Posted to users@spamassassin.apache.org by Matt Yackley <sa...@yackley.org> on 2004/02/05 04:14:20 UTC
[Ruleset Update] EvilNumbers ver. 1.12c & updated French language packs
It's been a while since any updates have been posted, sorry... "real" work
is getting very, very busy, so updates may be a bit slow for a while, but I
try to keep up a better release schedule ;)
Changes:
Harvested more numbers.
Updated several rules due to spammers making small changes to get around
the rules.
Added optional rule change for EvilNumber_A_1XX_1, based on a report of
FPs on flipsidenewsletter.com. These folks host a lot of stuff, for my
corporate setting, these are unwanted, but if you run an ISP it's possible
that your users may want these emails. Due to how many hits I get on this
address, I kept them in, but created a commented rule that they are
removed from. If you want or need these emails, edit the file and switch
the "#" from the first A_1XX_1 rule to the second A_1XX_1 rule.
Local Language Packs.
1/29/04
Updated French file with a better translation, thanks go to Pierre
Ruleset:
http://www.yackley.org/sa-rules/evilnumbers.cf
Language packs:
http://www.yackley.org/sa-rules/98_text_fr_evilnumbers.cf -Updated
Enjoy,
matt
Re: Obvious spamware programming screwup that didn't get caught
Posted by William Stearns <ws...@pobox.com>.
On Wed, 4 Feb 2004, Loren Wilton wrote:
> I just got a spam that was caught by a couple of my local and very specific
> rules, but otherwise would have made it through with flying colors. Yet it
> has some really obvious screwups that I would have expected some rule to
> catch. Notice:
>
> Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq
>
> Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.
>
> In the body:
>
> We ship the following: %RND_MEDS_LIST
> <p>
> Plus: %RND_ALL_OTHER_MEDS
> <p>
>
> Again, my favorite %RND_xxx tags.
>
> Shouldn't there already be a rule to catch this sort of thing?
http://www.stearns.org/sa-blacklist/random.current.cf
Cheers,
- Bill
---------------------------------------------------------------------------
"We don't want an election without a paper trail...all three
owners of the companies who make these machines are donors to the Bush
administration. Is this not corruption?"
-- Gore Vidal
(Courtesy of http://www.laweekly.com/ink/03/52/features-cooper.php)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
Obvious spamware programming screwup that didn't get caught
Posted by Loren Wilton <lw...@earthlink.net>.
I just got a spam that was caught by a couple of my local and very specific
rules, but otherwise would have made it through with flying colors. Yet it
has some really obvious screwups that I would have expected some rule to
catch. Notice:
Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq
Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.
In the body:
We ship the following: %RND_MEDS_LIST
<p>
Plus: %RND_ALL_OTHER_MEDS
<p>
Again, my favorite %RND_xxx tags.
Shouldn't there already be a rule to catch this sort of thing?
For that matter, I'm surprised there isn't a "suspicious html tags" checker.
It could be given increasing weight depending on the count of unlikely tags.
For instance, from the same spam:
</table>
</barstow></roseland></catalytic></falconry></avow></paradigmatic>
</i'll></fungoid></agreed></dakar></gemma></sousa>
</interruption></coast></testicular></bavaria></anew></brigade>
Loren
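
The two checks discussed in this thread (unfilled %RND_ template tags, and a "suspicious html tags" score that grows with the count of unlikely tags), as an added example that is not part of the original posts or of any SpamAssassin ruleset. The function names, the abbreviated list of real HTML tags and the weights are assumptions chosen for illustration; the sample is built from the lines quoted in the post above.

```python
import re

# Unsubstituted spamware template variable, e.g. %RND_MEDS_LIST (pattern taken
# from the sample in the post; other spamware may use different markers).
PLACEHOLDER_RE = re.compile(r"%RND_[A-Z0-9_]+")
# Opening or closing tag name; allows the apostrophe seen in </i'll>.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9']*)")

# Assumed allowlist of real HTML element names (abbreviated, not exhaustive).
KNOWN_TAGS = frozenset("""a abbr b big blockquote body br center code div em font
form h1 h2 h3 h4 h5 h6 head hr html i img input li link meta ol p pre small span
strong style sub sup table tbody td th title tr tt u ul""".split())

def find_placeholders(text):
    """Return unfilled %RND_ template tags in order of appearance."""
    return PLACEHOLDER_RE.findall(text)

def unknown_tags(html):
    """Return tag names (lowercased) that are not real HTML elements."""
    return [t.lower() for t in TAG_RE.findall(html) if t.lower() not in KNOWN_TAGS]

def score(subject, body, per_placeholder=1.0, per_tag=0.25, tag_cap=3.0):
    """Hypothetical weights: each placeholder adds a fixed score; bogus tags
    add weight that grows with their count, up to a cap."""
    hits = find_placeholders(subject) + find_placeholders(body)
    bogus = unknown_tags(body)
    return len(hits) * per_placeholder + min(len(bogus) * per_tag, tag_cap)

# Sample constructed from the lines quoted in the post above.
SUBJECT = "FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq"
BODY = """We ship the following: %RND_MEDS_LIST
<p>
Plus: %RND_ALL_OTHER_MEDS
<p>
</table>
</barstow></roseland></catalytic></falconry></avow></paradigmatic>
</i'll></fungoid></agreed></dakar></gemma></sousa>
</interruption></coast></testicular></bavaria></anew></brigade>"""

if __name__ == "__main__":
    print(find_placeholders(SUBJECT + "\n" + BODY))
    print(unknown_tags(BODY))
    print(score(SUBJECT, BODY))
```

The cap on the tag score keeps a single malformed but legitimate message from being pushed over a threshold by markup alone.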