Happy NW - Not

Steve Campbell campbell at cnpapers.com
Tue Jan 2 20:03:13 CET 2007 

Quoting Ken A <ka at pacific.net>:

> 
> Some of this stuff is pretty short on content, and when it's from a 
> fresh botnet, you pretty much have to write a quick rule to nail that 
> particular spam.
> 
> body    LOCAL_STOCK_1_PHYA      /(PHYA)/
> describe        LOCAL_STOCK_1_PHYA      (PHYA) stock spam
> score   LOCAL_STOCK_1_PHYA      5.5
> 
> I add these type of rules frequently. :-\
> And remove them when they stop hitting.
> 
> Ken A
> Pacific.Net

I agree here with Ken, except I used

header rulename Subject =~ /Happy NW/i

line in my rules. I figured there might not be many false positives, and do the
same after it passes. I don't use Razor, or that other stuff. My machines are
pretty tight on cycles due to BitDefender and ClamAV. A simple reload makes it
effective right away.

Steve Campbell


> 
> 
> Furnish, Trever G wrote:
> > In my case bayes_99 is hitting most of them, but that's not enough to
> > catch on its own.  Still catching a lot of them though due to other
> > rules' contributions.
> > 
> > Here's a report from one that was caught:
> > 
> > X-HJ-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
> > score=10.249,
> > 	required 5, BAYES_99 3.50, FORGED_RCVD_HELO 0.14,
> > 	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
> > 	RAZOR2_CHECK 0.50, SARE_LWSHORTT 0.79, SARE_MLB_Stock1 1.66,
> > 	SARE_MLB_Stock2 1.66)
> > 
> > Razor has started to hit on them too.  The ones that were missed at my
> > site didn't trip the SARE or Razor rules listed above, but that seems to
> > have stopped happening.  They're mostly being caught for me. 
> > 
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info 
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> >> Of John Schmerold
> >> Sent: Tuesday, January 02, 2007 11:31 AM
> >> To: MailScanner discussion
> >> Subject: Happy NW - Not
> >>
> >> What's everyone doing to get rid of the endless emails with 
> >> Happy NW on the subject line?
> >>
> >>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
> 




-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

More information about the MailScanner mailing list