Posted to users@spamassassin.apache.org by Andreas Davour <an...@Update.UU.SE> on 2005/04/13 22:22:56 UTC

Need for a new rule?

The following message has many characteristics in common with much spam 
I've been getting lately. It's about investments, often shares, stock 
options or oil. One odd thing about those messages is that they all, 
like the one quoted below, have the letter 'l' substituted for the pipe 
character, i.e. '|'.

Are there any rules for this? Would one be hard to design? I haven't seen 
anything about it in the documentation. Or I haven't understood what 
I've read...

/Andreas

-------------------------------------------------------------------
>From szpqknp@ansun.net Wed Apr 13 14:31:31 2005
Return-Path: <sz...@ansun.net>
X-Original-To: ante@update.uu.se
Delivered-To: ante@update.uu.se
Received: from localhost (localhost [127.0.0.1])
 	by Psilocybe.Update.UU.SE (Postfix) with ESMTP id B092238015;
 	Wed, 13 Apr 2005 14:31:31 +0200 (CEST)
Received: from Psilocybe.Update.UU.SE ([127.0.0.1])
 	by localhost (Psilocybe [127.0.0.1]) (amavisd-new, port 10024)
 	with LMTP id 02475-01-2; Wed, 13 Apr 2005 14:31:29 +0200 (CEST)
Received: from 130.238.19.25 (unknown [221.127.33.157])
 	by Psilocybe.Update.UU.SE (Postfix) with SMTP id 0E66138014;
 	Wed, 13 Apr 2005 14:31:20 +0200 (CEST)
Received: from story
  (IPSN-180-793.boss-it.com [207.183.238.26] (may be forged))
 	by armoire.boss-it.com (MOS 3.6.9-GR)	with ESMTP id DUP56382 (AUTH story-00)
  ; Wed, 13 Apr 2005 18:25:11 +0600 (IST)
  Date: Wed, 13 Apr 2005 13:28:11 +0100
From: "Arline Mckinney" <sz...@ansun.net>
Subject: Market alerts generate the investor's leading edge
To: <lt...@update.uu.se>
References: <NR...@arumc.org>
In-Reply-To: <NR...@arumc.org>
Message-ID: <64...@story.boss-it.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Date: Wed, 13 Apr 2005 14:31:20 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
 	Psilocybe.Update.UU.SE
X-Spam-Level: ****
X-Spam-Status: No, score=4.5 required=5.0 tests=RCVD_HELO_IP_MISMATCH,
 	RCVD_NUMERIC_HELO autolearn=no version=3.0.2

The Oil and Gas Advisory
Now that Oil and Gas has entered a long-term bul| market,
our specia|ty in pinpointing the hottest companies of the few remaining
undervalued energy plays has produced soaring returns.
Emerson Oil and Gas (EOGI) is an energy developer in the US "Oi| Be|t"
and in Canada's most highly coveted reservoirs with generating
potential of Millions per week.

Breaking NEws!!!

Emerson Oi| and Gas Identifies Lease 0pp0rtunity in South Texas 
Providing 0pp0rtunity 
for 22-Well Re-entry in Fie|d with Strong Producing History and Large 
Recoverab|e Reserves
South Texas in a |arge existing field that was discovered and dril|ed 
by major oil companies 
in the 1970s.The field is established with substantial recoverab|e 
reserves, estimated at over 
3.9 mil|ion barre|s of oi| and about 2 bil|ion cubic ft. of gas in the 
two pay zones.

Symbol - EOGI
Price -   .065

The value of EOGI's shares wi|| skyrocket:

1. Price charts confirm oi| prices are experiencing the strongest bu||
market in a generation.

2. Natural Gas prices have tripled in the last two years.

3. With multip|e projects in high-gear and the expanding production on
reserves worth multi-mi|lions, EOGI is se||ing for |ess than 1/4 the
va|ue of its assets.

4. Emerson Oil and Gas specializes in using new techno|ogy to turn
unproductive oil and gas deposits into profitab|e enterprises.
Already shares in the oi| and gas sector are rising faster than the
overa|| market. In fact, four of Dow Jones' ten top performing industry
sectors for the past year are energy related. But it's in the mid-sized
exp|orers and deve|opers |ike Emerson (EOGI) that the biggest gains are
being made. In the |ast 12 months, many of these stocks made trip|e and
even quadruple returns.

Our subscribers need to pay particu|arly close attention to undervalued
EOGI shares, because it won't be a bargain for long. This small company
with a comparab|y smal| market va|ue, is sitting on a bonanza of oi|
and gas reserves - an unrecognized bonus for investors especia||y with
the dai|y jump in energy prices.

But a|| that wi|l change in a few short weeks, as these reserves move
into production, bringing an exp|osion of cash that is expected to
capture the attention of the market, and have an equal|y explosive
effect on the share price.

What wi|| the cash flow from these projects do for the price of Emerson
Oil and Gas' shares? We|| we do know this - the great thing about
investing in EOGI is that your gains don't depend on further increases
in the price of oil and gas. Even if energy prices stay f|at, or 
dec|ine
slight|y, you wi|l still make a very healthy return. Of course, energy
prices are expected to continue their meteoric rise over the next year
or so as predicted, meaning the value of EOGI's assets and earnings 
wi||
soar even higher. In that case, the reward for investors wil| be 
staggering.

Overa||, we consider EOGI to be one of the |ast outstanding energy
p|ays in the oil and gas sector. Once this discovery has been realized,
EOGI shares wi|| surge sharp|y on heavy investor attention. We have
identified this discovery for immediate accumu|ation. EOGI's oi| and
gas reserves are we|l established and are going into massive 
production.
Early investors wil| secure optimum gains, and any additional news in 
this
area will rea||y turn up the heat, causing us to revise our targets
upward in next week's bulletin.

Oil and Gas Advisory (OGA) is not a investment expert. Certain
statements contained in this news|etter may be future-|ooking
statements within the meaning of The Private Securities Litigation 
Reform Act of 1995.
Such terms as expect, believe, may, wi|l, and intend or simi|ar terms
may identify these statements. Past-performance is not an indicator of
future-resu|ts. This is not an expert to acquire or se|| securities.
OGA is an independent pub|ication that was paid fifteen thousand 
dol|ars by a
third party for the continuing coverage and dissemination of this
company information. Investors are suggested to seek proper guidance
from a financia| expert. Investors should use the information provided 
in this
newsletter as a starting point for gathering additiona| information on
the profi|ed company to a||ow the investor to form their own opinion
regarding investment.

If you wish to stop future mailings, or if you fee| you have been
wrongfu|ly placed in our membership, please go here or send a blank
e mail with No Thanks in the subject to   st0ck62 @ yahoo.com

-- 
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

Re: Need for a new rule?

Posted by Craig McLean <cr...@craig.dnsalias.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Davour wrote:
[snip]

| Are there any rule for this? Would one be hard do design? I haven't seen
| anything about is in the documentation. OR, I haven't understood what
| I've read...

I just wrote a bunch of obfu-rules with negative lookaheads and made
meta-rules out of them; it nails anything like this because there is
generally no need for people to spell dollar with 2 |'s (or "will",
"overall" etc.)

Anyway, the attached might help a bit (with apologies for all the SA
installs which it may trigger)... Pointers, corrections etc. welcome as
always.

Regards,
Craig.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFCXZmkMDDagS2VwJ4RAohYAKDx631Ya2sxgwJ76vLCHFKgYwTLEQCeMkxE
IdzMVRyuNtJb+XR8x27k22Y=
=+tzz
-----END PGP SIGNATURE-----

Re: Need for a new rule?

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, April 13, 2005, 1:42:10 PM, Stuart Johnston wrote:
> body L_STOX2 /st0ck\d{2}\s{0,4}\@\s{0,4}yahoo.com/i

FWIW, the st0ckNN @ yahoo.com spammer seems to have changed
back to 4 digits:

> If you wish to stop future mailings, or if you fee| you have been
> wrongful|y p|aced in our membership, p|ease go here or send a blank
> e mail with No Thanks in the subject to   st0ck1007  @yahoo.com

So it's time to adjust/modify that filter again.

(I guess he was behind on his reading.  Hi spammy!  ;-)

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Need for a new rule?

Posted by Stuart Johnston <st...@ebby.com>.
Andreas Davour wrote:
> 
> The following message has many characteristics in common with much spam 
> I've been getting lately. It's about investments, often shares, stock 
> options or oil. One odd thing about those messages is that they all, 
> like the one quoted below, have the letter 'l' substituted for the pipe 
> character, i.e. '|'.
> 
> Are there any rules for this? Would one be hard to design? I haven't seen 
> anything about it in the documentation. Or I haven't understood what 
> I've read...
> 
> /Andreas

There have been several threads about this specific spammer in the last 
few months.  Some of them with this exact question - mostly the answer 
is no.

> e mail with No Thanks in the subject to   st0ck62 @ yahoo.com

It is much easier to match on this email address with something like:

body L_STOX2 /st0ck\d{2}\s{0,4}\@\s{0,4}yahoo.com/i
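Stuart's rule and Jeff's follow-up (the spammer switching from two digits with spaces on both sides of the '@' to four digits with spaces only before it) can be checked together. The harness below is an added Python example, not code from either post and not a SpamAssassin rule: it runs the pattern as posted and a loosened variant over the two address lines quoted in the thread plus one constructed clean line. The loosened pattern is my assumption about how to cover both forms; it borrows the `st(?:0|o)cks?` idea from Martin's rule further down the thread and allows 1 to 4 digits and any whitespace around the '@'.

```python
import re

# Constructed inputs: the two variants of the opt-out address quoted in this
# thread, plus an ordinary address that must not match.
SAMPLES = {
    "two_digits_spaced": "e mail with No Thanks in the subject to   st0ck62 @ yahoo.com",
    "four_digits": "e mail with No Thanks in the subject to   st0ck1007  @yahoo.com",
    "clean": "please write to support@example.com with any questions",
}

# Stuart's rule as posted: exactly two digits, up to four spaces either side of '@'.
L_STOX2 = re.compile(r"st0ck\d{2}\s{0,4}\@\s{0,4}yahoo.com", re.I)

# Assumed loosened version: 'o' or '0', optional plural, 1-4 digits, any amount of
# whitespace around '@', and a literal dot so "yahooXcom" is not accepted.
L_STOX2_LOOSE = re.compile(r"\bst[0o]cks?\d{1,4}\s*@\s*yahoo\.com\b", re.I)


def hits(pattern, samples=SAMPLES):
    """Map each sample name to whether the pattern is found anywhere in it."""
    return {name: pattern.search(text) is not None for name, text in samples.items()}


if __name__ == "__main__":
    print("as posted:", hits(L_STOX2))
    print("loosened :", hits(L_STOX2_LOOSE))
```

The posted rule misses the four-digit form only because `\d{2}` is exact and the following `\@` then lands on the third digit; widening the digit count is the whole fix, the whitespace change is incidental.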


Re: Need for a new rule?

Posted by John Hardin <jo...@aproposretail.com>.
On Wed, 2005-04-13 at 13:22, Andreas Davour wrote:
> The following message has many characteristics in common with much spam 
> I've been getting lately. It's about investments, often shares, stock 
> options or oil. One odd thing about those messages is that they all, 
> like the one quoted below, have the letter 'l' substituted for the pipe 
> character, i.e. '|'.
> 
> Are there any rules for this? Would one be hard to design? 

There are several tools available to generate obfuscated-word rules for
you. Here's the one I made:

	http://www.impsec.org/email-tools/obfusc.pl

It reads a wordlist file containing data like:

	million         1.0

and generates SA rulesets like:

	# million @ 1.0
	describe  OBFU_WRD_071    obfuscated "million"
	body      OBFU_WRD_071    /\b(?!million)(?:m|([\/\|]\\\/[\|\\])|&\#(?:77|109);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[o0\xA9\xAE\xBC\xBD\xD2-\xD6\xD8\xF0\xF2-\xF6\xF8]|&o[a-z]+;|([(][)]))(?:[n\xD1\xF1]|(\|\\\|)|&\#(?:78|110);)/i
	score     OBFU_WRD_071    1.0

I've posted it here before, but thought it was worth a refresh given the
obfu questions that are popping up lately.

It doesn't catch obfuscations that include too many letters (e.g.
milllion) but could easily be altered to do so by adding a + after each
of the (?:gibberish) submatches. That would probably increase false
positives a bit.

--
John Hardin
Development and Technology group (Seattle)
CRS Retail Systems, Inc.
3400 188th Street SW, Suite 185
Lynnwood, WA 98037
voice: (425) 672-1304
  fax: (425) 672-0192
email: jhardin@crsretail.com
  web: http://www.crsretail.com
-----------------------------------------------------------------------
  When freedom gives way to tyranny, it is not because tyranny comes
  dressed as a wolf. Rather, it comes dressed as a shepherd,
  pointing out other wolves. Go *read* the Patriot Act.
-----------------------------------------------------------------------
 35 days until Revenge of the Sith
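The technique Craig describes and John's generator implements (a per-letter look-alike class for each character of the word, wrapped in a negative lookahead so the plainly spelled word never fires) is small enough to sketch in Python. The block below is an added example, not obfusc.pl and not code from either post; its SUBS table is a reduced, assumed subset of the substitutions visible in John's generated rule (no HTML entities or Latin-1 ranges), and the sample body is assembled from lines of the spam quoted at the top of the thread. It also shows John's "add a + after each sub-match" variant for spellings with extra letters such as "milllion". Lookarounds are used instead of `\b` because a word that starts or ends with '|' has no word boundary there.

```python
import re

# Reduced look-alike table for the letters the spam in this thread obfuscates.
# Assumed subset; the real obfusc.pl table covers every letter, entities and Latin-1.
SUBS = {
    "a": r"[a@4]",
    "e": r"[e3]",
    "i": r"[i!l1|]",
    "l": r"[l1i!|]",
    "m": r"(?:m|rn|\|\\\/\|)",   # m, rn, or |\/|
    "n": r"(?:n|\|\\\|)",        # n or |\|
    "o": r"[o0]",
    "s": r"[s5$]",
}

# Constructed sample body: three lines taken from the spam quoted above.
SAMPLE = (
    "Now that Oil and Gas has entered a long-term bul| market,\n"
    "3.9 mil|ion barre|s of oi| and about 2 bil|ion cubic ft. of gas.\n"
    "The value of EOGI's shares wi|| skyrocket.\n"
)


def obfuscated_word_regex(word, allow_repeats=False):
    """Build one rule: any look-alike spelling of `word`, but not the plain word."""
    parts = []
    for ch in word.lower():
        frag = SUBS.get(ch, re.escape(ch))
        if allow_repeats:
            # John's variant: a '+' after each sub-match also catches "milllion".
            frag = "(?:" + frag + ")+"
        parts.append(frag)
    # (?!word) rejects the plain spelling; (?<!\w) and (?!\w) bound the token
    # without relying on \b, which fails next to a leading or trailing '|'.
    pattern = r"(?<!\w)(?!" + re.escape(word.lower()) + ")" + "".join(parts) + r"(?!\w)"
    return re.compile(pattern, re.I)


def scan(body, wordlist, allow_repeats=False):
    """Count obfuscated hits per word, as a set of OBFU_WRD_* rules would."""
    return {
        w: sum(1 for _ in obfuscated_word_regex(w, allow_repeats).finditer(body))
        for w in wordlist
    }


if __name__ == "__main__":
    print(scan(SAMPLE, ["million", "oil", "will", "bull"]))
    print(obfuscated_word_regex("million").pattern)
```

Plain "Oil" on the first sample line is skipped by the lookahead while "oi|" on the second is counted, which is the whole point of the lookahead: the rule scores the obfuscation, not the topic. As John notes, switching on `allow_repeats` widens each class to one-or-more characters and will raise false positives somewhat.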


RE: Need for a new rule?

Posted by martin smith <ma...@ntlworld.com>.
M>-----Original Message-----
M>From: Andreas Davour [mailto:ante@Update.UU.SE]
M>Sent: 13 April 2005 21:23
M>Cc: users@spamassassin.apache.org
M>Subject: Need for a new rule?
M>
M>
M>The following message has many characteristics in common with much 
M>spam I've been getting lately. It's about investments, often shares, 
M>stock options or oil. One odd thing about those messages is that they 
M>all, like the one quoted below, have the letter 'l' substituted for 
M>the pipe character, i.e. '|'.
M>
M>Are there any rules for this? Would one be hard to design? I haven't 
M>seen anything about it in the documentation. Or I haven't understood 
M>what I've read...
M>
M>/Andreas

I have a couple of rules I have written to catch these spams, still catching
plenty right now but who knows how long for:-

body MS_Hide_Yahoo /(?: \@yahoo\.com\b|\@ yahoo\.com\b)/i
score MS_Hide_Yahoo 4.5
describe MS_Hide_Yahoo Attempt to hide yahoo email address

body __MS_Oil_Stock1 /\bo.l and gas\b/i

body __MS_Oil_Stock2 /(?:\b\(?EOGI|\b\(?MOGI|\b\(?TDCP|\b\(?MEGJ)/i

body __MS_Oil_Stock3 /(?:\bEmerson|\bmontana|\bAdeptrader|\bAtheletic)/i

uri  __MS_Oil_Stock4 /http\:\/\/finance\.yahoo\.com/i

body __MS_Ins_Stock1 /(?:\bGRDX|\b3DIcon|\bConclusion|\binvestments?|\bmarket value)/i

body __MS_Ins_Stock2 /(?:\bPenny St.ck|\bBuy Low|\bCurrent Price)/i

body __MS_Ins_Stock3 /(?:jeff.[0-9]{1,4}\@\b|\bst(?:0|o)cks?[0-9]{0,4}\@\b|\bNo Thanks)/i

body __MS_Ins_Stock4 /(?:\bst0ck|\bprice \$|\bdollars)/i

meta MS_Stock ((__MS_Oil_Stock1 + __MS_Oil_Stock2 + __MS_Oil_Stock3 + __MS_Oil_Stock4 + __MS_Ins_Stock1 + __MS_Ins_Stock2 + __MS_Ins_Stock3 + __MS_Ins_Stock4) > 2)

score MS_Stock 5.0
describe MS_Stock Investment Stock Spam

Make allowance for word-wrap, not sure how legible they will be.

Martin
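To see Martin's `> 2` meta threshold in action, his sub-rules are transcribed below into an added Python evaluator. This is a test harness, not SpamAssassin and not code from his post: the body sub-rules are searched case-insensitively, each counts as 0 or 1 the way SpamAssassin's meta arithmetic treats them, and the `uri` rule is checked against a separately supplied list because the harness has no URI extractor. The spam input is a handful of lines lifted from the message quoted at the top of the thread; the ham input is a constructed, unrelated business note.

```python
import re

# Constructed inputs: a few lines of the quoted spam, and an unrelated message.
SPAM = (
    "The Oil and Gas Advisory\n"
    "Emerson Oil and Gas (EOGI) is an energy developer in the US \"Oi| Be|t\"\n"
    "Symbol - EOGI\n"
    "Price -   .065\n"
    "e mail with No Thanks in the subject to   st0ck62 @ yahoo.com\n"
)
HAM = (
    "Hi, the quarterly market value report for the oil and gas division is attached.\n"
    "Please review the investment summary before Friday.\n"
)

# Martin's body sub-rules, transcribed to Python regexes.
BODY_SUBRULES = {
    "__MS_Oil_Stock1": r"\bo.l and gas\b",
    "__MS_Oil_Stock2": r"(?:\b\(?EOGI|\b\(?MOGI|\b\(?TDCP|\b\(?MEGJ)",
    "__MS_Oil_Stock3": r"(?:\bEmerson|\bmontana|\bAdeptrader|\bAtheletic)",
    "__MS_Ins_Stock1": r"(?:\bGRDX|\b3DIcon|\bConclusion|\binvestments?|\bmarket value)",
    "__MS_Ins_Stock2": r"(?:\bPenny St.ck|\bBuy Low|\bCurrent Price)",
    "__MS_Ins_Stock3": r"(?:jeff.[0-9]{1,4}\@\b|\bst(?:0|o)cks?[0-9]{0,4}\@\b|\bNo Thanks)",
    "__MS_Ins_Stock4": r"(?:\bst0ck|\bprice \$|\bdollars)",
}
BODY_SUBRULES = {k: re.compile(v, re.I) for k, v in BODY_SUBRULES.items()}
URI_SUBRULE = re.compile(r"http\:\/\/finance\.yahoo\.com", re.I)
HIDE_YAHOO = re.compile(r"(?: \@yahoo\.com\b|\@ yahoo\.com\b)", re.I)

META_THRESHOLD = 2       # meta MS_Stock fires when the sub-rule sum is > 2
SCORE_MS_STOCK = 5.0
SCORE_HIDE_YAHOO = 4.5


def evaluate(body, uris=()):
    """Return per-sub-rule hits and the score the two scored rules would add."""
    hits = {name: bool(rx.search(body)) for name, rx in BODY_SUBRULES.items()}
    hits["__MS_Oil_Stock4"] = any(URI_SUBRULE.search(u) for u in uris)
    # Each sub-rule contributes 0 or 1 to the meta sum, however often it matched.
    subrule_sum = sum(hits.values())
    ms_stock = subrule_sum > META_THRESHOLD
    hide_yahoo = HIDE_YAHOO.search(body) is not None
    score = (SCORE_MS_STOCK if ms_stock else 0.0) + (SCORE_HIDE_YAHOO if hide_yahoo else 0.0)
    return {"hits": hits, "sum": subrule_sum, "MS_Stock": ms_stock,
            "MS_Hide_Yahoo": hide_yahoo, "score": score}


if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("ham", HAM)):
        r = evaluate(body)
        fired = sorted(n for n, h in r["hits"].items() if h)
        print(f"{label}: sum={r['sum']} MS_Stock={r['MS_Stock']} score={r['score']} fired={fired}")
```

On the spam lines five sub-rules fire (`__MS_Oil_Stock1`, `2`, `3`, `__MS_Ins_Stock3` via "No Thanks", `__MS_Ins_Stock4` via "st0ck"), so MS_Stock fires and MS_Hide_Yahoo adds its 4.5. The ham note trips two sub-rules ("oil and gas", "market value"/"investment") and stays under the threshold, which is what the `> 2` is for.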