On November 9, 2014 2:12:16 AM John Hardin wrote:
Yep. .sig flamewar. Sigh.
That's why I use no sig at all, please don't copy me :)
On Nov 8, 2014, at 5:54 PM, Reindl Harald wrote:
> On 09.11.2014 at 01:48, Dave Pooser wrote:
>> On 11/8/14, 5:57 PM, "Reindl Harald" wrote:
>>
>>> what is that garbage worth for?
>>
>> It's from a book by Terry Pratchett. Are we really so hard up for things to
>> talk about that we're going
On Sun, 9 Nov 2014, Reindl Harald wrote:
On 09.11.2014 at 01:48, Dave Pooser wrote:
On 11/8/14, 5:57 PM, "Reindl Harald" wrote:
> what is that garbage worth for?
It's from a book by Terry Pratchett. Are we really so hard up for things
to talk about that we're going to have a .sig flamew
On 09.11.2014 at 01:48, Dave Pooser wrote:
On 11/8/14, 5:57 PM, "Reindl Harald" wrote:
what is that garbage worth for?
It's from a book by Terry Pratchett. Are we really so hard up for things
to talk about that we're going to have a .sig flamewar now?
it's not a matter of "hard"
it's a m
On 11/8/14, 5:57 PM, "Reindl Harald" wrote:
>what is that garbage worth for?
It's from a book by Terry Pratchett. Are we really so hard up for things
to talk about that we're going to have a .sig flamewar now?
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
Programming: The profession of pr
On 09.11.2014 at 00:51, LuKreme wrote:
On Nov 7, 2014, at 10:03 AM, Benny Pedersen wrote:
What mua clients shows invalid mimetypes ?
Most all of them
"thank you" for your "fortune footer" in the name of everybody trying to
train ham messages for bayes..
what is that garbage worth
On Nov 7, 2014, at 10:03 AM, Benny Pedersen wrote:
>
> What mua clients shows invalid mimetypes ?
Most all of them.
--
He'd never asked for an exciting life. What he really liked, what he
sought on every occasion, was boredom. The trouble was that boredom
tended to explode in your face. Just w
On November 7, 2014 6:06:40 PM "David F. Skoll" wrote:
> What mua clients shows invalid mimetypes ?
Microsoft, thank you... if the attachment name ends in ".htm" or ".html" it
is treated as HTML regardless of MIME type.
Microsoft could fix this in a monthly bugfix update for dangerous softwar
On Fri, 07 Nov 2014 18:03:32 +0100
Benny Pedersen wrote:
> What mua clients shows invalid mimetypes ?
Microsoft, thank you... if the attachment name ends in ".htm" or ".html" it
is treated as HTML regardless of MIME type.
Actually, most MUAs do this. There are an unbelievable number of MIME
ge
On November 7, 2014 5:41:30 PM "David F. Skoll" wrote:
I've seen a couple of hundred phishing emails come in that all had an
attachment of type "application/html" which is (of course) bogus.
What mua clients shows invalid mimetypes ?
On 11/07/2014 05:41 PM, David F. Skoll wrote:
Hi,
I've seen a couple of hundred phishing emails come in that all had an
attachment of type "application/html" which is (of course) bogus.
I've put in a rule to block these and will see how it goes.
I've put an example up at http://pastebin.com/M3d
On Mon, 12 Aug 2013, Kris Deugau wrote:
Amir 'CG' Caspi wrote:
My main feeling is that if anyone is
sending HTML email with LOTS of stuff commented out, that email is
almost certainly spam. Ham HTML email would probably be done with more
care.
*snigger* Take a look at the raw source from a
Amir 'CG' Caspi wrote:
> My main feeling is that if anyone is
> sending HTML email with LOTS of stuff commented out, that email is
> almost certainly spam. Ham HTML email would probably be done with more
> care.
*snigger* Take a look at the raw source from a message sent with
Outlook (especiall
At 8:23 PM -0700 08/11/2013, John Hardin wrote:
However, I may be taking too-conservative a stance here. It's
possible that, while HTML comments can appear in ham, *long* HTML
comments won't, and the fact that we're looking for long blocks of
comment text is enough safety.
That's why feeling.
