Posted to users@spamassassin.apache.org by Jeff Chan <je...@surbl.org> on 2005/05/24 15:05:44 UTC

Re: dissapointed

On Tuesday, May 24, 2005, 6:56:08 AM, Ronan McGlue wrote:
> I added a dummy mx record (lowest preference) as we all know it's
> generally the one the spammers target first, which is getting hit with
> about 50% of our daily connections, of which I defer all of them at a
> very low overhead.

Some of the spammers will eventually notice that your bogus MXer
is not responding and fall back to trying the other MXers.

There are several alternatives, including using fake proxypots
that simulate a mailserver to varying degrees and may fool
spammers for longer. Another approach is to use something like
postgrey to delay new connections:

  http://isg.ee.ethz.ch/tools/postgrey/

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: dissapointed >> dummy MX record

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, May 25, 2005, 4:13:45 PM, lists lists wrote:
>>On Tuesday, May 24, 2005, 6:56:08 AM, Ronan McGlue wrote:
>>>  I added a dummy mx record (lowest preference) as we all know it's
>>>  generally the one the spammers target first, which is getting hit with
>>>  about 50% of our daily connections, of which I defer all of them at a
>>>  very low overhead.
>>
>>Some of the spammers will eventually notice that your bogus MXer
>>is not responding and fall back to trying the other MXers.

> Jeff,

> Why would they notice?  In my mind, the mailserver would accept the
> connections and emails, only to silently defer them.  And by defer, I
> mean delete them without any rejection or reply.

It's probably true that a fake proxy that does a better job of
pretending to be a real MXer may take longer for the bad guys
to discover.

However my original reply was referring to an MX record that did
not connect to a server of any kind, fake or real.  That
arrangement some spammers seem to detect eventually.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: dissapointed >> dummy MX record

Posted by Tim Jackson <li...@timj.co.uk>.
On Wed, 25 May 2005 16:13:45 -0700
lists@zeta.net wrote:

> Jeff wrote:
> >On Tuesday, May 24, 2005, 6:56:08 AM, Ronan McGlue wrote:
> >> I added a dummy mx record (lowest preference) as we all know it's
> >> generally the one the spammers target first, which is getting hit
> >> with about 50% of our daily connections, of which I defer all of
> >> them at a very low overhead.
> >Some of the spammers will eventually notice that your bogus MXer
> >is not responding and fall back to trying the other MXers.
> Why would they notice?  In my mind, the mailserver would accept the
> connections and emails, only to silently defer them.  And by defer, I
> mean delete them without any rejection or reply.

I don't think you are getting the meaning of "defer" in this context,
which is to return a 4xx temporary error code at SMTP time. This won't
"delete" any e-mail; it tells the sending server to retry again later.
The point is that not all spam engines (and not all real mail servers,
unfortunately) will actually retry properly, or at all.

Tim
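
An added illustration (not from any of the posts in this thread, and not postgrey's own code) of the deferral behaviour discussed above: an unknown (client IP, sender, recipient) triplet gets a 4xx temporary reply and is accepted only when the sender retries after a delay. The class and function names, the 300-second delay, the reply texts and the sample traffic are assumptions made for the example.

```python
"""Greylisting sketch: defer unknown triplets with 4xx, accept a later retry."""

MIN_DELAY = 300            # assumed: seconds a new triplet must wait before a retry passes
RETRY_WINDOW = 2 * 86400   # assumed: a first attempt older than this is forgotten

DEFER = (450, "4.2.0 Greylisted, try again later")   # constructed reply text
ACCEPT = (250, "2.1.5 Ok")                           # constructed reply text


class Greylist:
    """Decide the SMTP reply for each delivery attempt at RCPT TO time."""

    def __init__(self, min_delay=MIN_DELAY, retry_window=RETRY_WINDOW):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.first_seen = {}   # triplet -> time of the first deferred attempt
        self.accepted = set()  # triplets that have already retried properly

    def check(self, now, client_ip, sender, recipient):
        """Return (code, text) for one attempt made at time `now` (seconds)."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.accepted:
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            # Never seen (or seen too long ago): record it and defer.
            # A 4xx reply deletes nothing; the sending server keeps the
            # message queued and is expected to try again later.
            self.first_seen[key] = now
            return DEFER
        if now - first < self.min_delay:
            # Retried too quickly: still a temporary failure.
            return DEFER
        # Retried after the delay, as a standards-following MTA does.
        self.accepted.add(key)
        return ACCEPT


def replay(attempts, greylist=None):
    """Feed (time, ip, sender, recipient) tuples through a greylist.

    Returns the list of SMTP reply codes, one per attempt.
    """
    greylist = greylist or Greylist()
    return [greylist.check(*attempt)[0] for attempt in attempts]


# Constructed sample traffic (documentation address ranges, times in seconds).
SAMPLE_ATTEMPTS = [
    (0,    "192.0.2.10",   "bulk@example.net",  "user@example.org"),  # never retries
    (5,    "198.51.100.7", "alice@example.com", "user@example.org"),  # first attempt
    (60,   "198.51.100.7", "alice@example.com", "user@example.org"),  # retry too early
    (900,  "198.51.100.7", "alice@example.com", "user@example.org"),  # proper retry
    (1000, "198.51.100.7", "alice@example.com", "user@example.org"),  # known triplet
    (1200, "203.0.113.5",  "bulk@example.net",  "user@example.org"),  # new IP, new triplet
]

if __name__ == "__main__":
    for attempt, code in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(code, *attempt)
```
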

Re: spamassassin --lint

Posted by guenther <gu...@rudersport.de>.
> looked in every user_prefs file on my system and I could find any
> reference to those lines.

If you're running 'spamassassin --lint' as root, I guess you should look
in /root/.spamassassin/user_prefs as well.

Only the user_prefs of the user running spamassassin are evaluated. No
need to look in any other users' files...

...guenther


> On 5/26/05, Matt Kettler <mk...@evi-inc.com> wrote:
> > Tim Macrina wrote:
> > > This may be a dumb question but where can I find those lines? I looked
> > > in /etc/mail/spamassassin/local.cf and I can't locate those entries.
> > 
> > Try ~/.spamassassin/user_prefs

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: spamassassin --lint

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 26 May 2005, Tim Macrina wrote:

> Hi Matt,
> looked in every user_prefs file on my system and I could find any
> reference to those lines.
>
> On 5/26/05, Matt Kettler <mk...@evi-inc.com> wrote:
> > Tim Macrina wrote:
> > > This may be a dumb question but where can I find those lines? I looked
> > > in /etc/mail/spamassassin/local.cf and I can't locate those entries.
> >
> > Try ~/.spamassassin/user_prefs

Tim,
try the command:
  spamassassin --lint -D

(toss on the debug option). It will print out a whole bunch of
stuff, but somewhere in there it should tell you exactly which
directories it's taking config files from. For example, the relevant
snippet of output from my system looks like:

[snip..]
debug: PATH included '/sbin', keeping.
debug: Final PATH set to: /usr/sbin:/opt/softbench/bin:/usr/bin:/usr/ccs/bin:/sbin
debug: ignore: using a test message to lint rules
debug: using "/usr/local/opt/perl-5.6.1/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/home/root/.spamassassin" for user state dir
debug: using "/home/root/.spamassassin/user_prefs" for user prefs file
debug: bayes: 25382 tie-ing to DB file R/O /etc/mail/spamassassin/bayes/bayes_toks
[snip..]

Now take each of those 'using "/bla/bla" for ha dir' lines and search in
there for your offending stuff.

for example, to find out where the rule "NO_REAL_NAME" came from, I could
do:

grep NO_REAL_NAME /usr/local/opt/perl-5.6.1/share/spamassassin/*.cf
grep NO_REAL_NAME /etc/mail/spamassassin/*.cf
grep NO_REAL_NAME /home/root/.spamassassin/*.cf
grep NO_REAL_NAME /home/root/.spamassassin/user_prefs

and in one of those places I'll be sure to find that rule.
Note that a particular rule or config command can exist in more
than one place. In that case, the last one that SA loads overrules
the earlier ones.

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
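
An added example (not part of Dave's post, and not SpamAssassin code) that automates the procedure described above: it pulls the 'using "..." for ...' locations out of `spamassassin --lint -D` output and searches each one for a setting or rule name. The function names are hypothetical, `SAMPLE_DEBUG` repeats the debug lines quoted in the post, and comment lines are skipped as an assumption about what is worth reporting.

```python
"""Locate a SpamAssassin setting in the config locations listed by --lint -D."""
import glob
import os
import re
import sys

# Matches e.g.: debug: using "/etc/mail/spamassassin" for site rules dir
USING_RE = re.compile(r'using "([^"]+)" for (.+?)\s*$')

# Debug lines as quoted in the post above.
SAMPLE_DEBUG = '''\
debug: PATH included '/sbin', keeping.
debug: ignore: using a test message to lint rules
debug: using "/usr/local/opt/perl-5.6.1/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/home/root/.spamassassin" for user state dir
debug: using "/home/root/.spamassassin/user_prefs" for user prefs file
debug: bayes: 25382 tie-ing to DB file R/O /etc/mail/spamassassin/bayes/bayes_toks
'''


def config_locations(debug_output):
    """Return [(path, role)] for every 'using "<path>" for <role>' line."""
    locations = []
    for line in debug_output.splitlines():
        match = USING_RE.search(line)
        if match:
            locations.append((match.group(1), match.group(2)))
    return locations


def files_to_search(path):
    """A directory contributes its *.cf files; a plain file contributes itself."""
    if os.path.isdir(path):
        return sorted(glob.glob(os.path.join(path, "*.cf")))
    return [path] if os.path.isfile(path) else []


def find_setting(name, locations):
    """Return [(file, line number, line)] where `name` occurs as a whole word.

    Hits come back in the order the locations were listed; when a setting
    appears more than once, every hit is returned so each can be inspected.
    """
    word = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
    hits, seen = [], set()
    for path, _role in locations:
        for fname in files_to_search(path):
            if fname in seen:
                continue
            seen.add(fname)
            with open(fname, errors="replace") as handle:
                for lineno, line in enumerate(handle, 1):
                    text = line.strip()
                    if text.startswith("#"):
                        continue  # commented-out lines are not active config
                    if word.search(text):
                        hits.append((fname, lineno, text))
    return hits


if __name__ == "__main__":
    # Usage: spamassassin --lint -D 2>&1 | python find_setting.py spam_level_stars
    wanted = sys.argv[1] if len(sys.argv) > 1 else "NO_REAL_NAME"
    for fname, lineno, text in find_setting(wanted, config_locations(sys.stdin.read())):
        print("%s:%d: %s" % (fname, lineno, text))
```
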

Re: spamassassin --lint

Posted by Tim Macrina <ti...@gmail.com>.
Hi Matt, 
looked in every user_prefs file on my system and I could find any
reference to those lines.

On 5/26/05, Matt Kettler <mk...@evi-inc.com> wrote:
> Tim Macrina wrote:
> > This may be a dumb question but where can I find those lines? I looked
> > in /etc/mail/spamassassin/local.cf and I can't locate those entries.
> 
> Try ~/.spamassassin/user_prefs
>

Re: spamassassin --lint

Posted by Matt Kettler <mk...@evi-inc.com>.
Tim Macrina wrote:
> This may be a dumb question but where can I find those lines? I looked
> in /etc/mail/spamassassin/local.cf and I can't locate those entries.

Try ~/.spamassassin/user_prefs

Re: spamassassin --lint

Posted by Tim Macrina <ti...@gmail.com>.
This may be a dumb question but where can I find those lines? I looked
in /etc/mail/spamassassin/local.cf and I can't locate those entries.

On 5/26/05, Matt Kettler <mk...@evi-inc.com> wrote:
> Tim Macrina wrote:
> > If I run spamassassin --lint I get the following messages. Can anyone tell me what they mean and how to fix them? Thank you
> >
> > config: SpamAssassin failed to parse line, skiping: detailed_phrase_score 1
> > config: SpamAssassin failed to parse line, skiping: spam_level_stars 1
> > config: SpamAssassin failed to parse line, skiping: defang_mime 1
> >
> >
> 
> Delete those lines from your config file, they're all from very old versions of
> spamassassin and no longer exist.
> 
> detailed_phrase_score is from the old static phrase list code that disappeared
> when bayes was added in spamassassin 2.50. (Bayes is a dynamic trainable version
> of this concept so anything from the old phrases code is instantly obsolete)
> 
> defang_mime was superseded by report_safe when 2.50 was released.
> 
> spam_level_stars got replaced by add_header when SA 2.60 was released.
> 
> 
> 
>

Re: spamassassin --lint

Posted by Matt Kettler <mk...@evi-inc.com>.
Tim Macrina wrote:
> If I run spamassassin --lint I get the following messages. Can anyone tell me what they mean and how to fix them? Thank you
> 
> config: SpamAssassin failed to parse line, skiping: detailed_phrase_score 1
> config: SpamAssassin failed to parse line, skiping: spam_level_stars 1
> config: SpamAssassin failed to parse line, skiping: defang_mime 1
> 
> 

Delete those lines from your config file, they're all from very old versions of
spamassassin and no longer exist.

detailed_phrase_score is from the old static phrase list code that disappeared
when bayes was added in spamassassin 2.50. (Bayes is a dynamic trainable version
of this concept so anything from the old phrases code is instantly obsolete)

defang_mime was superseded by report_safe when 2.50 was released.

spam_level_stars got replaced by add_header when SA 2.60 was released.




spamassassin --lint

Posted by Tim Macrina <ti...@quickmortgageloan.com>.
If I run spamassassin --lint I get the following messages. Can anyone tell me what they mean and how to fix them? Thank you

config: SpamAssassin failed to parse line, skiping: detailed_phrase_score 1
config: SpamAssassin failed to parse line, skiping: spam_level_stars 1
config: SpamAssassin failed to parse line, skiping: defang_mime 1



Re: OTC stock spam

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello qqqq,

Thursday, May 26, 2005, 6:54:57 AM, you wrote:

q> Guys,

q> I just can't seem to lick this problem.  Any ideas?

One idea:  http://wiki.apache.org/spamassassin/DoYouWantMySpam

The way many of us would help would be to take your email, the full
email, the unadulterated uncut unmodified uncutandpasted email, and
run SA against it on our system.

We can then tell you how/why our system flags it as spam, and you can
adopt some of those methods.

Can't do that from your example.

Bob Menschel




Re: [sa-list] Re: OTC stock spam

Posted by jdow <jd...@earthlink.net>.
From: "Dan Mahoney, System Admin" <da...@prime.gushi.org>

> On Thu, 26 May 2005, Loren Wilton wrote:
>
>> I'm not going to try running that, but I've got a pile of rules that catch
>> stock scams like that.  SARE has a good bunch of them, the better ones of
>> course.
>>
>> Here, the most recent spam I got was a stock spam.  It hit:
>>
>> 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
>> 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
>> 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
>> 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
>> 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
>> 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
>> 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
>> 2.0 LW_OTCBB               BODY: Reference to stock
>> 1.0 LW_1933                BODY: Reference to Securities Act
>> 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
>> 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
>> 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
>> 0.3 SARE_MILLIONSOF        BODY: Millions of something.
>> 0.1 HTML_MESSAGE           BODY: HTML included in message
>> 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>>                            [score: 1.0000]
>> 0.9 FM_NO_STYLE            FM_NO_STYLE
>
> Loren,
>
> Where can I find those LW_* rules?  Or are they part of your private 
> collection?

They are part of his own collection. The "loan" and some other money
terms rules tend to misfire as he and I have them. (We each have our
own mortgage rules.) 



Re: [sa-list] Re: OTC stock spam

Posted by qqqq <qq...@usermail.com>.
Loren,

Will you post your LW Stox based rules?  I think we would all like to see them.

QQQQ
----- Original Message ----- 
From: "Dan Mahoney, System Admin" <da...@prime.gushi.org>
To: "Loren Wilton" <lw...@earthlink.net>
Cc: <us...@spamassassin.apache.org>
Sent: Tuesday, September 06, 2005 2:41 PM
Subject: Re: [sa-list] Re: OTC stock spam


| On Thu, 26 May 2005, Loren Wilton wrote:
| 
| > I'm not going to try running that, but I've got a pile of rules that catch
| > stock scams like that.  SARE has a good bunch of them, the better ones of
| > course.
| >
| > Here, the most recent spam I got was a stock spam.  It hit:
| >
| > 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
| > 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
| > 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
| > 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
| > 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
| > 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
| > 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
| > 2.0 LW_OTCBB               BODY: Reference to stock
| > 1.0 LW_1933                BODY: Reference to Securities Act
| > 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
| > 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
| > 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
| > 0.3 SARE_MILLIONSOF        BODY: Millions of something.
| > 0.1 HTML_MESSAGE           BODY: HTML included in message
| > 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
| >                            [score: 1.0000]
| > 0.9 FM_NO_STYLE            FM_NO_STYLE
| 
| Loren,
| 
| Where can I find those LW_* rules?  Or are they part of your private 
| collection?
| 
| -Dan
| 
| --
| 
| "Don't try to out-wierd me.  I get stranger things than you free with my
| breakfast cereal."
| 
| -Button seen at I-CON XVII (and subsequently purchased)
| 
| --------Dan Mahoney--------
| Techie,  Sysadmin,  WebGeek
| Gushi on efnet/undernet IRC
| ICQ: 13735144   AIM: LarpGM
| Site:  http://www.gushi.org
| ---------------------------
| 
| 

Re: [sa-list] Re: OTC stock spam

Posted by jdow <jd...@earthlink.net>.
He's more aggressive than I am. For him spam is 4.6. For me it's 5.0 and
I only score BAYES_99 at 5.0 points.
{^_-}
----- Original Message ----- 
From: "Dan Mahoney, System Admin" <da...@prime.gushi.org>


> On Tue, 6 Sep 2005, M.Lewis wrote:
>
>> Also what did you use to get the report?
>
> The report shows up in most setups in any spam email.  Considering this 
> one scored the way it did, I'm pretty sure it scored as spam.
>
> -Dan
>
>
>>
>> Dan Mahoney, System Admin wrote:
>>> On Thu, 26 May 2005, Loren Wilton wrote:
>>>
>>>> I'm not going to try running that, but I've got a pile of rules that catch
>>>> stock scams like that.  SARE has a good bunch of them, the better ones of
>>>> course.
>>>>
>>>> Here, the most recent spam I got was a stock spam.  It hit:
>>>>
>>>> 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
>>>> 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
>>>> 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
>>>> 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
>>>> 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
>>>> 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
>>>> 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
>>>> 2.0 LW_OTCBB               BODY: Reference to stock
>>>> 1.0 LW_1933                BODY: Reference to Securities Act
>>>> 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
>>>> 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
>>>> 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
>>>> 0.3 SARE_MILLIONSOF        BODY: Millions of something.
>>>> 0.1 HTML_MESSAGE           BODY: HTML included in message
>>>> 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>>>>                            [score: 1.0000]
>>>> 0.9 FM_NO_STYLE            FM_NO_STYLE
>>>
>>>
>>> Loren,
>>>
>>> Where can I find those LW_* rules?  Or are they part of your private 
>>> collection?
>>>
>>> -Dan



Re: [sa-list] Re: OTC stock spam

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Tue, 6 Sep 2005, M.Lewis wrote:

> Also what did you use to get the report?

The report shows up in most setups in any spam email.  Considering this 
one scored the way it did, I'm pretty sure it scored as spam.

-Dan


>
> Dan Mahoney, System Admin wrote:
>> On Thu, 26 May 2005, Loren Wilton wrote:
>> 
>>> I'm not going to try running that, but I've got a pile of rules that catch
>>> stock scams like that.  SARE has a good bunch of them, the better ones of
>>> course.
>>> 
>>> Here, the most recent spam I got was a stock spam.  It hit:
>>> 
>>> 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
>>> 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
>>> 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
>>> 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
>>> 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
>>> 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
>>> 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
>>> 2.0 LW_OTCBB               BODY: Reference to stock
>>> 1.0 LW_1933                BODY: Reference to Securities Act
>>> 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
>>> 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
>>> 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
>>> 0.3 SARE_MILLIONSOF        BODY: Millions of something.
>>> 0.1 HTML_MESSAGE           BODY: HTML included in message
>>> 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>>>                            [score: 1.0000]
>>> 0.9 FM_NO_STYLE            FM_NO_STYLE
>> 
>> 
>> Loren,
>> 
>> Where can I find those LW_* rules?  Or are they part of your private 
>> collection?
>> 
>> -Dan
>> 
>> -- 
>> 
>> "Don't try to out-wierd me.  I get stranger things than you free with my
>> breakfast cereal."
>> 
>> -Button seen at I-CON XVII (and subsequently purchased)
>> 
>> --------Dan Mahoney--------
>> Techie,  Sysadmin,  WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144   AIM: LarpGM
>> Site:  http://www.gushi.org
>> ---------------------------
>> 
>> 
>> 
>

--

"Little tramp sits in her room all day, sewing dolls!  Children
misbehaving in the basement, and one in the walls, doing his business God
knows where!  You children will be the death of me, *sniff*."

'Mommy', The People Under The Stairs


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: [sa-list] Re: OTC stock spam

Posted by "M.Lewis" <_S...@cajuninc.com>.
Also what did you use to get the report?

Dan Mahoney, System Admin wrote:
> On Thu, 26 May 2005, Loren Wilton wrote:
> 
>> I'm not going to try running that, but I've got a pile of rules that catch
>> stock scams like that.  SARE has a good bunch of them, the better ones of
>> course.
>>
>> Here, the most recent spam I got was a stock spam.  It hit:
>>
>> 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
>> 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
>> 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
>> 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
>> 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
>> 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
>> 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
>> 2.0 LW_OTCBB               BODY: Reference to stock
>> 1.0 LW_1933                BODY: Reference to Securities Act
>> 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
>> 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
>> 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
>> 0.3 SARE_MILLIONSOF        BODY: Millions of something.
>> 0.1 HTML_MESSAGE           BODY: HTML included in message
>> 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>>                            [score: 1.0000]
>> 0.9 FM_NO_STYLE            FM_NO_STYLE
> 
> 
> Loren,
> 
> Where can I find those LW_* rules?  Or are they part of your private 
> collection?
> 
> -Dan
> 
> -- 
> 
> "Don't try to out-wierd me.  I get stranger things than you free with my
> breakfast cereal."
> 
> -Button seen at I-CON XVII (and subsequently purchased)
> 
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
> 
> 
> 

Re: [sa-list] Re: OTC stock spam

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 26 May 2005, Loren Wilton wrote:

> I'm not going to try running that, but I've got a pile of rules that catch
> stock scams like that.  SARE has a good bunch of them, the better ones of
> course.
>
> Here, the most recent spam I got was a stock spam.  It hit:
>
> 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
> 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
> 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
> 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
> 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
> 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
> 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
> 2.0 LW_OTCBB               BODY: Reference to stock
> 1.0 LW_1933                BODY: Reference to Securities Act
> 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
> 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
> 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
> 0.3 SARE_MILLIONSOF        BODY: Millions of something.
> 0.1 HTML_MESSAGE           BODY: HTML included in message
> 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                            [score: 1.0000]
> 0.9 FM_NO_STYLE            FM_NO_STYLE

Loren,

Where can I find those LW_* rules?  Or are they part of your private 
collection?

-Dan

--

"Don't try to out-wierd me.  I get stranger things than you free with my
breakfast cereal."

-Button seen at I-CON XVII (and subsequently purchased)

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: OTC stock spam

Posted by qqqq <qq...@usermail.com>.
Can you tell me which .cf file is triggering
LW_OTCBB?

TIA

qqqq

----- Original Message ----- 
From: "Loren Wilton" <lw...@earthlink.net>
To: <us...@spamassassin.apache.org>
Sent: Thursday, May 26, 2005 11:11 AM
Subject: Re: OTC stock spam


| I'm not going to try running that, but I've got a pile of rules that catch
| stock scams like that.  SARE has a good bunch of them, the better ones of
| course.
| 
| Here, the most recent spam I got was a stock spam.  It hit:
| 
|  1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
|  0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
|  0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
|  1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
|  0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
|  1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
|  1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
|  2.0 LW_OTCBB               BODY: Reference to stock
|  1.0 LW_1933                BODY: Reference to Securities Act
|  0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
|  0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
|  2.7 NOT_ADVISOR            BODY: Not registered investment advisor
|  0.3 SARE_MILLIONSOF        BODY: Millions of something.
|  0.1 HTML_MESSAGE           BODY: HTML included in message
|  5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
|                             [score: 1.0000]
|  0.9 FM_NO_STYLE            FM_NO_STYLE
| 
|         Loren
| 
| 

Re: OTC stock spam

Posted by Loren Wilton <lw...@earthlink.net>.
I'm not going to try running that, but I've got a pile of rules that catch
stock scams like that.  SARE has a good bunch of them, the better ones of
course.

Here, the most recent spam I got was a stock spam.  It hit:

 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
 0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
 0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
 0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
 1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
 1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
 2.0 LW_OTCBB               BODY: Reference to stock
 1.0 LW_1933                BODY: Reference to Securities Act
 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
 0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
 0.3 SARE_MILLIONSOF        BODY: Millions of something.
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.9 FM_NO_STYLE            FM_NO_STYLE

        Loren


Re: OTC stock spam

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, May 26, 2005, 6:54:57 AM, qqqq qqqq wrote:
> Guys,

> I just can't seem to lick this problem.  Any ideas?

How about a rule to score "My Pool Leaks, Inc." in message texts?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


OTC stock spam

Posted by qqqq <qq...@usermail.com>.
Guys,

I just can't seem to lick this problem.  Any ideas?
___________________________________________

Major Breaking News Alert
My Pool Leaks, Inc..(Trading As OTC:MPLK)
Announces 'Product Available' From Pinch A Penny
Current Price: $0.03

WATCH THIS ONE ALL WEEK!


POMPANO BEACH, Fla., May 23 /PRNewswire/ -- My Pool Leaks, Inc.,
(BULLETIN BOARD: MPLK) , a leader in DIY Pool and Spa leak detection kits,
is now being shipped to Pinch A Penny locations.. Pinch A Penny is the
largestfranchised retail pool, patio and spa company in the world. They have
160 full-service retail stores offering everything needed to operate and
enjoy a swimming pool or spa. My Pool Leaks and Pinch
A Penny are a perfect fit; both cater to the do- it-yourselfer.
MPLK has the only all-inclusive kit available to find and fix leaks;
it is designed for both the novice and the seasoned do-it-yourselfer.
My Pools Leaks product is unique in the sense that it is the only all-inclusive
kit available to find and fix leaks. Nothing available in the market compares
to the comprehensive approach taken to help people solve their own leak problems.
The process is made simple from start to finish. There are three separate kits
that work for all types of pools and spas. They include clear, concise
instructions, tools to facilitate the inspection and repair materials.
There are over 15 million pools and spas in the United States. Industry statistics
show that 4% are leaking at any given time. The relationship with Pinch A Penny
will help MPLK reach more of these 600,000 potential customers, and help them to
resolve their leaks in a cost-effective and efficient manner. MPLK is expanding
their customer support and on-line troubleshooting section to help any customers
that may have questions. Water is a precious commodity. My Pool Leaks is helping
to conserve natural resources, one pool at a time.

IMPORTANT DISCLOSURE & DISCLAIMER
for "Investor Alert" which Includes: "Investor Alert" Website and Newsletters
Please consult with a certified financial advisor before making any investment decisions.
Any material or information found in any report or on the websites is for informational
purposes only. All information should be confirmed before making an investment decision.
 "Investor Alert" (hereinafter referred to as Investor Alert and any affiliates and
information providers make no implied or express warranties on the information provided.
Please verify quotes with your investment manager before making investment decisions. This
is not to be construed as a solicitation to buy or sell securities. As with any stock, the
featured companies involve a high degree of risk and volatility, and all investors should
know that they may lose a portion or all of their investment if they decide to purchase
any stock.
The accuracy and completeness of the information within any report is only as reliable as
the information that is provided to "Investor Alert". in drafting the report. "Investor
Alert" does not verify the information, and makes no warranty that the information is
accurate.
"Investor Alert"., its affiliates, associates, relatives and anyone associated with
"Investor Alert" in any manner reserves the right to either BUY or SELL shares in the
profiled company's stock, either BEFORE the date of the profile, DURING the date of the
profile or at ANY time after the date of the profile. Please make special note that
"Investor Alert" reserves the right sell any or all of its position in any company
profiled at any time, be that before the date of a profile, during the date of a profile,
or at anytime after the date of a profile.
Please note that visitors to Investor Alert, Websites and readers of the Investor Alert
Newsletter, are cautioned that small and micro-cap stocks are high-risk investments and
that SOME or ALL investment dollars CAN be LOST. We suggest you consult a professional
investment advisor before purchasing any stock. All opinions expressed on the Investor
Alert website and newsletter are the opinions of "Investor Alert". All information
concerning the companies is received directly from the companies profiled and/or outside
interviews conducted by "Investor Alert". "Investor Alert" recommends you use the
information found here as an initial starting point for conducting your own research and
conduct your own due diligence on the featured companies in order to determine your own
personal opinion of the company BEFORE investing in these or any other companies.
"Investor Alert" assumes all information to be truthful and reliable; however, we cannot
and do not warrant or guarantee the accuracy of this information. All statements contained
herein are deemed to be factual as of the date of this report and as such are subject to
change without notice. "Investor Alert" is NOT an Investment Advisor, Financial Planning
Service or a Stock Brokerage Firm and in accordance with such "Investor Alert" is not
offering investment advice or promoting any investment strategies. "Investor Alert" is not
offering securities for sale or solicitation of any offer to buy or sell securities. An
offer to buy or sell can be made only with accompanying disclosure documents and only in
the states and provinces for which they are approved.
Any reference in the newsletter to past performance(s) of companies previously profiled in
the newsletter(s) are specially selected to be referenced based on the favorable
performance of said companies and the companies referenced may not be representative of
all past profiles as not all past profiles have performed as well. Please remember that
past performance does NOT predict future results which is why it's called "past
performance".
On many occasions "Investor Alert" receives compensation from a third party in relation to
the Companies.


Re: dissapointed >> dummy MX record

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, May 25, 2005, 5:43:41 PM, evan wrote:
> Also look at honeyd.org for how honeypots are catching spammers.  Spamhaus uses
> a similar scheme where unknown and unused domains sit on servers across the
> world.  Any mail the server gets is obviously spam since no one should be
> sending an unused domain any mail.

> Honeyd.org has a live statistics page that has known spammer IPs.  I would love
> it if they could make a DNS RBL out of this information!

Some well-known, widely-used, existing RBLs are based on such
data.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: dissapointed >> dummy MX record

Posted by ev...@coolrunningconcepts.com.
> Do you have any links to linux based "fake proxypots" ?
> They sound cool, or maybe it's just fun to say...

Look for implementations of "Teergrube" on google.

A famous one which shut down awhile back is LaBrea - which uses similar
technology for catching worms.

There is a Linux netfilter plugin based on a TCP implementation similar to
LaBrea which can do this.  There is a timeout-list plugin as well, that would
allow a rule to match a list of IPs (of spammers) which would timeout after a
certain amount of time.  This allows a user-space utility to add IPs to this
list making the kernel direct packets to the tarpit, and have it automatically
time-out (necessary so the list doesn't overflow with too many IPs and take the
kernel down! which is tough to do, but I managed)

Also look at honeyd.org for how honeypots are catching spammers.  Spamhaus uses
a similar scheme where unknown and unused domains sit on servers across the
world.  Any mail the server gets is obviously spam since no one should be
sending an unused domain any mail.

Honeyd.org has a live statistics page that has known spammer IPs.  I would love
it if they could make a DNS RBL out of this information!




Re: dissapointed >> dummy MX record

Posted by li...@zeta.net.
>On Tuesday, May 24, 2005, 6:56:08 AM, Ronan McGlue wrote:
>>  I added a dummy mx record (lowest preference) as we all know it's
>>  generally the one the spammers target first, which is getting hit with
>>  about 50% of our daily connections, of which I defer all of them at a
>>  very low overhead.
>
>Some of the spammers will eventually notice that your bogus MXer
>is not responding and fall back to trying the other MXers.

Jeff,

Why would they notice?  In my mind, the mailserver would accept the
connections and emails, only to silently defer them.  And by defer, I
mean delete them without any rejection or reply.


>There are several alternatives, including using fake proxypots
>that simulate a mailserver to varying degrees and may fool
>spammers for longer.

Do you have any links to linux based "fake proxypots" ?
They sound cool, or maybe it's just fun to say...

Thanks,
Devin