You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Eddy Beliveau <ed...@hec.ca> on 2005/05/25 15:19:49 UTC
Cannot get rid of new online pharmacy spams
Hi!
I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly. Thanks ;-)
My current problem is that I cannot get rid of those online pharmacy spams. (see attached picture).
The email contains a picture and many words in font size 1.
Am I the only one to receive this junk.
Can someone help ?
Thanks in advance
Eddy
Re: Cannot get rid of new online pharmacy spams
Posted by Loren Wilton <lw...@earthlink.net>.
> Someone correct me if I am wrong, however the multi-line URI spams with
> ampersands need a patch that is not yet integrated into the default
> 3.0.3 distribution.
The ampersands (and ther special characters, like colons) was a separate
problem from the unescaped cr's in the url. The later was fixed in 3.0.3,
as best I recall.
Loren
Re: Cannot get rid of new online pharmacy spams
Posted by Chris Conn <cc...@abacom.com>.
> Eddy
>
> Have you tried updating to a newer version?
>
> I suspect it will be many peoples first suggestion.
>
> Alan
Hello,
Someone correct me if I am wrong, however the multi-line URI spams with
ampersands need a patch that is not yet integrated into the default
3.0.3 distribution.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4213
So simply upgrading is not sufficient. I also went through the somewhat
painless upgrade procedure, to see that the particular image spam that
this gent is showing was still able to pass unscathed...until I patched
3.0.3 source tree with the two recommended patches in this bugID.
Chris
Re: Cannot get rid of new online pharmacy spams
Posted by Loren Wilton <lw...@earthlink.net>.
> > In the mean time, I will try Chris Conn's solution:
> > rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
> > full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
> > meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
> > score LW_URI_CR (YOUR CHOICE)
> > describe LW_URI_CR unescaped cr in uri
> >
> > I'll give you a follow-up very soon.
>
> Hello,
>
> This is not my solution, I stole this from another list user. Please do
> not give me credit for what for me was successful and for you may not be.
>
> Rember to put a score on the score line =)
>
> Chris
Since you mention it, it was mine. :-)
Loren
Re: Cannot get rid of new online pharmacy spams
Posted by Chris Conn <cc...@abacom.com>.
Eddy Beliveau wrote:
> Hi!
>
> Thanks to all for your replies
>
> I cannot upgrade right now, the current academic semester is not yet
> completed
>
> In the mean time, I will try Chris Conn's solution:
> rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
> full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
> meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
> score LW_URI_CR (YOUR CHOICE)
> describe LW_URI_CR unescaped cr in uri
>
> I'll give you a follow-up very soon.
Hello,
This is not my solution, I stole this from another list user. Please do
not give me credit for what for me was successful and for you may not be.
Rember to put a score on the score line =)
Chris
Re: Cannot get rid of new online pharmacy spams
Posted by Eddy Beliveau <ed...@hec.ca>.
Hi!
Thanks to all for your replies
I cannot upgrade right now, the current academic semester is not yet completed
In the mean time, I will try Chris Conn's solution:
rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
score LW_URI_CR (YOUR CHOICE)
describe LW_URI_CR unescaped cr in uri
I'll give you a follow-up very soon.
Thanks and have a nice day
Eddy
----- Original Message -----
From: "Alan Munday" <sp...@brightheadtechnology.com>
To: "Eddy Beliveau" <ed...@hec.ca>
Cc: <us...@spamassassin.apache.org>
Sent: Wednesday, May 25, 2005 9:53 AM
Subject: Re: Cannot get rid of new online pharmacy spams
> Eddy Beliveau wrote the following on 25/05/2005 14:19:
>>
>> Hi!
>>
>> I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly.
>> Thanks ;-)
>>
> Eddy
>
> Have you tried updating to a newer version?
>
> I suspect it will be many peoples first suggestion.
>
> Alan
Re: Cannot get rid of new online pharmacy spams
Posted by Alan Munday <sp...@brightheadtechnology.com>.
Eddy Beliveau wrote the following on 25/05/2005 14:19:
>
> Hi!
>
> I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly.
> Thanks ;-)
>
Eddy
Have you tried updating to a newer version?
I suspect it will be many peoples first suggestion.
Alan
Re: Cannot get rid of new online pharmacy spams
Posted by Chris Conn <cc...@abacom.com>.
Eddy Beliveau wrote:
>
> Hi!
>
> I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly.
> Thanks ;-)
>
> My current problem is that I cannot get rid of those online pharmacy
> spams. (see attached picture). The email contains a picture and many
> words in font size 1.
>
> Am I the only one to receive this junk.
>
> Can someone help ?
Hello,
I finally upgraded to 3.0.3 (plus patches) yesterday since SA 2.64 and
SpamcopURI 0.25 cannot identify these by default.
However, from this very list I obtained the following rule (I had to
search the gmane newsgroup as I was sure I saw this go by):
rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
score LW_URI_CR (YOUR CHOICE)
describe LW_URI_CR unescaped cr in uri
and it was quite effective at spotting them. I was scoring this pretty
high and had no FPs.
Good luck,
Chris
Re: Cannot get rid of new online pharmacy spams
Posted by Rick Carpenter <ri...@tqci.net>.
On Wed, 2005-05-25 at 09:19 -0400, Eddy Beliveau wrote:
> Hi!
>
> I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly. Thanks ;-)
>
> My current problem is that I cannot get rid of those online pharmacy spams. (see attached picture).
> The email contains a picture and many words in font size 1.
>
> Am I the only one to receive this junk.
>
I think the vast majority of us receive this trash. :(
> Can someone help ?
>
> Thanks in advance
> Eddy
Rick..
---
[This E-mail scanned for viruses by tqci.net]
Re: Cannot get rid of new online pharmacy spams
Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, May 25, 2005, 6:19:49 AM, Eddy Beliveau wrote:
> I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly. Thanks ;-)
> My current problem is that I cannot get rid of those online pharmacy spams. (see attached picture).
> The email contains a picture and many words in font size 1.
> Am I the only one to receive this junk.
> Can someone help ?
> Thanks in advance
> Eddy
Those have a URI, but they're obfuscated by breaking up the domain
name with line breaks, like:
http://spam
merdo
main.com
instead of spammerdomain.com .
The newer versions of SpamAssassin will detect these successfully
because the domain names are listed in SURBLs and new SA versions
are no longer fooled by this obfuscation technique.
Quick answer: upgrade!
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: Cannot get rid of new online pharmacy spams
Posted by Eddy Beliveau <ed...@hec.ca>.
Hi! Rishi,
Many thanks for your reply
I'm already using that antidrug.cf rule
My problem is that the drug name does not appear as text in the spam
It is included in the gif picture
So the spam contains a picture and many tiny words in the email's body
Does it sound familiar ?
Thanks,
Eddy
----- Original Message -----
From: "Rishi Kantesaria" <ri...@gmail.com>
Subject: Re: Cannot get rid of new online pharmacy spams
You can either do two things....if you don't have spamassassin rules
for Drug stuff then get that or if you have the rules and emails are
still coming adjust the score in the rules.
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
On 5/25/05, Eddy Beliveau <ed...@hec.ca> wrote:
>
> Hi!
>
> I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly. Thanks ;-)
>
> My current problem is that I cannot get rid of those online pharmacy spams. (see attached
> picture).
> The email contains a picture and many words in font size 1.
>
> Am I the only one to receive this junk.
>
> Can someone help ?
>
> Thanks in advance
> Eddy
>
>
>