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 7:20 PM -0700 08/11/2013, John Hardin wrote:
Yuck. Can you pastebin spamples, if you still have them?
Here's one that comes to mind:
http://pastebin.com/zVEH2h02
That's going to be problematic as the comment isn't gibberish, it's a
bunch of pr
At 7:20 PM -0700 08/11/2013, John Hardin wrote:
The unbounded matches you're using probably caused the RE engine to
get stuck backing off and retrying.
That's what I figured. That's why I changed things to the current
version, which is "bounded" by the end-tag of the comment. My
current ver
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 6:56 PM -0700 08/11/2013, John Hardin wrote:
I'm also going to make FP-avoidance changes that should also help.
Care to share? =)
Everything is publicly visible in my sandbox:
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhar
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 9:31 PM -0400 08/11/2013, Alex wrote:
Are you using sqlgrey? If not, it's incredible and you should try it.
I have not implemented any sort of greylisting yet. I can't use sqlgrey
because I don't use postfix... my server runs sendmail. I'm sur
At 6:56 PM -0700 08/11/2013, John Hardin wrote:
I'm also going to make FP-avoidance changes that should also help.
Care to share? =)
Just make sure that the rule does not match the --> comment-end token
I tried doing that and it caused SA to hang... couldn't figure out
why the regex wasn't
On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:
At 2:22 AM -0600 08/11/2013, Amir 'CG' Caspi wrote:
My regex is valid and appropriate for those comments... I tested it at
regexpal.com, which shows that all three comments match just fine (all
three get highlighted).
So... why is SA hitting only o
At 9:31 PM -0400 08/11/2013, Alex wrote:
Can you post this rule again so we can investigate?
# HTML comment gibberish
# Looks for sequence of 100 or more "words" (alphanum + punct
separated by whitespace) within HTML comment
rawbody HTML_COMMENT_GIBBERISH //im
describe HTML_COMMENT_GIBBERISH
Hi,
> Further confusion. Received another of these types of spam today:
>
> http://pastebin.com/YywcFkui
>
> My new HTML_COMMENT_GIBBERISH rule didn't hit on this one at all. Running
Can you post this rule again so we can investigate?
How do you find the SPAMMY_URI_PATTERNS rule is performing?
At 2:22 AM -0600 08/11/2013, Amir 'CG' Caspi wrote:
My regex is valid and appropriate for those comments... I tested it
at regexpal.com, which shows that all three comments match just fine
(all three get highlighted).
So... why is SA hitting only on the final comment, and ignoring the first tw
On Aug 11, 2013, at 9:10 AM, Benny Pedersen wrote:
> i created MSG_ID_INSTAFILE_BIZ and HTML_ERROR_TAGS_X_HTML , but even without
> this rules its spam
It is NOW, it was not when it was originally processed, as you can see from the
SA headers included in the pastebin. If you read the messages
Amir 'CG' Caspi wrote on 2013-08-11 10:22:
http://pastebin.com/VCtvzjzV
Content analysis details: (10.9 points, 5.0 required)
pts rule name description
--
--
-0.0 RCVD_IN_MSPIKE_H3 RBL: Good repu
At 1:41 PM -0600 08/10/2013, Amir 'CG' Caspi wrote:
(The HTML comment gibberish rule would be a big step here, since
that's one of the few things that would distinguish this from ham...
unlikely that a real person would embed tens of KB of comment
gibberish.)
OK, I'm trying to test an HTML co
On Sat, 10 Aug 2013, Amir 'CG' Caspi wrote:
At 2:17 PM -0700 08/10/2013, John Hardin wrote:
Perhaps it's time to bring FuzzyOCR up-to-date...?
Is this something I need to manually update or something that needs updating
in the SA distribution?
FuzzyOCR was a SA plugin a few years back. It
At 2:17 PM -0700 08/10/2013, John Hardin wrote:
Perhaps it's time to bring FuzzyOCR up-to-date...?
Is this something I need to manually update or something that needs
updating in the SA distribution?
Thanks.
--- Amir
On Sat, 10 Aug 2013, Amir 'CG' Caspi wrote:
It looks like both this and the previous type of spam are bypassing Bayes by
embedding images and using no rendered text. Well, not NO text, but very
little, mostly a "successful delivery" message and the unsub/report links.
