I'd like to try these rules as below--but suspect line breaks from the email may be a problem. Can you point me to a file to download or attach a text doc?
Thanks and glad I finally joined this list. Been using SA for a couple years now and now have had to get serious about using it well.
Joe Kletch
Line breaks shouldn't be an issue - each rule needs to be on one line, so for example
header __PORN_WORD06 Subject =~/f(?:ucke|ucek|ukce|ukec|ueck|uekc|cuek|cuke|ckue|ckeu|ceku|ceuk|kuce|kuec|kcue|kceu|kecu|keuc|euck|eukc|ecuk|ecku|ekcu|ekuc)d/i
probably appears as 3 lines, but needs to be one.
Also, just a friendly suggestion, and not picking on you, but please trim irrelevant text from your reply. As an example, your reply had 5 levels deep of "from's". There's no reason to quote that far back in a thread:
Thanks and hope this helps! :)
Evan
>On Feb 21, 2005, at 8:09 AM, Gray, Richard wrote:
<SNIP>
<SNIP>-----Original Message----- From: Pierre Thomson [mailto:[EMAIL PROTECTED] Sent: 21 February 2005 13:59 To: Gray, Richard Cc: users@spamassassin.apache.org Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you
<SNIP>-----Original Message----- From: Gray, Richard [mailto:[EMAIL PROTECTED] Sent: Monday, February 21, 2005 8:28 AM To: Jeff Chan; Daniel A. de Araujo Cc: users@spamassassin.apache.org Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you
<SNIP>-----Original Message----- From: Jeff Chan [mailto:[EMAIL PROTECTED] Sent: 21 February 2005 13:02 To: Daniel A. de Araujo Cc: users@spamassassin.apache.org Subject: Re: ENC: Wet 30 to 40 girls hrony and wants you
-----Mensagem original----- De: Sweetest S. Transfusion [mailto:[EMAIL PROTECTED] Enviada em: domingo, 20 de fevereiro de 2005 00:06 Para: Angelac Assunto: Fw: Wet 30 to 40 girls hrony and wants you
On Feb 21, 2005, at 8:09 AM, Gray, Richard wrote:
Try these on for size:
header __PORN_WORD01 Subject =~/n(?:ex|xe)t door/i
header __PORN_WORD02 Subject =~/puss(?:y|ies)/i
header __PORN_WORD04 Subject =~/(?:needs|for) m(?:one|oen|neo|noe|eno|eon)y/i
header __PORN_WORD05 Subject =~/h(?:orn|onr|nro|nor|ron|rno)y/i
header __PORN_WORD06 Subject =~/f(?:ucke|ucek|ukce|ukec|ueck|uekc|cuek|cuke|ckue|ckeu|ceku|ceuk|kuce|kuec|kcue|kceu|kecu|keuc|euck|eukc|ecuk|ecku|ekcu|ekuc)d/i
header PORN_WORD08 Subject =~/\bMILF\b/i
header PORN_WORD09 Subject =~/w(?:hor|hro|roh|rho|ohr|orh)e/i
header PORN_WORD20 Subject =~/w(?:hore|hoer|hroe|hreo|heor|hero|ohre|oher|orhe|oreh|oerh|oehr|rhoe|rhep|roeh|rohe|reho|reoh|ehro|ehor|eorh|eohr|erho|eroh)s/i
header PORN_WORD10 Subject =~/(?:hstoett|o(?:the|teh|het|hte|eht|eth)r|stpuid|stupid|disgusting|shy|married|brand new|dirty|average|amateur|amatuer|amtauer|real|beautiful|hot|sexy|sxey|n(?:ast|ats|tas|tsa|sta|sat)y|wet|cute).{1,3}(?:(?:step|grand)?[ \-_]?(?:mo|om)ms?|house[ \-_]?wi[fvr]es?|(?:cow)?girls?|moms?|w(?:om[ae]|o[ae]m|[ae]om|[ae]mo|m[ae]o|mo[ae])n|neigbhour|neighbour|neighbuor|(?:teen|tnee)(?:ager|agre|arge)?s?|s(?:lu|ul)ts?|bitehcs|bitches)/i
header __PORN_WORD11 Subject =~/\bcum(?:shot)?\b/i
header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:oc|co)k)/i
header __PORN_WORD13 Subject =~/fucking/i
header __PORN_WORD14 Subject =~/up[ \-_]c(?:los|lso|sol|slo|ols|osl)e/i
header __PORN_WORD15 Subject =~/snatch/i
header __PORN_WORD16 Subject =~/(?:pervert|peervrt|prevert|perevrt)/i
The hidden ones I tend to count the sum of and add a score based on how many they hit (1, 2, or 3). I don't think any have hit all 3 :) Tune them and play with them all you need. Even better would be to feed back to me the changes you make :)
I haven't updated these for today (and I have new examples)
The domains listed in these messages frequently change, so we get a burst of them that make it past the SURBL every few days. (usually weekends, we've noticed a very clear peak in spam coming at the weekends)
R
-----Original Message----- From: Pierre Thomson [mailto:[EMAIL PROTECTED] Sent: 21 February 2005 13:59 To: Gray, Richard Cc: users@spamassassin.apache.org Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you
I made a few custom rules looking for intentional misspellings of certain subject words. We use Bayes, so of course the misspellings are soon recognized that way too.
The rules I made are based on the observation that the first and last letters of these obfuscated words are left alone to make them understandable. So a 5-letter word will have 6 possible variations, of which 5 are misspellings. Since these misspellings are highly unlikely to occur in ham, you can score them pretty high.
So for this word you could use:
header PT_SPELL1 Subject =~ /\bh(ron|onr|nro|nor|rno)y\b/i
Of course 6-letter and longer words have more possible misspellings, so you can't extend this method too far! Other misspelled subject words I see in today's quarantine include "pretty", "lovely", and "mother".
Good luck Pierre Thomson BIC
-----Original Message----- From: Gray, Richard [mailto:[EMAIL PROTECTED] Sent: Monday, February 21, 2005 8:28 AM To: Jeff Chan; Daniel A. de Araujo Cc: users@spamassassin.apache.org Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you
I have this same SPAM regularly occurring in our network, and frequently the domain has yet to be listed in the SURBL lists.
I have yet to find another effective way of catching this other than writing a long list of rules to match the varying subject lines.
-----Original Message----- From: Jeff Chan [mailto:[EMAIL PROTECTED] Sent: 21 February 2005 13:02 To: Daniel A. de Araujo Cc: users@spamassassin.apache.org Subject: Re: ENC: Wet 30 to 40 girls hrony and wants you
On Monday, February 21, 2005, 4:45:38 AM, Daniel Araujo wrote:
Hi, guys. We are receiving a lot of these kinds of spam, as below. I couldn't discover a way to block them because there are a lot of types and combinations. Is anyone having the same problem? Any ideas to block it?
-----Mensagem original----- De: Sweetest S. Transfusion [mailto:[EMAIL PROTECTED] Enviada em: domingo, 20 de fevereiro de 2005 00:06 Para: Angelac Assunto: Fw: Wet 30 to 40 girls hrony and wants you
Buenos tardes!
Bandagi
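Added example, not part of the original thread: a Python generator for the kind of rule Pierre Thomson describes above (first and last letters fixed, inner letters scrambled, correct spelling excluded), with a check of the generated pattern against sample subjects. The rule names EX_SPELL_*, the max_alternatives cap and the sample subjects are assumptions made for this illustration.

```python
import itertools
import re

def inner_permutations(word):
    """Distinct scrambles of the inner letters, excluding the correct spelling."""
    inner = word[1:-1]
    perms = {"".join(p) for p in itertools.permutations(inner)}
    perms.discard(inner)  # the real word must not trigger the rule
    return sorted(perms)

def misspelling_rule(name, word, max_alternatives=120):
    """Build a SpamAssassin header rule matching scrambled spellings of word.

    max_alternatives is an arbitrary cap chosen for this example: the number
    of alternatives grows factorially with word length, so long words are
    refused instead of producing an unmanageable regex.
    """
    if not word.isalpha():
        raise ValueError("only plain alphabetic words are supported")
    alts = inner_permutations(word)
    if not alts:
        raise ValueError(f"{word!r} has no scrambled forms")
    if len(alts) > max_alternatives:
        raise ValueError(f"{word!r} needs {len(alts)} alternatives")
    body = "|".join(alts)
    return f"header {name} Subject =~ /\\b{word[0]}(?:{body}){word[-1]}\\b/i"

def rule_regex(rule):
    """Extract the /.../i pattern from a generated rule and compile it."""
    pattern = rule.split("=~ /", 1)[1].rsplit("/i", 1)[0]
    return re.compile(pattern, re.IGNORECASE)

# Constructed subjects: the first is the subject line from this thread,
# the other two are ham-like lines that must not match.
SAMPLES = [
    ("Wet 30 to 40 girls hrony and wants you", True),
    ("Horny toads of the American southwest", False),
    ("Re: harmony rehearsal on Friday", False),
]

if __name__ == "__main__":
    rule = misspelling_rule("EX_SPELL_HORNY", "horny")
    print(rule)
    rx = rule_regex(rule)
    for subject, expected in SAMPLES:
        print(bool(rx.search(subject)) == expected, subject)
    # Repeated inner letters ("tt") reduce the count: 11 alternatives, not 23.
    print(misspelling_rule("EX_SPELL_PRETTY", "pretty"))
```

Paste the printed rule into a local .cf file on one line and run `spamassassin --lint` before giving it a score.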