Posted to users@spamassassin.apache.org by Steve Lake <st...@raiden.net> on 2006/11/10 18:51:37 UTC

Well, that didn't take very bloody long

         Ok, remember that "Name Wrote: :)" emails?  They've completely 
changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find 
any common elements in these emails because whoever this putz is, they're 
adapting a lot.  They hit us, we adapt, they immediately change tactics and 
come at us again.  Now with all the brilliant minds on this mailing list, 
we really should be able to find out who this putz is and nail all his 
stuff regardless of what tactic he switches to.


Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community



Re: rule secrecy *again* (Re: Well, that didn't take very bloody long)

Posted by Steve Lake <st...@raiden.net>.
At 12:27 PM 11/11/2006 +0000, Justin Mason wrote:
>ho hum... here we go again. :(
>
>As I've noted several times recently -- these *are* being caught by rules
>which were developed "in the open" -- namely RCVD_FORGED_WROTE, which has
>been sitting in my sandbox for several weeks, was announced in a checkin
>message (with diffs!), and is currently "live" in both trunk and 3.1.x
>rule updates.

         Yeah, I pushed my updates for SA and now it seems that those spams 
aren't getting through anymore.  heh.  I can't wait for this spam war to 
end so I can go back to my more laid back 3 month cycle of updates instead 
of 3-4x's a day.  :(


Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community



Re: Well, that didn't take very bloody long

Posted by Loren Wilton <lw...@earthlink.net>.
>         Ok, remember that "Name Wrote: :)" emails?  They've completely 
> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find 
> any common elements in these emails because whoever this putz is, they're 
> adapting a lot.  They hit us, we adapt, they immediately change tactics 
> and come at us again.  Now with all the brilliant minds on this mailing 
> list, we really should be able to find out who this putz is and nail all 
> his stuff regardless of what tactic he switches to.

The reason they adapt is because there are detailed announcements on the 
mailing list of the things that are easy to spot.  The guy sending these is 
on the list too, so as soon as the oversight or excessive cleverness is 
announced to the world, he knows what he has to fix.

If someone wants to catch these (and they are pretty easy), figure it out 
yourself and install rules QUIETLY.

        Loren


Re: Well, that didn't take very bloody long

Posted by Jon Trulson <jo...@radscan.com>.
On Fri, 10 Nov 2006, Steve Lake wrote:

>        Ok, remember that "Name Wrote: :)" emails?  They've completely 
> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find any 
> common elements in these emails because whoever this putz is, they're 
> adapting a lot.  They hit us, we adapt, they immediately change tactics and 
> come at us again.  Now with all the brilliant minds on this mailing list, we 
> really should be able to find out who this putz is and nail all his stuff 
> regardless of what tactic he switches to.
>

         BAYES! :)

         Of course they change their tactics.  Hell, they probably read
         this list, and every time someone posts a rule to 'defeat' it,
         they make a simple change and start a new run.  Why are you
         surprised by this?

         Trying to write rules for everything they could possibly
         tweak is an impossible task.

         It is completely *trivial* for them to bypass the rule of the
         day.  I have seen the latest variant as well, and good old
         bayes is *still* catching every single one of them (bayes 99).

         Look into bayes, and train it well.  See the previous threads
         about bumping up the scores for bayes 95 and 99.  YMMV of
         course, but it has been *extremely* successful at work and at
         home in the few years we've been using spamassassin.

         Expect them to adapt.  It's their job after all.  Use a tool
         that can adapt as well :)


-- 
Jon Trulson
mailto:jon@radscan.com 
#include <std/disclaimer.h>
"No Kill I" -Horta
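To make Jon's point concrete, here is a small added example (not code from the thread, from SpamAssassin, or from any poster) of why a token-based Bayes classifier keeps catching a run after the spammer swaps the "Name wrote: :)" opener for "hi username": the opener is one or two tokens, while the body of a stock pump is full of tokens that only ever appear in spam. The training corpus, the hypothetical `rule_of_the_day` regex standing in for a hand-written rule, and the test messages are all constructed here and are not real spam samples; the classifier is a plain multinomial naive Bayes with Laplace smoothing, not SpamAssassin's own Bayes implementation.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word/number tokens, the crudest useful tokenizer."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes over tokens with add-one (Laplace) smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def log_odds(self, text):
        """log P(spam|text) - log P(ham|text); positive means spam."""
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        v = len(vocab)
        total = {label: sum(c.values()) for label, c in self.counts.items()}
        # class prior from training document counts
        score = math.log(self.docs["spam"]) - math.log(self.docs["ham"])
        for tok in tokenize(text):
            p_spam = (self.counts["spam"][tok] + 1) / (total["spam"] + v)
            p_ham = (self.counts["ham"][tok] + 1) / (total["ham"] + v)
            score += math.log(p_spam) - math.log(p_ham)
        return score

    def spam_probability(self, text):
        return 1.0 / (1.0 + math.exp(-self.log_odds(text)))


# Hypothetical "rule of the day": matches the first-round opener only.
RULE_OF_THE_DAY = re.compile(r"\b\w+ \w+ wrote: :\)")


def rule_of_the_day(text):
    return RULE_OF_THE_DAY.search(text) is not None


# Constructed training corpus (not real mail): three first-round stock
# pumps with the "Name wrote: :)" opener, and three ordinary messages.
SPAM = [
    "Bob Smith wrote: :) Hot stock alert! Buy shares of ACME now, price target 5.00, this stock will rocket",
    "Jane Doe wrote: :) Stock alert: ACME shares, huge price target, strong buy, rocket",
    "Tom Jones wrote: :) Investor alert, ACME stock price target, shares up, buy",
]
HAM = [
    "Hi Bob, are we still on for lunch tomorrow? Let me know which restaurant",
    "Hi team, the meeting moved to Thursday, please update your calendars",
    "Thanks for the report, I reviewed the draft and have a few comments attached",
]

# Constructed second-round variant: same body, "hi username" opener.
VARIANT = "hi bob, ACME stock alert, shares at a bargain price, target 5.00, buy now, this stock will rocket"
HAM_TEST = "hi bob, lunch tomorrow? the meeting moved to thursday"


def build_classifier():
    nb = NaiveBayes()
    for msg in SPAM:
        nb.train("spam", msg)
    for msg in HAM:
        nb.train("ham", msg)
    return nb


if __name__ == "__main__":
    nb = build_classifier()
    print("rule hits first round :", rule_of_the_day(SPAM[0]))
    print("rule hits variant     :", rule_of_the_day(VARIANT))
    print("bayes P(spam) variant :", round(nb.spam_probability(VARIANT), 4))
    print("bayes P(spam) ham     :", round(nb.spam_probability(HAM_TEST), 4))
```

The regex drops to zero hits the moment the opener changes, while the Bayes score barely moves, because "acme", "shares", "price", "target" and "buy" each carry a positive log-odds contribution that the opener cannot cancel. This is also the reason the advice in the thread is to train Bayes on a handful of each new round rather than to chase the opener.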


Re: Well, that didn't take very bloody long

Posted by jdow <jd...@earthlink.net>.
From: "Steve Lake" <st...@raiden.net>
>         Ok, remember that "Name Wrote: :)" emails?  They've completely 
> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find 
> any common elements in these emails because whoever this putz is, they're 
> adapting a lot.  They hit us, we adapt, they immediately change tactics and 
> come at us again.  Now with all the brilliant minds on this mailing list, 
> we really should be able to find out who this putz is and nail all his 
> stuff regardless of what tactic he switches to.

I believe the record will show that I more or less predicted this with
the first postings of the "wrote" spam.

Obvious single features that are easily changeable are lousy for using
as rules. I figure they are digital prestidigitation - misdirect your
eye to where you want them to look so they don't notice the hard to
change features.

{^_-}

Re: Well, that didn't take very bloody long

Posted by Duane Hill <d....@yournetplus.com>.
Kelson wrote:
> Steve Lake wrote:
>>         Ok, remember that "Name Wrote: :)" emails?  They've completely 
>> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone 
>> find any common elements in these emails because whoever this putz is, 
>> they're adapting a lot.  They hit us, we adapt, they immediately 
>> change tactics and come at us again.
> 
> I wrote a couple of rules for the first two rounds -- "name wrote:" and 
> "it's name :)".  I've stopped bothering.
> 
> Between the SARE stock rules, header checks, and Bayes -- especially 
> Bayes -- the only place I'm seeing these show up "uncaught" now is my 
> spamtraps, and those haven't been run through SA in the first place.

Most of mine here are hitting with Bayes as well. I've only seen a 
couple make it through. All others have been routed to my local folder 
for Spam. Here are the scores from one such:

X-Spam-Level: xxxxxxxxxxxxxxx
X-Spam-Status: Hits:15.0 Learn:no Tests:BAYES_99,
DATE_IN_FUTURE_06_12,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
RAZOR2_CHECK,SARE_CSBIG,SARE_MLB_Stock1,SARE_MLB_Stock5,TVD_STOCK1

> I've concluded the subject line is a trap.  They make it so consistent 
> that it just begs to be targeted, then they change it to another 
> consistent rule just to yank our chains and keep us busy.
> 
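An added example (not from the thread or from SpamAssassin itself) that parses the kind of X-Spam-Level / X-Spam-Status pair Duane quotes above, so you can tally which rule families are doing the work across a folder of caught spam. The sample header below is constructed to mirror the quoted one, including the continuation lines a mail client produces when the Tests list wraps; the `Hits:`/`Learn:`/`Tests:` layout is the one shown on the page, not SpamAssassin's default `score=... tests=...` header format, so adjust the regexes if your add_header template differs.

```python
import re
from collections import Counter

# Constructed sample mirroring the quoted header pair; the Tests list is
# wrapped across lines with no leading whitespace, as it appears when pasted.
SAMPLE_HEADERS = """\
X-Spam-Level: xxxxxxxxxxxxxxx
X-Spam-Status: Hits:15.0 Learn:no Tests:BAYES_99,
DATE_IN_FUTURE_06_12,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
RAZOR2_CHECK,SARE_CSBIG,SARE_MLB_Stock1,SARE_MLB_Stock5,TVD_STOCK1
"""

# A line that starts a new header: name, then a colon.
HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")


def unfold(raw):
    """Join continuation lines onto the header they belong to.

    Accepts both RFC 5322 folding (continuation starts with whitespace) and
    the whitespace-less wrapping seen when a header is pasted into a message:
    any line that does not look like 'Name:' is treated as a continuation."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if HEADER_START.match(line) or not headers:
            headers.append(line.strip())
        else:
            headers[-1] += " " + line.strip()
    return headers


def parse_spam_status(headers):
    """Extract level, hits, learn flag and the list of rule names."""
    info = {"level": 0, "hits": None, "learn": None, "tests": []}
    for header in headers:
        name, _, value = header.partition(":")
        value = value.strip()
        if name.lower() == "x-spam-level":
            info["level"] = value.count("x")
        elif name.lower() == "x-spam-status":
            m = re.search(r"Hits:([\d.]+)", value)
            if m:
                info["hits"] = float(m.group(1))
            m = re.search(r"Learn:(\w+)", value)
            if m:
                info["learn"] = m.group(1)
            m = re.search(r"Tests:(.*)$", value)
            if m:
                info["tests"] = [t.strip() for t in m.group(1).split(",") if t.strip()]
    return info


def rule_families(tests):
    """Count rule names by prefix (BAYES, RAZOR2, SARE, ...) to see which layer fired."""
    families = Counter()
    for test in tests:
        families[test.split("_", 1)[0]] += 1
    return families


def bayes_bucket(tests):
    """Highest BAYES_NN bucket that fired, or None if Bayes did not fire."""
    buckets = [int(t[len("BAYES_"):]) for t in tests if re.fullmatch(r"BAYES_\d+", t)]
    return max(buckets) if buckets else None


if __name__ == "__main__":
    parsed = parse_spam_status(unfold(SAMPLE_HEADERS))
    print("hits  :", parsed["hits"], "level:", parsed["level"], "learn:", parsed["learn"])
    print("bayes :", bayes_bucket(parsed["tests"]))
    print("by family:", dict(rule_families(parsed["tests"])))
```

Run over a whole spam folder, `rule_families` makes it obvious whether a run is being stopped by Bayes, by Razor, or by the SARE stock rules, which is the number you want before deciding whether a new hand-written rule is worth the effort.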


Re: Well, that didn't take very bloody long

Posted by Kelson <ke...@speed.net>.
Steve Lake wrote:
>         Ok, remember that "Name Wrote: :)" emails?  They've completely 
> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find 
> any common elements in these emails because whoever this putz is, 
> they're adapting a lot.  They hit us, we adapt, they immediately change 
> tactics and come at us again.

I wrote a couple of rules for the first two rounds -- "name wrote:" and 
"it's name :)".  I've stopped bothering.

Between the SARE stock rules, header checks, and Bayes -- especially 
Bayes -- the only place I'm seeing these show up "uncaught" now is my 
spamtraps, and those haven't been run through SA in the first place.

I've concluded the subject line is a trap.  They make it so consistent 
that it just begs to be targeted, then they change it to another 
consistent rule just to yank our chains and keep us busy.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: Well, that didn't take very bloody long

Posted by Tony Finch <do...@dotat.at>.
On Fri, 10 Nov 2006, Steve Lake wrote:

>         Ok, remember that "Name Wrote: :)" emails?  They've completely
> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find any
> common elements in these emails because whoever this putz is, they're adapting
> a lot.

http://article.gmane.org/gmane.mail.spam.spamassassin.general/90322

Tony.
-- 
f.a.n.finch  <do...@dotat.at>  http://dotat.at/
VIKING: SOUTHERLY VEERING WESTERLY 6 TO GALE 8, OCCASIONALLY SEVERE GALE 9.
HIGH. RAIN THEN SHOWERS. MODERATE OR GOOD.

Re: Well, that didn't take very bloody long

Posted by John Rudd <jr...@ucsc.edu>.
Steve Lake wrote:
>         Ok, remember that "Name Wrote: :)" emails?  They've completely 
> changed.  Now it's "hi username" instead.  Joy, oh joy.  Can anyone find 
> any common elements in these emails because whoever this putz is, 
> they're adapting a lot.  They hit us, we adapt, they immediately change 
> tactics and come at us again.  Now with all the brilliant minds on this 
> mailing list, we really should be able to find out who this putz is and 
> nail all his stuff regardless of what tactic he switches to.
> 
> 

Try the RelayChecker plugin.  Look in the message archive for this list, 
for subjects containing "RelayChecker".

RelayChecker looks for things that the spammers can't control (the 
hostnames of the botnets they infect).


Re: Well, that didn't take very bloody long

Posted by Kris Deugau <kd...@vianet.ca>.
Steve Lake wrote:
>         Ok, remember that "Name Wrote: :)" emails?  They've completely
> changed.  Now it's "hi username" instead.

After feeding 10 or 20 into Bayes, they're no longer showing up in *my*
inbox, nor customer inboxes based on the lack of forwarded copies.  <g>

(The ones I've been seeing are basically text-only, thus the effective
Bayes-beating.  The SARE stock rules are helping too.)

This is still SA2.64, too.  Upgrading would make the server roll over
and die, unfortunately.

The *ONLY* spams I've been having any great ongoing trouble with are the
image-based ones.

-kgd