That is, Bayes sees abso
At 10:41 AM -0700 08/09/2013, John Hardin wrote:
Can you provide a spample or two?
Looks like a similar spam method has come out in recent weeks (since
Jul 30, it seems) that uses slightly different footers... example is
here:
http://pastebin.com/QCmSPzwG
Although running SA on this spam _
At 10:41 AM -0700 08/09/2013, John Hardin wrote:
Can you provide a spample or two?
Sure.
http://pastebin.com/VfSCB7fw
http://pastebin.com/VCtvzjzV
Note the "outl" and "outi" links near the very bottom. The actual
domains used in these URIs vary... they used to be .pw, but recently
most have
On Fri, August 9, 2013 1:01 pm, RW wrote:
> BAYES works on rendered text it doesn't see the HTML.
Hmmm. It doesn't see HTML comments, which would appear in rendered HTML
source even though they are "invisible?" OK, in that case, I have NO idea
why the spam isn't hitting Bayes, because it looks p
On Fri, 9 Aug 2013 11:19:08 -0600
Amir 'CG' Caspi wrote:
> A number of my users have been receiving spam formatted in a
> very specific way which seems to very often miss Bayes... I don't
> know why, whether it's because of the HTML gibberish flooding Bayes
> with useless tokens (to reduc
On Fri, 9 Aug 2013, Amir 'CG' Caspi wrote:
A number of my users have been receiving spam formatted in a very
specific way which seems to very often miss Bayes...
Can you provide a spample or two?
I recommend this rule be added to the general distribution.
They can be added but unless such
Good morning *,
On 2009-08-04 13:51:24, Jason L Tibbitts III wrote:
> > "DS" == Dan Schaefer writes:
>
> DS> I'm glad to see this SPAM traffic has come to a halt. At least on my
> DS> mail server...
>
> Yes, I haven't seen any of those spams since the morning of the 31st.
> My servers wer
> "DS" == Dan Schaefer writes:
DS> I'm glad to see this SPAM traffic has come to a halt. At least on my
DS> mail server...
Yes, I haven't seen any of those spams since the morning of the 31st.
My servers were rejecting them like mad right up until that point in
time (10:30CDT), and then noth
Hi Dan and *,
On 2009-08-04 14:37:46, Dan Schaefer wrote:
> I'm glad to see this SPAM traffic has come to a halt. At least on my
> mail server...
They have seen, the out spamassassin is working very efficient. I get
only one or two spams per day... which are caught by SA of course.
Than
I'm glad to see this SPAM traffic has come to a halt. At least on my
mail server...
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
(apologies for top posting, but the email software here does not really do
quoting in a way that works out well otherwise)
If your mail contains SpamAssassin headers then it was (obviously) processed
through SpamAssassin. Just because you have BL checks in your MTA does not
necessarily mean th
On Thu, 23 Jul 2009, Dan Schaefer wrote:
> > Are you quite sure that an upstream copy of SA, e.g. in your ISP
> > or at a sender site that scans for outgoing spam, hasn't already
> > added X-* headers to the message?
>
> No. Is that even possible to track down?
There would probably b
On Thu, 2009-07-23 at 12:25 -0400, Dan Schaefer wrote:
> > Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
> > sender site that scans for outgoing spam, hasn't already added X-*
> > headers to the message?
> >
> >
> > Martin
> >
> >
> No. Is that even possible to track d
On Thu, 23 Jul 2009, Dan Schaefer wrote:
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at
a sender site that scans for outgoing spam, hasn't already added X-*
headers to the message?
No. Is that even possible to track down?
There would probably be an X-Spam-Checker-V
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at
a sender site that scans for outgoing spam, hasn't already added X-*
headers to the message?
No. Is that even possible to track down?
There would probably be an X-Spam-Checker-Version header in your
inbound mail strea
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
sender site that scans for outgoing spam, hasn't already added X-*
headers to the message?
Martin
No. Is that even possible to track down?
