Happy NW - Not
Steve Campbell
campbell at cnpapers.com
Tue Jan 2 20:03:13 CET 2007
Quoting Ken A <ka at pacific.net>:
>
> Some of this stuff is pretty short on content, and when it's from a
> fresh botnet, you pretty much have to write a quick rule to nail that
> particular spam.
>
> body LOCAL_STOCK_1_PHYA /(PHYA)/
> describe LOCAL_STOCK_1_PHYA (PHYA) stock spam
> score LOCAL_STOCK_1_PHYA 5.5
>
> I add these types of rules frequently. :-\
> And remove them when they stop hitting.
>
> Ken A
> Pacific.Net

I agree here with Ken, except I used

header rulename Subject =~ /Happy NW/i

line in my rules. I figured there might not be many false positives, and do the
same after it passes. I don't use Razor, or that other stuff. My machines are
pretty tight on cycles due to BitDefender and ClamAV. A simple reload makes it
effective right away.

Steve Campbell
>
>
> Furnish, Trever G wrote:
> > In my case bayes_99 is hitting most of them, but that's not enough to
> > catch on its own. Still catching a lot of them though due to other
> > rules' contributions.
> >
> > Here's a report from one that was caught:
> >
> > X-HJ-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
> > score=10.249,
> > required 5, BAYES_99 3.50, FORGED_RCVD_HELO 0.14,
> > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
> > RAZOR2_CHECK 0.50, SARE_LWSHORTT 0.79, SARE_MLB_Stock1 1.66,
> > SARE_MLB_Stock2 1.66)
> >
> > Razor has started to hit on them too. The ones that were missed at my
> > site didn't trip the SARE or Razor rules listed above, but that seems to
> > have stopped happening. They're mostly being caught for me.
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
> >> Of John Schmerold
> >> Sent: Tuesday, January 02, 2007 11:31 AM
> >> To: MailScanner discussion
> >> Subject: Happy NW - Not
> >>
> >> What's everyone doing to get rid of the endless emails with
> >> Happy NW on the subject line?
> >>
> >>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
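Added example, not part of the original thread: a small Python parser for the SpamCheck report quoted above. It shows how far BAYES_99 alone falls short of the required score and what the total would be on a site that runs no Razor checks but still has the SARE rules. The function names are hypothetical, and the header text is copied from the quoted message.

```python
import re

# Report as quoted in the thread, with the folded header lines joined.
REPORT = (
    "X-HJ-MailScanner-SpamCheck: spam, SpamAssassin (not cached, "
    "score=10.249, required 5, BAYES_99 3.50, FORGED_RCVD_HELO 0.14, "
    "RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, "
    "RAZOR2_CHECK 0.50, SARE_LWSHORTT 0.79, SARE_MLB_Stock1 1.66, "
    "SARE_MLB_Stock2 1.66)"
)

RULE_RE = re.compile(r"([A-Za-z0-9_]+)\s+(-?\d+(?:\.\d+)?)")


def parse_spamcheck(header):
    """Return (score, required, {rule: points}) from a SpamCheck header."""
    m = re.search(r"\((.*)\)", header, re.S)
    if not m:
        raise ValueError("no SpamAssassin report in header")
    score = required = None
    rules = {}
    for field in (f.strip() for f in m.group(1).split(",")):
        if field.startswith("score="):
            score = float(field[len("score="):])
        elif field.startswith("required "):
            required = float(field.split()[1])
        else:
            hit = RULE_RE.fullmatch(field)  # skips notes such as "not cached"
            if hit:
                rules[hit.group(1)] = float(hit.group(2))
    if score is None or required is None:
        raise ValueError("report lacks score or required threshold")
    return score, required, rules


def score_without(rules, prefixes):
    """Sum the rule points, leaving out rules whose name starts with a prefix."""
    skip = tuple(prefixes)
    return round(sum(p for n, p in rules.items() if not n.startswith(skip)), 3)


if __name__ == "__main__":
    score, required, rules = parse_spamcheck(REPORT)
    print("reported score:", score, "required:", required)
    print("BAYES_99 alone:", rules["BAYES_99"])
    print("without Razor rules:", score_without(rules, ["RAZOR2_"]))
    for name, pts in sorted(rules.items(), key=lambda kv: -kv[1]):
        print(f"  {pts:5.2f}  {name}")
```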