From: List Mail User [mailto:[EMAIL PROTECTED]
> 
> >...
> >I'm running SA 3.1 and I have started to notice more spam come through
> >recently.
> >
> >Some are porn and some are medication.  They don't hit much of anything
> >beyond Razor2 and Chickenpox, which isn't enough to mark them as spam.
> >
> >Some of the medication spams are using an obnoxious html table structure
> >that makes the contents of each cell print vertically.
> >
> >For example:
> >  <table>
> >    <tr>
> >      <td>a d g</td>
> >      <td>b e h</td>
> >      <td>c f i</td>
> >      <td width=100%></td>
> >    </tr>
> >  </table>
> >
> >This results in:
> >a b c
> >d e f
> >g h i
> >
> >Has anyone else been having this problem?  Any rules to catch medication
> >names in those types of tables?
> 
>       They should hit a well trained BAYES, and both Pyzor and DCC as
> well as Razor2 (your site may not be able to use them due to licensing
> issues).  I believe that Loren has written some SARE rules for these
> also (check the archives).  These are Leo Kuvayev's pill spams, and
> also very often fail many net tests (XBL, SBL, etc. and after a while
> they will hit the SURBLs and other URI tests as long as you are not
> at the very start of a spam run).  They tend to run > 20 points here,
> peaking over 40 points at the end of a run (or a subsequent spam run).
> I believe some people using the SARE rules report ~100 points for them
> (after half a day or so, they fail every net test, and very many "small"
> rules).  Also, the typical ones are delivered by zombies, so often the
> DUL tests hit right away, and if you can afford to refuse bad DNS at
> the MTA level (many large sites can't), you'll never see most of them.
> 
>       The last one I got hit:
> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,
> PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
> RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,
> URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,
> URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,
> URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,
> URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
> 
>       A slightly earlier one got a much lower score with:
> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,
> RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
> UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
> 
>       In both cases local URI rules increased the score, but were not
> needed (i.e. they would be over most "reasonable" limits anyway). 

I have a trained Bayes DB, but I didn't get anything from it.  I'm
running Razor, but not Pyzor or DCC.  I've got the default blacklists
and a bunch of SARE rules, but I'm not sure if I've got the one you
are referring to.

Here's my current list (updated via RDJ):
    70_sare_adult.cf
    70_sare_evilnum0.cf
    70_sare_genlsubj0.cf
    70_sare_header0.cf
    70_sare_html0.cf
    70_sare_obfu0.cf
    70_sare_random.cf
    70_sare_specific.cf
    70_sare_spoof.cf
    70_sare_unsub.cf
    70_sare_uri0.cf
    70_sare_whitelist_rcvd.cf
    70_sare_whitelist_spf.cf
    99_sare_fraud_post25x.cf
    chickenpox.cf
    weeds.cf

I don't have one to look at right now, but from memory, there was just
Razor and chickenpox that hit.

No Bayes mention at all, which is odd now that you mention it.  Maybe
I should check to make sure everything is working properly.

Bowie
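
The vertical-table trick described in the first message can be undone before matching: the sketch below is an added example, not code from this thread or from SpamAssassin, and rebuilds the text in the order a reader sees it so a word list can be checked against it. The names `RowCells`, `rendered_lines`, `hidden_words` and the sample markup are hypothetical, and it assumes every whitespace-separated token (or `<br>`-separated piece) in a cell ends up on its own line.

```python
from html.parser import HTMLParser
from itertools import zip_longest
import re

# Constructed sample, built from the table quoted in the first message.
SAMPLE = "<table><tr><td>a d g</td><td>b e h</td><td>c f i</td><td width=100%></td></tr></table>"

class RowCells(HTMLParser):
    """Collect the text of each table cell, grouped by row."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.rows = [[]]   # leading row catches cells outside any <tr>
        self.cell = None   # text pieces of the open cell, else None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th"):
            self.end_cell()
            self.cell = []
        elif tag == "br" and self.cell is not None:
            self.cell.append(" ")   # <br> stacks tokens like a wrap does

    def handle_endtag(self, tag):
        if tag in ("td", "th", "tr", "table"):
            self.end_cell()

    def handle_data(self, data):
        if self.cell is not None:
            self.cell.append(data)

    def end_cell(self):
        if self.cell is not None:
            self.rows[-1].append("".join(self.cell))
            self.cell = None

def rendered_lines(html):
    """Text in reading order: the n-th token of every cell forms line n."""
    parser = RowCells()
    parser.feed(html)
    parser.close()
    parser.end_cell()   # flush a cell left open by truncated markup
    return [" ".join(filter(None, tokens))
            for row in parser.rows
            for tokens in zip_longest(*(c.split() for c in row), fillvalue="")]

def hidden_words(html, watchlist):
    """Watchlist words found once the rendered lines are joined and de-spaced."""
    flat = re.sub(r"[^a-z0-9]", "", "".join(rendered_lines(html)).lower())
    return [w for w in watchlist if w.lower() in flat]
```
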