Posted to users@spamassassin.apache.org by Jake Maul <ja...@gmail.com> on 2008/08/01 06:58:32 UTC

simple drug spam not flagged

Greetings,

I've recently been getting more simple drug-related spam that has no
real obfuscation and often doesn't get flagged with anything other
than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).

A few sample Subject lines:

Subject: Use Generik Viagra and forget about your sexual nightmares.
Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
Subject: Viagra Pro will save your from sexual hardships.
Subject: Any medication without prescription. Visa and MasterCard accepted
Subject: EZ order and fast delivery of your drugs
Subject: {SPAM?} You'll get harder erections with Soft Viagra.

(Last one tagged due to "2.9 SUSPICIOUS_RECIPS" and BAYES_99)

Most of these don't hit any DNSBLs, and are generally not in Pyzor or
Razor (incidentally... my Pyzor stopped working this morning... anyone
else? pyzor ping is failing). Some also hit the DRUGS_ERECTILE test,
but not reliably.

A large majority seem to be coming from yahoo.com webmail servers, but
this isn't a high-volume server so that might be just an anomaly.

I have attempted to compensate by increasing DRUGS_ERECTILE up to 1.5
(default is 0.3), but this seems to be a body-only rule, and I'm not
seeing a generic rule for ED-related drugs in the subject that are
*not* obfuscated. Seems pretty stupid that none of those subjects
manage to break a stock 0.3 without bayes or some 'lucky' hit...

Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
go all willy-nilly on my local.cf with stupid-simple rules with high
scores.

I run sa-update and sa-compile pretty regularly, but not using any
non-stock rulesets (where are the good ones that are actually
maintained? :) ).

Many thanks,
Jake
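
The post above asks for a subject rule that catches unobfuscated ED drug names without handing a single simple rule enough points to flag a message on its own. The script below is an added example, not anything from the original thread or from the SpamAssassin distribution: it holds the subject regexes in one place, scores them modestly, adds a meta rule that only fires when a subject hit coincides with a stock BAYES_50-or-higher verdict, and prints the equivalent local.cf lines built from the same regexes. The LOCAL_ rule names, the scores, and the Bayes buckets paired with each subject are assumptions; the subject lines are the ones quoted in the post (the {SPAM?} tag was stripped from the last one). Note that SpamAssassin body rules already see the Subject as the first paragraph of the body, so a header rule like this does not widen what DRUGS_ERECTILE can see; it makes the subject hit a separately named, separately scored signal.

```python
import re

# Added example, not stock SpamAssassin: the LOCAL_ rule names and the
# scores are assumptions chosen for illustration.
SUBJECT_RULES = {
    # erectile-dysfunction drug names spelled out, no obfuscation
    "LOCAL_SUBJ_ED_DRUG": re.compile(r"\b(?:viagra|cialis|levitra)\b", re.I),
    # "without prescription" / "no prescription" sales pitch
    "LOCAL_SUBJ_NO_RX": re.compile(r"\b(?:without|no)\s+(?:a\s+)?prescription\b", re.I),
}
META_RULE = "LOCAL_SUBJ_DRUG_BAYES"
SCORES = {"LOCAL_SUBJ_ED_DRUG": 1.0, "LOCAL_SUBJ_NO_RX": 1.0, META_RULE: 2.5}
# Stock BAYES_xx rules that mean a spam probability of 40% or more.
BAYES_SPAMMY = ("BAYES_50", "BAYES_60", "BAYES_80", "BAYES_95", "BAYES_99")


def subject_hits(subject):
    """Names of the plain subject rules that match, sorted."""
    return sorted(n for n, rx in SUBJECT_RULES.items() if rx.search(subject))


def local_hits(subject, bayes_rule):
    """Subject hits, plus the meta rule when Bayes is also suspicious."""
    hits = subject_hits(subject)
    if hits and bayes_rule in BAYES_SPAMMY:
        hits.append(META_RULE)
    return hits


def local_score(subject, bayes_rule):
    """Points the local rules alone would add to a message."""
    return sum(SCORES[h] for h in local_hits(subject, bayes_rule))


def render_local_cf():
    """The same rules in local.cf syntax, built from the same regexes."""
    lines = []
    for name, rx in SUBJECT_RULES.items():
        lines.append(f"header   {name} Subject =~ /{rx.pattern}/i")
        lines.append(f"score    {name} {SCORES[name]}")
    subj_any = " || ".join(SUBJECT_RULES)
    bayes_any = " || ".join(BAYES_SPAMMY)
    lines.append(f"meta     {META_RULE} (({subj_any}) && ({bayes_any}))")
    lines.append(f"describe {META_RULE} Drug pitch in Subject and Bayes agree")
    lines.append(f"score    {META_RULE} {SCORES[META_RULE]}")
    return "\n".join(lines)


# The subject lines quoted in the first post, paired with a Bayes bucket
# (constructed: the post only says BAYES_XX was "generally 50-99").
SAMPLES = [
    ("Use Generik Viagra and forget about your sexual nightmares.", "BAYES_50"),
    ("Discounted Super Viagra, Viagra Pro and Soft Cialis", "BAYES_60"),
    ("Viagra Pro will save your from sexual hardships.", "BAYES_99"),
    ("Any medication without prescription. Visa and MasterCard accepted", "BAYES_50"),
    ("EZ order and fast delivery of your drugs", "BAYES_80"),
    ("You'll get harder erections with Soft Viagra.", "BAYES_99"),
    ("Re: dinner on Friday?", "BAYES_00"),  # ham control
]

if __name__ == "__main__":
    for subject, bayes in SAMPLES:
        print(f"{local_score(subject, bayes):4.1f}  {local_hits(subject, bayes)}  {subject}")
    print(render_local_cf())
```

Run it and the "EZ order and fast delivery of your drugs" line scores 0.0: nothing in that subject names a drug or a prescription, so it has to be caught by body or network tests, which is the honest limit of a subject-only rule. The meta rule depends on Bayes being enabled and trained; with it, a matching subject plus a suspicious Bayes bucket adds 3.5 points while either signal alone adds at most 1.0. The regexes are plain enough to be valid in both Python and Perl, which is why the local.cf output reuses them verbatim.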

Re: simple drug spam not flagged

Posted by Jake Maul <ja...@gmail.com>.
Yes, I would love to have the full listing.

I've just done the ClamAV sigs from SaneSecurity/etc. Very nice!

I'm looking into the following plugins/rulesets for general use. will
probably use a few of them:

Botnet plugin
SARE rulesets
DKIM (included in SA, but never bothered to set up)
iXhash plugin
Freemail plugin
SAGrey plugin
Justin Mason's automated ruleset


If I could just get Pyzor working again now too... :)

Thanks!
Jake

On Sat, Aug 2, 2008 at 8:00 AM, Chris <cp...@embarqmail.com> wrote:
> On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
>> Okay, got some samples online to look at:
>>
>> http://66.213.231.82/spam/sample1.txt
>> http://66.213.231.82/spam/sample2.txt
>> http://66.213.231.82/spam/sample3.txt
>> http://66.213.231.82/spam/sample4.txt
>> http://66.213.231.82/spam/sample5.txt
>> http://66.213.231.82/spam/sample6.txt
>> http://66.213.231.82/spam/sample7.txt
>> (that is, every file in http://66.213.231.82/spam/)
>>
>> If y'all could run 1 or 2 of them through your installs, I'd be
>> interested to know how they score and what rules they hit. TYVM, in
>> advance :)
>
>
> Sample 1 scored:
>
> Content analysis details:   (16.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
>                            [URIs: perfectcapsulessite.com]
>  1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                            [URIs: perfectcapsulessite.com]
>  1.0 FREEMAIL_FROM          From-address is freemail domain
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                            [score: 0.5001]
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> Sample 2 scored:
>
> Content analysis details:   (25.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 FREEMAIL_FROM          From-address is freemail domain
>  0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
>  0.0 DK_SIGNED              Domain Keys: message has a signature
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                            [score: 0.4915]
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
>  10 CLAMAV                 Clam AntiVirus detected a virus
>  0.3 DRUGS_ERECTILE         Refers to an erectile drug
>  2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> This is what clamav reported - X-Spam-Virus: Yes
> (Email.Spam.Gen835.Sanesecurity.07062011)
>
> Sample 3 scored:
>
> Content analysis details:   (15.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 FREEMAIL_FROM          From-address is freemail domain
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.0 ONLINE_PHARMACY        BODY: Online Pharmacy
>  0.0 TVD_VISIT_PHARMA       BODY: TVD_VISIT_PHARMA
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  2.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>                            [score: 0.6079]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=many]
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> Sample 4 scored Content analysis details:   (20.5 points, 5.0 required)
> Sample 5 scored Content analysis details:   (25.7 points, 5.0 required)
> Sample 6 scored Content analysis details:   (19.7 points, 5.0 required)
> Sample 7 scored Content analysis details:   (25.3 points, 5.0 required)
>
> Looking at how they were scored I see that the following plug-ins hit on every
> message, freemail, ixhash and sagrey. The clamav plugin hit on a couple using
> the sanesecurity signatures. I've saved the complete output of spamassassin
> -D -t sample*.txt to a file. If you want I can fwd it to you to look at.
>
>> More comments below...
>>
>> Is there anything I need to know about the SARE rules? I see they're
>> not being updated at the moment... I've been wondering which ones are
>> 'safe' to use, considering they all seem to be at least a year old. Do
>> the comments on the rulesemporium.com site still apply? Anything there
>> broken in SA-3.2.x I should care about?
>
> I've 'never' had any problems with the SARE rules I run, I believe the answer
> as to why they're seldom updated is that they're such rock solid rule sets
> that they pretty much cover any type of spam out there.
>
>> As far as BOTNET goes... sounds interesting... I would definitely want
>> to push it's score down lower though. A single rule being enough to
>> flag a message bothers me. Will look into it, thanks :)
>>
>> Thanks all,
>> Jake
>
> One other note, I do not run a mailserver, this is just how these score on my
> home system that I'm the only user on.
>
> --
> Chris
> KeyID 0xE372A7DA98E6705C
>

Re: simple drug spam not flagged

Posted by Chris <cp...@embarqmail.com>.
On Friday 01 August 2008 10:47 pm, Jake Maul wrote:
> Okay, got some samples online to look at:
>
> http://66.213.231.82/spam/sample1.txt
> http://66.213.231.82/spam/sample2.txt
> http://66.213.231.82/spam/sample3.txt
> http://66.213.231.82/spam/sample4.txt
> http://66.213.231.82/spam/sample5.txt
> http://66.213.231.82/spam/sample6.txt
> http://66.213.231.82/spam/sample7.txt
> (that is, every file in http://66.213.231.82/spam/)
>
> If y'all could run 1 or 2 of them through your installs, I'd be
> interested to know how they score and what rules they hit. TYVM, in
> advance :)


Sample 1 scored:

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Sample 2 scored:

Content analysis details:   (25.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED              Domain Keys: message has a signature
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4915]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

This is what clamav reported - X-Spam-Virus: Yes 
(Email.Spam.Gen835.Sanesecurity.07062011)

Sample 3 scored:

Content analysis details:   (15.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 ONLINE_PHARMACY        BODY: Online Pharmacy
 0.0 TVD_VISIT_PHARMA       BODY: TVD_VISIT_PHARMA
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 2.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6079]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.5 LOGINHASH2             BODY: iXhash says its spam
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=many]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Sample 4 scored Content analysis details:   (20.5 points, 5.0 required)
Sample 5 scored Content analysis details:   (25.7 points, 5.0 required)
Sample 6 scored Content analysis details:   (19.7 points, 5.0 required)
Sample 7 scored Content analysis details:   (25.3 points, 5.0 required)

Looking at how they were scored I see that the following plug-ins hit on every 
message, freemail, ixhash and sagrey. The clamav plugin hit on a couple using 
the sanesecurity signatures. I've saved the complete output of spamassassin 
-D -t sample*.txt to a file. If you want I can fwd it to you to look at.

> More comments below...
>
> Is there anything I need to know about the SARE rules? I see they're
> not being updated at the moment... I've been wondering which ones are
> 'safe' to use, considering they all seem to be at least a year old. Do
> the comments on the rulesemporium.com site still apply? Anything there
> broken in SA-3.2.x I should care about?

I've 'never' had any problems with the SARE rules I run, I believe the answer 
as to why they're seldom updated is that they're such rock solid rule sets 
that they pretty much cover any type of spam out there. 

> As far as BOTNET goes... sounds interesting... I would definitely want
> to push its score down lower though. A single rule being enough to
> flag a message bothers me. Will look into it, thanks :)
>
> Thanks all,
> Jake

One other note, I do not run a mailserver, this is just how these score on my 
home system that I'm the only user on. 

-- 
Chris
KeyID 0xE372A7DA98E6705C
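
Chris compares the scoring of several samples by eye and notes which plugins fired on all of them. The script below is an added example (not from the thread and not a SpamAssassin tool) that does that comparison mechanically: it parses the "Content analysis details" report that spamassassin -t appends, checks that the per-rule scores add up to the reported total, counts how often each rule fired across the samples, and recomputes each total with the add-on plugin rules removed. The two embedded reports are the sample 1 and sample 2 output posted above; the ADDON_RULES set is an assumption mapping the plugins Chris names (Freemail, iXhash, SAGrey, ClamAV) to their rule names.

```python
import re
from collections import Counter

# Constructed input: the per-rule reports that "spamassassin -t" printed
# for samples 1 and 2, as posted in this thread.
SAMPLE_REPORTS = {
    "sample1": """\
Content analysis details:   (16.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: perfectcapsulessite.com]
 1.0 FREEMAIL_FROM          From-address is freemail domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
""",
    "sample2": """\
Content analysis details:   (25.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED              Domain Keys: message has a signature
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4915]
 2.5 LOGINHASH2             BODY: iXhash says its spam
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
""",
}

# Rules supplied by the add-on plugins Chris names (Freemail, iXhash,
# SAGrey, ClamAV); an assumption used to see what stock rules contribute.
ADDON_RULES = {"FREEMAIL_FROM", "LOGINHASH", "IXHASH", "LOGINHASH2", "SAGREY", "CLAMAV"}

HEADER_RX = re.compile(r"Content analysis details:\s+\((-?[\d.]+) points, ([\d.]+) required\)")
# A rule line starts with its score; continuation lines start with '['.
RULE_RX = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_report(text):
    """Return total, threshold and the (score, rule, description) hits."""
    m = HEADER_RX.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' header in report")
    hits = []
    for line in text.splitlines():
        r = RULE_RX.match(line)
        if r:
            hits.append((float(r.group(1)), r.group(2), r.group(3).strip()))
    return {"total": float(m.group(1)), "required": float(m.group(2)), "hits": hits}


def check_total(report):
    """Do the per-rule scores add up to the reported total (within 0.1)?"""
    return abs(sum(s for s, _, _ in report["hits"]) - report["total"]) < 0.1


def rule_hit_counts(reports):
    """How many of the reports each rule fired on."""
    return Counter(name for rep in reports for _, name, _ in rep["hits"])


def rules_in_every_report(reports):
    """Rules that fired on every report, sorted by name."""
    return sorted(set.intersection(*({n for _, n, _ in rep["hits"]} for rep in reports)))


def score_without(report, excluded):
    """Total the message would get if the excluded rules were not loaded."""
    return round(sum(s for s, n, _ in report["hits"] if n not in excluded), 1)


if __name__ == "__main__":
    reports = {k: parse_report(v) for k, v in SAMPLE_REPORTS.items()}
    for name, rep in reports.items():
        print(f"{name}: {rep['total']} reported, sums ok={check_total(rep)}, "
              f"stock rules only={score_without(rep, ADDON_RULES)} (need {rep['required']})")
    print("hit every sample:", rules_in_every_report(reports.values()))
    print("hit counts:", rule_hit_counts(reports.values()).most_common(5))
```

On these two reports the add-on rules supply 11.5 points of sample 1 and 21.5 points of sample 2; with them removed the totals drop to 4.5 and 4.3, both under the 5.0 threshold, which is consistent with the stock-only install in the first post letting the same kind of mail through. Feed it more reports (one per file, or split a mailbox on the header line) to see which add-ons actually carry the load before tuning their scores.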

Re: simple drug spam not flagged

Posted by Jake Maul <ja...@gmail.com>.
Okay, got some samples online to look at:

http://66.213.231.82/spam/sample1.txt
http://66.213.231.82/spam/sample2.txt
http://66.213.231.82/spam/sample3.txt
http://66.213.231.82/spam/sample4.txt
http://66.213.231.82/spam/sample5.txt
http://66.213.231.82/spam/sample6.txt
http://66.213.231.82/spam/sample7.txt
(that is, every file in http://66.213.231.82/spam/)

If y'all could run 1 or 2 of them through your installs, I'd be
interested to know how they score and what rules they hit. TYVM, in
advance :)

More comments below...

> Is the below a sample subject line you're seeing? If so my setup using network
> tests, SARE Rules, Botnet plugin and others always score these between 50 and
> 70. But this may not be what you're getting so a sample will be great.

Is there anything I need to know about the SARE rules? I see they're
not being updated at the moment... I've been wondering which ones are
'safe' to use, considering they all seem to be at least a year old. Do
the comments on the rulesemporium.com site still apply? Anything there
broken in SA-3.2.x I should care about?

As far as BOTNET goes... sounds interesting... I would definitely want
to push its score down lower though. A single rule being enough to
flag a message bothers me. Will look into it, thanks :)

> Subject: Buy Cialis, Viagra online at lowest prices!
>
> Content analysis details:   (67.9 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  1.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
>  1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
>  2.9 DATE_SPAMWARE_Y2K      Date header uses unusual Y2K formatting
>  3.2 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
>  1.9 TVD_RCVD_IP            TVD_RCVD_IP
>  3.2 TVD_RCVD_IP4           TVD_RCVD_IP4
>  3.1 MSGID_YAHOO_CAPS       Message-ID has ALLCAPS@yahoo.com
>  4.2 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
>  0.0 SUBJECT_DRUG_GAP_C     Subject contains a gappy version of 'cialis'
>  0.0 SUBJ_BUY               Subject line starts with Buy or Buying
>  1.0 FREEMAIL_FROM          From-address is freemail domain
>  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                [Blocked - see <http://www.spamcop.net/bl.shtml?124.146.54.38>]
>  5.0 BOTNET                 Relay might be a spambot or virusbot
> [botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,maildomain=yahoo.com,baddns,client,ipinhostname]
>  1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
>  1.4 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  2.3 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
>  1.4 FB_CIALIS_LEO3         BODY: Uses a mis-spelled version of cialis.
>  1.7 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
>  4.5 LOGINHASH              BODY: iXhash says its spam
>  2.5 IXHASH                 BODY: iXhash says its spam
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.5 LOGINHASH2             BODY: iXhash says its spam
>  1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>                             above 50%
>                             [cf:  60]
>  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf:  60]
>  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>                             [cpollock 1170; Body=1 Fuz1=1 Fuz2=many]
>  0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
>  2.6 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this
>  0.3 DRUGS_ERECTILE         Refers to an erectile drug
>  0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders


Thanks all,
Jake

Re: simple drug spam not flagged

Posted by Chris <cp...@embarqmail.com>.
On Thursday 31 July 2008 11:58 pm, Jake Maul wrote:
> Greetings,
>
> I've recently been getting more simple drug-related spam that has no
> real obfuscation and often doesn't get flagged with anything other
> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
>
> A few sample Subject lines:
>
> Subject: Use Generik Viagra and forget about your sexual nightmares.
> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
> Subject: Viagra Pro will save your from sexual hardships.
> Subject: Any medication without prescription. Visa and MasterCard accepted
> Subject: EZ order and fast delivery of your drugs
> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
>
> (Last one tagged due to "2.9 SUSPICIOUS_RECIPS" and BAYES_99)
>
> Most of these don't hit any DNSBLs, and are generally not in Pyzor or
> Razor (incidentally... my Pyzor stopped working this morning... anyone
> else? pyzor ping is failing). Some also hit the DRUGS_ERECTILE test,
> but not reliably.
>
> A large majority seem to be coming from yahoo.com webmail servers, but
> this isn't a high-volume server so that might be just an anomaly.
>

Is the below a sample subject line you're seeing? If so my setup using network 
tests, SARE Rules, Botnet plugin and others always score these between 50 and 
70. But this may not be what you're getting so a sample will be great.

Subject: Buy Cialis, Viagra online at lowest prices!

Content analysis details:   (67.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.5 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
 1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 2.9 DATE_SPAMWARE_Y2K      Date header uses unusual Y2K formatting
 3.2 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 1.9 TVD_RCVD_IP            TVD_RCVD_IP
 3.2 TVD_RCVD_IP4           TVD_RCVD_IP4
 3.1 MSGID_YAHOO_CAPS       Message-ID has ALLCAPS@yahoo.com
 4.2 MSGID_SPAM_CAPS        Spam tool Message-Id: (caps variant)
 0.0 SUBJECT_DRUG_GAP_C     Subject contains a gappy version of 'cialis'
 0.0 SUBJ_BUY               Subject line starts with Buy or Buying
 1.0 FREEMAIL_FROM          From-address is freemail domain
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
               [Blocked - see <http://www.spamcop.net/bl.shtml?124.146.54.38>]
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=124.146.54.38,rdns=124.146.54.38,maildomain=yahoo.com,baddns,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 1.4 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 2.3 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 1.4 FB_CIALIS_LEO3         BODY: Uses a mis-spelled version of cialis.
 1.7 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.5 LOGINHASH2             BODY: iXhash says its spam
 1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf:  60]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf:  60]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1170; Body=1 Fuz1=1 Fuz2=many]
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 2.6 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this
 0.3 DRUGS_ERECTILE         Refers to an erectile drug
 0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 2.5 L_UNVERIFIED_YAHOO     L_UNVERIFIED_YAHOO
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


-- 
Chris
KeyID 0xE372A7DA98E6705C

Re: simple drug spam not flagged

Posted by Jake Maul <ja...@gmail.com>.
On Fri, Aug 1, 2008 at 6:42 AM, Richard Frovarp
<ri...@sendit.nodak.edu> wrote:
> Jake Maul wrote:
>>
>> Greetings,
>>
>> I've recently been getting more simple drug-related spam that has no
>> real obfuscation and often doesn't get flagged with anything other
>> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
>>
>> A few sample Subject lines:
>>
>> Subject: Use Generik Viagra and forget about your sexual nightmares.
>> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
>> Subject: Viagra Pro will save your from sexual hardships.
>> Subject: Any medication without prescription. Visa and MasterCard accepted
>> Subject: EZ order and fast delivery of your drugs
>> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
>>
>
> Are spammers finally learning that to get past spam filters they should send
> normal looking messages?

I hope it's just a phase. I mean, can't they just send spam engineered
to hit lots of SpamAssassin rules? That would be a lot easier on us
than having to continually come up with new rules, statistical
analyses, etc... :)

Re: simple drug spam not flagged

Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Jake Maul wrote:
> Greetings,
>
> I've recently been getting more simple drug-related spam that has no
> real obfuscation and often doesn't get flagged with anything other
> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
>
> A few sample Subject lines:
>
> Subject: Use Generik Viagra and forget about your sexual nightmares.
> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
> Subject: Viagra Pro will save your from sexual hardships.
> Subject: Any medication without prescription. Visa and MasterCard accepted
> Subject: EZ order and fast delivery of your drugs
> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
>   
Are spammers finally learning that to get past spam filters they should 
send normal looking messages?

Re: simple drug spam not flagged

Posted by Jake Maul <ja...@gmail.com>.
On Fri, Aug 1, 2008 at 12:53 AM, Matus UHLAR - fantomas
<uh...@fantomas.sk> wrote:
> On 31.07.08 21:58, Jake Maul wrote:
>> I've recently been getting more simple drug-related spam that has no
>> real obfuscation and often doesn't get flagged with anything other
>> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
> [...]
>> Subject: Use Generik Viagra and forget about your sexual nightmares.
>> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
>> Subject: Viagra Pro will save your from sexual hardships.
>> Subject: Any medication without prescription. Visa and MasterCard accepted
>> Subject: EZ order and fast delivery of your drugs
>> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
> [...]
>> Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
>> go all willy-nilly on my local.cf with stupid-simple rules with high
>> scores.
>>
>> I run sa-update and sa-compile pretty regularly, but not using any
>> non-stock rulesets (where are the good ones that are actually
>> maintained? :) ).
>
> Justin Mason's sought rulesets should catch those.
> http://wiki.apache.org/spamassassin/SoughtRules

This looks promising... not sure how well it'll do, but I like the
idea nonetheless. Thanks!

Jake

Re: simple drug spam not flagged

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 31.07.08 21:58, Jake Maul wrote:
> I've recently been getting more simple drug-related spam that has no
> real obfuscation and often doesn't get flagged with anything other
> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
[...]
> Subject: Use Generik Viagra and forget about your sexual nightmares.
> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
> Subject: Viagra Pro will save your from sexual hardships.
> Subject: Any medication without prescription. Visa and MasterCard accepted
> Subject: EZ order and fast delivery of your drugs
> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
[...]
> Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
> go all willy-nilly on my local.cf with stupid-simple rules with high
> scores.
> 
> I run sa-update and sa-compile pretty regularly, but not using any
> non-stock rulesets (where are the good ones that are actually
> maintained? :) ).

Justin Mason's sought rulesets should catch those.
http://wiki.apache.org/spamassassin/SoughtRules

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.

Re: simple drug spam not flagged

Posted by Jake Maul <ja...@gmail.com>.
On Fri, Aug 1, 2008 at 6:07 AM, Karsten Bräckelmann
<gu...@rudersport.de> wrote:
> On Thu, 2008-07-31 at 21:58 -0700, Jake Maul wrote:
>> Greetings,
>>
>> I've recently been getting more simple drug-related spam that has no
>> real obfuscation and often doesn't get flagged with anything other
>> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
>>
>> A few sample Subject lines:
>>
>> Subject: Use Generik Viagra and forget about your sexual nightmares.
>> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
>> Subject: Viagra Pro will save your from sexual hardships.
>> Subject: Any medication without prescription. Visa and MasterCard accepted
>> Subject: EZ order and fast delivery of your drugs
>> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
> [...]
>
>> Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
>> go all willy-nilly on my local.cf with stupid-simple rules with high
>> scores.
>
> No raw mail examples, no advice. Well, unless you actually ask us to
> come up with Subject-only rules...
>
> Upload a few spamples somewhere, if need be use a pastebin.
>
>  guenther

Will get some samples uploaded somewhere today hopefully.
Jake

Re: simple drug spam not flagged

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2008-07-31 at 21:58 -0700, Jake Maul wrote:
> Greetings,
> 
> I've recently been getting more simple drug-related spam that has no
> real obfuscation and often doesn't get flagged with anything other
> than HTML_MESSAGE (0.0) and BAYES_XX (generally 50-99).
> 
> A few sample Subject lines:
> 
> Subject: Use Generik Viagra and forget about your sexual nightmares.
> Subject: Discounted Super Viagra, Viagra Pro and Soft Cialis
> Subject: Viagra Pro will save your from sexual hardships.
> Subject: Any medication without prescription. Visa and MasterCard accepted
> Subject: EZ order and fast delivery of your drugs
> Subject: {SPAM?} You'll get harder erections with Soft Viagra.
[...]

> Anyone else seeing this kind of junk? Any good ideas? I'm hesitant to
> go all willy-nilly on my local.cf with stupid-simple rules with high
> scores.

No raw mail examples, no advice. Well, unless you actually ask us to
come up with Subject-only rules...

Upload a few spamples somewhere, if need be use a pastebin.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}