Hi Barry,
This will also snag a few of those if you want to use them.  You could
write them to hit the body as well if you wanted, I just use a subject
rule for now.

describe J_PARIS        obfu paris
header   J_PARIS        Subject =~ /[EMAIL PROTECTED]|1\!][sz5\$](?<!(?:paris))/i
score    J_PARIS        1.0

describe J_HILTON       obfu hilton
header   J_HILTON       Subject =~ /h[iíl\|1\!][l1\!\|][t7\+][o0u]n(?<!(?:hilton))/i
score    J_HILTON       1.0

Jennifer

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Barry Callahan
> Sent: Wednesday, December 24, 2003 9:13 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Image-only spam
> 
> 
> Heh.
> 
> Went to http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
> and installed the following rulesets:
> 
> bigevil.cf
> nov2rules.cf
> popcornonly.cf
> weedsonly.cf
> backhair.cf
> 
> I've got SpamAssassin monitoring a handful of addresses where >98% of 
> all traffic is spam.  So far, I've had one spam squeak through with a 
> score of 4.8...  A snippet follows:
> 
> *SNIPPET*
> X-Spam-Status: No, hits=4.8 required=5.0 tests=BIZ_TLD,BigEvilList_184,
>       OACYS_CONS_6 autolearn=no version=2.61
> X-Spam-Level: ****
> X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
>       s3.lakotacreations.com
> 
> Download the Parls HlLton stolen s-e-x video!
> 
> This is the original private Parls HlLton sex video that Paris and Rick
> Soloman made that has been leaked out,
> and is now available for you to download.
> Get it while you can, the HiIton's family lawyers are doing everything
> they can to stop re-distribution of this video
> 
http://www.crockolate.biz/paris/paris.html



rGzmj0jwTA
*/SNIPPET*

To catch these in the future, I added the pattern s-e-x to the 
DISGUISE_PORN rule in 20_porn.cf

Now to start looking at some real email and see if I have any problems 
with false positives. :)

barryc wrote:
> After replacing the RPM I got from RedHat (2.44) with the RPMs found on the
> SpamAssassin website (2.61) it's now catching 2/3 of the spam.
> 
> The image-only spam I'm getting is now being tagged at 2.0 - 3.6.
> 
> Now that I'm running a modern release of SpamAssassin, I'll take a look at DCC
> and Razor, and I'll look into setting up a Bayesian database.




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's Free Linux Tutorials.  Learn everything from the bash shell to sys
admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Spamassassin-talk mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
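
The J_HILTON rule posted in the thread can be tried against sample Subject lines before it is loaded. This is an added example, not code from either poster or from SpamAssassin: it approximates the rule with Python's re module (an assumption, since SpamAssassin evaluates Perl regexes), and load_rules, check_subject and the sample subjects are constructed for illustration.

```python
import re

# J_HILTON as posted in the thread, with the header line joined onto one line.
RULES = r"""
describe J_HILTON       obfu hilton
header   J_HILTON       Subject =~ /h[iíl\|1\!][l1\!\|][t7\+][o0u]n(?<!(?:hilton))/i
score    J_HILTON       1.0
"""

def load_rules(text):
    """Parse 'header NAME Subject =~ /re/flags' and 'score NAME n' lines."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind == "header":
            m = re.match(r"Subject\s*=~\s*/(.*)/([a-z]*)\s*$", rest)
            if not m:
                continue  # not a Subject regex rule; out of scope here
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            rules.setdefault(name, {})["re"] = re.compile(m.group(1), flags)
        elif kind == "score":
            rules.setdefault(name, {})["score"] = float(rest)
    return rules

def check_subject(rules, subject):
    """Return (total score, names of rules that hit) for one Subject line."""
    hits = [n for n, r in rules.items() if "re" in r and r["re"].search(subject)]
    return sum(rules[n].get("score", 1.0) for n in hits), hits

# Constructed Subject lines. "HlLton" and "HiIton" reuse the two spellings
# that appear in the spam quoted in the thread.
SAMPLES = [
    "Parls HlLton video",    # l in place of i: matches, lookbehind passes
    "H1lt0n video",          # digits in place of letters: matches
    "Hilton hotel booking",  # plain spelling: the lookbehind vetoes the match
    "the HiIton video",      # capital I in place of l: no match
]

if __name__ == "__main__":
    rules = load_rules(RULES)
    for subject in SAMPLES:
        print(check_subject(rules, subject), subject)
```

The last sample is not tagged: under /i the capital I is compared as i, which the rule's second character class [l1\!\|] does not list, so the "HiIton" spelling quoted in the thread gets past the rule as posted.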