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Cor
Dan Schaefer wrote:
>
> If this is the case, then why does my email have the X-* headers in
> it? I have nothing in my postfix header_checks to discard the BL
> rules. Does anyone have a detailed flow chart of SA/postfix setup and
> describes blacklisting? Or even a webpage describing the proces
On Wed, 22 Jul 2009, Dan Schaefer wrote:
For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this
email as spam
http://pastebin.com/m40f7cff4
The URI is not obfuscated, therefore it triggered the URIBL tests
properly (and scored 3 additio
Dan Schaefer wrote:
It means that if you were using BL at MTA level your SA might never
have seen the message at all.
No your rule would not be "overlooked" 'because the site is in a
blacklist' *unless* you were using the BL in your MTA and rejected
the transaction from a blacklisted IP add
It means that if you were using BL at MTA level your SA might never have seen
the message at all.
No your rule would not be "overlooked" 'because the site is in a blacklist'
*unless* you were using the BL in your MTA and rejected the transaction from a
blacklisted IP address and, thus, never
>For those of you that manage these rules,
>URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this
email as spam
I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be
hitting anything currently.
>http://pastebin.com/m40f7cff4
This is not an obfuscated domain. You
On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
> It's catching on :-)
this new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...
How about:
body __MED_OB
/\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[
It means that if you were using BL at MTA level your SA might never have seen
the message at all.
No your rule would not be "overlooked" 'because the site is in a blacklist'
*unless* you were using the BL in your MTA and rejected the transaction from a
blacklisted IP address and, thus, never su
>From: Dan Schaefer [mailto:d...@performanceadmin.com]
>For those of you that manage these rules,
>URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as
>spam
I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be hitting
anything currently.
>http://pastebin.co
On Wed, July 22, 2009 21:56, Dan Schaefer wrote:
> Does this mean that if I have a custom rule to search for exactly the
> "via" site, my rule will be overlooked because the site is in a blacklist?
what problem ?
--
xpoint
Benny Pedersen wrote:
On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as
spam
http://pastebin.com/m40f7cff4
reject it with rbl testing in mta, and its found in blackli
On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
> For those of you that manage these rules,
> URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as
> spam
> http://pastebin.com/m40f7cff4
reject it with rbl testing in mta, and its found in blacklist, reason it not
found
For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as
spam
http://pastebin.com/m40f7cff4
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
On Wed, July 22, 2009 13:16, twofers wrote:
> "Because we CAN'T."
Obama says "yes we can" :)
> My point exactly. No matter what, with the current system of internet email,
just because mainstream spammers are so clueless that they start using
recipient equal to sender envelope says they never g
Charles,
"Because we CAN'T."
My point exactly. No matter what, with the current system of internet email,
SPAM will never be stopped or filtered out completely. A completely new concept
of verifying internet email would be required for that and unfortunately, that
will never happen simply becau
Sometimes I wished everyone getting involved in heated discussions and
proposals, also would carefully read any post with a related topic...
I did leak the other day, that I actually am hacking such a beast.
Sorry. Sometimes the mailbox overload is a bit much, and I just have to
delete things w
Sometimes I wished everyone getting involved in heated discussions and
proposals, also would carefully read any post with a related topic...
On Tue, 2009-07-21 at 11:29 -0400, Charles Gregory wrote:
> Further to my original post, I haven't read all of today's mail yet, but
FWIW, neither did I, a
On Tue, 21 Jul 2009, twofers wrote:
so why not let them show us what they've got, show us where we
need to make adjustments and corrections and in turn we will continue to
refine our process, ever so more, squeezing them out...inch by inch.
Because we CAN'T. While the spammers are free
Charles,
Although I understand your reservations, I feel in this case that it's best to
lay it all out there and give it to them, let them do what they do. In my mind
it's nothing more than "Flushing" out the best they can offer and finding the
loopholes, and closing them up.
There are more
On Wed, 15 Jul 2009, MrGibbage wrote:
I wonder if the spammers are reading this forum. That seemed awful fast.
I'm sure they do. But I also suspect that they have a simple 'feedback'
mechanism that lets them know how much of their spew is getting rejected
on their botnets, and when the rejec
On Wed, 15 Jul 2009, MrGibbage wrote:
I wonder if the spammers are reading this forum. That seemed awful fast.
