At Fri Jan 23 06:46:33 2004, Thomas Kinghorn wrote:
>
> Below are the headers & I have attached the mail.
>
> These are getting worse.
>
> To top it off, SA learned it as HAM.
>
> If anyone knows of any rules that could work on these mails, It would be
> greatly appreciated.
[I've posted most of these before, with the exception of
L_SPAMMY_RCVD. I make some comments at the bottom about the way one
might use "virus scanner type updates" to help deal with these spam
runs.]
> Received: from [121.98.236.198] by 219.112.180.135 with HTTP;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This seems to be a signature with these mails, but I haven't put
together a rule for them yet. The following *might* work:
header L_SPAMMY_RCVD Received =~ /from \[\d{1-3}\.\d{1-3}\.\d{1-3}\.\d{1-3}\] by
\d{1-3}\.\d{1-3}\.\d{1-3}\.\d{1-3} with HTTP;/
describe L_SPAMMY_RCVD Received header has Ratware traces
score L_SPAMMY_RCVD 1.0
> Message-Id: < <mailto:[EMAIL PROTECTED]>
> [EMAIL PROTECTED]>
Thank you for mangling that, Microsoft.
That Message-ID is typical of these messages.
header L_MSGID_SPAM1 Message-Id =~ /<[EMAIL PROTECTED]>/
describe L_MSGID_SPAM1 Message-ID has known spammer pattern
score L_MSGID_SPAM1 1.0
> Content-Type: multipart/alternative;
> boundary="686767422631711"
header L_MIME_BOUND_MANY_DIG Content-Type =~ /boundary=\"\d{15,}\"/
describe L_MIME_BOUND_MANY_DIG MIME boundary contains all digits
score L_MIME_BOUND_MANY_DIG 1.0
Another poster reported that he'd dropped this to (I think) 13 or more
repetitions.
> <TITLE>Message</TITLE>
rawbody L_TITLE_MESSAGE m{<TITLE>Message</TITLE>}
describe L_TITLE_MESSAGE Mail has an HMTL TITLE tag of "Message"
score L_TITLE_MESSAGE 1.0
> <DIV><!-- Converted from text/plain format --><FONT face=3DArial =
rawbody L_CONVERTED m{<DIV><!-- Converted from text/plain format -->}
describe L_CONVERTED Converted from text/plain
score L_CONVERTED 1.0
> size=3D2>
> STILL NO LUCK ENRGAILNG IT?<BR>
> <BR>
> Our 2 pcodruts will work for you!<BR>
> <BR>
> 1. #1 Spupelment aavilable! - Works!<BR>
One of the advantages of the "virus scanner type updates" people ask
about is that you could easily pick up spam runs like this. Similar
messages get sent out in runs of days at a time before the spammer
switches to something else (at least in my experience).
Distributing additional rules that pick up common spams would at least
have the advantage of helping to prevent corruption of Bayes databases
by making sure that a well-written spam that avoids other triggering
any rules at all doesn't get learnt as ham because it scores 0 (less
than the 0.1 which stops auto-learning as ham).
For example, just adding "pcodruts" and "aavilable" with a score of
0.1 each would make sure this probably wouldn't be learnt as ham.
Martin
--
Martin Radford | "Only wimps use tape backup: _real_
[EMAIL PROTECTED] | men just upload their important stuff -o)
Registered Linux user #9257 | on ftp and let the rest of the world /\\
- see http://counter.li.org | mirror it ;)" - Linus Torvalds _\_V
-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
