On 3/10/2013 3:37 PM, Dan Mahoney, System Admin wrote:
>> Here's the current version I'm using based on 3.4.0 trunk:
>>
>> # YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE
>> # COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
>>
>> # Sender address in one of the Yahoo!-owned domains
>> header __KAM_YAHOO1 From =~ /\@(yahoo\.com|yahoo\.com\.id|rocketmail\.com)/i
>> # Short, generic subject lines seen in this run
>> header __KAM_YAHOO2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?$|the best!?$|excellent!?$|very good!?$)/
>> # Timestamp of the form 3/10/2013 3:37:12 PM in the body
>> body __KAM_YAHOO3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
>> header __KAM_YAHOO4 From:name =~ /Connor Hopkins/i
>> # Fire when at least three of the sub-tests hit
>> meta KAM_YAHOO (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
>> describe KAM_YAHOO Compromised Yahoo! Accounts Sending Spam
>> score KAM_YAHOO 9.0
> Just to add a late reply to the game, I'm still getting these. Kevin,
> it looks like your rules YAHOO1 and YAHOO3 are still appropriate, but
> neither of the others.
Perhaps. Feel free to modify for your corpora.
> I think there's a few other things I've noticed that I don't know how
> to match:
> the body doesn't "contain" the link, it pretty much "IS" the link.
> However, I don't know how to write a rule that says "contains a link
> and NOTHING ELSE".
I don't know that we have that and my corpora show that isn't always the
case. I used the body length check for this scenario but perhaps a new
eval of body length minus URIs? Thoughts?
> I also don't know how to write rules that say "the text/plain portion
> contains a link, and the text/html portion contains more". I'm not
> aware of how "body" gets interpreted in multipart/alternative
> messages. Kevin, if you're able to tell me more about this, I'm happy
> to learn.
I don't know a way to do that either. It might exist or it might need an
eval custom rule but I usually expect text and html versions to be
different so I don't think this would be a likely Spam indicator.
> Writing rules is easy for some, but I'm more about solving the
> problem. The answer isn't "many people write many custom rulesets",
> it's "surbl catches up faster" or "yahoo acknowledges the problem."
Yahoo's procedures are very questionable. I typically send 5-10 YOUR
EMAIL ADDRESS IS COMPROMISED AND SENDING SPAM, CHANGE YOUR PASSWORD,
emails a week if not more. And this has been going on for a good number
of months.
> While yahoo's abuse reporting procedures leave much to be desired,
> this is actually one of the reasons I was asking about a channel to
> autoreport mail to spamcop (and yahoo, if they were willing to take
> it, but they don't seem to be -- blog post coming on that, soon).
Good idea.
Regards,
KAM
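
The "body length minus URIs" eval that KAM floats above, and Dan's "contains a link and NOTHING ELSE" question, can be prototyped as a small SpamAssassin plugin. The code below is an added example for this thread, not part of SpamAssassin and not part of the KAM rule set; the package name, the eval function name and the rule names in the comments are all assumptions chosen for illustration. It relies on the documented plugin API (register_eval_rule, body eval rules receiving the rendered body as an array ref, and PerMsgStatus::get_uri_detail_list), and it assumes the keys of get_uri_detail_list are the URIs as they appear in the message text.

```perl
# Added example (hypothetical plugin name): measure how much body text is left
# once every URI SpamAssassin detected has been removed.
package Mail::SpamAssassin::Plugin::BodyMinusURI;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  # Expose the check below to "body RULE eval:check_body_minus_uri_lt(N)".
  $self->register_eval_rule("check_body_minus_uri_lt");
  return $self;
}

# Body eval rule. $body is the rendered body (decoded, HTML stripped) as an
# array of lines; $maxlen is the argument given in the .cf rule.
# Returns 1 when the body with every detected URI removed is shorter than
# $maxlen characters, i.e. the message is essentially "a link and nothing else".
#
# Assumed usage in a local .cf file (rule names are illustrative):
#   loadplugin Mail::SpamAssassin::Plugin::BodyMinusURI BodyMinusURI.pm
#   body __KAM_BODY_MINUS_URI_LT_32 eval:check_body_minus_uri_lt('32')
# __KAM_BODY_MINUS_URI_LT_32 could then stand in for __KAM_BODY_LENGTH_LT_128
# in the KAM_YAHOO meta rule quoted earlier in the thread.
sub check_body_minus_uri_lt {
  my ($self, $pms, $body, $maxlen) = @_;
  $maxlen = 32 unless defined $maxlen;

  my $text = join(' ', @$body);

  # Collect the URIs SpamAssassin already extracted, both as written in the
  # message (assumed to be the hash keys) and in their cleaned/canonical forms.
  my %seen;
  my $detail = $pms->get_uri_detail_list();
  foreach my $raw (keys %$detail) {
    $seen{$raw} = 1;
    foreach my $clean (@{ $detail->{$raw}{cleaned} || [] }) {
      $seen{$clean} = 1;
    }
  }

  # Remove the longest forms first so "http://example.com/x" is stripped
  # before "example.com" and no path fragment is left behind.
  foreach my $uri (sort { length($b) <=> length($a) } keys %seen) {
    $text =~ s/\Q$uri\E//g;
  }

  # Collapse whitespace so a URI on a line of its own counts as empty text.
  $text =~ s/\s+/ /g;
  $text =~ s/^ | $//g;

  my $len = length($text);
  dbg("bodyminusuri: residual body length $len, limit $maxlen");
  return ($len < $maxlen) ? 1 : 0;
}

1;
```

Because the residual text is measured after URI removal rather than on the raw body, a message that is one bare link plus a signature line still scores low, which is what the body length check alone cannot distinguish from a short legitimate note. For Dan's second question, SpamAssassin's stock BodyEval plugin already provides the multipart_alternative_difference eval used by the MPART_ALT_DIFF rule, which scores how much the text/plain and text/html parts of a multipart/alternative message differ; it can be combined with an eval like the one above in a meta rule rather than writing a new parser.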