Of course they are.
--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79
>Which of course means we've long since passed the point where any of
>these are going to do the spammers any good. That's the frustrating
>part.
I thought that the point was that since it cost a spammer the same to send
out a million emails as to send out one, he was happy if only one of th
Chris Owen wrote:
> On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote:
>
To answer your next post, I don't use '\b' because the next 'trick'
coming
will likely be something looking like Xwww herenn comX... :)
>>> At that point it can be dealt with.
>
>> Well, they're getting clos
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote:
To answer your next post, I don't use '\b' because the next
'trick' coming
will likely be something looking like Xwww herenn comX... :)
At that point it can be dealt with.
Well, they're getti
On Mon, 13 Jul 2009, John Hardin wrote:
> The + signs are a little risky, it might be better to use {1,3} instead.
(nod) Though without the '/m' option it would be limited to the same line.
body rules work on paragraphs, but you are right, the badness has an upper
limit.
Ugh. Forgot it was '
On Mon, 13 Jul 2009, Charles Gregory wrote:
On Mon, 13 Jul 2009, John Hardin wrote:
Why be restrictive on the domain name?
If a conservative spec is sufficient to match the spam, then we're
helping avoid false positives I'd rather tweak the rule to
catch the new tricks of the spammer tha
On Mon, 13 Jul 2009, John Hardin wrote:
Why be restrictive on the domain name?
If a conservative spec is sufficient to match the spam, then we're
helping avoid false positives I'd rather tweak the rule to
catch the new tricks of the spammer than overgeneralize. :)
The + signs are a little
On Mon, 13 Jul 2009, Charles Gregory wrote:
On Mon, 13 Jul 2009, rich...@buzzhost.co.uk wrote:
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
Does not seem to work with;
ww
On Mon, 13 Jul 2009, McDonald, Dan wrote:
On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
Does not seem to work wit
On Mon, 13 Jul 2009, rich...@buzzhost.co.uk wrote:
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
Does not seem to work with;
www. meds .com
Correct. With spaces being one of the
On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:
> On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
> > (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
> > www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
>
> Does not seem to work with;
>
> www. meds .com
It shouldn
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
Does not seem to work with;
www. meds .com
If I might interject. This seems to be an excellent occasion for
the PerlRE 'negative look-ahead' code (excuse the line wrap):
body =~ /(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)/i
...unless someone can think of an FP for this r
On Fri, 10 Jul 2009, McDonald, Dan wrote:
They have. They are using underscores, which are a [:punct:], but don't form a
\b break.
New rules:
body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
body
On Sat, 11 Jul 2009, Jason L Tibbitts III wrote:
I still wonder, though, if we shouldn't be turning these back into
hostnames and looking them up in the regular URI blacklists
Given the obvious objections to having the primary URIBL mechanism try to
parse obfuscations, I once again questio
2009/7/11 Sim :
>> New rules:
>> body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
>> body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
>> body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
>> body __MED_BEG_BOTH
>> /\bw{2,3}[[:punct:][:spac
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
>> "MD" == McDonald, Dan writes:
>
>MD> The rules I posted last night catch those. They switched from
underscores to commas this morning, and my rules still catch them.
>I still wonder, though, if we shouldn't be turning these back into
>hos
> "MD" == McDonald, Dan writes:
MD> The rules I posted last night catch those. They switched from
MD> underscores to commas this morning, and my rules still catch them.
FYI, they're also using plus signs, which also seem to be caught
properly by your rules. I think we're good until they sw
On Sat, 2009-07-11 at 07:14 -0500, McDonald, Dan wrote:
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
> >On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> >> > "MD" == McDonald, Dan writes:
> >>
> >> MD> They
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
>On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
>> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
>> > "MD" == McDonald, Dan writes:
>>
>> MD> They are using underscores, which are a [:punct:], but don't form
>> MD>
On 2009-07-10, Fri at 16:48 -0700, fchan wrote:
> Don't tempt them, I already get enough spam not only from these guys.
> Also they will flood the network with smtp useless connections and
> unless you have good network attack mitigation system so you don't
> have a DDoS, don't tempt them
> New rules:
> body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_BOTH
> /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2
On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> > "MD" == McDonald, Dan writes:
>
> MD> They are using underscores, which are a [:punct:], but don't form
> MD> a \b break.
