(okay, second try, now that the list seems to be working again)
> s> rawbody L_Text_Padding_In_Html /<(title>)?[ '-.,?!\w]{50,}>/
> s> describe L_Text_Padding_In_Html Text padding within brackets or HTML
> s> title to fool bayesian filter
rawbody L_Text_Padding_In_Html /<(title>)?[- '\.
Hello sckot,
Wednesday, January 21, 2004, 2:09:51 PM, you wrote:
s>I've noticed several spam mails with a lot of quoted text (quotes from
s> Dave Barry, some of Moby Dick, that sort of thing. Usually all
s> punctuation is stripped out, but not always.) included within brackets or
s> an HTML titl
I've noticed several spam mails with a lot of quoted text (quotes from
Dave Barry, some of Moby Dick, that sort of thing. Usually all
punctuation is stripped out, but not always.) included within brackets or
an HTML title. It's likely being used to counterweight the
message against a Bayesian filte
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Robert Wagner
Sent: Thursday, October 09, 2003 9:15 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] Catching Lots of Remarks in HTML Messages
We seem to be getting more messages like:
GIRLS THAT RE
A rule for this already exists, it's called: OBFUSCATING_COMMENT
If you like, you can give this test a higher score in your local.cf file.
No, the rules are not additive!
Frederic Tarasevicius
Internet Information Services, Inc.
Robert Wagner wrote:
> We seem to be getting more messages like:
On Thu, Oct 09, 2003 at 09:15:29AM -0500, Robert Wagner wrote:
> We seem to be getting more messages like:
> GIRLS T
> HAT RE
See what the OBFUSCATING_COMMENT test in 2.6x and 2.5x does.
--
(Mr.) Hannu Liljemark | Appelsiini Finland Oy | http://appelsiini.com
um keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka
> -Original Message-
> From: Robert Wagner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 09, 2003 10:15 AM
> To: Spamassa
We seem to be getting more messages like:
GIRLS THAT RE
I was curious if Spamassassin would catch these with a rule like:
body LOTS_REMARKS /\b\b/i
describe LOTS_REMARKS HTML Lots of Remarks
The other question is-> Are the rules additive? Such that i
On Tue, Sep 23, 2003 at 07:16:47AM -0500, Philip Mak wrote:
...
> Unfortunately, sometimes one of these virus e-mails passes through a
> virus-stripping SMTP that removes the virused attachment, leaving the
> rest of the (junk) message. These messages end up passing through the
> ClamAV filter sinc
I broke down and installed ClamAV, after being deluged by hundreds of
Microsoft virus e-mails per day that SpamAssassin didn't catch. It
works great, catching all those viruses and keeping them out of my
inbox. (I'm not particularly worried about viruses themselves since I
read my e-mail using mutt
gain,
John McGivern
-Original Message-
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: August 20, 2003 4:06 PM
To: John McGivern; Robert Menschel
Cc: [EMAIL PROTECTED]
Subject: RE: [SAtalk] catching the Banned CD spam!
Could it possibly be the double base64 text trick again? Those tend
ilto:[EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 9:08 AM
> To: Robert Menschel
> Cc: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] catching the Banned CD spam!
>
>
> Hey everyone! Thanks for all the responses! I was out of
> the office yesterday.
>
> I do have
At 8/20/03 09:28 AM , Sandy S wrote:
I'm no expert so I may be off-base here, but shouldn't the rule have ()?
body RULE_NAME /(bannedc|banned c)/i
I think that without them you're scanning for one of the following strings:
"bannedcanned c" or "bannedbanned c".
And personally, I'd just do:
body RULE
From: "John McGivern" <[EMAIL PROTECTED]>
To: "Robert Menschel" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 8:07 AM
Subject: RE: [SAtalk] catching the Banned CD spam!
> Hey everyone! Thanks for all the responses! I was o
Sent: August 18, 2003 10:09 PM
To: John McGivern
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] catching the Banned CD spam!
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello John,
I find the following rules work well for me:
header RM_sp_BannedCD Subject =~ /b\s?a\s?n\s?n\s?e\s?d\s?c\s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello John,
I find the following rules work well for me:
header RM_sp_BannedCD Subject =~ /b\s?a\s?n\s?n\s?e\s?d\s?c\s?d/i
describe RM_sp_BannedCD Subject mentions the supposedly banned CD
score RM_sp_BannedCD 1.21 # 21 spam, 0 ham, Aug 12
At 8/18/03 02:07 PM , Rich Puhek wrote:
body BANNED_CD /banned c/
will not match "Banned CD", but
body BANNED_CD /banned c/i
will match it.
