Posted to users@spamassassin.apache.org by JP Kelly <li...@jpkvideo.net> on 2008/02/28 20:36:12 UTC

China TLD links

any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:

> The main thing that stands out (to me) is the China TLD in the URL.
> We block all those on sight (unless they're in the recipient's domain skip
> list - so far, none of my users have any China TLDs in theirs).
>
> Perhaps one of the regex gurus will whip you up a rule. :)


Re: China TLD links

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
We got a tie!

> I'm curious to see the reason for /dev/null'ing this mail and instead
> send out a useless and annoying note. Which one will win the race, whore
> or triple x? :)

Though the photo-finish seems to suggest the whore pipped triple x at
the post...

Filter name: "KEYWORD= profanity: whore;sexual discrimination: whore;spam: xxx "

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: China TLD links

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2008-02-29 at 08:54 -0500, Randy Ramsdell wrote:
> Karsten Bräckelmann wrote:

> Blocking is one thing, but scoring is another. Aren't single words 
> defined in many rules for spamassassin?  I know "fsck"
> and "v%%gra" are which are not part of a meta rule.

Exactly my point, and I believe Daryl's, too. After all, this is what
scoring is all about in SA.

> I do agree, however, anything M$ does is stupid.

That I did not say, nor imply. Regardless of the fact I don't
particularly like MS. Also it is not MS sending these brain-dead
bounces. It is the admin's duty to pick the right tool for the job and
avoid tools like this that don't serve any purpose.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: China TLD links

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Karsten Bräckelmann wrote:
> On Thu, 2008-02-28 at 18:04 -0500, Daryl C. W. O'Shea wrote:
>   
>> Of course, now that I've used the word "whore" three times and quoted it
>> once I'm sure I'll get a deluge of bounces (not rejects) from people
>> running Microsoft's Antigen for SMTP.
>>
>> http://daryl.dostech.ca/blog/2008/02/22/microsoft-antigen-brain-dead-content-filter/
>>     
>
> Yes!
>
> There's at least one user on this list, somewhere behind an MS Antigen
> for SMTP, apparently run by psp.com (thank you, Sony), which has been
> bugging me a couple times already when answering questions. The OP dared
> to munge private email addresses:
>
>   Filter name: "KEYWORD= spam: xxx "
>
> I would not have expected anyone on *this* list to run such a stupid
> single-word content "filter". But hey, the subscriber is unlikely to get
> a lot of traffic from this list anyway passed beyond that wall...
>
> I'm curious to see the reason for /dev/null'ing this mail and instead
> send out a useless and annoying note. Which one will win the race, whore
> or triple x? :)
>
>   guenther
>
>   
Blocking is one thing, but scoring is another. Aren't single words 
defined in many rules for spamassassin?  I know "fsck"
and "v%%gra" are which are not part of a meta rule. I do agree, however, 
anything M$ does is stupid.


Re: China TLD links

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-02-28 at 18:04 -0500, Daryl C. W. O'Shea wrote:
> Of course, now that I've used the word "whore" three times and quoted it
> once I'm sure I'll get a deluge of bounces (not rejects) from people
> running Microsoft's Antigen for SMTP.
> 
> http://daryl.dostech.ca/blog/2008/02/22/microsoft-antigen-brain-dead-content-filter/

Yes!

There's at least one user on this list, somewhere behind an MS Antigen
for SMTP, apparently run by psp.com (thank you, Sony), which has been
bugging me a couple times already when answering questions. The OP dared
to munge private email addresses:

  Filter name: "KEYWORD= spam: xxx "

I would not have expected anyone on *this* list to run such a stupid
single-word content "filter". But hey, the subscriber is unlikely to get
a lot of traffic from this list anyway passed beyond that wall...

I'm curious to see the reason for /dev/null'ing this mail and instead
send out a useless and annoying note. Which one will win the race, whore
or triple x? :)

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: China TLD links

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 28/02/2008 5:04 PM, Randy Ramsdell wrote:
> * If this is a company server, I would certainly not have an issue with
> blocking or adding a high score for the word "Whore" and could do
> something with the word "Schoolgirl."

Maybe it's just my manufacturing background, but I'd block half of our
corporate mail (internal and between us and suppliers and customers) if
I were to block "whore".  IMHO single word (and very short phrase)
content filters are whoreable.

Of course, now that I've used the word "whore" three times and quoted it
once I'm sure I'll get a deluge of bounces (not rejects) from people
running Microsoft's Antigen for SMTP.

http://daryl.dostech.ca/blog/2008/02/22/microsoft-antigen-brain-dead-content-filter/

Daryl


Re: China TLD links

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
JP Kelly wrote:
> any takers on this?
>
>
> On Feb 27, 2008, at 2:31 PM, Chip M. wrote:
>
>> The main thing that stands out (to me) is the China TLD in the URL.
>> We block all those on sight (unless they're in the recipient's domain skip
>> list - so far, none of my users have any China TLDs in theirs).
>>
>> Perhaps one of the regex gurus will whip you up a rule. :)
>
* Both should be run through a manual sa-learn. (It would have caught 
the first example.)
* As Chip wrote earlier, each message has China-based links in them. 
Mark those.
* If this is a company server, I would certainly not have an issue with 
blocking or adding a high score for the word "Whore" and could do 
something with the word "Schoolgirl."

Randy Ramsdell

Re: China TLD links

Posted by Jeff Stadig <js...@co.jefferson.co.us>.
Don't know if this will help but we use the list on this site to block malicious Chinese and Korean IP addresses and network blocks via iptables - http://www.okean.com/

>>> JP Kelly <li...@jpkvideo.net> 2/28/2008 12:36:12 PM >>>
any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:

> The main thing that stands out (to me) is the China TLD in the URL.
> We block all those on sight (unless they're in the recipient's domain skip
> list - so far, none of my users have any China TLDs in theirs).
>
> Perhaps one of the regex gurus will whip you up a rule. :)



Re: China TLD links

Posted by JP Kelly <li...@jpkvideo.net>.
thank you guenther!

On Feb 29, 2008, at 5:39 AM, Karsten Bräckelmann wrote:

> While I understood this comment more generally, aiming at some rules to
> catch the provided spample -- if you actually are after an RE to score
> on China TLDs, here you go. That much should be easy:
>
> uri  TLD_CHINA  m,https?://([-\w]+\.)+cn(/|$),
>
>  guenther


Re: China TLD links

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-02-28 at 11:36 -0800, JP Kelly wrote:
> any takers on this?

On what?  The Subject or the not included original post?


> On Feb 27, 2008, at 2:31 PM, Chip M. wrote:
> > The main thing that stands out (to me) is the China TLD in the URL.
> > We block all those on sight (unless they're in the recipient's domain skip
> > list - so far, none of my users have any China TLDs in theirs).
> >
> > Perhaps one of the regex gurus will whip you up a rule. :)

While I understood this comment more generally, aiming at some rules to
catch the provided spample -- if you actually are after an RE to score
on China TLDs, here you go. That much should be easy:

uri  TLD_CHINA  m,https?://([-\w]+\.)+cn(/|$),

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
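
The pattern from the `TLD_CHINA` rule above, run against constructed URIs to show which forms it flags and which it lets through. This is an added example, not part of the original thread: Python's `re` stands in for the Perl regex engine, and `VARIANT`, the function names and all sample hostnames are assumptions made for illustration.

```python
import re

# Pattern from the rule in the post, unchanged (Perl m,..., written as a raw string).
ORIGINAL = re.compile(r"https?://([-\w]+\.)+cn(/|$)")

# Assumed variant, not from the thread: also accept a port, query or fragment
# directly after the TLD, and ignore case.
VARIANT = re.compile(r"https?://([-\w]+\.)+cn(?:[:/?#]|$)", re.IGNORECASE)

# Constructed sample URIs (hostnames are placeholders, not taken from the thread).
SAMPLES = [
    "http://shop.example.cn/",                           # plain .cn host
    "http://example.com.cn",                             # second-level .com.cn, no path
    "http://example.cn:8080/index.html",                 # explicit port after the TLD
    "http://example.cn?id=1",                            # query with no path
    "HTTP://EXAMPLE.CN/",                                # upper-case scheme and host
    "http://cn.example.com/",                            # "cn" is only a subdomain label
    "http://example.cn.example.org/",                    # "cn" is not the last label
    "http://example.com/go?u=http://target.example.cn/", # .cn URL nested in a query
]


def classify(pattern, uris=SAMPLES):
    """Map each URI to True if the pattern matches anywhere in it."""
    return {uri: bool(pattern.search(uri)) for uri in uris}


def missed_by_original(uris=SAMPLES):
    """URIs with a .cn host that VARIANT flags but ORIGINAL does not."""
    orig, var = classify(ORIGINAL, uris), classify(VARIANT, uris)
    return [uri for uri in uris if var[uri] and not orig[uri]]


if __name__ == "__main__":
    for uri, hit in classify(ORIGINAL).items():
        print(f"{'HIT ' if hit else 'miss'}  {uri}")
    print("missed by the original pattern:", missed_by_original())
```

These results describe the raw regex only; any URI normalisation SpamAssassin applies before a `uri` rule sees the text is outside what this example checks.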