stock spam

Rob Freeman rob at robhq.com
Tue Nov 21 15:16:50 GMT 2006


We are getting some spam that seems to be skipped by MailScanner and
SpamAssassin. Mainly stock junk email. I am now having to write custom
rules in the spam.assassin.prefs.conf file, but this is after they have been
delivered to some people. I tried custom rules that I have seen on the list
to block out image spams:

 

uri             IE_VULN         /%([01][0-9a-f]|7f).*@/i
score           IE_VULN         100.0
describe        IE_VULN         Internet Explorer vulnerability

full     CRF_GIF_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
describe CRF_GIF_ATTACH   Email has a inline gif
score    CRF_GIF_ATTACH   3.25

full     CRF_PNG_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.png\"?/i
describe CRF_PNG_ATTACH   Email has a inline png
score    CRF_PNG_ATTACH   3.25

 

This catches most of the image spam, but we are getting a lot of stock spam. I am
running Bayes, with DCC, Pyzor, and Razor. Some of them still get through
though. It is almost like SpamAssassin rules are not run against some
emails.

 

This is MailScanner version 4.56.8

Module versions are:
1.00    AnyDBM_File
1.16    Archive::Zip
1.03    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.14    File::Temp
0.78    Filesys::Df
1.35    HTML::Entities
3.54    HTML::Parser
2.37    HTML::TokeParser
1.21    IO
1.10    IO::File
1.123   IO::Pipe
1.74    Mail::Header
3.05    MIME::Base64
5.420   MIME::Decoder
5.420   MIME::Decoder::UU
5.420   MIME::Head
5.420   MIME::Parser
3.03    MIME::QuotedPrint
5.420   MIME::Tools
0.11    Net::CIDR
1.08    POSIX
1.77    Socket
1.4     Sys::Hostname::Long
0.18    Sys::Syslog
1.86    Time::HiRes
1.02    Time::localtime

Optional module versions are:
0.17    Convert::TNEF
1.814   DB_File
1.13    DBD::SQLite
1.50    DBI
1.15    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.10    Digest::SHA1
0.44    Inline
0.17    Mail::ClamAV
3.001007        Mail::SpamAssassin
1.999001        Mail::SPF::Query
0.20    Net::CIDR::Lite
1.24    Net::IP
0.57    Net::DNS
0.32    Net::LDAP
1.94    Parse::RecDescent
missing SAVI
2.56    Test::Harness
0.47    Test::Simple
1.95    Text::Balanced
1.35    URI

 

SpamAssassin rules:

70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
70_sare_header0.cf
70_sare_header1.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_html.cf
70_sare_obfu.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_stocks.cf
70_sare_unsub.cf
70_sare_uri0.cf
72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf
88_FVGT_body.cf
88_FVGT_headers.cf
88_FVGT_rawbody.cf
88_FVGT_subject.cf
88_FVGT_uri.cf
99_FVGT_meta.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf

 

Example email:

 

Stocks Quotes in attachement

Impose rational academic reputation rid societies.
Kicked Programand camps incentive defections.
Paragraph replaces lesser evilsin?
Build maintain places publish literature Recognises.
Partner in Taizhou Evening wu Xianghu beating in yearold stormed in offices!
Singapore Germany or Austria buys about things.

 

How can I slap these stock emails upside the head?

 

Thanks

 

Rob
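
Added example, not part of the original post: a small Python harness that applies the three rules quoted above to constructed sample messages and reports which rules hit and the summed score. The URI extractor and the sample messages are assumptions made for illustration; SpamAssassin's own URI parsing and MIME handling are more involved.

```python
import re

# The three rules from the post: (name, rule type, pattern, score).
RULES = [
    ("IE_VULN", "uri", re.compile(r"%([01][0-9a-f]|7f).*@", re.I), 100.0),
    ("CRF_GIF_ATTACH", "full",
     re.compile(r'name="?[0-9a-z._\-]{3,18}\.gif"?', re.I), 3.25),
    ("CRF_PNG_ATTACH", "full",
     re.compile(r'name="?[0-9a-z._\-]{3,18}\.png"?', re.I), 3.25),
]
# Assumption: crude URI extractor standing in for SpamAssassin's URI parsing.
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def evaluate(raw_message):
    """Return (names of rules that hit, summed score) for one raw message."""
    uris = URI_RE.findall(raw_message)
    hits, total = [], 0.0
    for name, kind, pattern, score in RULES:
        if kind == "uri":
            matched = any(pattern.search(u) for u in uris)
        else:  # "full" rules see the raw message, MIME headers included
            matched = pattern.search(raw_message) is not None
        if matched:
            hits.append(name)
            total += score
    return hits, total


# Constructed sample messages (not real mail).
SAMPLES = {
    "named_gif": 'Subject: Stocks Quotes in attachement\n'
                 'Content-Type: image/gif; name="chart01.gif"\n\n'
                 'R0lGODlhAQABAAAAACw=\n',
    "unnamed_gif": 'Subject: Stocks Quotes in attachement\n'
                   'Content-Type: image/gif\n'
                   'Content-ID: <img1@example.invalid>\n\n'
                   'R0lGODlhAQABAAAAACw=\n',
    "named_png": 'Subject: Monthly newsletter\n'
                 'Content-Type: image/png; name="company-logo.png"\n\n'
                 'iVBORw0KGgo=\n',
    "encoded_uri": 'Subject: account notice\n\n'
                   'http://www.example.com%01@host.example.invalid/\n',
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, *evaluate(msg))
```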
