Spammed to death

[Nate <na...@visimark.us>]

Hello,

I'm using spamassassin 2.64 on Debian Woody.

My clients emails are getting clobbered by "Pharma" spam.  The messages seem
to be using different encoding on words like Viagra, Cialis and sa is not
picking them up.

I've tried setting up header and body tests, but the bastards at "Pharma"
keep changing the words spellings.

Here is the typical email I get from these morons.  Notice the missing
letters "Vicodin", "Viagra", "Xanax", and "Cialis".  In my email client
Microsoft Outlook displays all the letters.  However, if I copy and paste
the message into a text editor the letters disappear.

How do I kill these messages?  I've tried sa-learn spam on several messages,
but they still keep coming through with almost no spam points.  Please help
I am so sick of this!

Thanks,

Nate

"From: Esaias Billings [mailto:Oprah@fullsix.com]
Sent: Monday, February 21, 2005 11:04 PM
To: Xzavier Rivera
Subject: Re: Best Mediccations


 
Hello, Welcome to the best ONLINE ST0RE.
 
Vi  in $178(90p.)  a  a $209(100p.)  ana  al  
cod  Vi gr  X x $299(90p.) Ci is $324(90p.)  

 
With each purchase you get:
 
>Home delivery.
>Secure pay.
>Total confidentiality
>Reputable manufacturerrs.
 
Have a nice day!"

Re: Spammed to death

[Matt Kettler <mk...@evi-inc.com>]

At 10:34 AM 2/22/2005, Nate wrote:
>I'm using spamassassin 2.64 on Debian Woody.
>
>My clients emails are getting clobbered by "Pharma" spam.  The messages seem
>to be using different encoding on words like Viagra, Cialis and sa is not
>picking them up.

Looks like a job for antidrug.cf:

http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

(note: these rules are now built into SA 3.0 and higher, but I created them 
as an add-on before 3.0 came out and they work well with SA 2.64 )

Just download the file (I recommend downloading, copy-paste is too prone to 
error) and put it in /etc/mail/spamassassin alongside your local.cf. SA 
automatically parses *.cf in that directory so you don't need to add any 
options to enable it.

Run spamassassin --lint to make sure SA understands the new files and 
restart spamd (if you use spamd) 

Re[2]: Spammed to death

[Robert Menschel <Ro...@Menschel.net>]

Hello David, Nate,

Tuesday, February 22, 2005, 3:07:41 PM, David wrote:

>> Here is the typical email I get from these morons.  Notice the missing
>> letters "Vicodin", "Viagra", "Xanax", and "Cialis".  In my email client
>> Microsoft Outlook displays all the letters.  However, if I copy and paste
>> the message into a text editor the letters disappear.

DBF> Finally found one of these critters in my spamtraps.
DBF> Actually the letters aren't missing, just shifted around. They're using
DBF> HTML tables to take letters from different parts of the message and
DBF> reposition them on the screen to align when viewed with a HTML table
DBF> rendering capable client. ...

If you could each send me one copy of this spam (I don't find any here
yet), I'd like to look into them to see if I can develop a rule to
catch that table fakery.

Don't know if it'd hit enough spam (yet?) to be worth submitting for
SA distribution, but it'd probably be well worth while for SARE's HTML
rule set.

Thanks.

Bob Menschel

Re: Spammed to death

[David B Funk <db...@engineering.uiowa.edu>]

On Tue, 22 Feb 2005, Nate wrote:

> Hello,
>
> I'm using spamassassin 2.64 on Debian Woody.
>
> My clients emails are getting clobbered by "Pharma" spam.  The messages seem
> to be using different encoding on words like Viagra, Cialis and sa is not
> picking them up.
[snip..]

> Here is the typical email I get from these morons.  Notice the missing
> letters "Vicodin", "Viagra", "Xanax", and "Cialis".  In my email client
> Microsoft Outlook displays all the letters.  However, if I copy and paste
> the message into a text editor the letters disappear.

Finally found one of these critters in my spamtraps.
Actually the letters aren't missing, just shifted around. They're using
HTML tables to take letters from different parts of the message and
reposition them on the screen to align when viewed with a HTML table
rendering capable client.
EG, in your example:

    Vi   in
      cod

Take the 'cod' and slide it up, then you see the 'vicodin'. View the raw
message source HTML to see how they do that.
The SA anti-drug rulesets won't do much for that as the pieces are too
broken up.


> How do I kill these messages?  I've tried sa-learn spam on several messages,
> but they still keep coming through with almost no spam points.  Please help
> I am so sick of this!
>

Here, I've found that Bayes+SURBL+DNSBL tests are the best tools
to catch this kind of junk.

If you see one arrive with out any SURBL hits, feed it to spamcop,
they should be listed in sc.surbl.org.

