Posted to users@spamassassin.apache.org by Steve Berg <st...@gmail.com> on 2006/11/27 22:27:47 UTC

Loads of 'xxx wrote:' Spam

All,

I have started to receive a LARGE amount of spam with the subject line of
"<someone's name> wrote:".  Inside the email is a stock tip with different
stocks...

Has anyone else seen this?  Is there a rule I can use to block this?  The
names change ALL the time, so it would have to be something dynamic.

Does anyone have something I could use?

Thanks

Steve

Re: Loads of 'xxx wrote:' Spam

Posted by Dennis Davis <D....@bath.ac.uk>.
On Mon, 27 Nov 2006, Theo Van Dinter wrote:

> From: Theo Van Dinter <fe...@apache.org>
> To: users@spamassassin.apache.org
> Date: Mon, 27 Nov 2006 16:32:50 -0500
> Subject: Re: Loads of 'xxx wrote:' Spam

...

> > Has anyone else seen this?  Is there a rule I can use to block
> > this?  The names change ALL the time, so it would have to be
> > something dynamic.
> >
> > Does anyone have something I could use?
>
> As has been the suggestion for the past X months, run sa-update. :)

Yup, works for me.

Note that the Botnet plugin (subject of another thread on this list)
may help with hosts that slip past any RBLs you use.  Here are the
results for one of these I recently received in my spam folder:


X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on merckx.bath.ac.uk
X-Spam-Level: ++++++++
X-Spam-Status: Yes, score=8.9 required=6.0 tests=BOTNET,BOTNET_CLIENT,
        BOTNET_IPINHOSTNAME,RCVD_FORGED_WROTE,SARE_LWSHORTT,SARE_MLB_Stock2,
        SARE_PROLOSTOCK_SYM1 autolearn=disabled version=3.1.7
X-Spam-Report: 
        *  2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
        *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
        *  1.7 SARE_MLB_Stock2 BODY: SARE_MLB_Stock2
        *  0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
        *  1.7 SARE_PROLOSTOCK_SYM1 BODY: Last week's hot stock scam
        *  2.0 BOTNET_CLIENT Hostname looks like a client hostname
        *  0.0 BOTNET Any Botnet rule hit
Received: from 89-139-185-37.bb.netvision.net.il ([89.139.185.37] helo=mafioso)

(I've tweaked the BOTNET rules.  It would score more with a standard
 configuration.)
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@bath.ac.uk               Phone: +44 1225 386101
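
Added example (not part of the post above, and not the Botnet plugin's code): a Python re-implementation of the idea behind the two hostname checks named in the report, "hostname contains its own IP address" and "hostname looks like a client hostname", run against the quoted Received line. The function names, the regex and the CLIENT_LABELS list are assumptions made for illustration.

```python
import re

# The Received line quoted in the post above.
RECEIVED = ("Received: from 89-139-185-37.bb.netvision.net.il "
            "([89.139.185.37] helo=mafioso)")

# Assumed list of labels that suggest an end-user connection (illustrative only).
CLIENT_LABELS = {"dsl", "adsl", "cable", "dyn", "dynamic", "dhcp",
                 "dialup", "ppp", "pool", "bb", "broadband"}

# Matches "from <rdns-name> ([<ipv4>]" as in the header above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Return (rdns_hostname, ip) from a Received header, or None."""
    m = RECEIVED_RE.search(header)
    return (m.group("rdns").lower(), m.group("ip")) if m else None


def ip_in_hostname(hostname, ip):
    """True if the hostname encodes its own IPv4 address."""
    octets = [int(o) for o in ip.split(".")]
    runs = [int(n) for n in re.findall(r"\d+", hostname)]
    # Four consecutive digit runs equal to the octets, forward or reversed.
    for order in (octets, octets[::-1]):
        if any(runs[i:i + 4] == order for i in range(len(runs) - 3)):
            return True
    # Octets concatenated as hex (59 8b b9 25) or zero-padded decimal.
    packed = ("".join("%02x" % o for o in octets),
              "".join("%03d" % o for o in octets))
    return any(p in hostname.lower() for p in packed)


def client_label(hostname):
    """True if any dot- or hyphen-separated label is in CLIENT_LABELS."""
    return bool(set(re.split(r"[.-]", hostname.lower())) & CLIENT_LABELS)


def classify(header):
    """List the heuristics that fire for the relay named in the header."""
    parsed = parse_received(header)
    if parsed is None:
        return []
    hostname, ip = parsed
    checks = (("ip_in_hostname", ip_in_hostname(hostname, ip)),
              ("client_label", client_label(hostname)))
    return [name for name, hit in checks if hit]
```

Calling classify(RECEIVED) reports both heuristics for the relay in the quoted header; a relay whose reverse DNS is an ordinary mail host name reports none.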

Re: Loads of 'xxx wrote:' Spam

Posted by Nix <ni...@esperi.org.uk>.
On 27 Nov 2006, Theo Van Dinter uttered the following:
> As has been the suggestion for the past X months, run sa-update. :)

It doesn't seem to work for me:

hades:/usr/local/tmp# sa-update -D
[29523] dbg: logger: adding facilities: all
[29523] dbg: logger: logging level is DBG
[29523] dbg: generic: SpamAssassin version 3.1.7
[29523] dbg: config: score set 0 chosen.
[29523] dbg: message: ---- MIME PARSER START ----
[29523] dbg: message: main message type: text/plain
[29523] dbg: message: parsing normal part
[29523] dbg: message: added part, type: text/plain
[29523] dbg: message: ---- MIME PARSER END ----
[29523] dbg: dns: is Net::DNS::Resolver available? yes
[29523] dbg: dns: Net::DNS version: 0.59
[29523] dbg: generic: sa-update version svn437498
[29523] dbg: generic: using update directory: /usr/packages.bin/perl/5.8.8/var/spamassassin/3.001007
[29523] dbg: diag: perl platform: 5.008008 linux
[29523] dbg: diag: module installed: Digest::SHA1, version 2.11
[29523] dbg: diag: module installed: HTML::Parser, version 3.55
[29523] dbg: diag: module installed: MIME::Base64, version 3.07
[29523] dbg: diag: module installed: DB_File, version 1.814
[29523] dbg: diag: module installed: Net::DNS, version 0.59
[29523] dbg: diag: module installed: Net::SMTP, version 2.29
[29523] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[29523] dbg: diag: module installed: IP::Country::Fast, version 604.001
[29523] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
[29523] dbg: diag: module installed: Net::Ident, version 1.20
[29523] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[29523] dbg: diag: module installed: IO::Socket::SSL, version 1.02
[29523] dbg: diag: module installed: Time::HiRes, version 1.9703
[29523] dbg: diag: module installed: DBI, version 1.53
[29523] dbg: diag: module installed: Getopt::Long, version 2.35
[29523] dbg: diag: module installed: LWP::UserAgent, version 2.033
[29523] dbg: diag: module installed: HTTP::Date, version 1.47
[29523] dbg: diag: module installed: Archive::Tar, version 1.30
[29523] dbg: diag: module installed: IO::Zlib, version 1.04
[29523] dbg: gpg: Searching for 'gpg'
[29523] dbg: util: current PATH is: /usr/bin:/bin:/usr/sbin:/sbin:/usr/games
[29523] dbg: util: executable for gpg was found at /usr/bin/gpg
[29523] dbg: gpg: found /usr/bin/gpg
[29523] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[29523] dbg: channel: attempting channel updates.spamassassin.org
[29523] dbg: channel: update directory /usr/packages.bin/perl/5.8.8/var/spamassassin/3.001007/updates_spamassassin_org
[29523] dbg: channel: channel cf file /usr/packages.bin/perl/5.8.8/var/spamassassin/3.001007/updates_spamassassin_org.cf
[29523] dbg: channel: channel pre file /usr/packages.bin/perl/5.8.8/var/spamassassin/3.001007/updates_spamassassin_org.pre
[29523] dbg: dns: 7.1.3.updates.spamassassin.org => 477972, parsed as 477972
[29523] dbg: channel: no MIRRORED.BY file available
[29523] dbg: http: GET request, http://spamassassin.apache.org/updates/MIRRORED.BY
[29523] dbg: channel: MIRRORED.BY file retrieved
[29523] dbg: channel: reading MIRRORED.BY file
[29523] dbg: channel: found mirror http://spamassassin.kluge.net/updates/
[29523] dbg: channel: selected mirror http://spamassassin.kluge.net/updates
[29523] dbg: http: GET request, http://spamassassin.kluge.net/updates/477972.tar.gz
[29523] dbg: http: GET request, http://spamassassin.kluge.net/updates/477972.tar.gz.sha1
channel: could not find working mirror, channel failed
[29523] dbg: diag: updates complete, exiting with code 4

(bz #5247.)

-- 
`He accused the FSF of being "something of a hypocrit", which
 shows that he neither understands hypocrisy nor can spell.'
   --- jimmybgood

Re: Loads of 'xxx wrote:' Spam

Posted by Greg Skouby <gs...@sitesnow.com>.
On Mon, Nov 27, 2006 at 09:48:03PM +0000, Justin Mason wrote:
> >
> >As has been the suggestion for the past X months, run sa-update. :)
> 
> we've got to make this a more prominent FAQ somehow...
> 
> --j.

I don't remember if this has been discussed recently but this page also needs to be updated to reflect the use of sa-update:

http://wiki.apache.org/spamassassin/VirusScannerTypeUpdates

--Greg

Re: Loads of 'xxx wrote:' Spam

Posted by Craig Morrison <cr...@2cah.com>.
Theo Van Dinter wrote:
> On Mon, Nov 27, 2006 at 09:48:03PM +0000, Justin Mason wrote:
>>> As has been the suggestion for the past X months, run sa-update. :)
>> we've got to make this a more prominent FAQ somehow...
> 
> Yeah, I keep coming across people on IRC and such that don't know about
> sa-update, even though it's been out for months.  I suggest we add a
> section to the next release announcements about it.
> 

Since it's right off the home page and there is a tab for it labeled 
'Docs', this would be an excellent place:

http://spamassassin.apache.org/doc.html

-- 
Craig

Re: Loads of 'xxx wrote:' Spam

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Nov 27, 2006 at 09:48:03PM +0000, Justin Mason wrote:
> >As has been the suggestion for the past X months, run sa-update. :)
> we've got to make this a more prominent FAQ somehow...

Yeah, I keep coming across people on IRC and such that don't know about
sa-update, even though it's been out for months.  I suggest we add a
section to the next release announcements about it.

-- 
Randomly Selected Tagline:
Chutzpah -- Does your BBS take collect calls?

Re: Loads of 'xxx wrote:' Spam

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Nov 27, 2006 at 01:27:47PM -0800, Steve Berg wrote:
> I have started to receive a LARGE amount of spam with the subject line of
> "<someone's name> wrote:".  Inside the email is a stock tip with different
> stocks...

Yep.

> Has anyone else seen this?  Is there a rule I can use to block this?  The
> names change ALL the time, so it would have to be something dynamic.
> 
> Does anyone have something I could use?

As has been the suggestion for the past X months, run sa-update. :)

-- 
Randomly Selected Tagline:
"One of my youngest employees once said `How does it feel managing someone
 young enough to letch after your daughter?'  I replied `How does it feel
 to make insinuating remarks about the daughter of the guy who writes
 your annual review?'"   - Steve Simmons in <20...@lokkur.dexter.mi.us>