Posted to users@spamassassin.apache.org by Igor Chudov <ic...@Algebra.Com> on 2007/07/17 21:15:49 UTC
Post cart spams
I am receiving a huge amount of these spams:
http://igor.chudov.com/tmp/postcard-spam.txt
Just how much I got is totally incredible. I am afraid that the reason
for the sheer quantity is that I actually did check out the
website. (I assume a hacked computer)
I knew full well that it was a bad site. But I was not afraid since I
used Linux. This is some sort of a windows exploit, using metafile
holes and asking to run an .exe.
But I guess the unique id embedded in the URL noted that I reacted to
this spam, so I am getting a lot.
Anyway, it seems that a lot of these postcard spams are slipping by
SA. I wrote a procmail rule to catch them:
:0
* ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
$MAILDIR/rejected
(that's a folder that I do review periodically)
I would prefer, however, to use spamassassin instead of homebrew
procmail rules, due to fear of false positives. Any idea if there are
any rules that I am missing that would help?
i
Re: Post cart spams
Posted by Duane Hill <d....@yournetplus.com>.
On Tue, 17 Jul 2007 at 14:15 -0500, ichudov@Algebra.Com confabulated:
> I am receiving a huge amount of these spams:
>
> http://igor.chudov.com/tmp/postcard-spam.txt
>
> Just how much I got is totally incredible. I am afraid that the reason
> for the sheer quantity is that I actually did check out the
> website. (I assume a hacked computer)
>
> I knew full well that it was a bad site. But I was not afraid since I
> used Linux. This is some sort of a windows exploit, using metafile
> holes and asking to run an .exe.
>
> But I guess the unique id embedded in the URL noted that I reacted to
> this spam, so I am getting a lot.
>
> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them:
>
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
>
> (that's a folder that I do review periodically)
>
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there are
> any rules that I am missing that would help?
I just ran that message through the install on our filter servers and it
scored right at 5.0. I've seen a lot being trapped as well. There are a
very few that slip by.
X-Spam-Status: Reqd:5.0 Hits:5.0 Learn:disabled Tests:DATE_IN_PAST_96_XX=2.32,
HS_INDEX_PARAM=0.001,NORMAL_HTTP_TO_IP=0.001,STOX_REPLY_TYPE=0.001,
TVD_FINGER_02=2.72
-------
_|_
(_| |
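Duane's post shows a message that landed exactly on the 5.0 threshold, which is the kind of borderline hit a single extra rule would flip either way. The following is an added example, not code from the thread or from SpamAssassin itself: it parses the site-specific Reqd/Hits/Tests style of X-Spam-Status header quoted above (a constructed copy of that line, folded the way it appeared in the mail), recomputes the score from the individual test hits, checks it against the reported total, and flags messages whose score sits within a chosen margin of the threshold. The header layout and the margin are assumptions for the example.

```python
import re

# Constructed sample, modelled on the X-Spam-Status line quoted in the post
# (a site-specific add_header template, not SpamAssassin's default wording).
SAMPLE_HEADER = (
    "X-Spam-Status: Reqd:5.0 Hits:5.0 Learn:disabled Tests:DATE_IN_PAST_96_XX=2.32,\n"
    "HS_INDEX_PARAM=0.001,NORMAL_HTTP_TO_IP=0.001,STOX_REPLY_TYPE=0.001,\n"
    "TVD_FINGER_02=2.72"
)

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*Reqd:(?P<reqd>-?[\d.]+)\s+Hits:(?P<hits>-?[\d.]+)"
    r"\s+Learn:(?P<learn>\S+)\s+Tests:(?P<tests>\S*)",
    re.IGNORECASE,
)


def unfold(header: str) -> str:
    """Join a folded or line-wrapped header back into one physical line."""
    return re.sub(r"\r?\n[ \t]*", "", header.strip())


def parse_spam_status(header: str) -> dict:
    """Return required score, reported hits, learn state and a {test: score} map."""
    m = STATUS_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Reqd/Hits/Tests style X-Spam-Status header")
    tests = {}
    for item in filter(None, m.group("tests").split(",")):
        name, _, score = item.partition("=")
        tests[name] = float(score) if score else 0.0
    return {
        "required": float(m.group("reqd")),
        "hits": float(m.group("hits")),
        "learn": m.group("learn"),
        "tests": tests,
    }


def sum_scores(tests: dict) -> float:
    """Recompute the total from the individual test scores."""
    return sum(tests.values())


def reported_matches_sum(status: dict, places: int = 1) -> bool:
    """Sanity check: the header's Hits should equal the rounded sum of its tests."""
    return round(sum_scores(status["tests"]), places) == round(status["hits"], places)


def is_borderline(status: dict, margin: float = 0.5) -> bool:
    """True when the score is within `margin` points of the threshold on either
    side: these are the messages a single extra rule (such as a 2.5-point
    postcard rule) would flip from ham to spam or vice versa."""
    return abs(status["hits"] - status["required"]) <= margin


def top_tests(tests: dict, n: int = 3) -> list:
    """The n highest-scoring tests, most useful when reviewing borderline mail."""
    return sorted(tests.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_HEADER)
    print("reported", status["hits"], "recomputed", round(sum_scores(status["tests"]), 3))
    print("borderline:", is_borderline(status), "top:", top_tests(status["tests"]))
```

Run over a mailbox, `is_borderline` picks out exactly the messages worth inspecting before adding or rescoring a rule, which is what the rest of the thread goes on to do with POSTCARD_01.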
Re: Post cart spams
Posted by Ken A <ka...@pacific.net>.
Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
>
> i
>
sorry. I don't know how to use from procmail, but if you want to scan
for viruses, read the install docs.
--
Ken Anderson
Pacific.Net
Re: Post cart spams
Posted by Bob McClure Jr <bo...@bobcatos.com>.
On Wed, Jul 18, 2007 at 03:42:31AM +0300, Jari Fredriksson wrote:
> Bob McClure Jr wrote:
> >I installed clamassassin
>
> What a dumb name for software. Does it want to assassin ClamAV?
I think its intention was to make ClamAV as easy to use as
SpamAssassin, and it succeeds very well. I'd also say that's a
compliment to SA, and well deserved, indeed.
> lol
>
> I don't know it, may be a good one though.
Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
bob@bobcatos.com http://www.bobcatos.com
Instead of their shame my people will receive a double portion, and
instead of disgrace they will rejoice in their inheritance; and so
they will inherit a double portion in their land, and everlasting joy
will be theirs. Isaiah 61:7 (NIV)
Re: Post cart spams
Posted by Loren Wilton <lw...@earthlink.net>.
> What a dumb name for software. Does it want to assassin ClamAV?
Isn't assassinating clams against some law somewhere?
Loren
Re: Post cart spams
Posted by Jari Fredriksson <ja...@iki.fi>.
Bob McClure Jr wrote:
> I installed clamassassin
What a dumb name for software. Does it want to assassin ClamAV?
lol
I don't know it, may be a good one though.
Re: Post cart spams
Posted by Bob McClure Jr <bo...@bobcatos.com>.
On Tue, Jul 17, 2007 at 02:30:05PM -0500, Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
>
> i
I installed clamassassin
http://jameslick.com/clamassassin/
and run the daemonized clamd. Then I call it from the system
/etc/procmailrc this way:
============= snip 8<-------------------------
PATH=/bin:/usr/bin:/usr/local/bin
# LOGFILE=/var/log/procmail.log
LOGFILE=/dev/null
# Virus trap
:0fw
| /usr/local/bin/clamassassin
:0
* ^X-Virus-Status: Yes
/dev/null
============= snip 8<-------------------------
Of course you can divert it to some quarantine bin, instead of
/dev/null.
Be sure to set up ClamAV as daemon or stand-alone first, before you
build clamassassin. clamassassin figures out for itself whether it
needs to call clamscan or clamdscan during the build process.
Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
bob@bobcatos.com http://www.bobcatos.com
Instead of their shame my people will receive a double portion, and
instead of disgrace they will rejoice in their inheritance; and so
they will inherit a double portion in their land, and everlasting joy
will be theirs. Isaiah 61:7 (NIV)
Re: Post cart spams
Posted by Loren Wilton <lw...@earthlink.net>.
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
While you can do that, I think he meant to use it from SA instead, and get
the 10 point score for these "virus" attempts.
Loren
Re: Post cart spams
Posted by Jari Fredriksson <ja...@iki.fi>.
Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
>
> i
You can use it via Amavis (amavisd-new), or directly via SpamAssassin with
its ClamAV plugin.
Amavis puts the messages in a quarantine folder, and it shows up as a virus.
The SA plugin adds spam points to the message, and it shows up as spam.
Re: Post cart spams
Posted by Igor Chudov <ic...@Algebra.Com>.
Ken, I just downloaded clamav, it seems to be a file scanning tool?
How do you use it from procmail? Thanks a lot!
i
Re: Post cart spams
Posted by Ken A <ka...@pacific.net>.
Igor Chudov wrote:
> I am receiving a huge amount of these spams:
>
> http://igor.chudov.com/tmp/postcard-spam.txt
>
> Just how much I got is totally incredible. I am afraid that the reason
> for the sheer quantity is that I actually did check out the
> website. (I assume a hacked computer)
>
> I knew full well that it was a bad site. But I was not afraid since I
> used Linux. This is some sort of a windows exploit, using metafile
> holes and asking to run an .exe.
>
> But I guess the unique id embedded in the URL noted that I reacted to
> this spam, so I am getting a lot.
>
> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them:
>
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
>
> (that's a folder that I do review periodically)
>
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there are
> any rules that I am missing that would help?
>
> i
>
clamav is catching these, fwiw.
--
Ken Anderson
Pacific.Net
RE: Post cart spams
Posted by Daniel J McDonald <da...@austinenergy.com>.
On Tue, 2007-07-17 at 15:33 -0700, John D. Hardin wrote:
> On Tue, 17 Jul 2007, Dan Barker wrote:
>
> >> http://www.impsec.org/~jhardin/antispam/
> >
> > I don't see it in that directory. What's the filename?
>
> postcards.cf
>
> It takes a short while after I send the email for the file to sync out
> to the server.
works like a champ for me:
[mcdonalddj@sa ~]$ sudo grep -o -P POSTCARD.*?= /var/log/mail/info | sort | uniq -c
444 POSTCARD_01=
That's in just 2 hours...
Thanks!
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
RE: Post cart spams
Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 17 Jul 2007, Dan Barker wrote:
>> http://www.impsec.org/~jhardin/antispam/
>
> I don't see it in that directory. What's the filename?
postcards.cf
It takes a short while after I send the email for the file to sync out
to the server.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
7 days until The 38th anniversary of Apollo 11 landing on the Moon
RE: Post cart spams
Posted by Dan Barker <db...@visioncomm.net>.
"It's probably badly mangled by line wrap, so I'm also posting it here:
http://www.impsec.org/~jhardin/antispam/"
I don't see it in that directory. What's the filename?
Dan
-----Original Message-----
From: John D. Hardin [mailto:jhardin@impsec.org]
Sent: Tuesday, July 17, 2007 3:38 PM
To: Igor Chudov
Cc: Spamassassin Mailing List
Subject: Re: Post cart spams
On Tue, 17 Jul 2007, Igor Chudov wrote:
> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them:
>
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
>
> (that's a folder that I do review periodically)
>
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there are
> any rules that I am missing that would help?
Here's what I am using:
describe POSTCARD_01 You got a postcard!
header POSTCARD_01 Subject =~ /You(?:'ve| have) (?:received )?an? (?:new )?(?:greeting |anonymous )?(?:postcard|e?card) from an? (?:admirer|colleague|family member|friend|mate|neighbou?r|partner|(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)/i
score POSTCARD_01 2.50
It's probably badly mangled by line wrap, so I'm also posting it here:
http://www.impsec.org/~jhardin/antispam/
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
7 days until The 38th anniversary of Apollo 11 landing on the Moon
Re: Post cart spams
Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 17 Jul 2007, Igor Chudov wrote:
> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them:
>
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
>
> (that's a folder that I do review periodically)
>
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there
> are any rules that I am missing that would help?
Here's what I am using:
describe POSTCARD_01 You got a postcard!
header POSTCARD_01 Subject =~ /You(?:'ve| have) (?:received )?an? (?:new )?(?:greeting |anonymous )?(?:postcard|e?card) from an? (?:admirer|colleague|family member|friend|mate|neighbou?r|partner|(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)/i
score POSTCARD_01 2.50
It's probably badly mangled by line wrap, so I'm also posting it here:
http://www.impsec.org/~jhardin/antispam/
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
7 days until The 38th anniversary of Apollo 11 landing on the Moon
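The thread contrasts Igor's broad procmail condition with John Hardin's much tighter POSTCARD_01 rule, and Igor's worry was false positives. The following is an added example, not code posted by anyone in the thread: it re-expresses both patterns as Python regexes (Perl's `(?:...)`, `?` and `|` carry over unchanged, and `/i` becomes `re.IGNORECASE`; procmail conditions are case-insensitive by default, so the same flag is used for that one) and runs them over constructed subject lines, three that imitate the postcard spam and two that are ordinary mail. The sample subjects and the 4.9-point base score in the last helper are assumptions for the example.

```python
import re

# Igor's procmail condition, matched against the raw "Subject: ..." header
# line the way procmail would. Procmail regexes are case-insensitive unless
# the recipe carries the D flag, hence IGNORECASE.
PROCMAIL_CONDITION = re.compile(
    r"^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*", re.IGNORECASE)

# John Hardin's POSTCARD_01 rule from the thread, with the line-wrapped regex
# joined back together. A SpamAssassin `header X Subject =~ /.../` rule runs
# against the decoded header value, not the "Subject:" line, so it is applied
# to the bare subject below.
POSTCARD_01 = re.compile(
    r"You(?:'ve| have) (?:received )?an? (?:new )?(?:greeting |anonymous )?"
    r"(?:postcard|e?card) from an? "
    r"(?:admirer|colleague|family member|friend|mate|neighbou?r|partner|"
    r"(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)",
    re.IGNORECASE)
POSTCARD_01_SCORE = 2.50  # the score line from the posted rule

# Constructed subject lines (not taken from real mail): the first three
# imitate the postcard spam discussed in the thread, the last two are
# legitimate subjects of the kind a broad rule risks sweeping up.
SAMPLE_SUBJECTS = [
    "You've received a postcard from a family member!",
    "You have received an ecard from a class mate",
    "You've received a greeting card from a Worshipper",
    "You've ordered a greeting card from Acme Print Shop",
    "Re: your postcard from a trip",
]


def matches_procmail_rule(subject: str) -> bool:
    return PROCMAIL_CONDITION.search(f"Subject: {subject}") is not None


def matches_postcard_01(subject: str) -> bool:
    return POSTCARD_01.search(subject) is not None


def evaluate(subject: str) -> dict:
    """Which of the two rules fire on one subject line."""
    return {
        "subject": subject,
        "procmail": matches_procmail_rule(subject),
        "POSTCARD_01": matches_postcard_01(subject),
    }


def disagreements(subjects) -> list:
    """Subjects where the two rules disagree: the broad rule's false positives
    and the spam variants ("You have ...") that Igor's pattern misses."""
    return [r for r in map(evaluate, subjects) if r["procmail"] != r["POSTCARD_01"]]


def total_with_postcard(base_hits: float, subject: str) -> float:
    """Score a message would reach once POSTCARD_01 is added to its other hits;
    with a 5.0 threshold this is what turns a near-miss into a catch."""
    return base_hits + (POSTCARD_01_SCORE if matches_postcard_01(subject) else 0.0)


if __name__ == "__main__":
    for r in map(evaluate, SAMPLE_SUBJECTS):
        print(f"procmail={r['procmail']!s:5} POSTCARD_01={r['POSTCARD_01']!s:5} {r['subject']}")
    print("disagreements:", len(disagreements(SAMPLE_SUBJECTS)))
```

The point the sample makes is that the tighter rule is both stricter and broader in the right places: it refuses the print-shop confirmation that the procmail condition would have filed in `rejected`, and it still catches the "You have received" wording that the procmail condition (anchored on "you've") never sees. That is what a moderate 2.5 score inside SpamAssassin buys over a hard procmail reject.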