I can not seem to stop these emails... (antidrug.cf obsolete)

Matt Kettler mkettler at EVI-INC.COM
Mon Nov 7 16:07:25 GMT 2005



Rob wrote:
> Right, I have that, although it seems to be over a year old....

That's correct, I've not updated antidrug.cf in a long time. Really, antidrug.cf
is only for users of SA older than 3.0.0. If you've got 3.0.x or 3.1.x you don't
need antidrug.cf, as it's now a built-in ruleset.

In fact, if you have 3.0.0 or newer, you REALLY should NOT be using antidrug.cf,
as if the SA devs make any improvements, you'll be covering them up with old rules.


> These
> emails are kind of new with respect to how they are made... the word
> Viagra is not in the email at all, so I guess that rule will not work,
> although Viagra does show in the email when it's viewed...
>
> you can see 2 examples of the emails here...
>
> http://www.dido.ca/spam/drug.txt


Yes, that's a newer variant that antidrug's techniques don't cover. It's yet
another "table obfuscation" spam. SARE's "specific" ruleset covers these
somewhat, but not this particular email.

Razor, DCC, Pyzor, etc. are good measures against these, as is good Bayes training.

As for your example, here are the results I get out of SA 3.1.0 + razor + dcc:

--------------------------------------------------------
Content analysis details:   (13.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.2 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [70.49.221.195 listed in dnsbl.sorbs.net]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
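The "table obfuscation" trick described above (the word never appears in the raw message, but the reader sees it once the HTML is rendered) can be reproduced in a few lines. The following is an added example, not code from the thread, from MailScanner or from SpamAssassin; the HTML body is constructed for the demonstration, and the regex is a stand-in for an antidrug-style keyword rule, not any actual rule from antidrug.cf. It shows why a raw-text regex misses such a message while a pass that joins the cells of each table row back together does match; it makes no claim about how SpamAssassin's own HTML renderer handles table cells.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a minimal "table obfuscation" body. Each letter of the
# word sits in its own <td>, so the raw bytes never contain "Viagra", yet a
# mail client renders the cells side by side and the reader sees the word.
SAMPLE_HTML = """<html><body>
<table cellspacing="0" cellpadding="0"><tr>
<td>V</td><td>i</td><td>a</td><td>g</td><td>r</td><td>a</td>
</tr></table>
<p>Best prices, order now</p>
</body></html>"""

# Hypothetical keyword rule, loosely in the spirit of antidrug-style rules.
DRUG_PATTERN = re.compile(r"v[i1l]agra", re.IGNORECASE)


def raw_match(message: str) -> bool:
    """Naive check: run the keyword regex over the raw message text."""
    return DRUG_PATTERN.search(message) is not None


class TableRenderer(HTMLParser):
    """Collapse each table row into one string by concatenating its cells,
    which is roughly what the reader's eye does with the rendered layout.
    Text outside tables is kept as separate lines."""

    def __init__(self):
        super().__init__()
        self.rows = []        # one joined string per <tr>
        self._cells = None    # cell texts of the row currently open
        self._other = []      # text found outside any table row

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._cells = []

    def handle_endtag(self, tag):
        if tag == "tr" and self._cells is not None:
            self.rows.append("".join(self._cells))
            self._cells = None

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._cells is not None:
            self._cells.append(text)
        else:
            self._other.append(text)

    def rendered_text(self) -> str:
        return "\n".join(self.rows + self._other)


def render(message: str) -> str:
    """Return the approximate 'as viewed' text of an HTML message."""
    parser = TableRenderer()
    parser.feed(message)
    parser.close()
    return parser.rendered_text()


def rendered_match(message: str) -> bool:
    """Run the same keyword regex over the rendered (cell-joined) text."""
    return DRUG_PATTERN.search(render(message)) is not None


if __name__ == "__main__":
    print("raw regex hit:     ", raw_match(SAMPLE_HTML))
    print("rendered regex hit:", rendered_match(SAMPLE_HTML))
    print("rendered text:\n" + render(SAMPLE_HTML))
```

The gap between the two results is the reason keyword rulesets keep falling behind this kind of spam, and why the network digest checks (Razor, DCC) and Bayes scores dominate the report above: they score the message as a whole rather than hunting for a particular string.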