>
> >I'm becoming confused as to what they could poss
>From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> "MD" == McDonald, Dan writes:
MD> They are using underscores, which are a [:punct:], but don't form
MD> a \b break.
>I'm becoming confused as to what they could possibly hope to
>accomplish by that.
right now I think they are sticking
> "MD" == McDonald, Dan writes:
MD> They are using underscores, which are a [:punct:], but don't form
MD> a \b break.
I'm becoming confused as to what they could possibly hope to
accomplish by that. At least when using dots and spaces users could
cut and paste the hostname into a browser (i
>From: fchan [mailto:fc...@molsci.org]
>Don't tempt them, I already get enough spam not
>only from these guys. Also they will flood the
>network with smtp useless connections and unless
>you have good network attack mitigation system so
>you don't have a DDoS, don't tempt them.
Pretty soon th
Don't tempt them, I already get enough spam not
only from these guys. Also they will flood the
network with smtp useless connections and unless
you have good network attack mitigation system so
you don't have a DDoS, don't tempt them.
Dnia 2009-07-11, sob o godzinie 00:18 +0200, Paweł Tęcza pi
On 2009-07-11, Sat at 00:18 +0200, Paweł Tęcza wrote:
> I received very similar spam too. It also includes "www.ma29. net"
> domain. It's probably personal dedication from the spammers to me ;)
> Thank you! I know you're watching that mailing list.
Hey spammers! ;)
It's after midnight
On Fri, 10 Jul 2009, McDonald, Dan wrote:
body __MED_END_BOTH
/\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
Let's see how long it takes them to come up with a workaround for this!
A domain name with 7+ letters? www. goodmeds123. com ? :)
--
J
On 2009-07-10 11:39:02, Daniel Schaefer wrote:
> Since we're sharing rules for this recent Spam outbreak, here is my rule:
> body DRUG_SITE /www(\.|\
> )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\
> )*(net|com)/
> score DRUG_SITE 0.5
> describe DRUG_SITE Test to find spam drug
John Hardin wrote:
On Fri, 10 Jul 2009, Daniel Schaefer wrote:
Doesn't the . (period) need escaped in this? [.\s]{1,3}
Nope. "[]" means "explicit set of characters", and "." = "any
character" conflicts with that context.
Thanks for the clarification. I'm still learning REs.
--
Dan Schaef
On Fri, 10 Jul 2009, Daniel Schaefer wrote:
Doesn't the . (period) need escaped in this? [.\s]{1,3}
Nope. "[]" means "explicit set of characters", and "." = "any character"
conflicts with that context.
--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec
John Hardin wrote:
On Fri, 10 Jul 2009, Daniel Schaefer wrote:
Gerry Maddock wrote:
> > McDonald, Dan wrote:
> >
> > body DRUG_SITE /www(\.|\
> > ) *(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ >
> ) )*(net|com)/
> > You should avoid the use of *, as it allows spammers to co
On Fri, 10 Jul 2009, Daniel Schaefer wrote:
Gerry Maddock wrote:
> > McDonald, Dan wrote:
> >
> > body DRUG_SITE /www(\.|\
> > ) *(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\
> > ) )*(net|com)/
>
> You should avoid the use of *, as it allows spammers to consume all
> of yo
2009/7/10 John Hardin :
> On Fri, 10 Jul 2009, Sim wrote:
>
>>>
>>> /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>>
>> I'm using it without good results for this format:
>>
>> bla bla www. site. net. bla bla
>>
>> Have you any idea?
>
> There are no di
> Yes, remove the outer parentheses.
>
> Here are the rules I am using:
> body AE_MEDS35 /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
> describe AE_MEDS35 obfuscated domain seen in spam
> score AE_MEDS35 3.00
>
> body AE_MEDS38
> /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4
Gerry Maddock wrote:
McDonald, Dan wrote:
Since we're sharing rules for this recent Spam outbreak, here is my
rule:
body DRUG_SITE /www(\.|\
)*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|
com)/
You should avoid the use of *, as it allows spamm