On Sun, 2008-06-15 at 19:10 -0500, Chris wrote:
> On Sunday 15 June 2008 12:03 pm, John Hardin wrote:
> > Folks:
> >
> > I tried posting this to [EMAIL PROTECTED] but it bounced...
> >
> > I'm seeing recent 419 spams (e.g. the ATM Card variant) making it
> > through SA lately. It hits BAYES_99, but no SARE rules.
> >
> > Are these rules defunct?
> >
> > Suggestion: grabbing Justin Mason's SOUGHT tools and using them against
> > a 419-specific corpus might be a really good way to keep the fraud
> > ruleset current without a lot of manual effort...
>
> John, I assume you're talking about spam with a subject such as:
>
> (RE:YOUR ATM-211 CARD UPDATE!!) PAYMENT-CODE -(ATM-411)

Similar, yes. "We'll send you a $1500/day-capable ATM card..."

> Content analysis details: (20.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.7 SARE_FRAUD_X3          Matches 3+ phrases commonly used in fraud spam
>  1.7 SARE_FRAUD_X4          Matches 4+ phrases commonly used in fraud spam
>
> Notice SARE rules were in fact hit.

They *did not* hit for me. I've published one of the messages here:

http://www.impsec.org/~jhardin/atm_spam_01.txt

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
I'm seriously considering getting one of those bright-orange prison
overalls and stencilling PASSENGER on the back. Along with the paper
slippers, I ought to be able to walk right through security.
 -- Brian Kantor in a.s.r
-----------------------------------------------------------------------
3 days until SWMBO's Birthday