Posted to users@spamassassin.apache.org by jdow <jd...@earthlink.net> on 2005/05/08 13:21:26 UTC

Oops - drug rules need more work

This text sailed right through all the SARE rules except one ratware
rule:

===8<---
X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_80,DATE_IN_PAST_12_24,
 RATWR10a_MESSID,URIBL_SBL autolearn=disabled version=3.0.2
Status:

You will see how great this storewide ssale is. Customers can sav a lot of
rnoney on tablets at our store.

Check our wide selections for rneds on pain, swelling, ereection
dysfunction, obesity, gynaecological care, stress, musclerelaxant and
sleeping disorder. Gget the or-der sent to you in a timely manner.

Select easy savvings on quality items. Have you checked the nevv weekly
ssale already?

http://aq.724a.missionandgoal<MUNGED>.com/4e/

For quick and professional rnedical history check, select our cyber store.
===8<---

There are too many creative ways to mangle words and still have the
original meaning get through. (But, perhaps anybody who would do any
business with these creeps who cannot spell has earned what they get....)

I'll tuck the message in a corner if anybody wants the whole thing.
But I expect the header aspect will be dealt with by the time this
reaches the list via black holes.

{^_^}   Joanne



Re: Oops - drug rules need more work

Posted by jdow <jd...@earthlink.net>.
From: "Robert Menschel" <Ro...@Menschel.net>

> Yes, please send me a copy and I'll see if it has new manglings worth
> testing for.

I sent the body again privately. It was quoted in its entirety in the
email on the 8th at about 4:30AM. (The headers don't count. It's body
rules that gave it a miss.)

{^_-}


Re: Oops - drug rules need more work

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello jdow,

Sunday, May 8, 2005, 4:21:26 AM, you wrote:

j> This text sailed right through all the SARE rules except one ratware
j> rule:
j> ===8<---
j> X-Spam-Status: No, score=4.4 required=5.0
j> tests=BAYES_80,DATE_IN_PAST_12_24,
j>  RATWR10a_MESSID,URIBL_SBL autolearn=disabled version=3.0.2
j> Status:

How old are your rules files?  Ratware as a rules file and rules name
has been discontinued since last September. All Message ID rules
should now be in the 70_sare_header*.cf files, with a SARE_MSGID_*
name.

j> You will see how great this storewide ssale is. Customers can sav a
j> lot of rnoney on tablets at our store.

Some of the obfuscations in the sample you sent should already be
picked up by the new 70_sare_obfu* files, and other rules are being
tested (my mass-check is running as I type).

j> There are too many creative ways to mangle words and still have the
j> original meaning get through. (But, perhaps anybody who would do
j> any business with these creeps who cannot spell has earned what
j> they get....)

Agreed, but some manglings are popular enough to be worth writing a
rule for, even if that rule pays off for only a month before that
particular mangling is dropped.

Yes, please send me a copy and I'll see if it has new manglings worth
testing for.

I suggest you compress the email file, so it doesn't hit any filters.
:-)

Bob Menschel




Re: Oops - drug rules need more work

Posted by jdow <jd...@earthlink.net>.
From: "Matt Kettler" <mk...@comcast.net>
> At 07:21 AM 5/8/2005, jdow wrote:
> >This text sailed right through all the SARE rules except one ratware
> >rule:
> >
> >===8<---
> >X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_80,DATE_IN_PAST_12_24,
> >  RATWR10a_MESSID,URIBL_SBL autolearn=disabled version=3.0.2
> >Status:
> >
> >You will see how great this storewide ssale is. Customers can sav a lot of
> >rnoney on tablets at our store.
> >
> >Check our wide selections for rneds on
>
>
> Suggestion:
>
> body L_MEDS             /\bmed[sz]/i
> score L_MEDS    1.0
> describe L_MEDS mentions meds
>
> Works pretty well for me.

Where does it mention "med[sz]"? {^_-}

It faked the lower case m twice as "rn". THAT is what needs the test.
body L_MEDS             /\brned[sz]\b/i
body L_FAKE_MONEY       /\brnoney\b/i

{^_-}
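
Added example (not part of any post in this thread): a Python sketch that generalizes the hand-written `rned[sz]` and `rnoney` rules above into a generator of SpamAssassin `body` rules that tolerate "rn" for "m", "vv" for "w", doubled letters and a stray hyphen. The `L_OBFU_*` rule names, the word list and the clean sentence are assumptions made for illustration; the sample sentences are abridged from the first post.

```python
import re

# Look-alike substitutions seen in the sample quoted in this thread.
LOOKALIKES = {"m": ["m", "rn"], "w": ["w", "vv"]}

def obfu_pattern(word):
    """Regex source matching mangled spellings of `word`, never `word` itself."""
    word = word.lower()
    parts = []
    for ch in word:
        alts = [re.escape(a) for a in LOOKALIKES.get(ch, [ch])]
        atom = alts[0] if len(alts) == 1 else "(?:%s)" % "|".join(alts)
        parts.append(atom + "+")      # '+' tolerates doubled letters ("ssale")
    body = "-?".join(parts)           # '-?' tolerates a split such as "or-der"
    # Negative lookahead: the correctly spelled word must not hit the rule.
    return r"\b(?!%s\b)%s\b" % (re.escape(word), body)

def sa_rule(word, score=1.0):
    """Emit body/score/describe lines; the L_OBFU_* names are hypothetical."""
    name = "L_OBFU_" + word.upper()
    return "\n".join([
        "body %s /%s/i" % (name, obfu_pattern(word)),
        "score %s %.1f" % (name, score),
        "describe %s mangled spelling of %s" % (name, word),
    ])

def hits(text, words):
    """Words whose generated pattern fires on `text` (case-insensitive)."""
    return [w for w in words if re.search(obfu_pattern(w), text, re.I)]

WORDS = ["money", "meds", "get", "order", "new", "sale"]   # assumed word list
# Sentences abridged from the message body quoted in the first post.
SAMPLE = ("Customers can sav a lot of rnoney on tablets at our store. "
          "Check our wide selections for rneds on pain. "
          "Gget the or-der sent to you in a timely manner. "
          "Have you checked the nevv weekly ssale already?")
# Constructed ham sentence using the same words spelled correctly.
CLEAN = "Send money for the new order of meds and get the sale price."

if __name__ == "__main__":
    print(sa_rule("meds"))
    print("sample:", hits(SAMPLE, WORDS))
    print("clean: ", hits(CLEAN, WORDS))
```

The look-alike table cuts both ways: the pattern generated for "modem" also matches "modern", so each generated rule should go through a mass-check against ham before it is given a score.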



Re: Oops - drug rules need more work

Posted by "Richard.Hall" <Ri...@ingenta.com>.
On Mon, 9 May 2005, Matt Kettler wrote:

>
> At 07:21 AM 5/8/2005, jdow wrote:
> >This text sailed right through all the SARE rules except one ratware
> >rule:
> >
> >===8<---
> >X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_80,DATE_IN_PAST_12_24,
> >  RATWR10a_MESSID,URIBL_SBL autolearn=disabled version=3.0.2
> >Status:
> >
> >You will see how great this storewide ssale is. Customers can sav a lot of
> >rnoney on tablets at our store.
> >
> >Check our wide selections for rneds on
>
>
> Suggestion:
>
> body L_MEDS             /\bmed[sz]/i
> score L_MEDS    1.0
> describe L_MEDS mentions meds
>
> Works pretty well for me.

... but wouldn't work on the OP's sample ? Note the use of 'rn' instead of
'm' - thus ...

  rnoney  instead of   money
  rneds   instead of   meds

Seen quite a bit of this recently. Confess I haven't checked to see if
anything is picking it up.

HTH,
 Richard



Re: Oops - drug rules need more work

Posted by Matt Kettler <mk...@comcast.net>.
At 07:21 AM 5/8/2005, jdow wrote:
>This text sailed right through all the SARE rules except one ratware
>rule:
>
>===8<---
>X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_80,DATE_IN_PAST_12_24,
>  RATWR10a_MESSID,URIBL_SBL autolearn=disabled version=3.0.2
>Status:
>
>You will see how great this storewide ssale is. Customers can sav a lot of
>rnoney on tablets at our store.
>
>Check our wide selections for rneds on


Suggestion:

body L_MEDS             /\bmed[sz]/i
score L_MEDS    1.0
describe L_MEDS mentions meds

Works pretty well for me.