Posted to users@spamassassin.apache.org by Rocco Scappatura <Ro...@sttspa.it> on 2007/07/31 10:03:30 UTC

Greeting card

It is possible to block the spam sent by GreetingCards.com which invites
the receiver to access an URL and browse the ecard?

I mean that spam which has subject similar to:

You've received a greeting ecard from a Colleague!

BR,

rocsca

Re: Greeting card

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Fri, Aug 03, 2007 at 11:17:30PM +0200, Matus UHLAR - fantomas wrote:
> > also, not everyone is using SARE rules, and I think that until SA devels
> > won't trust them to include them into SA, many admins will not install them.

On 03.08.07 18:14, Theo Van Dinter wrote:
> fwiw, it has nothing to do with trust.  SA (and all the rules, etc,)
> are distributed via the Apache Software License.  The SARE rules are not
> available via that license, the rules (generally) aren't donated to the
> SA project, and we can't just go stealing other people's stuff and put
> it into SA.
> 
> There's also been some disagreement wrt merging the projects (see list
> archives).

so I was mistaken... first note on their page mentions incorporating to
SpamAssassin.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
WinError #99999: Out of error messages.

Re: Greeting card

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Aug 03, 2007 at 11:17:30PM +0200, Matus UHLAR - fantomas wrote:
> also, not everyone is using SARE rules, and I think that until SA devels
> won't trust them to include them into SA, many admins will not install them.

fwiw, it has nothing to do with trust.  SA (and all the rules, etc,)
are distributed via the Apache Software License.  The SARE rules are not
available via that license, the rules (generally) aren't donated to the
SA project, and we can't just go stealing other people's stuff and put
it into SA.

There's also been some disagreement wrt merging the projects (see list
archives).

-- 
Randomly Selected Tagline:
"History is a tool used by politicians to justify their intentions."
 -- Ted Koppel

Re: Greeting card

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> Rocco Scappatura wrote:
> >It is possible to block the spam sent by GreetingCards.com which invites
> >the receiver to access an URL and browse the ecard?
> >
> >I mean that spam which has subject similar to:
> >
> >You've received a greeting ecard from a Colleague!

On 03.08.07 17:51, arni wrote:
> I really don't understand (once again) how that can get through at any of
> you guys' setups:
> 
> X-Spam-Report: 
> 	*  7.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> 	*      [score: 1.0000]

first, not everyone has BAYES_99 set to 7.5 - the default is 3.5, which requires
1.5 points more to score as spam by default.

Also, BAYES is a long-run thing. Spammers still try to avoid it and are
occasionally successful. People must care about BAYES filters, otherwise
they'll stop being effective.

> 	*  3.0 BOTNET Relay might be a spambot or virusbot
> 	*      
> 	[botnet0.7,ip=75.111.124.140,hostname=c75-111-124-140.mdldcmtk01.tx.dh.suddenlink.net,client,ipinhostname]

also, not everyone is using SARE rules, and I think that until SA devels
won't trust them to include them into SA, many admins will not install them.



-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer

Re: Greeting card

Posted by arni <ma...@arni.name>.
Rocco Scappatura wrote:
> It is possible to block the spam sent by GreetingCards.com which invites
> the receiver to access an URL and browse the ecard?
>
> I mean that spam which has subject similar to:
>
> You've received a greeting ecard from a Colleague!
>
> BR,
>
> rocsca
>
>   

I really don't understand (once again) how that can get through at any of
you guys' setups:

X-Spam-Report: 
	*  7.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
	*  2.1 TVD_FINGER_02 TVD_FINGER_02
	*  2.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
	*      1)
	*  0.0 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
	*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
	*      [75.111.124.140 listed in zen.spamhaus.org]
	*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	*      [Blocked - see <http://www.spamcop.net/bl.shtml?75.111.124.140>]
	*  0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
	*      [75.111.124.140 listed in dnsbl.sorbs.net]
	*  3.0 BOTNET Relay might be a spambot or virusbot
	*      [botnet0.7,ip=75.111.124.140,hostname=c75-111-124-140.mdldcmtk01.tx.dh.suddenlink.net,client,ipinhostname]
	*  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
	*       signs some mails
	*  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
	*      [botnet_ipinhosntame,ip=75.111.124.140,rdns=c75-111-124-140.mdldcmtk01.tx.dh.suddenlink.net]
	*  0.0 BOTNET_CLIENT Relay has a client-like hostname
	*      [botnet_client,ip=75.111.124.140,hostname=c75-111-124-140.mdldcmtk01.tx.dh.suddenlink.net,ipinhostname]
	*  1.9 RCVD_ILLEGAL_IP Received: contains illegal IP address
	*  0.0 HS_INDEX_PARAM URI: Link contains a common tracker pattern.
	*  0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
	*  1.5 IXHASH BODY: This mail has been classified as spam @ iX Magazine,
	*      Germany
	*  1.5 LOGINHASH2 BODY: mail has been classified as spam @ unknown company,
	*       Germany
	*  1.5 LOGINHASH1 BODY: mail has been classified as spam @ LogIn&Solutions
	*      AG, Germany
	*  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
	*      above 50%
	*      [cf: 100]
	*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
	*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
	*      [cf: 100]
	*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
	*  0.0 DIGEST_MULTIPLE Message hits more than one network digest check
	*  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
	*      dynamic-looking rDNS



it's scoring huge for me,

arni

Re: Greeting card

Posted by Michael Schout <ms...@gkg.net>.
Duane Hill wrote:
> There is already a test SA does for a dotted-decimal IP in a URL:

Yeah, I was afraid of false positives by raising the score of that rule.
So I made my own rule that only matches these specific urls (with the
MD5 sum) instead.

Regards,
Michael Schout

Re: Greeting card

Posted by Duane Hill <d....@yournetplus.com>.
On Fri, 3 Aug 2007 at 08:03 -0500, mschout@gkg.net confabulated:

> Rocco Scappatura wrote:
>> It is possible to block the spam sent by GreetingCards.com which invites
>> the receiver to access an URL and browse the ecard?
>
> All of the ones I have received have a url with a numeric ip, followed
> by usually a 32 character string in the url (MD5 hash?).
>
> Here is my rule that traps them.  I have not seen any get through after
> this:
>
> body     LOCAL_POSTCARD_URL  m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
> describe LOCAL_POSTCARD_URL  Body contains postcard scam url
> score    LOCAL_POSTCARD_URL  3.0

There is already a test SA does for a dotted-decimal IP in a URL:

   NORMAL_HTTP_TO_IP

I have its score set to 2.5. It appears the default score is .001.

-------
   _|_
  (_| |

Re: Greeting card

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 3 Aug 2007, Michael Schout wrote:

> Here is my rule that traps them.  I have not seen any get through
> after this:
> 
> body     LOCAL_POSTCARD_URL  m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
> describe LOCAL_POSTCARD_URL  Body contains postcard scam url
> score    LOCAL_POSTCARD_URL  3.0

That's a useful general rule. Here's a revision as a URI rule rather 
than a BODY rule:

describe DQ_URI_ONLY_ARGS  Dotted-Quad URI with only CGI arguments
uri      DQ_URI_ONLY_ARGS  m'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'

I've added this into 
http://www.impsec.org/~jhardin/antispam/postcards.cf too.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.                                -- fwadling on Y! SCOX
----------------------------------------------------------------------
 Tomorrow: The 272nd anniversary of John Peter Zenger's acquittal


Re: Greeting card

Posted by Michael Schout <ms...@gkg.net>.
Rocco Scappatura wrote:
> It is possible to block the spam sent by GreetingCards.com which invites
> the receiver to access an URL and browse the ecard?

All of the ones I have received have a url with a numeric ip, followed
by usually a 32 character string in the url (MD5 hash?).

Here is my rule that traps them.  I have not seen any get through after
this:

body     LOCAL_POSTCARD_URL  m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
describe LOCAL_POSTCARD_URL  Body contains postcard scam url
score    LOCAL_POSTCARD_URL  3.0

Regards,
Michael Schout


Re: Greeting card

Posted by Igor Chudov <ic...@Algebra.Com>.
On Tue, Jul 31, 2007 at 10:03:30AM +0200, Rocco Scappatura wrote:
> It is possible to block the spam sent by GreetingCards.com which invites
> the receiver to access an URL and browse the ecard?
> 
> I mean that spam which has subject similar to:
> 
> You've received a greeting ecard from a Colleague!

Here's my rule for it.

header   IGOR_POSTCARD_VIRUS Subject =~ /you\'ve received (a|an) (greeting (e)?card|ecard|postcard) from a\b/i
score    IGOR_POSTCARD_VIRUS 3
describe IGOR_POSTCARD_VIRUS PostCard virus

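A small Python harness, added here as an illustration and not code from any post in this thread, that applies the three rules quoted above (Michael Schout's body rule, John Hardin's uri revision, and Igor Chudov's Subject rule) to constructed messages. It approximates SpamAssassin's body and uri views with simple tag stripping and href extraction, which is an assumption made for illustration rather than SA's own rendering; the sample messages are constructed and use documentation address space.

```python
import re
from email import message_from_string

# The three rules posted in this thread, regexes copied as written
# (the Perl m'...' and /.../i patterns map directly onto Python re here).
RULES = {
    "LOCAL_POSTCARD_URL": ("body", re.compile(r"http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}")),
    "DQ_URI_ONLY_ARGS": ("uri", re.compile(r"^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}")),
    "IGOR_POSTCARD_VIRUS": ("header", re.compile(
        r"you've received (a|an) (greeting (e)?card|ecard|postcard) from a\b", re.I)),
}

TAG_RE = re.compile(r"<[^>]+>")
HREF_RE = re.compile(r"""href=["']?([^"' >]+)""", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def rendered_body(raw_body):
    """Rough stand-in for what SA 'body' rules see: tags stripped, text only (assumption)."""
    return " ".join(TAG_RE.sub(" ", raw_body).split())

def extract_uris(raw_body):
    """Rough stand-in for what SA 'uri' rules see: href targets plus bare URLs (assumption)."""
    return HREF_RE.findall(raw_body) + URL_RE.findall(rendered_body(raw_body))

def evaluate(raw_message):
    """Return the names of the thread's rules that fire on an RFC 822 message."""
    msg = message_from_string(raw_message)
    subject, body = msg.get("Subject", ""), msg.get_payload()
    hits = []
    for name, (kind, rx) in RULES.items():
        if kind == "header" and rx.search(subject):
            hits.append(name)
        elif kind == "body" and rx.search(rendered_body(body)):
            hits.append(name)
        elif kind == "uri" and any(rx.search(u) for u in extract_uris(body)):
            hits.append(name)
    return hits

# Constructed samples (not real mail); 192.0.2.x is documentation address space.
PLAIN_ECARD = ("Subject: You've received a greeting ecard from a Colleague!\n\n"
               "View it at http://192.0.2.10/?0123456789abcdef0123456789abcdef\n")
# The link lives only in an href, so the rendered body never contains it:
# the body rule misses it while the uri rule still fires.
HTML_ECARD = ("Subject: You've received a postcard from a family member\n"
              "Content-Type: text/html\n\n"
              '<a href="http://192.0.2.10/?0123456789abcdef0123456789abcdef">Click</a>\n')
# Dotted-quad URL without the hex argument: none of these narrow rules fire,
# which is the false-positive case a raised generic dotted-quad score would risk.
INTRANET_HAM = ("Subject: Re: Greeting card\n\n"
                "The intranet is at http://192.0.2.20/index.html as before.\n")
```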

Re: Greeting card

Posted by David Baron <d_...@012.net.il>.
On Tuesday 31 July 2007, Rocco Scappatura wrote:
> It is possible to block the spam sent by GreetingCards.com which invites
> the receiver to access an URL and browse the ecard?
>
> I mean that spam which has subject similar to:
>
> You've received a greeting ecard from a Colleague!

Mine stops it fine. Probably trained bayes for these but the URL might be on 
one of those lists such as razor, botnet, etc.

Re: Greeting card

Posted by Johann Spies <js...@sun.ac.za>.
On Tue, Jul 31, 2007 at 10:03:30AM +0200, Rocco Scappatura wrote:
> It is possible to block the spam sent by GreetingCards.com which invites
> the receiver to access an URL and browse the ecard?
> 
> I mean that spam which has subject similar to:
> 
> You've received a greeting ecard from a Colleague!
> 

Since we started using Clamav most (almost all) of that spam is
refused.

Regards
Johann

-- 
Johann Spies          Telephone: 021-808 4036
Information Technology, Universiteit van Stellenbosch

     "Have not I commanded thee? Be strong and of a good 
      courage; be not afraid, neither be thou dismayed; for 
      the LORD thy God is with thee whithersoever thou 
      goest."                        Joshua 1:9 

Re: Greeting card

Posted by Diego Pomatta <in...@abelsonsa.com.ar>.
Rocco Scappatura wrote:
> It is possible to block the spam sent by GreetingCards.com which invites
> the receiver to access an URL and browse the ecard?
>
> I mean that spam which has subject similar to:
>
> You've received a greeting ecard from a Colleague!
>
> BR,
>
> rocsca
>
>
>   

I asked something about custom rules yesterday. Since the rule I used as 
example (and one I was going to implement) had something to do with 
greeting ecards, Dan Barker suggested this link:

http://www.impsec.org/~jhardin/antispam/postcards.cf

I used it, and it worked.
Saved time, didn't have to write the rules myself. ;)

All you have to do is copy the file postcards.cf to your preferences directory (/etc/mail/spamassassin in my case) and restart spamd, if you use it.

/Regards