stock spam

Martin Hepworth martinh at solidstatelogic.com
Tue Nov 21 17:31:45 GMT 2006


Rob Freeman wrote:
> We are getting some spam that seems to be skipped by MailScanner and
> SpamAssassin.  Mainly stock junk email.  I am now having to write custom
> rules in the spam.assassin.prefs.conf file, but this is after they have
> been delivered to some people.  I tried custom rules that I have seen on
> the list to block out image spams:
> 
> uri             IE_VULN         /%([01][0-9a-f]|7f).*@/i
> score           IE_VULN         100.0
> describe        IE_VULN         Internet Explorer vulnerability
> 
> full     CRF_GIF_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
> describe CRF_GIF_ATTACH   Email has a inline gif
> score    CRF_GIF_ATTACH   3.25
> 
> full     CRF_PNG_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.png\"?/i
> describe CRF_PNG_ATTACH   Email has a inline png
> score    CRF_PNG_ATTACH   3.25
> 
> This catches most of the image spam, but getting a lot of stock spam.  I
> am running bayes, with DCC, pyzor, and razor.  Some of them still get
> through though.  It is almost like SpamAssassin rules are not run against
> some emails.
> 
> This is MailScanner version 4.56.8
> 
> Module versions are:
> 1.00    AnyDBM_File
> 1.16    Archive::Zip
> 1.03    Carp
> 1.119   Convert::BinHex
> 1.00    DirHandle
> 1.05    Fcntl
> 2.73    File::Basename
> 2.08    File::Copy
> 2.01    FileHandle
> 1.06    File::Path
> 0.14    File::Temp
> 0.78    Filesys::Df
> 1.35    HTML::Entities
> 3.54    HTML::Parser
> 2.37    HTML::TokeParser
> 1.21    IO
> 1.10    IO::File
> 1.123   IO::Pipe
> 1.74    Mail::Header
> 3.05    MIME::Base64
> 5.420   MIME::Decoder
> 5.420   MIME::Decoder::UU
> 5.420   MIME::Head
> 5.420   MIME::Parser
> 3.03    MIME::QuotedPrint
> 5.420   MIME::Tools
> 0.11    Net::CIDR
> 1.08    POSIX
> 1.77    Socket
> 1.4     Sys::Hostname::Long
> 0.18    Sys::Syslog
> 1.86    Time::HiRes
> 1.02    Time::localtime
> 
> Optional module versions are:
> 0.17    Convert::TNEF
> 1.814   DB_File
> 1.13    DBD::SQLite
> 1.50    DBI
> 1.15    Digest
> 1.01    Digest::HMAC
> 2.36    Digest::MD5
> 2.10    Digest::SHA1
> 0.44    Inline
> 0.17    Mail::ClamAV
> 3.001007        Mail::SpamAssassin
> 1.999001        Mail::SPF::Query
> 0.20    Net::CIDR::Lite
> 1.24    Net::IP
> 0.57    Net::DNS
> 0.32    Net::LDAP
> 1.94    Parse::RecDescent
> missing SAVI
> 2.56    Test::Harness
> 0.47    Test::Simple
> 1.95    Text::Balanced
> 1.35    URI
> 
> SpamAssassin rules:
> 
> 70_sare_adult.cf
> 70_sare_bayes_poison_nxm.cf
> 70_sare_evilnum0.cf
> 70_sare_genlsubj0.cf
> 70_sare_genlsubj1.cf
> 70_sare_header0.cf
> 70_sare_header1.cf
> 70_sare_html0.cf
> 70_sare_html1.cf
> 70_sare_html.cf
> 70_sare_obfu.cf
> 70_sare_oem.cf
> 70_sare_random.cf
> 70_sare_specific.cf
> 70_sare_spoof.cf
> 70_sare_stocks.cf
> 70_sare_unsub.cf
> 70_sare_uri0.cf
> 72_sare_bml_post25x.cf
> 72_sare_redirect_post3.0.0.cf
> 88_FVGT_body.cf
> 88_FVGT_headers.cf
> 88_FVGT_rawbody.cf
> 88_FVGT_subject.cf
> 88_FVGT_uri.cf
> 99_FVGT_meta.cf
> 99_FVGT_Tripwire.cf
> 99_sare_fraud_post25x.cf
> 
> Example email:
> 
> Stocks Quotes in attachement
> 
> Impose rational academic reputation rid societies.
> Kicked Programand camps incentive defections.
> Paragraph replaces lesser evilsin?
> Build maintain places publish literature Recognises.
> Partner in Taizhou Evening wu Xianghu beating in yearold stormed in offices!
> Singapore Germany or Austria buys about things.
> 
> How can I slap these stock emails upside the head?
> 
> Thanks
> 
> Rob
> 
Check you've got the latest SA (3.1.7) AND the SARE_Stock and Fred's
rules from www.rulesemporium.com.

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************
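To see why Rob's custom rules stop the image spam but not the stock pitch, here is an added example, not code from either message in this thread: a small Python evaluator for SpamAssassin-style 'uri', 'full' and 'body' rules, run over two constructed messages. It copies the three rules quoted above verbatim and adds one constructed 'body' rule (XMPL_STOCK_ATTACH, with an assumed score of 2.5) to show what a text rule for the sample email would look like; that rule is not from SARE or from anyone on the list. SpamAssassin's matching is only approximated: 'full' is searched against the raw message including headers, 'uri' against the URIs found in text parts, 'body' against the decoded text parts, and 'describe' lines are ignored. The quoted patterns use only regex syntax shared by Perl and Python, so they compile unchanged here.

```python
"""Added example (not code from the thread): a small evaluator for
SpamAssassin-style 'uri', 'full' and 'body' rules, run over constructed
messages to show what the quoted custom rules catch and what they miss."""
import email
import re
from email import policy

# Rules copied from the spam.assassin.prefs.conf snippet quoted in the thread.
THREAD_RULES = r"""
uri      IE_VULN          /%([01][0-9a-f]|7f).*@/i
score    IE_VULN          100.0
describe IE_VULN          Internet Explorer vulnerability
full     CRF_GIF_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
describe CRF_GIF_ATTACH   Email has a inline gif
score    CRF_GIF_ATTACH   3.25
full     CRF_PNG_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.png\"?/i
describe CRF_PNG_ATTACH   Email has a inline png
score    CRF_PNG_ATTACH   3.25
"""

# Constructed 'body' rule for the stock pitch in the thread's sample message;
# not a SARE rule, and its score is an assumption.
STOCK_RULE = r"""
body     XMPL_STOCK_ATTACH  /\bstocks?\s+quotes?\s+in\s+attach/i
score    XMPL_STOCK_ATTACH  2.5
"""

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score
RULE_PATTERN = re.compile(r"^/(.*)/([a-z]*)$")  # /regex/flags
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def parse_rules(text):
    """Parse 'type NAME /regex/flags' and 'score NAME n' lines; 'describe' is ignored."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        rule = rules.setdefault(name, {"score": 1.0})  # SA's default score is 1.0
        if kind in ("uri", "full", "body"):
            m = RULE_PATTERN.match(rest.strip())
            if not m:
                raise ValueError(f"bad pattern in rule {name}: {rest}")
            rule["type"] = kind
            rule["re"] = re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
        elif kind == "score":
            rule["score"] = float(rest)
    return rules


def score_message(raw, rules):
    """Return (total score, sorted names of rules that hit) for one raw message.
    'full' sees the raw message, 'uri' the URIs in text parts, 'body' the text parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    texts = [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    uris = [u for t in texts for u in URI_RE.findall(t)]
    hits = []
    for name, rule in rules.items():
        if "re" not in rule:
            continue  # score line without a pattern line: nothing to match
        rx = rule["re"]
        if rule["type"] == "full":
            matched = rx.search(raw) is not None
        elif rule["type"] == "uri":
            matched = any(rx.search(u) for u in uris)
        else:
            matched = any(rx.search(t) for t in texts)
        if matched:
            hits.append(name)
    return sum(rules[h]["score"] for h in hits), sorted(hits)


# Constructed sample 1: image spam with an inline gif and an obfuscated link.
IMAGE_SPAM = """\
From: pump@example.net
Subject: chart
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:chart">
<a href="http://www.example.com%01@198.51.100.7/">details</a></body></html>
--b1
Content-Type: image/gif; name="chart01.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACwAAAAAAQABAAA=
--b1--
"""

# Constructed sample 2: plain-text stock pitch modelled on the thread's example.
STOCK_SPAM = """\
From: tips@example.net
Subject: Stocks Quotes in attachement
Content-Type: text/plain; charset=us-ascii

Stocks Quotes in attachement

Impose rational academic reputation rid societies.
"""
```

Running `score_message(IMAGE_SPAM, parse_rules(THREAD_RULES))` gives 103.25 with CRF_GIF_ATTACH and IE_VULN hitting; the gif rule alone only contributes 3.25, under the 5.0 threshold, so rules scored like that are meant to stack with Bayes, DCC, Pyzor and Razor rather than to decide on their own. The stock sample scores nothing under the quoted rules, because they look only at attachment names and URIs and the pitch is plain text; with the constructed body rule added it reaches 2.5, still short of the threshold. That is the gap a maintained body-text rule set for stock spam, like the stocks rules Martin points to, is there to close.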


