Hello Kenneth-san.

From: Kenneth Porter <[EMAIL PROTECTED]>
Subject: Re: span float obfuscation
Date: Mon, 01 May 2006 07:53:12 -0700

> On Saturday, April 29, 2006 8:28 PM +0900 MATSUDA Yoh-ichi <[EMAIL PROTECTED]> wrote:
>
> > BTW, I have more rules for catching various types of spam.
> > Which is better for posting new rules?
> > (1) first, posting new rules to this users ML, next, posting to Bugzilla
> > (2) directly posting new rules to Bugzilla
>
> I'd post to bugzilla, after first looking to see if someone's already
> posted either a similar rule or a methodology that eliminates the need for
> the rule.

Thank you for your advice.
So, I've posted 2 kinds of rules.
Everyone in this ML, please test them.

The rules below are for detecting some types of Japanese spam.

(1) Another way of RCVD_ILLEGAL_IP
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4459

header FORGED_RCVD_IP Received =~ /(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
describe FORGED_RCVD_IP Invalid IP number, over 255.
score FORGED_RCVD_IP 2.5

(2) detecting same HELO and BY
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4889

header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\7/
describe HELO_BY_SAME HELO is same received MTA's FQDN
score HELO_BY_SAME 1.5

header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
describe HELO_BY_PARTIALSAME HELO is same received MTA's domain name
score HELO_BY_PARTIALSAME 1.5

-- 
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh) mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
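
A way to see what the FORGED_RCVD_IP rule above fires on before giving it a score, as an added example that is not part of the original post: the posted pattern is split at its top-level alternation and run over constructed Received headers, with Python's `re` standing in for SpamAssassin's Perl regex engine. The function name and the sample headers are made up for the illustration; note that the first alternative also hits dotted quads whose octets are all 255 or less when the first octet is 96-120 or 223 and up, so those ranges should be checked against current address allocations.

```python
import re

# FORGED_RCVD_IP pattern from the post, split at its top-level "|".
FIRST_OCTET = r"\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]"
OVER_255 = r"(2(5[6-9]|[6-9]\d)|[3-9]\d\d)"
LATER_OCTET = "|".join([
    r"\d{1,3}\." + OVER_255 + r"(\.\d{1,3}){2}",   # second octet
    r"(\d{1,3}\.){2}" + OVER_255 + r"(\.\d{1,3})",  # third octet
    r"(\d{1,3}\.){3}" + OVER_255,                   # fourth octet
])
# Reassembled, this is the same expression as in the posted rule.
RULE = re.compile("(" + FIRST_OCTET + "|" + LATER_OCTET + ")")


def why_hit(received):
    """Say which part of the rule fires on a Received header, or None."""
    if not RULE.search(received):
        return None
    m = re.search(FIRST_OCTET, received)
    if m is None:
        return "later octet over 255"
    octet = int(m.group(1))
    if octet > 255:
        return "first octet over 255"
    return "first octet %d in listed range" % octet


# Constructed Received headers (hypothetical hosts, not taken from real mail).
SAMPLES = [
    "from mail.example.net (mail.example.net [192.0.2.25]) by mx.example.org",
    "from unknown (HELO example.net) ([10.300.1.1]) by mx.example.org",
    "from host.example.com (host.example.com [198.51.100.256]) by mx.example.org",
    "from bad.example.com (bad.example.com [300.1.2.3]) by mx.example.org",
    # Every octet is valid here, yet the first alternative matches on "100".
    "from gw.example.com (gw.example.com [100.64.0.1]) by mx.example.org",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(why_hit(line), "<-", line)
```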