You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2007/11/24 06:08:25 UTC
space dot space com messages
I'm seeing a lot of these spammed to my Mailman mailing lists. They
generally consist of a single line with an obfuscated URL and a couple of
blank lines. The URL looks like "abcde . com" (ie. a space on either side
of the dot).
Does anyone have a rule to score these? I don't have Bayes at the MTA
level, just at the delivery level, and since this is a list, there's no
local recipient to score for.
Re: space dot space com messages
Posted by Michelle Konzack <li...@freenet.de>.
Am 2007-11-23 21:57:13, schrieb Loren Wilton:
> >I'm seeing a lot of these spammed to my Mailman mailing lists. They
> >generally consist of a single line with an obfuscated URL and a couple of
> >blank lines. The URL looks like "abcde . com" (ie. a space on either side
> >of the dot).
>
> If you post one or two somewhere I can write you a simple rule. I could
> write something from just what you described, but I'd be real concerned
> about the FP rate. If I see a couple messages I can probably do a little
> better.
Since I use "spamc" from my "procmailrc" I have used a procmail rule to
catch them... Without any FP in the first 1000 messages fom over 23.000.
:0
* B ?? \/www .*[ a-zA-Z0-9] (cn|com)$
.ATTENTION.FLT_dot_space/
:0
* > 250000
.ATTENTION.FLT_oversized/
:0fw
* < 250000
|spamc
Thanks, Greetings and nice Day
Michelle Konzack
Tamay Dogan Network
Open Hardware Developer
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
50, rue de Soultz MSN LinuxMichi
0033/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: space dot space com messages
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Friday, November 23, 2007 10:27 PM -0800 Loren Wilton
<lw...@earthlink.net> wrote:
> header __THE_BAT X-Mailer /^The Bat/
> body __BROKEN_LINK /^[\w\.\-]{1,25}\s\.com\s*$/
> meta SMALL_MIND __THE_BAT && __BROKEN_LINK
> score SMALL_MIND 3.5
Linting showed the header needs this:
header __THE_BAT X-Mailer =~ /^The Bat/
With that in place I installed it as /etc/mail/spamassassin/small-mind.cf.
Thanks!
Re: space dot space com messages
Posted by Loren Wilton <lw...@earthlink.net>.
Oh, you weren't exaggerating about the amount of text in those! That makes
it pretty easy in theory. Let's try this (untested):
header __THE_BAT X-Mailer /^The Bat/
body __BROKEN_LINK /^[\w\.\-]{1,25}\s\.com\s*$/
meta SMALL_MIND __THE_BAT && __BROKEN_LINK
score SMALL_MIND 3.5
I think that should be relatively safe, and should hit all these.
Loren
Re: space dot space com messages
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Friday, November 23, 2007 9:57 PM -0800 Loren Wilton
<lw...@earthlink.net> wrote:
> If you post one or two somewhere I can write you a simple rule. I could
> write something from just what you described, but I'd be real concerned
> about the FP rate. If I see a couple messages I can probably do a little
> better.
Here's 3 in mbox format. I "forwarded to list admin" from the Mailman web
interface, so the original messages are embedded in a message/rfc822
attachment in each case.
<http://www.sewingwitch.com/ken/Stuff/DotSpaceDotExample.txt>
Re: space dot space com messages
Posted by Loren Wilton <lw...@earthlink.net>.
> I'm seeing a lot of these spammed to my Mailman mailing lists. They
> generally consist of a single line with an obfuscated URL and a couple of
> blank lines. The URL looks like "abcde . com" (ie. a space on either side
> of the dot).
If you post one or two somewhere I can write you a simple rule. I could
write something from just what you described, but I'd be real concerned
about the FP rate. If I see a couple messages I can probably do a little
better.
Loren