Posted to users@spamassassin.apache.org by Daniel McDonald <da...@austinenergy.com> on 2010/12/01 20:15:31 UTC
Not-so-much LOTS_OF_MONEY
Lately, I've been seeing spammers trying to convince you to click on a site
to make hundreds or tens of Dollars, like:
http://pastebin.com/MfG74WGW
The mail client probably stripped out the more interesting headers before I
got it from my customer, because it originally hit RELAY_RU, and I don't see
a matching header in the current revision.
But, I was wondering if anyone had a good regex for finding these micro-sum
spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
finding the 419-style scammers, they have changed tactics on us again...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Not-so-much LOTS_OF_MONEY
Posted by Daniel McDonald <da...@austinenergy.com>.
On 12/1/10 2:14 PM, "John Hardin" <jh...@impsec.org> wrote:
> On Wed, 1 Dec 2010, Daniel McDonald wrote:
>
>>
>> On 12/1/10 1:28 PM, "John Hardin" <jh...@impsec.org> wrote:
>>
>>> On Wed, 1 Dec 2010, Daniel McDonald wrote:
>>>
>>>> Lately, I've been seeing spammers trying to convince you to click on a site
>>>> to make hundreds or tens of Dollars, like:
>>>>
>>>> http://pastebin.com/MfG74WGW
>>>>
>>>> The mail client probably stripped out the more interesting headers before I
>>>> got it from my customer, because it originally hit RELAY_RU, and I don't see
>>>> a matching header in the current revision.
>>>>
>>>> But, I was wondering if anyone had a good regex for finding these micro-sum
>>>> spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
>>>> finding the 419-style scammers, they have changed tactics on us again...
>>>
>>> Catching the simple variants of that is pretty straightforward:
>>>
>>> body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/
>>
>> Seems like that would hit on large sums as well, since there is no anchor on
>> the front of the pattern. I suppose I could do __SOME_MONEY &&
>> !LOTS_OF_MONEY
>
> or /\b\$?...etc/
>
> That was off the top of my head.
>
>>> ...then use that in metas (untested).
>>
>> Correct.
>>
>>> The complexity comes in from all the various obfuscations. I could work up
>>> something similar to LOTS_OF_MONEY for amounts less than $100k.
>>>
>>> Another problem is smaller amounts of money are much more FP-prone.
>>
>> Agreed. I've seen a couple of these from India and this one from Russia,
>> but it will require a number of metas to make it at all useful.
>
> Yeah, but it might be quite handy in catching work-at-home spams.
This is what I have come up with so far. I imagine there are lots more
verbs that need to be added to this to catch them all:
body __SOME_MONEY_HUNDREDS /\$\d{2,3}\b/
describe __SOME_MONEY_HUNDREDS Has a dollar amount up to $one thousand
body __EASY_MONEY /\bI\b.{0,10}(?:racked|pulled|scored|made|profited)/
describe __EASY_MONEY talks about making easy money
body __EASY_WORK /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home)/
describe __EASY_WORK talks about the work being simple
meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
describe AE_WORKFROM_HOME work from home spam
score AE_WORKFROM_HOME 1.00
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
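The following is an added example, not code from the thread: it runs the subrules and the AE_WORKFROM_HOME meta posted above, plus John's unanchored __SOME_MONEY, over four constructed message bodies so the hits can be compared. Python's re evaluates these particular Perl constructs the same way SpamAssassin's engine does; the stand-in for the stock __DOS_HAS_ANY_URI subrule (any http(s) URL), the sample bodies and the lack of SpamAssassin's body rendering (HTML stripping, line joining) are all assumptions of the example.

```python
import re

# The subrules exactly as posted in the thread. Python's re evaluates these
# particular Perl constructs (\b, \d, \s, (?:...), {m,n}) the same way.
SUBRULES = {
    # John's first cut: nothing anchors the optional "$", so "$250,000" also matches.
    "__SOME_MONEY": re.compile(r"\$?(?:\d+,)?\d{3}\b"),
    # Daniel's bounded amount: "$" followed by two or three digits.
    "__SOME_MONEY_HUNDREDS": re.compile(r"\$\d{2,3}\b"),
    "__EASY_MONEY": re.compile(r"\bI\b.{0,10}(?:racked|pulled|scored|made|profited)"),
    "__EASY_WORK": re.compile(
        r"(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home)"
    ),
    # Stand-in for the stock __DOS_HAS_ANY_URI subrule (assumption: any http(s) URL in the body).
    "__DOS_HAS_ANY_URI": re.compile(r"https?://\S+"),
}

# meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
META_NAME = "AE_WORKFROM_HOME"
META_REQUIRES = ("__EASY_MONEY", "__SOME_MONEY_HUNDREDS", "__EASY_WORK", "__DOS_HAS_ANY_URI")
META_SCORE = 1.00


def subrule_hits(body: str) -> set:
    """Names of the __ subrules whose regex matches anywhere in the body text."""
    return {name for name, rx in SUBRULES.items() if rx.search(body)}


def evaluate(body: str):
    """Return (rule names hit, score) for one body, the way X-Spam-Status lists tests."""
    hits = subrule_hits(body)
    score = 0.0
    if all(name in hits for name in META_REQUIRES):
        hits.add(META_NAME)
        score += META_SCORE
    return hits, score


# Constructed sample bodies (not real mail, not the pastebin sample from the thread).
SAMPLES = {
    "wfh_spam": "Last month I made $350 a day doing simple tasks online. Start here: http://example.invalid/earn-now",
    "spam_no_dollar": "I profited 350 bucks a week working at home, see http://example.invalid/go",
    "ham_budget": "The board approved $250,000 for the data centre refresh; details at https://intranet.example.invalid/budget",
    "ham_invoice": "Invoice 4471 for $480 is attached; pay at https://billing.example.invalid/ by Friday.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits, score = evaluate(body)
        print(f"{label:15} score={score:.2f} tests={','.join(sorted(hits))}")
```

Running it shows the points the thread raises: the unanchored __SOME_MONEY fires on the $250,000 budget line, and so does __SOME_MONEY_HUNDREDS, because \b is satisfied between the "0" and the ","; only the AND of all four conditions keeps that message and the invoice at score 0. The variant that writes "350 bucks" with no dollar sign scores 0 as well, which is the obfuscation gap John mentions. Once the rules are in a local .cf, check them with spamassassin --lint and run sample messages through spamassassin -t before assigning a score.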
Re: Not-so-much LOTS_OF_MONEY
Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Dec 2010, Daniel McDonald wrote:
>
> On 12/1/10 1:28 PM, "John Hardin" <jh...@impsec.org> wrote:
>
>> On Wed, 1 Dec 2010, Daniel McDonald wrote:
>>
>>> Lately, I've been seeing spammers trying to convince you to click on a site
>>> to make hundreds or tens of Dollars, like:
>>>
>>> http://pastebin.com/MfG74WGW
>>>
>>> The mail client probably stripped out the more interesting headers before I
>>> got it from my customer, because it originally hit RELAY_RU, and I don't see
>>> a matching header in the current revision.
>>>
>>> But, I was wondering if anyone had a good regex for finding these micro-sum
>>> spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
>>> finding the 419-style scammers, they have changed tactics on us again...
>>
>> Catching the simple variants of that is pretty straightforward:
>>
>> body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/
>
> Seems like that would hit on large sums as well, since there is no anchor on
> the front of the pattern. I suppose I could do __SOME_MONEY &&
> !LOTS_OF_MONEY
or /\b\$?...etc/
That was off the top of my head.
>> ...then use that in metas (untested).
>
> Correct.
>
>> The complexity comes in from all the various obfuscations. I could work up
>> something similar to LOTS_OF_MONEY for amounts less than $100k.
>>
>> Another problem is smaller amounts of money are much more FP-prone.
>
> Agreed. I've seen a couple of these from India and this one from Russia,
> but it will require a number of metas to make it at all useful.
Yeah, but it might be quite handy in catching work-at-home spams.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
14 days until Bill of Rights day
Re: Not-so-much LOTS_OF_MONEY
Posted by Daniel McDonald <da...@austinenergy.com>.
On 12/1/10 1:28 PM, "John Hardin" <jh...@impsec.org> wrote:
> On Wed, 1 Dec 2010, Daniel McDonald wrote:
>
>> Lately, I've been seeing spammers trying to convince you to click on a site
>> to make hundreds or tens of Dollars, like:
>>
>> http://pastebin.com/MfG74WGW
>>
>> The mail client probably stripped out the more interesting headers before I
>> got it from my customer, because it originally hit RELAY_RU, and I don't see
>> a matching header in the current revision.
>>
>> But, I was wondering if anyone had a good regex for finding these micro-sum
>> spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
>> finding the 419-style scammers, they have changed tactics on us again...
>
> Catching the simple variants of that is pretty straightforward:
>
> body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/
Seems like that would hit on large sums as well, since there is no anchor on
the front of the pattern. I suppose I could do __SOME_MONEY &&
!LOTS_OF_MONEY
> ...then use that in metas (untested).
Correct.
> The complexity comes in from all the various obfuscations. I could work up
> something similar to LOTS_OF_MONEY for amounts less than $100k.
>
> Another problem is smaller amounts of money are much more FP-prone.
Agreed. I've seen a couple of these from India and this one from Russia,
but it will require a number of metas to make it at all useful.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Not-so-much LOTS_OF_MONEY
Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Dec 2010, Daniel McDonald wrote:
> Lately, I've been seeing spammers trying to convince you to click on a site
> to make hundreds or tens of Dollars, like:
>
> http://pastebin.com/MfG74WGW
>
> The mail client probably stripped out the more interesting headers before I
> got it from my customer, because it originally hit RELAY_RU, and I don't see
> a matching header in the current revision.
>
> But, I was wondering if anyone had a good regex for finding these micro-sum
> spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
> finding the 419-style scammers, they have changed tactics on us again...
Catching the simple variants of that is pretty straightforward:
body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/
...then use that in metas (untested).
The complexity comes in from all the various obfuscations. I could work up
something similar to LOTS_OF_MONEY for amounts less than $100k.
Another problem is smaller amounts of money are much more FP-prone.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You know things are bad when Pravda says we [the USA] have gone
too far to the left. -- Joe Huffman
-----------------------------------------------------------------------
14 days until Bill of Rights day