Posted to users@spamassassin.apache.org by Bart Schaefer <ba...@gmail.com> on 2006/04/28 18:00:45 UTC

Those "Re: good obfupills" spams

The largest number of spam messages currently getting through SA at my
site are short text-only spams with subject "Re: good " followed by an
obfuscated drug name (so badly mangled as to be unrecognizable in many
cases).  The body contains a gappy-text list of several other kinds of
equally unreadable pharmaceuticals, a single URL which changes daily
if not more often, and then several random words and a short excerpt
from a novel.

They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone
aren't scored high enough to classify as spam, and I'm reluctant to
crank them up just for this.  However, the number of spams getting
through SA has tripled in the last four days or so, from around 14 for
every thousand trapped, to around 40.

I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far
they aren't having any useful effect.  Other suggestions?

Re: Those "Re: good obfupills" spams

Posted by Stuart Johnston <st...@ebby.com>.
Bart Schaefer wrote:
> The largest number of spam messages currently getting through SA at my
> site are short text-only spams with subject "Re: good " followed by an
> obfuscated drug name (so badly mangled as to be unrecognizable in many
> cases).  The body contains a gappy-text list of several other kinds of
> equally unreadable pharmaceuticals, a single URL which changes daily
> if not more often, and then several random words and a short excerpt
> from a novel.
> 
> They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone
> aren't scored high enough to classify as spam, and I'm reluctant to
> crank them up just for this.  However, the number of spams getting
> through SA has tripled in the last four days or so, from around 14 for
> every thousand trapped, to around 40.
> 
> I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far
> they aren't having any useful effect.  Other suggestions?

The ReplaceTags plugin can be very useful for creating rules to match 
these.  Let's say you get a message with text that looks like:

S b P u A z M

where the lower-case letters vary.  A traditional rule might look like:

/S [a-z] P [a-z] A [a-z] M/

Which is really not too bad.  However, ReplaceTags allows you to create 
shorthand.  Something like:

replace_tag WS ( [a-z] )

And your rule becomes:

/S<WS>P<WS>A<WS>M/

For this to work, you'll also need to add your rule name to a 
replace_rules line.  Using parentheses in your regex will create wasted 
captures so you'll probably want to use a different method to mark off 
the whitespace.  You also might want to add a negative lookahead 
although in this case you probably wouldn't need it.

For more on ReplaceTags: 
http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_ReplaceTags.html

-Stuart
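
The rule described above as a complete local.cf fragment. This is an added example, not part of the original post or of the SpamAssassin distribution. The rule name LOCAL_GAPPY_SPAM, its description and its score are assumptions, and the non-capturing group is one choice for the "different method" the post leaves open.

```conf
# local.cf fragment (added example; LOCAL_GAPPY_SPAM is a hypothetical name)

# Load the plugin if your .pre files do not already do so.
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

# Tag delimiters assumed by the <WS> notation used in the post.
replace_start <
replace_end   >

# Version from the post: it matches, but every <WS> adds a capture
# group to the expanded regex.
# replace_tag WS ( [a-z] )

# Same match without the wasted captures: (?: ) groups without capturing.
replace_tag WS (?: [a-z] )

# Matches "S b P u A z M": fixed capitals separated by
# space, one lower-case letter, space.  The \b anchors keep the
# pattern from matching in the middle of a longer run of letters.
body     LOCAL_GAPPY_SPAM  /\bS<WS>P<WS>A<WS>M\b/
describe LOCAL_GAPPY_SPAM  Capitals separated by lower-case filler letters
score    LOCAL_GAPPY_SPAM  1.0

# Without this line the tags are not expanded: the regex keeps the
# literal text "<WS>" and never matches the obfuscated form.
replace_rules LOCAL_GAPPY_SPAM
```

Run `spamassassin --lint` after editing to catch syntax errors before the rule goes live.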

Re: Those "Re: good obfupills" spams

Posted by Bart Schaefer <ba...@gmail.com>.
On 4/28/06, qqqq <qq...@usermail.com> wrote:
>
> I would make a subject "Re: good " rule that scores just high enough to push it to the spam level.

They're only scoring about 3.3, and I'm reluctant to make "Re: good"
worth 2 points all by itself.  That'd be worse than increasing the
spamcop score.

A meta rule, though ...

Re: Those "Re: good obfupills" spams

Posted by qqqq <qq...@usermail.com>.
|
| They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone
| aren't scored high enough to classify as spam, and I'm reluctant to
| crank them up just for this.  However, the number of spams getting
| through SA has tripled in the last four days or so, from around 14 for
| every thousand trapped, to around 40.
|
| I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far
| they aren't having any useful effect.  Other suggestions?

I would make a subject "Re: good " rule that scores just high enough to push it to the spam level.

QQQQ