Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/02/20 05:33:10 UTC

[SARE] Rules updates: URI

Just a quick note that SARE has published new URI rules files.

New files 70_sare_uri0.cf, 70_sare_uri1.cf, 70_sare_uri3.cf, and
70_sare_uri_eng.cf replace the previous file 70_sare_uri.cf

The old file has been left in our http://www.rulesemporium.com/rules/
directory, unchanged. We expect to delete that file in about a month.

I have updated the RDJ snippet for uri.cf to point to the new uri0.cf
file, and added snippets for the other files as well.  I believe I've
done this correctly, but as I don't use and cannot test RDJ, I can't
be sure.

If I've done it right, anyone using RDJ and including 70_sare_uri.cf
as the default index 1122 should automatically pull in the new uri0.cf
file.

Assuming this is the case, you will want to delete the uri.cf file,
since it includes several rules which have been archived.  You can
retrieve the new snippet from
http://www.rulesemporium.com/rdj/rdj_sare_uri.txt to add uri1.cf and
uri3.cf to your RDJ setup if you wish.

George Georgalis (and others): I've made a first pass at incorporating
your suggestions for a change log into these files.  There's a new
file, http://www.rulesemporium.com/rules/70_sare_uri.log, which
contains the full change log.  The
http://www.rulesemporium.com/rules/70_sare_uri0.cf file contains the
change log for this update only.  Is this the type of thing you were
hoping to see?  What can we do to improve it?

Bob Menschel




[SARE] Rules updates: Rolex

Posted by Robert Menschel <Ro...@Menschel.net>.
SARE has finally completed a first pass evaluation of several sets of
submitted rules concerning Rolex spam. You'll find a beta test of
these rules at
http://www.rulesemporium.com/rules/70_sare_specific_rolex.cf

You'll find a hit-frequencies report for these rules at the top of
that file.

The 70_sare_specific.cf rule set file is intended to catch the M.O. of
specific spammers and/or specific spam that might otherwise elude more
general-purpose rules.

One of the recent categories of spam seen and complained about is
"Rolex" spam, claiming to sell actual or replica Rolex and other brand
watches. This file, 70_sare_specific_rolex.cf, is our initial
publication to catch these specific spams.

This is a beta test release -- these rules have NOT been through a
full SARE mass-check run yet. They have been tested against well over
150,000 emails, and so should be safe to use, but we do not yet have
the confidence behind these rules that we have for most of our other
rule set files. 

IOW: Use at your own risk.
(Well, ALL our rules files are "use at your own risk," but these are
more so.) 

Our intent is to roll these rules into the full specific.cf file once
these have been properly validated. The rules will very likely be
renamed at that time. 

Note that some of these rules /do/ hit the very occasional ham. They
should not cause false positives.

Bob Menschel



Re: [SARE] Rules updates: URI

Posted by George Georgalis <ge...@galis.org>.
On Sat, Feb 19, 2005 at 08:33:10PM -0800, Robert Menschel wrote:
>
>I have updated the RDJ snippet for uri.cf to point to the new uri0.cf
>file, and added snippets for the other files as well.  I believe I've
>done this correctly, but as I don't use and cannot test RDJ, I can't
>be sure.

I'm overloaded and haven't had the chance to try...

>George Georgalis (and others): I've made a first pass at incorporating
>your suggestions for a change log into these files.  There's a new
>file, http://www.rulesemporium.com/rules/70_sare_uri.log, which
>contains the full change log.  The
>http://www.rulesemporium.com/rules/70_sare_uri0.cf file contains the
>change log for this update only.  Is this the type of thing you were
>hoping to see?  What can we do to improve it?

That looks good!

A couple minors, I would keep it consistent and simple, my next step
will be parsing this to see how changes pertain to local configurations.
So a limited, fixed set of categories should be defined.

I would change 'Expanded' to 'Changed' so there are fewer standard
categories. On the user end "Removed" makes more sense than "Archived"
- either way, SARE_URI_DMEDZD should be in the gone list.

My first thought was 'these should be formatted to 80 cols to conform to
email standard' but considering they will be grep-ed, I have rethought
that and now think the various line types should have no breaks and no
commas. Then the following (untested) can be used.

CHANGED=$(grep '^#@@#.*Changed' "$cf" | sed 's/^#@@#.*Changed//')
REMOVED=$(grep '^#@@#.*Removed' "$cf" | sed 's/^#@@#.*Removed//')
    NEW=$(grep '^#@@#.*New' "$cf"     | sed 's/^#@@#.*New//')

Changed, Removed and New being the limited number of machine readable
categories I'll be looking for. The other lines are still informative
but could be formatted in any convenient human readable way.

# SARE Spammer URI Rule Set for SpamAssassin - file 0 
# Version:  01.01.00
# Created:  2004-09-13
# Modified: 2005-02-19
# Usage instructions and documentation are found in 70_sare_uri0.cf 
#@@# Revision History:  Full Revision History stored in 70_sare_uri.log
#@@# 01.01.00: Split to multiple files depending on efficiency
#@@#           Added SARE_URI_NO_THANKS, SARE_URI_VISIT_US, SARE_URI_4_BIZ, SARE_URI_HGH, SARE_URI_OFF, SARE_URI_OPTOUT, SARE_URI_REPLICA, 
#@@#                 SARE_URI_RM, SARE_URI_HEX32, SARE_URI_DOM_ENDU, SARE_URI_NUM_SUBDOM, SARE_URI_RAW_ONLY, SARE_URI_SHARE_DIG, SARE_URI_NO_MORE,
#@@#                 SARE_URI_MIXED_CASE
#@@#           Replaced SARE_URI_DMEDZD with SARE_URI_DMEDZDc
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Defined SARE_URI_H0 rule to verify that 70_sare_uri0.cf is present if any other URI rules file is used.
#@@#           Archived SARE_URI_SUCCEZZ, SARE_URI_HOUSE, SARE_URI_P8, SARE_URI_REFID2, SARE_URI_REFID3, SARE_URI_AFF_DIG, SARE_URI_IPPORT3333, 
#@@#                    SARE_URI_SQUARE
#@@#           Expanded SARE_URI_SIXCAPS 
#
# License:  Artistic - see http://www.rulesemporium.com/license.txt
# Current   Maintainer: Bob Menschel - uri@rulesemporium.com
# Current   Home: http://www.rulesemporium.com/rules/70_sare_uri0.cf


I'm not sure why "Usage instructions and documentation" are referenced here.
And, I don't see a log: http://www.rulesemporium.com/rules/70_sare_uri.log
Is there any reason why http://www.rulesemporium.com/rules/ is not available? (To see all snippets and rules in a directory format.)

Regarding the comment on too much disclosure in the logs, there is
nothing keeping spammers from diff-ing the cf files, I would refer
to the quote "Rogues are very keen in their profession, and already
know much more than we can teach them respecting their several kinds
of roguery." http://www.deter.com/unix/papers/treatise_locks.html
Rudimentary Treatise on the Construction of Locks, 1853 (excerpt) --
Charles Tomlinson

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@galis.org
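The grep/sed idea above breaks on exactly the two things George flags: a rule list wrapped across several "#@@#" lines, and comma-separated names. The following is an added example (not George's snippet and not anything SARE ships) that parses the 70_sare_uri0.cf header quoted in his message, rejoins wrapped continuation lines by indentation, and maps SARE's verbs (Added, Defined, Archived, Expanded, Replaced) onto the three machine-readable categories he proposes (New, Changed, Removed); that mapping, and the choice to list the old half of a "Replaced A with B" entry under Removed, are this example's assumptions. It then does his stated next step, checking a local configuration against the result: the local.cf sample is constructed for the example, with "score" lines for two rules the update archived or replaced.

```python
"""Parse the '#@@#' revision-history lines of a SARE rules file header."""
import re
from collections import defaultdict

# Constructed sample: the revision-history block of the 70_sare_uri0.cf
# header quoted in the thread, with its indentation preserved.
SAMPLE_HEADER = """\
# SARE Spammer URI Rule Set for SpamAssassin - file 0
# Version:  01.01.00
#@@# Revision History:  Full Revision History stored in 70_sare_uri.log
#@@# 01.01.00: Split to multiple files depending on efficiency
#@@#           Added SARE_URI_NO_THANKS, SARE_URI_VISIT_US, SARE_URI_4_BIZ, SARE_URI_HGH, SARE_URI_OFF, SARE_URI_OPTOUT, SARE_URI_REPLICA,
#@@#                 SARE_URI_RM, SARE_URI_HEX32, SARE_URI_DOM_ENDU, SARE_URI_NUM_SUBDOM, SARE_URI_RAW_ONLY, SARE_URI_SHARE_DIG, SARE_URI_NO_MORE,
#@@#                 SARE_URI_MIXED_CASE
#@@#           Replaced SARE_URI_DMEDZD with SARE_URI_DMEDZDc
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Defined SARE_URI_H0 rule to verify that 70_sare_uri0.cf is present if any other URI rules file is used.
#@@#           Archived SARE_URI_SUCCEZZ, SARE_URI_HOUSE, SARE_URI_P8, SARE_URI_REFID2, SARE_URI_REFID3, SARE_URI_AFF_DIG, SARE_URI_IPPORT3333,
#@@#                    SARE_URI_SQUARE
#@@#           Expanded SARE_URI_SIXCAPS
#
# License:  Artistic - see http://www.rulesemporium.com/license.txt
"""

# Constructed sample local.cf: two of these scores name rules the update dropped.
SAMPLE_LOCAL_CF = """\
score SARE_URI_DMEDZD 2.5
score SARE_URI_HOUSE 1.0
score SARE_URI_SIXCAPS 0.5
"""

PREFIX = "#@@#"
VERSION_RE = re.compile(r"^\s*(\d+\.\d+\.\d+):\s*(.*)$")
RULE_RE = re.compile(r"\bSARE_\w+")
SCORE_RE = re.compile(r"^\s*score\s+(\S+)", re.MULTILINE)

# Assumed mapping from SARE's verbs to the three categories proposed in the thread.
CATEGORY_OF = {
    "added": "New", "defined": "New", "new": "New",
    "expanded": "Changed", "changed": "Changed",
    "archived": "Removed", "removed": "Removed",
}


def revision_entries(text):
    """Return [(version, entry)] with wrapped continuation lines rejoined.

    A line indented deeper than the first entry under a version is taken as
    the continuation of the previous entry, so a rule list that was broken
    across lines comes back as one string.
    """
    entries, version, entry_indent = [], None, None
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue
        body = raw[len(PREFIX):].rstrip()
        m = VERSION_RE.match(body)
        if m:
            version, entry_indent = m.group(1), None
            entries.append([version, m.group(2).strip()])
            continue
        if version is None:
            continue  # the "Revision History:" banner precedes any version
        indent = len(body) - len(body.lstrip())
        if entry_indent is None:
            entry_indent = indent
        if indent > entry_indent:
            entries[-1][1] += " " + body.strip()   # continuation line
        else:
            entries.append([version, body.strip()])
    return [tuple(e) for e in entries]


def classify(entry):
    """Map one entry to {category: [rule names]}; prose with no keyword goes to 'Notes'."""
    words = entry.split()
    keyword = words[0].lower() if words else ""
    if keyword == "replaced" and " with " in entry:
        # "Replaced A with B": A is gone and B is new, so A lands in the
        # Removed list where someone still scoring it will look for it.
        old, new = entry.split(" with ", 1)
        return {"Removed": RULE_RE.findall(old), "New": RULE_RE.findall(new)}
    rules = RULE_RE.findall(entry)
    if keyword in CATEGORY_OF and rules:
        return {CATEGORY_OF[keyword]: rules}
    return {"Notes": [entry]}


def changelog(text):
    """Return {version: {category: [...]}} for every #@@# block in text."""
    out = defaultdict(lambda: defaultdict(list))
    for version, entry in revision_entries(text):
        for category, items in classify(entry).items():
            out[version][category].extend(items)
    return {v: dict(cats) for v, cats in out.items()}


def stale_local_scores(local_cf_text, log):
    """Rule names scored in a local.cf that the changelog lists as Removed."""
    removed = {r for cats in log.values() for r in cats.get("Removed", [])}
    return sorted(n for n in SCORE_RE.findall(local_cf_text) if n in removed)


if __name__ == "__main__":
    log = changelog(SAMPLE_HEADER)
    for version, cats in log.items():
        for category in ("New", "Changed", "Removed", "Notes"):
            for item in cats.get(category, []):
                print(f"{version} {category}: {item}")
    print("stale local scores:", stale_local_scores(SAMPLE_LOCAL_CF, log))
```

Rejoining by indentation rather than by trailing comma is deliberate: the last line of a wrapped list has no trailing comma, and a single-rule entry such as "Expanded SARE_URI_SIXCAPS" has none either, so the comma is not a reliable signal. Anything that starts with a verb the mapping does not know ("Minor score tweaks ...", "Split to multiple files ...") is kept as a note rather than silently dropped.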