Posted to users@spamassassin.apache.org by "Randal, Phil" <pr...@herefordshire.gov.uk> on 2006/03/20 14:04:48 UTC

{Spam?} RE: Latest spammers' trick - email address in body instead of url

There's more of this stuff out today, with the addy
uk@euroimperialz.com.

My current list of email addresses used in this sort of spam is

*@nicerealmail.info
*@marketez-bonds.*
*@swiss--invest-ltd.*
*@switzerland-invest-ltd.*
*@swis-invest-ltd.*
*@swiss-investments-ltd.*
*@gala.net
*@euroimperialz.*

The rule to catch these is trivial.

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: Randal, Phil 
> Sent: 10 March 2006 17:13
> To: users@spamassassin.apache.org
> Subject: RE: Latest spammers' trick - email address in body 
> instead of url
> 
> I think email addresses should be scored differently from urls.
> 
> Clicking on an email address isn't going to take you to a site which
> auto-installs all manner of malware on your PC.
> 
> But these spams are still a nuisance - especially to us thankless admins
> who get enormous amounts of hassle from our end-users and management
> every time spam slips through with a very low spamassassin score.
> 
> Cheers,
> 
> Phil
> 
> ----
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK  
> 
> > -----Original Message-----
> > From: Daryl C. W. O'Shea [mailto:spamassassin@dostech.ca] 
> > Sent: 10 March 2006 15:47
> > To: Matt Kettler
> > Cc: Randal, Phil; users@spamassassin.apache.org
> > Subject: Re: Latest spammers' trick - email address in body 
> > instead of url
> > 
> > On 10/03/06 10:26 AM, Matt Kettler wrote:
> > > Randal, Phil wrote:
> > >> Hi folks,
> > >>
> > >> We're seeing increasing amounts of spam coming in which the email's
> > >> body contains seemingly innocuous (but obviously irrelevant) text
> > >> plus an email address for more information.
> > >>
> > >> With no urls in the message, uribls are useless...
> > >>
> > >> Currently we've had spams with emails from <whoever> (AT) 
> > >> nicerealmail .info and <whoever> (AT) marketez-bonds .net.
> > >>
> > >> Currently handling it by adding specific rules as we encounter them,
> > >> but there has to be a better way of handling this.
> > >>
> > >> Anyone for emailbls?  Or updating uribl to fire on 
> > >> xyz@naughtydomain.com email addresses in message bodies?
> > >>
> > >> Thoughts, anyone?
> > > 
> > > > Um... SA should already be treating email addresses in the body as
> > > > URIs... Are you sure yours isn't looking up the offending domains
> > > > against the URIBLs you're using?
> > 
> > I don't believe that's accurate.  I know Jeff C. argued that 
> > it "wasn't what SURBL was intended for" so we ended up disabling it.
> > 
> > Personally, I still think email address should be looked up.  
> > Either the domain is bad or it isn't.
> > 
> > http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4201
> > 
> > 
> > Daryl
> > 
>
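
The check discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: it pulls email addresses out of a message body, including the spaced "(AT)" form quoted above, and matches them against the wildcard list from the top message. The function names, the regex and the sample body are assumptions constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Address patterns copied from the message above ("*" is a wildcard).
PATTERNS = [
    "*@nicerealmail.info",
    "*@marketez-bonds.*",
    "*@swiss--invest-ltd.*",
    "*@switzerland-invest-ltd.*",
    "*@swis-invest-ltd.*",
    "*@swiss-investments-ltd.*",
    "*@gala.net",
    "*@euroimperialz.*",
]

# Local part, then "@" or a bracketed "(AT)"/"[at]" marker, then a domain.
# A single space is tolerated before each dot ("nicerealmail .info") but not
# after it, so a sentence-ending full stop is not absorbed into the domain.
ADDR_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)"
    r"\s*(?:@|[(\[]\s*at\s*[)\]])\s*"
    r"([A-Za-z0-9-]+(?:\s?\.[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)

def extract_addresses(body):
    """Return lower-cased addresses found in body text, obfuscated forms included."""
    found = []
    for local, domain in ADDR_RE.findall(body):
        domain = re.sub(r"\s+", "", domain).lower()
        found.append(f"{local.lower()}@{domain}")
    return found

def listed_addresses(body, patterns=PATTERNS):
    """Return the extracted addresses that match any wildcard pattern."""
    return [a for a in extract_addresses(body)
            if any(fnmatchcase(a, p) for p in patterns)]

# Constructed sample body; the local parts and example.org are made up.
SAMPLE_BODY = (
    "Our fund returned 40% last year. For details write to\n"
    "info (AT) nicerealmail .info or sales@Marketez-Bonds.net.\n"
    "Unsubscribe: postmaster@example.org\n"
)

if __name__ == "__main__":
    print(listed_addresses(SAMPLE_BODY))
```

A static list like this only catches domains already seen, which is the limitation the thread raises when asking for blocklist lookups on address domains.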