Posted to users@spamassassin.apache.org by Devon Harding <de...@gmail.com> on 2005/05/09 20:30:36 UTC

Re: Re[2]: HTML Table SPAM? ** RESOLVED **

Many thanks to Bob on the recent SARE rules release. This caught those HTML 
Table SPAMS!!!

 0.05  FORGED_RCVD_HELO       Received: contains a forged HELO
 0.07  HTML_FONT_INVISIBLE    HTML font color is same as background
 0.00  HTML_MESSAGE           HTML included in message
 0.60  J_CHICKENPOX_12        1alpha-pock-2alpha
 0.60  J_CHICKENPOX_15        1alpha-pock-5alpha
 0.14  RCVD_IN_SORBS_DUL      SORBS: sent directly from dynamic IP address
 0.16  SARE_HTML_FONT_INVIS2  contains HTML color which is likely spamsign
 0.12  SARE_HTML_URI_2SLASH   URI has additional double slash within it
 1.46  SARE_HTML_USL_OBFU     Message body has very strange HTML sequence
 2.67  SARE_OBFU_PRICE1
 2.22  SARE_OBFU_VISIT1
-0.00  SPF_HELO_PASS          SPF: HELO matches SPF record

On 5/5/05, Robert Menschel <Ro...@menschel.net> wrote:
> 
> Hello Devon,
> 
> Thursday, May 5, 2005, 6:02:58 PM, you wrote:
> 
> DH> Anyone?
> 
> DH> On 4/30/05, Devon Harding <de...@gmail.com> wrote:
> DH> There's got to be a way to stop this. I'm getting over 100 of these a day.
> 
> Making progress...
> 
> #counts SARE_OBFU_DRUGDOL1_SPC 2496s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_GPIL_TAG 890s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_LEVITRA_SPC 2723s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
> modified regex to try to eliminate the ham
> #counts SARE_OBFU_ONLY_SPC 2750s/2h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_ONLY_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_SPECIAL_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
> #counts SARE_OBFU_VIAGRA_SPC 4729s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
> modified regex to try to eliminate the ham
> 
> I hope to send the zero ham rules for full SARE mass-check in the next
> day or two, and publish them within the 70_sare_obfu0.cf rule set some
> time this weekend.
> 
> I have a few more rules that don't yet work but show promise...
> 
> Bob Menschel
> 
>
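
An added example, not part of the original thread or of SARE's tooling: a parser for the "#counts" lines quoted above that computes each rule's spam hit rate and ham false-positive rate and separates the zero-ham rules Bob mentions. The field layout is inferred from the quoted lines, and reading the parenthesized pair as the corpus spam/ham totals is an assumption (they do sum to the 284851 corpus size).

```python
import re

# Constructed sample: the "#counts" lines quoted in the thread, unwrapped.
SAMPLE = """\
#counts SARE_OBFU_DRUGDOL1_SPC 2496s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_GPIL_TAG 890s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_LEVITRA_SPC 2723s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
modified regex to try to eliminate the ham
#counts SARE_OBFU_ONLY_SPC 2750s/2h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_ONLY_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_SPECIAL_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_VIAGRA_SPC 4729s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
"""

# Assumed layout: rule name, spam/ham hits, corpus size, (corpus spam/ham, tag).
COUNTS_RE = re.compile(
    r"^#counts\s+(?P<rule>\w+)\s+(?P<s>\d+)s/(?P<h>\d+)h\s+of\s+(?P<n>\d+)\s+corpus"
    r"\s+\((?P<cs>\d+)s/(?P<ch>\d+)h\s+\w+\)")

def parse_counts(text):
    """Return one dict per well-formed #counts line; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = COUNTS_RE.match(line.strip())
        if not m:
            continue  # free-text notes between the counts lines are ignored
        d = {k: (v if k == "rule" else int(v)) for k, v in m.groupdict().items()}
        if d["cs"] + d["ch"] != d["n"]:
            continue  # totals do not add up: treat the line as damaged
        d["spam_pct"] = 100.0 * d["s"] / d["cs"]  # share of corpus spam hit
        d["ham_pct"] = 100.0 * d["h"] / d["ch"]   # false-positive rate on ham
        rows.append(d)
    return rows

def split_zero_ham(rows):
    """Separate rules with no ham hits from those that still hit ham."""
    zero = [r["rule"] for r in rows if r["h"] == 0]
    nonzero = [r["rule"] for r in rows if r["h"] > 0]
    return zero, nonzero

if __name__ == "__main__":
    rows = parse_counts(SAMPLE)
    for r in rows:
        print(f'{r["rule"]:<24} spam {r["spam_pct"]:5.2f}%  ham {r["ham_pct"]:.4f}%')
    print(split_zero_ham(rows))
```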

[SARE] obfu rule set update

Posted by Robert Menschel <Ro...@Menschel.net>.
RM> Monday, May 9, 2005, 11:30:36 AM, Devon wrote:
DH>> Many thanks to Bob on the recent SARE rules release.  This
DH>> caught those HTML Table SPAMS!!!
RM> But I notice there was no description on those report lines.  I'll
RM> have that fixed by the weekend.

With the help of several SARE mass-checkers, we not only have the
description lines fixed, but a number of additional rules.  Should be
even better at catching the current series of obfuscations and table
spams.

Updated 70_sare_obfu.cf, obfu0.cf, and obfu1.cf

(obfu.cf contains both obfu0.cf and obfu1.cf as one file).

Bob Menschel




Re[4]: HTML Table SPAM? ** RESOLVED **

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Devon,

Monday, May 9, 2005, 11:30:36 AM, you wrote:

DH> Many thanks to Bob on the recent SARE rules release.  This
DH> caught those HTML Table SPAMS!!!

But I notice there was no description on those report lines.  I'll
have that fixed by the weekend.

Bob Menschel