Posted to users@spamassassin.apache.org by Payal Rathod <pa...@scriptkitchen.com> on 2006/03/10 11:22:13 UTC
more pharmacy woes
Hi all,
I need help in decoding pharmacy spam again. I am getting 100s of them.
I have attached them at,
http://pastebin.ca/45108
Can someone tell how to block these things out?
With warm regards,
-Payal
Re: more pharmacy woes
Posted by Loren Wilton <lw...@earthlink.net>.
I assume there was an html side of that that you didn't post, or else that
site ate it.
There isn't a huge amount to go on in what you posted. The net checks are
probably the best bets, along possibly with Bayes. The target uri should
show up in SURBL, and there is a good chance the source ip would have shown
up in some of the regular RBLs.
Loren
Re: more pharmacy woes
Posted by Jeff Chan <je...@surbl.org>.
On Friday, March 10, 2006, 8:07:44 AM, Payal Rathod wrote:
> On Fri, Mar 10, 2006 at 04:07:34PM +0530, Dhawal Doshy wrote:
>> Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
>> network tests like razor/pyzor/dcc?
> No, can you please tell in short how to use surbl exactly? I am very new
> to SA.
SURBL support is built into SpamAssassin 3.X if you enable
network tests:
http://www.surbl.org/quickstart.html
http://www.surbl.org/faq.html#nettest
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: more pharmacy woes
Posted by Payal Rathod <pa...@scriptkitchen.com>.
On Sat, Mar 11, 2006 at 06:40:35PM +0530, Dhawal Doshy wrote:
> For URIBL, see http://www.uribl.com/usage.shtml OR add this to your
> local.cf
I am getting an error which says,
2006-03-14_10:47:27.97266 2006-03-14 10:47:27 [17977] i: server killed
by SIGTERM, shutting down
2006-03-14_10:47:35.61742 Failed to run URIBL_GREY SpamAssassin test,
skipping:
2006-03-14_10:47:35.61747 (Can't locate object method
"check_uridnsbl" via package "Mail::SpamAssassin::PerMsgStatus" at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2312.
2006-03-14_10:47:35.61748 )
2006-03-14_10:47:35.61775 Failed to run URIBL_BLACK SpamAssassin test,
skipping:
2006-03-14_10:47:35.61776 (Can't locate object method
"check_uridnsbl" via package "Mail::SpamAssassin::PerMsgStatus" at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2312.
We are trying it on a friend's server at,
# spamassassin --version
SpamAssassin version 3.0.2
running on Perl version 5.8.5
With warm regards,
-Payal
>
> urirhssub URIBL_BLACK multi.uribl.com. A 2
> body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
> describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
> tflags URIBL_BLACK net
> score URIBL_BLACK 3.0
>
> urirhssub URIBL_GREY multi.uribl.com. A 4
> body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
> describe URIBL_GREY Contains an URL listed in the URIBL greylist
> tflags URIBL_GREY net
> score URIBL_GREY 0.25
>
> >>Also the pasted spam originates from a korean IP address.. you could
> >>try scoring mails from korea a bit more.. using either
> >>countries.nerds.dk OR korea.services.net
> >
> >Which file do I put it exactly?
>
> Add something like this to your local.cf
> # This part will add +2.0 for mail from korea
> header X_KOREAN_RELAY eval:check_rbl('relay','korea.services.net.')
> describe X_KOREAN_RELAY Received via a relay in Korea
> score X_KOREAN_RELAY 2.0
>
> >>Finally, get around to training your bayesian database to 200 or more
> >>spam and ham mails each..
> >
> >We have trained 40,000+ of each.
>
> That ought to be good enough for a start..
>
> Do a lint test 'spamassassin -D --lint' before you make your changes
> production.
>
> Hope that helps,
> - dhawal
>
> >With warm regards,
> >-Payal
>
> --
> **************** CAUTION - Disclaimer *****************
> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
> for the use of the addressee(s). If you are not the intended recipient,
> please
> notify the sender by e-mail and delete the original message. Further, you
> are
> not to copy, disclose, or distribute this e-mail or its contents to any
> other
> person and any such actions are unlawful. This e-mail may contain viruses.
> NetMagic Solutions Pvt. Ltd. has taken every reasonable precaution to
> minimize
> this risk, but is not liable for any damage you may sustain as a result of
> any
> virus in this e-mail. You should carry out your own virus checks before
> opening the e-mail or attachment. NetMagic Solutions Pvt. Ltd. reserves the
> right to monitor and review the content of all messages sent to or from this
> e-mail address.
>
> Messages sent to or from this e-mail address may be stored on the NetMagic
> Solutions Pvt. Ltd.'s e-mail system.
> ***************** End of Disclaimer *******************
>
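How the two urirhssub rules quoted above turn a DNS answer into a score, as an added Python illustration (not code from the thread or from SpamAssassin). It assumes the bitmask is tested against the last octet of the returned A record and that the last two host labels form the registered domain; the domains and DNS answers are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ZONE = "multi.uribl.com."
# (rule, bitmask, score) copied from the urirhssub and score lines above
RULES = [("URIBL_BLACK", 2, 3.0), ("URIBL_GREY", 4, 0.25)]

def query_name(uri, zone=ZONE):
    """DNS name to look up for one URI, or None if there is no domain."""
    host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # bare-IP URIs are left out of this sketch
    except ValueError:
        pass
    # Assumption: the last two labels are the registered domain.
    # Real code needs a list of two-level TLDs (co.uk and the like).
    return ".".join(host.split(".")[-2:]) + "." + zone

def evaluate(uris, resolve):
    """Return (sorted rule names that hit, summed score) for a message."""
    hits = {}
    for uri in uris:
        name = query_name(uri)
        if name is None:
            continue
        for addr in resolve(name):
            last_octet = int(ipaddress.IPv4Address(addr)) & 0xFF
            for rule, mask, score in RULES:
                if last_octet & mask:
                    hits[rule] = score  # each rule counts once per message
    return sorted(hits), sum(hits.values())

# Constructed answers standing in for the DNS; no network is used.
FAKE_ANSWERS = {
    "pills-example.test.multi.uribl.com.": ["127.0.0.2"],
    "maybe-example.test.multi.uribl.com.": ["127.0.0.4"],
    "both-example.test.multi.uribl.com.": ["127.0.0.6"],
}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])

if __name__ == "__main__":
    print(evaluate(["http://www.pills-example.test/order"], fake_resolve))
```

An answer of 127.0.0.6 sets both bits, so one lookup can fire both rules.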
Re: more pharmacy woes
Posted by Dhawal Doshy <dh...@netmagicsolutions.com>.
Payal Rathod wrote:
> On Fri, Mar 10, 2006 at 04:07:34PM +0530, Dhawal Doshy wrote:
>> Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
>> network tests like razor/pyzor/dcc?
>
> No, can you please tell in short how to use surbl exactly? I am very new
> to SA.
What is your SA version? You'll need a recent Net::DNS installed for any
network tests. You can also add 'dns_available yes' to your local.cf if
you have Net::DNS installed. If you're using spamd, make sure it's
started without the -L or --local flags.
SURBL support is built into spamassassin version 3.x onwards.. (see
Jeff's reply)
For URIBL, see http://www.uribl.com/usage.shtml OR add this to your local.cf
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0
urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 0.25
>> Also the pasted spam originates from a korean IP address.. you could
>> try scoring mails from korea a bit more.. using either
>> countries.nerds.dk OR korea.services.net
>
> Which file do I put it exactly?
Add something like this to your local.cf
# This part will add +2.0 for mail from korea
header X_KOREAN_RELAY eval:check_rbl('relay','korea.services.net.')
describe X_KOREAN_RELAY Received via a relay in Korea
score X_KOREAN_RELAY 2.0
>> Finally, get around to training your bayesian database to 200 or more
>> spam and ham mails each..
>
> We have trained 40,000+ of each.
That ought to be good enough for a start..
Do a lint test 'spamassassin -D --lint' before you make your changes
production.
Hope that helps,
- dhawal
> With warm regards,
> -Payal
Re: more pharmacy woes
Posted by Payal Rathod <pa...@scriptkitchen.com>.
On Fri, Mar 10, 2006 at 04:07:34PM +0530, Dhawal Doshy wrote:
> Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
> network tests like razor/pyzor/dcc?
No, can you please tell in short how to use surbl exactly? I am very new
to SA.
> Also the pasted spam originates from a korean IP address.. you could
> try scoring mails from korea a bit more.. using either
> countries.nerds.dk OR korea.services.net
Which file do I put it exactly?
> Finally, get around to training your bayesian database to 200 or more
> spam and ham mails each..
We have trained 40,000+ of each.
With warm regards,
-Payal
Re: more pharmacy woes
Posted by Dhawal Doshy <dh...@netmagicsolutions.com>.
Payal Rathod wrote:
> Hi all,
> I need help in decoding pharmacy spam again. I am getting 100s of them.
> I have attached them at,
> http://pastebin.ca/45108
Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative
network tests like razor/pyzor/dcc?
Also the pasted spam originates from a korean IP address.. you could try
scoring mails from korea a bit more.. using either countries.nerds.dk OR
korea.services.net
Finally, get around to training your bayesian database to 200 or more
spam and ham mails each..
- dhawal
> Can someone tell how to block these things out?
> With warm regards,
> -Payal
Re: more pharmacy woes
Posted by Jeremy Fairbrass <jf...@hotmail.com>.
You could also easily filter based on the subject, if it's always something
obvious like "Parhamcy news", and perhaps on obvious misspellings like
"tabIet", "abIets" etc (note the i instead of l). And I don't think it
would be too hard to create a special rule to search for a long string of
individual characters with spaces between them followed by a dollar-sign. :)
- Jeremy
"Payal Rathod" <pa...@scriptkitchen.com> wrote in message
news:20060310102213.GA14212@tranquility.scriptkitchen.com...
> Hi all,
> I need help in decoding pharmacy spam again. I am getting 100s of them.
> I have attached them at,
> http://pastebin.ca/45108
>
> Can someone tell how to block these things out?
> With warm regards,
> -Payal
>
>
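The two content patterns described in the message above, tried against constructed sample lines, as an added Python illustration (not code from the thread). The minimum run length of six characters and all sample text are assumptions; both patterns use Perl-compatible syntax.

```python
import re

# Six or more single characters, each followed by spaces, ending at "$".
# (?<!\S) makes sure each character stands alone and is not a word's tail.
SPACED_PRICE = re.compile(r"(?:(?<!\S)\S[ \t]+){6,}\$")

# A capital I sandwiched between lowercase letters, e.g. "tabIet".
EMBEDDED_CAP_I = re.compile(r"\b[a-z]+I[a-z]+\b")

def spaced_price_runs(text):
    """Return every spaced-out run that ends in a dollar sign."""
    return [m.group(0) for m in SPACED_PRICE.finditer(text)]

def collapse(run):
    """Join a spaced-out run back into one token, dropping the final '$'."""
    return "".join(run.rstrip("$").split())

def i_for_l_words(text):
    """Return words that carry a capital I between lowercase letters."""
    return EMBEDDED_CAP_I.findall(text)

def reasons(text):
    """List which of the two obfuscation patterns a line of text shows."""
    found = []
    for run in spaced_price_runs(text):
        found.append("spaced run before $: " + collapse(run))
    for word in i_for_l_words(text):
        found.append("capital I for l: " + word)
    return found

# Constructed sample lines: two spam-like, one ordinary.
SAMPLES = [
    "T a b l e t s $ 1.20 each",
    "Cheap tabIets and abIets today",
    "I think plan A or B costs $ 5 per seat",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", reasons(line))
```

Collapsing the run gives later keyword or Bayes checks a normal token to work with; identifiers such as "wxIcon" would also trip the second pattern, so it suits mail bodies rather than code.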
Re: more pharmacy woes
Posted by "Mark Wendt (Contractor)" <ma...@nrl.navy.mil>.
We've been seeing the same thing. It died out for a while, now the
fire hose has been opened again. The latest batch seems to be in
"Living Color" too. Different colors for different characters.
Mark
At 05:22 AM 3/10/2006, Payal Rathod wrote:
>Hi all,
>I need help in decoding pharmacy spam again. I am getting 100s of them.
>I have attached them at,
>http://pastebin.ca/45108
>
>Can someone tell how to block these things out?
>With warm regards,
>-Payal