Posted to users@spamassassin.apache.org by Dan Simmons <dn...@gmail.com> on 2005/05/14 19:13:20 UTC

Drug SPAM problem..any fixes?

Hi All,

I am having an issue with the following DRUG related spam.  Does
anyone have any rules to catch this?

Environment: SA 3.0.2 with network tests and the following SARE rule sets:
70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
70_sare_genlsubj_eng.cf
70_sare_header0.cf
70_sare_header1.cf
70_sare_header_eng.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_html_eng.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_unsub.cf
70_sare_uri0.cf
70_sare_uri1.cf
70_sare_uri_eng.cf
72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf
backhair.cf
bigevil.cf
chickenpox.cf
weeds2.cf

Thanks in advance!

DN

Received: from [216.249.40.20] (HELO mx2.xxxx.xxx)
  by xxx.xxxxx.xxx
  with ESMTP id 8426770; Sat, 14 May 2005 13:19:47 -0300
Received: from [85.65.64.105] ([85.65.64.105]:52747 "HELO
	85-65-64-105.barak-online.net") by mx2.xxxxx.xxx with SMTP
	id S69776AbVENQTr (ORCPT <rf...@xxx.xxxxx.xxx> + 12 others);
	Sat, 14 May 2005 13:19:47 -0300
X-MID:	<49...@datatree.com>
Date:	Sat, 14 May 2005 12:18:01 -0500
Message-Id: <49...@datatree.com>
From:	Gregory Hicks <rc...@datatree.com>
To:	mark@xxxxxxx.xxx
Subject: Re: dehorn ADVATE
MIME-Version: 1.0
Content-Type: multipart/related;
   boundary="----=_Part_26268598_14758651.1312519906417"
X-DK-Sender: Fahvwl@crockatt.net
X-DK-Policy: Inbound, CheckSpam=Yes
X-DK-AttBlock:	No attachments have reject extensions
X-DK-WList: No sender or recipients white-listed
X-SA-Version: 3.0.2 (2004-11-16) on mx2.northrock.bm
X-SA-Score:	0.9
X-SA-SysThreshold: 6.0
	0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
	0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
	0.0 HTML_MESSAGE BODY: HTML included in message

This is a multi-part message in MIME format.

------=_Part_26268598_14758651.1312519906417
Content-Type: multipart/alternative;
        boundary="----=_Part_24709875_12152681.2407573909984"


------=_Part_24709875_12152681.2407573909984
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: 7bit

------=_Part_24709875_12152681.2407573909984
Content-Type: text/html;
         charset=us-ascii
Content-Transfer-Encoding: 7Bit

------=_Part_24709875_12152681.2407573909984--

------=_Part_26268598_14758651.1312519906417
Content-Type: image/gif;
     name="Frccf.GIF"
Content-Transfer-Encoding: base64
Content-ID: <lrvnmnh_ywroot_rvdee>

------=_Part_26268598_14758651.1312519906417--

<HTML><HEAD>
</HEAD>
<BODY><DIV><font></font><STRONG></STRONG><FONT SIZE=1></FONT><FONT
SIZE=2></FONT>
<FONT></FONT><A
href="http://ziawahewpqs.net&pewubl0oep4l18elkzv6%2Eaeroseddicc%2Ecom/">
<FONT SIZE=1></FONT><FONT></FONT><FONT SIZE=2></FONT><IMG
SRC="cid:lrvnmnh_ywroot_rvdee" border="0" ALT=""></A>
</DIV><p><font></font>
<FONT size=1><FONT SIZE=2></FONT>
in a sudden nearness of relation, as the daughter of my blood foe,
and<br><font></font><FONT SIZE=2></FONT>to make a cut at me in
passing; for this reason it was soon taken<BR>and me; and that Miss
Clarissa would have hardly less satisfaction<FONT
SIZE=2></FONT><BR><font></font><FONT SIZE=1></FONT>
cuts whistles out of the trees and dances ecstatically to his
own<br><FONT></FONT><FONT SIZE=2></FONT>What can have put such a
person in your head? inquired my mother.<BR>voice failed, and I
covered my face with my hand, and broke into<FONT
SIZE=2></FONT><BR><font></font><FONT></FONT>
way, Do cats eat bats?  Do cats eat bats? and sometimes, Do<br><FONT
SIZE=1></FONT><FONT SIZE=2></FONT>Terrace; Mrs. Micawber, the
children, the Orfling, and myself; and<BR>affection; I ask pardon of
that lady, in my heart.<STRONG></STRONG><BR><FONT></FONT><FONT></FONT>
allow himself off the bench to be waylaid by some tender
kinswoman<br><STRONG></STRONG><STRONG></STRONG>I do not know that ever
I heard him speak so straight to
peoples<BR><STRONG></STRONG>8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m<FONT
SIZE=1></FONT>
</FONT></p>
</BODY>
</HTML>

Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Matt Kettler <mk...@evi-inc.com>.
martin smith wrote:

> Trouble is with the SURBL is that you can receive a lot of these spams
> before they get listed, they also seem to change domain name twice a day or
> more to keep ahead of the listing, that's why I wanted something to block
> them if they don't hit any black lists.
> 
> Martin
> 

True, which is part of why I use some greylisting. It helps the blacklist hit
rates.


I really don't know of any good static rule that works consistently for these
that won't just nail every email with embedded images.

One thing you might look at is this part:

8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m

Note that after the first 3 numbers, it's an alternating sequence of random
lower-case letters and numbers. The repeating part is 140 characters long, or 70
repeats.

You could probably pick out 50 or so of these with low FP rate:

body L_STRANGE_ID	/(?:\d[a-z]){50}/
score L_STRANGE_ID	0.1


Another tool to try here, which has the same drawbacks as surbl, is razor.

Razor can pick up on the hash of the embedded image, text, or URI so this way
you're forcing them to change three things: domains, images and body text.
(Razor hashes each mime part and each URI separately, so spam can be identified
by any one of these, not just the combined whole of the message.)

While not perfect, at least this gets you 3 shots at the message based on content.

Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, May 14, 2005, 10:43:08 AM, martin smith wrote:
M>>From: Matt Kettler [mailto:mkettler@evi-inc.com]

M>>Most of that is URI blacklists from surbl (supported by SA 
M>>3.x by default), as well as uribl.com (not supported in 
M>>default config but I added it by hand)
M>>

> Trouble is with the SURBL is that you can receive a lot of these spams
> before they get listed, they also seem to change domain name twice a day or
> more to keep ahead of the listing, that's why I wanted something to block
> them if they don't hit any black lists.

We're working on reducing the latency of SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Loren Wilton <lw...@earthlink.net>.
Let me just suggest that there are all kinds of catchable keys in the spam
you posted.  I don't really want to post rules for these, since as soon as
rules get posted here the keys disappear from the spams.

        Loren


RE: {SPAM} Drug SPAM problem..any fixes?

Posted by martin smith <ma...@ntlworld.com>.
M>-----Original Message-----
M>From: Matt Kettler [mailto:mkettler@evi-inc.com] 
M>Sent: 14 May 2005 18:37
M>To: Dan Simmons
M>Cc: users@spamassassin.apache.org
M>Subject: Re: {SPAM} Drug SPAM problem..any fixes?
M>
M>Dan Simmons wrote:
M>> Hi All,
M>> 
M>> I am having an issue with the following DRUG related spam.  Does 
M>> anyone have any rules to catch this?
M>> 
M>> Environment: SA 3.0.2 with network tests and the following 
M>SARE rule sets:
M><snip>
M>> X-SA-SysThreshold: 6.0
M>> 	0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 
M>1600-2000 bytes of words
M>> 	0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
M>> 	0.0 HTML_MESSAGE BODY: HTML included in message
M>> 
M>
M>For your message I got the following (SA 2.64 with Mail::SpamCopURI)
M>
M>SpamAssassin (score=7.908, required 5,	AB_URI_RBL 
M>1.00, BAYES_00 -4.90,
M>BLACK_URI_RBL 2.00,	HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
M>INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 
M>2.10, SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
M>
M>Most of that is URI blacklists from surbl (supported by SA 
M>3.x by default), as well as uribl.com (not supported in 
M>default config but I added it by hand)
M>

Trouble is with the SURBL is that you can receive a lot of these spams
before they get listed, they also seem to change domain name twice a day or
more to keep ahead of the listing, that's why I wanted something to block
them if they don't hit any black lists.

Martin


Re: {SPAM} Drug SPAM problem..any fixes?

Posted by Matt Kettler <mk...@evi-inc.com>.
Dan Simmons wrote:
> Hi All,
> 
> I am having an issue with the following DRUG related spam.  Does
> anyone have any rules to catch this?
> 
> Environment: SA 3.0.2 with network tests and the following SARE rule sets:
<snip>
> X-SA-SysThreshold: 6.0
> 	0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> 	0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> 	0.0 HTML_MESSAGE BODY: HTML included in message
> 

For your message I got the following (SA 2.64 with Mail::SpamCopURI)

SpamAssassin (score=7.908, required 5,	AB_URI_RBL 1.00, BAYES_00 -4.90,
BLACK_URI_RBL 2.00,	HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)

Most of that is URI blacklists from surbl (supported by SA 3.x by default), as
well as uribl.com (not supported in default config but I added it by hand)

I'd check to see if your URIBLs are working. SA 3.x supports them by default,
but you need a relatively recent Net::DNS for them to work.

Also, if you're using a ported package for your OS distribution instead of the
official SA packages, make sure you've got an init.pre file in your
configuration. If you don't, the URIBL plugin won't load.

RE: Drug SPAM problem..any fixes?

Posted by martin smith <ma...@ntlworld.com>.
M>-----Original Message-----
M>From: Dan Simmons [mailto:dn.simmons@gmail.com] 
M>Sent: 14 May 2005 18:13
M>To: users@spamassassin.apache.org
M>Subject: Drug SPAM problem..any fixes?
M>
M>Hi All,
M>
M>I am having an issue with the following DRUG related spam.  Does
M>anyone have any rules to catch this?
M>------=_Part_26268598_14758651.1312519906417
M>Content-Type: image/gif;
M>     name="Frccf.GIF"
M>Content-Transfer-Encoding: base64
M>Content-ID: <lrvnmnh_ywroot_rvdee>
M>

You could probably write a rule to catch it using a signature from the gif;
here's an example of one I have done for some viagra/cialis spam that uses a
gif:

full __MS_Drug_Gif /\bR0lGODlh/
full __MS__Gif /\bimage\/gif\b/i
meta MS_Drug_Gif __MS_Drug_Gif && __MS__Gif
score MS_Drug_Gif 5
describe MS_Drug_Gif Gif Used to Advertise Meds

R0lGODlh is the beginning of the gif when viewed raw

Martin
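The checks discussed in this thread, gathered into one added example (this is not code from the thread or from SpamAssassin; it only reimplements the ideas in Python so they can be run against a message offline): Matt's L_STRANGE_ID regex for the alternating digit/letter run, his point that Razor digests each MIME part and each URI separately, the HTTP_ESCAPED_HOST hit from the 2.64 score line, and Martin's rule that looks for R0lGODlh in the raw message. R0lGODlh is exactly the base64 encoding of "GIF89a", and R0lGODdh of "GIF87a", so the pattern below accepts both. The message is constructed here to resemble Dan's sample (image-only HTML, a percent-escaped host in the link, the long id string at the bottom); the 1x1 GIF, the From address and the host names are assumptions, not data from the original post, and plain SHA-1 stands in for Razor's own signature scheme.

```python
"""Added example: the thread's content checks, run over a constructed message."""
import email
import hashlib
import re
from email import policy
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import unquote, urlsplit

# Constructed 1x1 GIF89a (assumption: stands in for the original "Frccf.GIF").
GIF89A = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
          b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
          b"\x02\x02D\x01\x00;")
# The digit/letter run from the posted spam.
STRANGE_ID = ("8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s"
              "3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m")
# Host as written in the spam's href (the %2E escapes are the point).
HOST_A = "ziawahewpqs.net&pewubl0oep4l18elkzv6%2Eaeroseddicc%2Ecom"

STRANGE_ID_RE = re.compile(r"(?:\d[a-z]){50}")      # Matt's L_STRANGE_ID body rule
GIF_B64_RE = re.compile(rb"\bR0lGOD[dl]h")           # base64 of "GIF87a" / "GIF89a"
GIF_CT_RE = re.compile(rb"image/gif", re.I)          # Martin's __MS__Gif
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.I)


def build_sample(host: str, ident: str = STRANGE_ID) -> bytes:
    """Constructed multipart/related message shaped like the posted spam."""
    html = ('<HTML><BODY><A href="http://%s/"><IMG SRC="cid:img1" ALT=""></A>'
            '<p>Do cats eat bats? Do cats eat bats?<BR>%s</p></BODY></HTML>'
            % (host, ident))
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("", "plain"))
    alt.attach(MIMEText(html, "html"))
    msg = MIMEMultipart("related")
    msg["From"] = "Gregory Hicks <rc@example.invalid>"   # assumed address
    msg["Subject"] = "Re: dehorn ADVATE"
    msg.attach(alt)
    img = MIMEImage(GIF89A, "gif", name="Frccf.GIF")    # base64-encoded by default
    img.add_header("Content-ID", "<img1>")
    msg.attach(img)
    return msg.as_bytes()


def escaped_hosts(html: str) -> list:
    """HTTP_ESCAPED_HOST-style check: percent-escapes inside the host part of a
    link. Returns the decoded hosts so the real target is visible to the admin."""
    found = []
    for uri in HREF_RE.findall(html):
        netloc = urlsplit(uri).netloc
        if "%" in netloc:
            found.append(unquote(netloc))
    return found


def analyze(raw: bytes) -> dict:
    """Run the three rule-style checks; returns rule name -> fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    texts = [p.get_content() for p in msg.walk()
             if p.get_content_maintype() == "text"]
    htmls = [p.get_content() for p in msg.walk()
             if p.get_content_type() == "text/html"]
    return {
        # "body" rule: runs over the decoded text parts.
        "L_STRANGE_ID": any(STRANGE_ID_RE.search(t) for t in texts),
        # "full" rule: runs over the raw, still-base64 message bytes.
        "MS_Drug_Gif": bool(GIF_B64_RE.search(raw)) and bool(GIF_CT_RE.search(raw)),
        "HTTP_ESCAPED_HOST": any(escaped_hosts(h) for h in htmls),
    }


def part_digests(raw: bytes) -> dict:
    """Razor-style view: one digest per MIME leaf part and per URI, so a changed
    link domain leaves the image digest (and thus one match) intact."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    digests = {}
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    for i, part in enumerate(leaves):
        payload = part.get_payload(decode=True) or b""
        digests["%d:%s" % (i, part.get_content_type())] = hashlib.sha1(payload).hexdigest()
        if part.get_content_type() == "text/html":
            for uri in HREF_RE.findall(part.get_content()):
                digests["uri:" + uri] = hashlib.sha1(uri.encode()).hexdigest()
    return digests


if __name__ == "__main__":
    raw = build_sample(HOST_A)
    print(analyze(raw))
    print(escaped_hosts(email.message_from_bytes(raw, policy=policy.default)
                        .get_body(("html",)).get_content()))
    for k, v in part_digests(raw).items():
        print(k, v[:16])
```

Running it on the constructed spam fires all three checks. Building a second copy with a clean host and no id string shows the trade-off Matt describes: L_STRANGE_ID and HTTP_ESCAPED_HOST stay quiet, but the GIF signature still fires because any base64 GIF attachment starts with R0lGOD, so that rule's value depends on the score it is given rather than on it being spam-specific. Comparing part_digests() across two copies that differ only in the link domain shows the html and URI digests change while the image digest does not, which is the "three things to change" argument for Razor.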