Re: [SAtalk] what can we do with those spam mails

2004-01-15 Thread Brent J. Nordquist
in-talk&m=107408986927266&w=2 -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti --

Re[4]: [SAtalk] what can we do with those spam mails

2004-01-22 Thread Brent J. Nordquist
tent-Type: text/plain; charset=us-ascii ... (Two dashes in the boundary itself, plus upper letters.) So, I've changed to this here: Content-Type =~ /boundary=\"-*[A-Z]*\d{13,}\"/ -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethe

Re: [SAtalk] Re: Obfusticated URI?

2004-01-22 Thread Brent J. Nordquist
ot; as the host might trigger this rule, so I added an exception for that host. -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti

Re: [SAtalk] SA missed an 'invisible font'?

2004-01-22 Thread Brent J. Nordquist
;t quoted.] Sometimes the space is left out: "font-size:0pt" Sometimes it's a 1-point font, equally bogus: "font-size: 1pt" Sometimes I see "px" instead of "pt": "font-size: 1px" [Don't know if "px" is ev

[SAtalk] All-upper-case Message-ID

2004-01-22 Thread Brent J. Nordquist
Message-Id is all upper-case score BCS_UPPER_MESSID 2.0 -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://t

Re: [SAtalk] Re: X-Originating-IP isn't a number

2004-01-23 Thread Brent J. Nordquist
you mean the body has those random words, and the X-Originating-IP header is in the form: X-Originating-IP: [53x.comIP] If it's the latter, that's a piece of ratware that is detectable. See the latest rnd_uc_char.cf ruleset at http://kepler.acns.bethel.edu/~bjn/spamassassin/

Re: [SAtalk] interesting subject masking

2004-01-30 Thread Brent J. Nordquist
l=spamassassin-talk&m=107409131129110&w=2 -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti

[SAtalk] Ruleset for RND UC CHAR spam

2003-12-19 Thread Brent J. Nordquist
|org|biz).*IP\]/ describe XOIP_RND_UC_CHAR X-Originating-IP fits RND_UC_CHAR pattern score XOIP_RND_UC_CHAR 2.0 -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on

RE: [SAtalk] Ruleset for RND UC CHAR spam

2003-12-20 Thread Brent J. Nordquist
as more than 8 upper-case letters. So here's the revised rule I'm now using which will catch both kinds of subject: Subject =~ /^Re:\s[A-Z]{2,},(\d+,)?\s[a-z]+\s[a-z]+\s[a-z]+\s*$/ -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethe

[SAtalk] X-MT-nn: header (variable headers in general)

2003-12-22 Thread Brent J. Nordquist
e a way to write a rule that tests for a header whose name matches a certain pattern? -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://

Re: [SAtalk] [RD]X-MT-nn: header (variable headers in general)

2003-12-22 Thread Brent J. Nordquist
ITY_UNREG ALL=~ /X-UnityUser:\sUnregistered\sUser/ but that technique doesn't work either; my guess is because the space on which the pattern space is operating is only the value. Any other ideas? -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler

Re: [SAtalk] X-MT-nn: header (variable headers in general)

2003-12-22 Thread Brent J. Nordquist
On Mon, 22 Dec 2003, Brent J. Nordquist <[EMAIL PROTECTED]> wrote: > I've noticed several messages (all spam) with this header: > > X-MT-17: 1906684 > X-MT-25: 1906684 > etc. > > Is there a way to write a rule that tests for a header whose name > matches a cer

Re[2]: [SAtalk] X-Mailer is totally bogus

2004-01-07 Thread Brent J. Nordquist
ow > do you expect me to believe that I have one spam in my corpus with the following, so I added a second rule to catch the case where the only numbers are bunched at the end. X-Mailer: caesar pithy splotch1454 -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other cont

[SAtalk] My custom rulesets for random-word spam

2004-01-08 Thread Brent J. Nordquist
se .cf files are available here: http://kepler.acns.bethel.edu/~bjn/spamassassin/ Feedback very welcome! -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fas

Re: [SAtalk] Rules for word-jumble spam

2004-01-12 Thread Brent J. Nordquist
OPwebMail X-Mailer =~ /mPOP Web-Mail/ > > I don't find any indication anywhere on the Web that mPOP is used for > anything but spam. Thanks for the corpus data on this; I've been wondering about that. I have that in my ruleset n

[SAtalk] Ratware update (was Re: New Ruleset Available! TRIPWIRE!)

2004-01-14 Thread Brent J. Nordquist
.edu/~bjn/spamassassin/ -- Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html * Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti --- This

Re: [SAtalk] Re: Obfusticated URI?

2004-01-14 Thread Brent J. Nordquist
On Wed, 14 Jan 2004, Larry Starr <[EMAIL PROTECTED]> wrote: > On Wednesday 14 January 2004 08:33 am, Brent J. Nordquist wrote: > > > uri BCS_URI_2E_OBFU /=2[Ee]/ > > A posting from David Funk, correctly points out that "=2E" is valid > Quoted-P

Re: [SAtalk] Does somebody have a rule against 'unnecessary encoding' of subjects?

2004-01-14 Thread Brent J. Nordquist
On Wed, 14 Jan 2004, Chr. von Stuckrad <[EMAIL PROTECTED]> wrote: > Does somebody have/know a rule to catch 'unnecessary encodings'? Please check the archive before you post. Keith C. Ivey just posted a rule for this exact thing earlier today. Search for "Munged&q