Even better might be: /banned\s*c\s*d/i
I'd *definitely* go with the latter, because either of the first two rules
will also catch things like:
the
On Mon, 2003-08-18 at 22:07, Rich Puhek wrote:
> John McGivern wrote:
> > Hi everyone,
> >
> > I don't know if you guys get the SPAM that advertises the "Banned CD" I get
> > dozens of them. Anyway, I've added a body rule looking for the term "bannedc" or
> > "banned c" and yet it still doesn'
John McGivern wrote:
Hi everyone,
I don't know if you guys get the SPAM that advertises the "Banned CD" I get dozens of them. Anyway, I've added a body rule looking for the term "bannedc" or "banned c" and yet it still doesn't catch it even though the text is right there! I know the rule is wo
Hi everyone,
I don't know if you guys get the SPAM that advertises the "Banned CD" I get dozens of
them. Anyway, I've added a body rule looking for the term "bannedc" or "banned c" and
yet it still doesn't catch it even though the text is right there! I know the rule is
working because if I e
At 03:44 PM 8/18/2003 -0400, John McGivern wrote:
I don't know if you guys get the SPAM that advertises the "Banned CD" I
get dozens of them. Anyway, I've added a body rule looking for the term
"bannedc" or "banned c" and yet it still doesn't catch it even though the
text is right there! I kno
At Mon Aug 18 20:44:24 2003, John McGivern wrote: [reformatted]
> I don't know if you guys get the SPAM that advertises the "Banned
> CD" I get dozens of them. Anyway, I've added a body rule looking
> for the term "bannedc" or "banned c" and yet it still doesn't catch
> it even though the text is
John McGivern wrote:
Hi everyone,
I don't know if you guys get the SPAM that advertises the "Banned CD"
I get dozens of them.
I get 7-9 per week, but SA has been catching each & every one of them.
Have you fed them through sa-learn, by chance?
-Jonathan
--
What's the rule you've written?
On Mon, Aug 18, 2003 at 03:44:24PM -0400, John McGivern is rumored to have said:
>
> Hi everyone,
>
> I don't know if you guys get the SPAM that advertises the
> "Banned CD" I get dozens of them. Anyway, I've added a body rule ...
--
"Men and nations behave
"Mathew Hendry" <[EMAIL PROTECTED]> writes:
> Is there an easy way to detect fraudulent links like the following from
> a recent scamspam.
>
> href=3D"http://hyperiod.hypermart.net/fraud.html";> face=3DArial=20
> size=3D2>BestBuy.com/fraud_department.html
>
> i.e. both the href and the visible
Jonathan Nichols wrote:
> Mathew Hendry wrote:
>> Is there an easy way to detect fraudulent links like the following
>> from a recent scamspam.
>>
>> > href=3D"http://hyperiod.hypermart.net/fraud.html";>> face=3DArial=20 size=3D2>BestBuy.com/fraud_department.html
>
> Wow, that one has changed a
Mathew Hendry wrote:
Is there an easy way to detect fraudulent links like the following from
a recent scamspam.
http://hyperiod.hypermart.net/fraud.html";>BestBuy.com/fraud_department.html
Wow, that one has changed already.. it was going to "digitalgamma.com"
when it first came out.
-
Is there an easy way to detect fraudulent links like the following from
a recent scamspam.
http://hyperiod.hypermart.net/fraud.html";>BestBuy.com/fraud_department.html
i.e. both the href and the visible text look like URLs, but don't come
anywhere close (I guess that's the tricky part :) to match
Hi
I just noticed that if I send a spam (5.01 points) to two mail accounts only
account nr 1 not nr 2 catches and tags the mail as a spam.
I'm using procmail for delivery and I have edited the /etc/procmailrc file
with the necessary instructions to run spamassassin, and indeed it works
fine on some
| get through. I have tried to add a line to my user_prefs, but did not
| manage to get it right. Is there a proper way to do this?
You didn't say what the line that you added was. If you're the only one
using the system, creating a rule in local.cf would be a better option. I
don't recommend doin
In my opinion it's best to leave virus scanning in the hands
of an anti-virus software package and spam scanning in the
hands of SA...
