On Tuesday 05 December 2006 3:31 pm, Rosenbaum, Larry M. wrote:
> Has anybody come up with a rule for these yet? I tried the following:
>
> body ORNL_B0RKEN1 /^\d{3,5}\n{1,3}$/s
> describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number
> score ORNL_B0RKEN1 1
>

I believe I've posted before that these types of spam are picked up quite well on my home box with these rules:

Content analysis details:   (13.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname (T-Dialin)
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Content analysis details:   (15.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9955]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Content analysis details:   (12.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname (T-Dialin)
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 4.2 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9865]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

These are from earlier this month, looks like the Botnet plug-in and a good bayes database are your best bet.

--
Chris
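
Added example, not part of the original message: a short Python script that parses the first report above and recomputes its score with the Botnet and/or Bayes hits removed, to show how much of the verdict rests on those two sources. The function names are hypothetical, and the report's column spacing is reconstructed from the flattened text.

```python
import re

# First report from the message above; column spacing is reconstructed.
REPORT = """\
Content analysis details:   (13.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname (T-Dialin)
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

HEADER = re.compile(r"\(\s*(-?[\d.]+) points, (-?[\d.]+) required\)")
HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return (total, required, {rule: points}) from a SpamAssassin report."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no 'Content analysis details' header found")
    total, required = float(m.group(1)), float(m.group(2))
    hits = {}
    for line in text.splitlines():
        h = HIT.match(line)
        if h:  # separator and "[score: ...]" continuation lines do not match
            hits[h.group(2)] = float(h.group(1))
    if round(sum(hits.values()), 1) != total:
        raise ValueError("rule scores do not add up to the reported total")
    return total, required, hits

def score_without(hits, *prefixes):
    """Score the message would get if rules with these name prefixes were absent."""
    kept = [p for name, p in hits.items() if not name.startswith(prefixes)]
    return round(sum(kept), 1)

if __name__ == "__main__":
    total, required, hits = parse_report(REPORT)
    for label, drop in [("no Botnet", ("BOTNET",)), ("no Bayes", ("BAYES_",)),
                        ("neither", ("BOTNET", "BAYES_"))]:
        s = score_without(hits, *drop)
        print(f"{label:10} {s:5.1f}  {'spam' if s >= required else 'not flagged'}")
```

For this report, removing either source alone still leaves 8.6 points, but removing both leaves 3.6, below the 5.0 threshold.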