Posted to users@spamassassin.apache.org by "James E. Pratt" <jp...@norwich.edu> on 2008/03/19 13:21:20 UTC
blogspot spam
Hi. I'm seeing lots of these get by:
http://pastebin.com/m8520d64
anyone have a rule for these?
The last one I put up is at:
http://pastebin.com/m159c02de
Thanks,
Jamie
Re: blogspot spam
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Friday 21 March 2008 04:27:05 Loren Wilton wrote:
> body SOFTWARE_AD /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
>
> You probably want to adjust this a little bit. There are a few things here
> that make me think you aren't getting quite what you expect.
>
> 1. Remove that first vertical bar. It serves no purpose.
right. i removed that right after i sent it to the ML ;)
> 2. You probably do not want \b between the words. This is a word-break
> "zero length character". You almost certainly don't want a zero-length
> character, you want a space or something like that.
yeah just didn't figure out how
> So the rule should probably look more like:
>
> body SOFTWARE_AD /(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh|\bOriginalversionen\b.{0,100}\blegal\b)/i
>
> Loren
awesome. thanks a lot
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
Re: blogspot spam
Posted by Loren Wilton <lw...@earthlink.net>.
body SOFTWARE_AD /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
You probably want to adjust this a little bit. There are a few things here
that make me think you aren't getting quite what you expect.
1. Remove that first vertical bar. It serves no purpose.
2. You probably do not want \b between the words. This is a word-break
"zero length character". You almost certainly don't want a zero-length
character, you want a space or something like that.
So the rule should probably look more like:
body SOFTWARE_AD /(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh|\bOriginalversionen\b.{0,100}\blegal\b)/i
Loren
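The two points in the reply above can be checked directly. This is an added example, not code from the thread: it runs the rule as first posted and the revised rule over constructed sample lines, using Python's re module in place of Perl (the constructs involved behave the same in both). The sample texts and helper names are assumptions.

```python
import re

# Rule as first posted; Perl's /.../i becomes re.IGNORECASE.
ORIGINAL = re.compile(
    r"(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh"
    r"|\bOriginalversionen\b.*\blegal\b)", re.I)
# Revised rule from the reply.
REVISED = re.compile(
    r"(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh"
    r"|\bOriginalversionen\b.{0,100}\blegal\b)", re.I)
# Single alternatives of the original, isolated to show their behaviour.
WORD_BREAKS = re.compile(r"Windows\bund\bmit\bMacintosh", re.I)
UNBOUNDED = re.compile(r"\bbezahlen.*runterladen", re.I)

# Constructed sample body lines (not taken from the pastebin links).
SAMPLES = {
    "ad_phrase": "Kompatibel mit Windows und mit Macintosh",
    "ad_pay": "Einmal bezahlen und sofort runterladen",
    "ham": "Das Meeting ist um 10 Uhr im Raum 3",
    "far_apart": "bezahlen " + "x" * 200 + " runterladen",
}

def hits(pattern):
    """Return the names of the samples the pattern matches."""
    return {name for name, text in SAMPLES.items() if pattern.search(text)}

def matched_text(pattern, text):
    """Return the substring the pattern matched, or None if no match."""
    m = pattern.search(text)
    return None if m is None else m.group(0)

if __name__ == "__main__":
    # The empty first alternative matches the empty string, so every
    # line hits, including the non-spam one.
    print("original   :", sorted(hits(ORIGINAL)))
    # \b between two words never matches: after "Windows" the next
    # character is a space, not "u".
    print("word breaks:", sorted(hits(WORD_BREAKS)))
    # .* spans any distance on a line; .{0,50} does not.
    print("unbounded  :", sorted(hits(UNBOUNDED)))
    print("revised    :", sorted(hits(REVISED)))
```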
Re: blogspot spam
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Wednesday 19 March 2008 21:37:27 Loren Wilton wrote:
> This is just off the top of my head, and needs linting and maybe tweaking
> the scores.
>
> uri BAD_BLOGSPOT m'http://[a-z]+\d+\.blogspot\.com'i
> score BAD_BLOGSPOT 1
>
> body __SOFTWARES /(?:product|software|softs|opportunity|oem|best
> prices|low prices|discount|cheap)/i
>
> meta BLOG_SOFTWARE BAD_BLOGSPOT && __SOFTWARES
> score BLOG_SOFTWARE 3.5
>
> Mind the wrap!
yes! thanks a lot. based on that wrap i figured i could glue it with uri grey
(yes uribl is listing geocities in grey now)
body SOFTWARE_AD /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
score SOFTWARE_AD 0.5
describe SOFTWARE_AD advertising software
meta SOFT_AND_URIGREY URIBL_GREY && SOFTWARE_AD
score SOFT_AND_URIGREY 3.0
describe SOFT_AND_URIGREY contains both an url in the URIBL greylist and software advertisement
that helps a lot.
Content analysis details:   (10.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 SOFTWARE_AD            BODY: advertising software
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [79.6.185.72 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [79.6.185.72 listed in zen.spamhaus.org]
 0.8 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.6.185.72 listed in zen.spamhaus.org]
 1.0 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: geocities.com]
 3.0 SOFT_AND_URIGREY       contains both an url in the URIBL greylist and
                            software advertisement
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
Re: blogspot spam
Posted by Loren Wilton <lw...@earthlink.net>.
>> http://pastebin.com/m8520d64
>>
>> http://pastebin.com/m159c02de
>>
This is just off the top of my head, and needs linting and maybe tweaking
the scores.
uri BAD_BLOGSPOT m'http://[a-z]+\d+\.blogspot\.com'i
score BAD_BLOGSPOT 1
body __SOFTWARES /(?:product|software|softs|opportunity|oem|best
prices|low prices|discount|cheap)/i
meta BLOG_SOFTWARE BAD_BLOGSPOT && __SOFTWARES
score BLOG_SOFTWARE 3.5
Mind the wrap!
Loren
RE: blogspot spam
Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: Arvid Ephraim Picciani [mailto:aep@ibcsolutions.de]
> Sent: Thursday, 20 March 2008 9:04 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: blogspot spam
>
> On Wednesday 19 March 2008 20:48:00 Michael Hutchinson wrote:
> > For those that don't run SA 3.2.3, you could test this rule:
> > uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> > describe CST_URI_BLOGSPOT blogspot.com throwaway URI
> > score CST_URI_BLOGSPOT 3.4
>
> thanks Mike, does that match bloglinks like myblog.blogspot.com/myentryxy ?
Apparently, yes :) I have not seen any come through since I employed the
rule. I am sure you'd be able to modify the RegExp if required, making
it match, say up to 12 characters (of anything) past the / after .com
I'm pretty sure you won't need to do that. Employ it and score it at 0.01
to test it :)
> if not it might be fine for around 1.0 points imo. i have sare_oem on 3.0
> because our entire company runs linux, so we don't talk about windows
> software anyway :P
> i'd prefer a working uribl though :(
HEH, I've just gone thru and rescored a pile of URIBL stuff.. this
combined with our recent addition of pyzor has started to score spam
hard.
Cheers,
Mike
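The question in the exchange above (does the rule match a link with a path after .com) can be answered by running the posted patterns over a few URIs. This is an added example, not code from the thread: it tests the two uri regexes as plain regular expressions in Python and does not model SpamAssassin's own URI parsing. All URIs are constructed.

```python
import re

# URI patterns as posted in the thread; Perl's m,..., and m'...'i
# delimiters are dropped and the trailing "i" becomes re.IGNORECASE.
RULES = {
    "CST_URI_BLOGSPOT": re.compile(r"http://\w+\.blogspot\.com\b"),
    "BAD_BLOGSPOT": re.compile(r"http://[a-z]+\d+\.blogspot\.com", re.I),
}

# Constructed URIs (assumption: none come from the pastebin samples).
URIS = [
    "http://myblog.blogspot.com/myentryxy",   # the form asked about
    "http://abc123.blogspot.com",             # letters followed by digits
    "http://my-blog.blogspot.com/",           # hyphen is not part of \w
    "https://myblog.blogspot.com/",           # scheme is not http://
    "http://blogspot.com/",                   # no subdomain label
    "http://www.blogspot.com.example.net/",   # a different registered domain
]

def matches(rule_name):
    """Return the constructed URIs that the named rule's regex matches."""
    pattern = RULES[rule_name]
    return [u for u in URIS if pattern.search(u)]

def report():
    """Map each URI to the sorted list of rule names that hit it."""
    return {u: sorted(n for n, p in RULES.items() if p.search(u))
            for u in URIS}

if __name__ == "__main__":
    for uri, rules in report().items():
        print(f"{uri:40} {', '.join(rules) or '-'}")
```

The last URI is the false-positive case to watch when scoring: \b is satisfied between "com" and the following ".", so a host that merely contains ".blogspot.com" as a prefix also hits.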
Re: blogspot spam
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Wednesday 19 March 2008 20:48:00 Michael Hutchinson wrote:
> For those that don't run SA 3.2.3, you could test this rule:
> uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> describe CST_URI_BLOGSPOT blogspot.com throwaway URI
> score CST_URI_BLOGSPOT 3.4
thanks Mike, does that match bloglinks like myblog.blogspot.com/myentryxy ?
if not it might be fine for around 1.0 points imo. i have sare_oem on 3.0
because our entire company runs linux, so we don't talk about windows
software anyway :P
i'd prefer a working uribl though :(
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
RE: blogspot spam
Posted by Evan Platt <ev...@espphotography.com>.
At 12:48 PM 3/19/2008, Michael Hutchinson wrote:
>For those that don't run SA 3.2.3, you could test this rule:
>
>uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
>describe CST_URI_BLOGSPOT blogspot.com throwaway URI
>score CST_URI_BLOGSPOT 3.4
>
>A few people disagree with this, as it will score against legitimate
>email for some domains. I created it for our site as we do not receive
>newsletters with blogspot links, so we hose the emails with 3.4 points,
>which is enough to push them over the 5.0 threshold, as they score on
>other rules too.
>
>Be warned, beware, don't use this unless you're really sure you don't
>want blogspot links in emails. Customers might become annoyed.
>
>(Ours haven't, though, and it's been a month).
Blogspot is a spamhaven. I've been back and forth with their clueless
abuse desk, and they've confirmed that basically if they shut down a
blogspot site for spamming, there's nothing to prevent the spammer
from creating the site again.
Oh, sure, it may say "This website has been disabled" - until the
spammer recreates the site.
Kind of like throwing someone in jail, but not locking the cell, and
then going home for the night.
Yes, I've got blogspot spams I've reported 2+ years ago.
Oldest one is 07/26/2005: http://1stpromotion.youknowtherest.com
RE: blogspot spam
Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: Yet Another Ninja [mailto:sa-list@alexb.ch]
> Sent: Thursday, 20 March 2008 1:48 a.m.
> To: Arvid Ephraim Picciani
> Cc: users@spamassassin.apache.org
> Subject: Re: blogspot spam
>
> On 3/19/2008 1:24 PM, Arvid Ephraim Picciani wrote:
> > On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> >> Hi. I'm seeing lots of these get by:
> >>
> >> http://pastebin.com/m8520d64
> >>
> >> anyone have a rule for these?
> >>
> >> The last one I put up is at:
> >>
> >> http://pastebin.com/m159c02de
> >>
> >> Thanks,
> >>
> >> Jamie
> >
> > yeah exactly my issue. the site is in uribl already but sa doesn't work with
> > uribl and subdomains. see previous posts.
> > SARE_OEM helps a little.
> >
>
> it does work!
>
> if running > SA 3.2.3 add to local.cf:
>
> util_rb_2tld blogspot.com
>
For those that don't run SA 3.2.3, you could test this rule:
uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
describe CST_URI_BLOGSPOT blogspot.com throwaway URI
score CST_URI_BLOGSPOT 3.4
A few people disagree with this, as it will score against legitimate
email for some domains. I created it for our site as we do not receive
newsletters with blogspot links, so we hose the emails with 3.4 points,
which is enough to push them over the 5.0 threshold, as they score on
other rules too.
Be warned, beware, don't use this unless you're really sure you don't
want blogspot links in emails. Customers might become annoyed.
(Ours haven't, though, and it's been a month).
Cheers,
Mike
Re: blogspot spam
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 3/19/2008 1:24 PM, Arvid Ephraim Picciani wrote:
> On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
>> Hi. I'm seeing lots of these get by:
>>
>> http://pastebin.com/m8520d64
>>
>> anyone have a rule for these?
>>
>> The last one I put up is at:
>>
>> http://pastebin.com/m159c02de
>>
>> Thanks,
>>
>> Jamie
>
> yeah exactly my issue. the site is in uribl already but sa doesn't work with
> uribl and subdomains. see previous posts.
> SARE_OEM helps a little.
>
it does work!
if running > SA 3.2.3 add to local.cf:
util_rb_2tld blogspot.com
Re: blogspot spam
Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> Hi. I'm seeing lots of these get by:
>
> http://pastebin.com/m8520d64
>
> anyone have a rule for these?
>
> The last one I put up is at:
>
> http://pastebin.com/m159c02de
>
> Thanks,
>
> Jamie
yeah exactly my issue. the site is in uribl already but sa doesn't work with
uribl and subdomains. see previous posts.
SARE_OEM helps a little.
--
best regards
Arvid Ephraim Picciani
Re: blogspot spam
Posted by Benny Pedersen <me...@junc.org>.
On Wed, March 19, 2008 13:21, James E. Pratt wrote:
> http://pastebin.com/m8520d64
> http://pastebin.com/m159c02de
http://www.gossamer-threads.com/lists/spamassassin/users/90664
Botnet plugin hits them nicely
Benny Pedersen