RE: spam attacks - so and so wrote about a stock

[Duncan, Brian M.]

Title: RE: spam attacks - so and so wrote about a stock

Ahh OK sorry, I figured it was animated gifs period.

 

Thanks for clarifying that for me.

 

---

From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 19, 2006 9:46 AM
To: Duncan, Brian M.; users@spamassassin.apache.org
Subject: RE: spam attacks - so and so wrote about a stock

No, you got it all wrong :)

 

The ruleset looks for animated gif stock SPAMS, not animated gifs. They purposely do NOT bother to look at the animated gif at all. They use other features that those spams have in common. Watch your traps and see. They will catch the animated gif spams, but not by looking at the gif.

 

So sending a test email with an animated gif in it, won't work :)

 

--Chris

-----Original Message-----
From: Duncan, Brian M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 19, 2006 10:04 AM
To: users@spamassassin.apache.org
Subject: RE: spam attacks - so and so wrote about a stock

Sorry Chris I replied directly to you instead of the list before.

 

I put in place the new rules yesterday and I am not getting a hit on animated gifs from the new addition.

 

It should be this part of the new sarstock rules that it hits right?

 

# Chris Santerre
# SpamAssassin RulesEmporium (SARE)
#
# Salty Stock Rules
# 10/18/06
# Version: 2.51
#
# These rules have been tested.
# They are meant to catch stock spams with inline gifs
#
# [EMAIL PROTECTED]

 

rawbody __MY_CID        /src\=\"cid\:/i
describe __MY_CID       SARE inline attached image
# avg S/O .85

 

rawbody __MY_CLOSING /\<\/FONT\>\<\/DIV\>\<\/BODY\>\<\/HTML\>/i
describe __MY_CLOSING font,div,body,html closing
# avg S/O .70

 

rawbody __MY_EMPTY_FONT /face\=Arial size\=.\>\<\/FONT\>\<\/DIV\>/i
describe __MY_EMPTY_FONT SARE Empty font tag
# avg S/O .78

 

rawbody __MY_ARIAL2 /face\=Arial size\=2\>/i
describe __MY_ARIAL2 SARE Arial font size 2
# avg S/O .74

 

rawbody __MY_STYLE /\<STYLE\>\<\/STYLE\>/
describe __MY_STYLE SARE Empty STYLE tags
# avg S/O Not tested seperetly.

 

I sent a test message to myself with an inline stock animated gif from a previous message I have.

SARE_GIF_ATTACH is older, which just checks for a GIF extension in the body.  I assume the new rules are for catching animated gifs, or am I off about that?

 

The box I sent it through is NOT running fuzzy ocr right now or imageinfo, it just has most of the SARE rules.  Including the updated stock ones from yesterday.

 

X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=3.556,
 required 6.5, AWL 3.45, BAYES_00 -2.60, DNS_FROM_RFC_ABUSE 0.20,
 HTML_MESSAGE 0.00, SARE_GIF_ATTACH 2.50)

Content-Type: image/gif; name=boathouse.gif
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>
Content-Location: 1_multipart%3F2_boathouse.gif
X-Attachment-Id: 0.1
Content-Disposition: inline; filename="boathouse.gif"
 

 

 

 

---

From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 19, 2006 8:43 AM
To: 'Spamassassin List'
Cc: users@spamassassin.apache.org
Subject: RE: spam attacks - so and so wrote about a stock

> -----Original Message-----
> From: Spamassassin List [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 19, 2006 1:13 AM
> Cc: users@spamassassin.apache.org
> Subject: Re: spam attacks - so and so wrote about a stock
>
>
> > Rob McEwen (PowerView Systems) wrote:
> >> In the meantime, it sure would be nice if that new ruleset
> that Chris
> >> bragged about could get on the SARE website ASAP.
> >>
> >> (Where are you Doc Schneider? I hope we haven't caught you
> on a busy day.
> >> Please hurry.)
> >>
> >> Rob McEwen
> >> PowerView Systems
> >
> > I just got it in the rules set and committed it. Should be
> available
> > within the hour. 8*)
>
> Any update on this? How do i apply it?

Yup, there was an official announcment made. the updated ruleset is here:
http://www.rulesemporium.com/rules/70_sare_stocks.cf

Is you use RDJ, then just go have a coffee and smile. Tell your boss you've been working all day on a "Spam Solution" If not, the manual way....

copy ruleset to your rules directory.
(might be /etc/mail/spamassassin)

Restart spamd if you use it.

Enjoy! (You may even be able to stop using FuzzyOCR if you want ;) )

I suppose you can still tell your boss you were hard at work all morning working on the spam problem :)

Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com

=========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). ===========================================================