Also, since you have a lot of these spams, use them to train the bayes db.

Thanks for the pointer to FSR_MASKED_FINANCIAL. I do use
72_sare_bml_post25x.cf, but it doesn't seem to hit very many of them.

    -Bill





Re: new rules for stock spam?

Posted by Dhawal Doshy <dh...@netmagicsolutions.com>.
Bill Randle wrote:
> Does anyone have any rules to squash the recent spate of stock alert
> spam that I've been seeing? The messages are coming from multiple
> sources, although some can be traced back to IPs belonging to
> kornet.net. There are no URLs in the message body. Bayes is probably
> the best bet, but on my global db it's scoring only BAYES_50.
> 
> The last batch had scores like this:
> 
>  X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5
>      tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
>  X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5
>      tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
>  X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5
>      tests=BAYES_50, FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE
> 

The FSR_MASKED_FINANCIAL rule (from here 
http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well 
trained bayes takes care of most stock spams. You could expand the rule 
to include pr*fit, auth*rity and l*w. Also see the 
72_sare_bml_post25x.cf rule from SARE.

Also, since you have a lot of these spams, use them to train the bayes db.

- dhawal
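
The reply above suggests covering pr*fit, auth*rity and l*w with a masked-word rule. As an added example (not code from this thread and not the FSR_MASKED_FINANCIAL rule itself), the Python below builds one regex for those three words, checks it against constructed sample lines, and prints a SpamAssassin `body` rule using it. Assumptions: the `*` stands for a single non-letter character, and the rule name `LOCAL_MASKED_FINANCIAL_EXT` and its score are hypothetical placeholders.

```python
import re

# Words named in the reply; "*" marks the position of the masked letter.
MASKED_WORDS = ["pr*fit", "auth*rity", "l*w"]

# Assumption: the mask is one character that is neither a letter nor
# whitespace (digit or punctuation), so the plain word never matches.
MASK = r"[^a-zA-Z\s]"

def build_pattern(words=MASKED_WORDS):
    """Return regex source matching any listed word with its '*' masked."""
    alts = [MASK.join(re.escape(part) for part in w.split("*")) for w in words]
    return r"\b(?:" + "|".join(alts) + r")\b"

def rule_text(name="LOCAL_MASKED_FINANCIAL_EXT", score="1.0"):
    """Render the pattern as a SpamAssassin body rule (name/score are placeholders)."""
    return (f"body     {name} /{build_pattern()}/i\n"
            f"describe {name} Financial word with one masked letter\n"
            f"score    {name} {score}\n")

def hits(lines):
    """Return, per line, whether the masked-word pattern matches."""
    rx = re.compile(build_pattern(), re.IGNORECASE)
    return [bool(rx.search(line)) for line in lines]

# Constructed sample lines: three masked variants, two legitimate uses.
SAMPLES = [
    "Huge pr0fit expected this week",
    "Regulatory AUTH.RITY approved the deal",
    "Buy now at a l@w price",
    "The profit and loss statement is attached",
    "Follow the law and the local authority",
]

if __name__ == "__main__":
    for line, hit in zip(SAMPLES, hits(SAMPLES)):
        print(f"{'HIT ' if hit else 'miss'}  {line}")
    print()
    print(rule_text())
```

Run `spamassassin --lint` after placing the printed rule in a local `.cf` file, and tune the score against your own ham corpus before relying on it.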