- Original Message Follows -
> Dear all - I have been receiving a lot of mail that seems
> to originate from the 'Bugbear' virus. This all has a 'To:
> undi
Dear all - I have been receiving a lot of mail that seems to originate
from the 'Bugbear' virus. This all has a 'To: undisclosed receipients'
header, which gets scored by spamassassin. Unfortunately the scoring is
not high enough to always pass the threshold, and most of these mails
get through. I
On Wednesday 05 June 2002 03:38 pm, Bryan Hoover wrote:
> What will all the spammers do when they figure out it doesn't work
> anymore? I wonder how long it will take for this to happen?
Oh, but it does! People actually make money off of this. Really. It's also
a lot cheaper than postal mail
Craig R Hughes wrote:
> I wrote a letter to Senator Burns and the cosponsors of the bill
> offering my
> time free to them if they needed any technology consulting help
> regarding spam
> issues. Haven't heard back.
>
Indeed. We don't need laws, when we've got revenge (ha, ha)!
What will all
Bryan Hoover wrote:
BH> Ryan Hayle wrote:
BH>
BH> > * Progress of Senate anti-spam bill
BH> >
BH> > Over a year ago, Sen. Conrad Burns (R-MT) introduced S.630, the CAN
BH> > SPAM Act of 2001. This bill would require UCE to have a valid return
BH> > address to facilitate consumers' removal from sp
Ryan Hayle wrote:
> * Progress of Senate anti-spam bill
>
> Over a year ago, Sen. Conrad Burns (R-MT) introduced S.630, the CAN
> SPAM Act of 2001. This bill would require UCE to have a valid return
> address to facilitate consumers' removal from spam lists.
I hope this sort of thing doesn't cat
I just found it very amusing to see "CAUSE NEWS" in my spam folder. :)
You might consider using this to try to further refine your filters so
as not to block such a message, although I understand why it would be
difficult.
Ryan
--- Begin Message ---
SPAM: Start SpamAssass
Charlie> There was some discussion about making a 419-specific version
Charlie> of the phrases test.
After posting my previous message I almost immediately received three 419
variants. I then spent a little time looking at them and some websites
devoted to them and came up with a couple
Matt Sergeant wrote:
> > On Fri, May 24, 2002 at 12:51:24AM -0500, Skip Montanaro wrote:
> >
> >>After posting my previous message I almost immediately received three 419
> >>variants. I then spent a little time looking at them and some websites
> >>devoted to them and came up with a couple othe
> The current SA tests don't seem to catch the very common Nigerian scam. You
> know "The assets of dictator So And So are frozen. We need your help. Send
> us your bank account number and we'll transfer a bunch of money there" (or
> something like that). Have others developed better tests to
Bill D wrote:
> On Fri, May 24, 2002 at 12:51:24AM -0500, Skip Montanaro wrote:
>
>>Charlie> There was some discussion about making a 419-specific version
>>Charlie> of the phrases test.
>>After posting my previous message I almost immediately received three 419
>>variants. I then spent
On Fri, May 24, 2002 at 12:51:24AM -0500, Skip Montanaro wrote:
> Charlie> There was some discussion about making a 419-specific version
> Charlie> of the phrases test.
> After posting my previous message I almost immediately received three 419
> variants. I then spent a little time looki
There was some discussion about making a 419-specific version of the
phrases test.
I don't think anything came of it, though.
Would probably be a worthwhile place to invest energy.
On Thu, 23 May 2002, Skip Montanaro wrote:
> The current SA tests don't seem to catch the very common Nigerian sc
The current SA tests don't seem to catch the very common Nigerian scam. You
know "The assets of dictator So And So are frozen. We need your help. Send
us your bank account number and we'll transfer a bunch of money there" (or
something like that). Have others developed better tests to catch th
On 3/8/02 1:58 AM, "Matt Sergeant" <[EMAIL PROTECTED]> wrote:
> I've stated before that I personally am not interested in extending
> SpamAssassin to be an anti-virus tool. We have here at work one of the
> world's best AV tools (and written in Perl too), but the code for
> detecting viruses is *
On Fri, 8 Mar 2002, Daniel Pittman wrote:
> > Low-hanging fruit, though it's out of date these days, catch
> > the snowhite virus since it's there:
> >
> > header SNOWWHITE_VIRUS Subject =~ /Snowwhite.*REAL story/
> > describe SNOWWHITE_VIRUS The snow white virus
> > score SNOWWHITE
On Fri, 8 Mar 2002, David G. Andersen wrote:
> Matthew Cline just mooed:
>> First a few rules to match non-spam:
[...]
>> While there would be no effort in faking this, it might take a while
>> for some of the spammers to catch on.
>>
>> uri HTTPS_URL /https:\/\//
>> descr
47 matches