If you don't have SURBL added to your 2.64 kit, run, don't walk to:
http://sourceforge.net/projects/spamcopuri
Install SpamCopURI, you'll be amazed at what you suddenly start
missing. ;)

> "From: Esaias Billings [mailto:Oprah@fullsix.com]
> Sent: Monday, February 21, 2005 11:04 PM
> To: Xzavier Rivera
> Subject: Re: Best Mediccations
>
>
>
> Hello, Welcome to the best ONLINE ST0RE.
>
> Vi  in $178(90p.)  a  a $209(100p.)  ana  al
> cod  Vi gr  X x $299(90p.) Ci is $324(90p.)
>
[snip..]
>

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Spammed to death

[Jeff Chan <je...@surbl.org>]

On Tuesday, February 22, 2005, 8:42:17 AM, Matt Kettler wrote:
> At 10:58 AM 2/22/2005, Marc Perkel wrote:
>>First I would recomment you upgrade to Spam Assassin 3.x - It's much better.

> Good point Marc, that's a better solution in general. I do recommend that 
> over my previous advice of just adding antidrug.cf.

> However, if they are stuck on 2.64 due to perl versions or some such thing, 
> adding antidrug.cf and Mail::SpamCopURI covers a lot of the problem cases 
> for 2.64.

Yes, both Mail::SpamCopURI and SA 3.X use SURBLs.

If the spams Nate is seeing contain URIs (web site links), then
SURBL use will probably catch them.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/

Re: Spammed to death

[Matt Kettler <mk...@evi-inc.com>]

At 10:58 AM 2/22/2005, Marc Perkel wrote:
>First I would recomment you upgrade to Spam Assassin 3.x - It's much better.

Good point Marc, that's a better solution in general. I do recommend that 
over my previous advice of just adding antidrug.cf.

However, if they are stuck on 2.64 due to perl versions or some such thing, 
adding antidrug.cf and Mail::SpamCopURI covers a lot of the problem cases 
for 2.64.

Disclaimer: I'm the author of antidrug.cf, bias for the tools I made is 
obvious (I forgot to add that to my first message)

Re: Spammed to death

[Marc Perkel <ma...@perkel.com>]

First I would recomment you upgrade to Spam Assassin 3.x - It's much better.

Nate wrote:

>Hello,
>
>I'm using spamassassin 2.64 on Debian Woody.
>
>My clients emails are getting clobbered by "Pharma" spam.  The messages seem
>to be using different encoding on words like Viagra, Cialis and sa is not
>picking them up.
>
>I've tried setting up header and body tests, but the bastards at "Pharma"
>keep changing the words spellings.
>
>Here is the typical email I get from these morons.  Notice the missing
>letters "Vicodin", "Viagra", "Xanax", and "Cialis".  In my email client
>Microsoft Outlook displays all the letters.  However, if I copy and paste
>the message into a text editor the letters disappear.
>
>How do I kill these messages?  I've tried sa-learn spam on several messages,
>but they still keep coming through with almost no spam points.  Please help
>I am so sick of this!
>
>Thanks,
>
>Nate
>
>"From: Esaias Billings [mailto:Oprah@fullsix.com]
>Sent: Monday, February 21, 2005 11:04 PM
>To: Xzavier Rivera
>Subject: Re: Best Mediccations
>
>
> 
>Hello, Welcome to the best ONLINE ST0RE.
> 
>Vi  in $178(90p.)  a  a $209(100p.)  ana  al  
>cod  Vi gr  X x $299(90p.) Ci is $324(90p.)  
>
> 
>With each purchase you get:
> 
>  
>
>>Home delivery.
>>Secure pay.
>>Total confidentiality
>>Reputable manufacturerrs.
>>    
>>
> 
>Have a nice day!"
>
>
>  
>

-- 
Marc Perkel - marc@perkel.com

Spam Filter: http://www.junkemailfilter.com
    My Blog: http://marc.perkel.com
My Religion: http://www.churchofreality.org
~ "If it's real - we believe in it!" ~

Re: Spammed to death

[Andy Jezierski <aj...@stepan.com>]

"Nate" <na...@visimark.us> wrote on 02/22/2005 09:34:51 AM:

> Hello,
> 
> I'm using spamassassin 2.64 on Debian Woody.
> 
> My clients emails are getting clobbered by "Pharma" spam.  The messages 
seem
> to be using different encoding on words like Viagra, Cialis and sa is 
not
> picking them up.
> 
> I've tried setting up header and body tests, but the bastards at 
"Pharma"
> keep changing the words spellings.
> 
[snip]

Head on over to http://www.rulesemporium.com and pick up the anti-drug 
ruleset. You may also want to consider an upgrade to 3.0.2.

Andy