Happy NW - Not

Ken A ka at pacific.net
Tue Jan 2 20:19:14 CET 2007 


Steve Campbell wrote:
> Quoting Ken A <ka at pacific.net>:
> 
>> Some of this stuff is pretty short on content, and when it's from a 
>> fresh botnet, you pretty much have to write a quick rule to nail that 
>> particular spam.
>>
>> body    LOCAL_STOCK_1_PHYA      /(PHYA)/
>> describe        LOCAL_STOCK_1_PHYA      (PHYA) stock spam
>> score   LOCAL_STOCK_1_PHYA      5.5
>>
>> I add these type of rules frequently. :-\
>> And remove them when they stop hitting.
>>
>> Ken A
>> Pacific.Net
> 
> I agree here with Ken, except I used
> 
> header rulename Subject =~ /Happy NW/i
> 
> line in my rules. I figured there might not be many false positives, and do the
> same after it passes. I don't use Razor, or that other stuff. My machines are
> pretty tight on cycles due to BitDefender and ClamAV. A simple reload makes it
> effective right away.


I do use Razor and DCC, but I'm weary of FPs, too many DNS lookups, and 
new software in general, so I haven't tried the botnet plugin (yet!). 
One or two in a thousand tends to slip through without a specific rule, 
and I like to kill ALL spam. :-)

Oh, and Happy NW.. New Wear?.. I dunno.. are spammers really this dumb?

Ken A
Pacific.Net

> Steve Campbell
> 
> 
>>
>> Furnish, Trever G wrote:
>>> In my case bayes_99 is hitting most of them, but that's not enough to
>>> catch on its own.  Still catching a lot of them though due to other
>>> rules' contributions.
>>>
>>> Here's a report from one that was caught:
>>>
>>> X-HJ-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>>> score=10.249,
>>> 	required 5, BAYES_99 3.50, FORGED_RCVD_HELO 0.14,
>>> 	RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
>>> 	RAZOR2_CHECK 0.50, SARE_LWSHORTT 0.79, SARE_MLB_Stock1 1.66,
>>> 	SARE_MLB_Stock2 1.66)
>>>
>>> Razor has started to hit on them too.  The ones that were missed at my
>>> site didn't trip the SARE or Razor rules listed above, but that seems to
>>> have stopped happening.  They're mostly being caught for me. 
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info 
>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>>>> Of John Schmerold
>>>> Sent: Tuesday, January 02, 2007 11:31 AM
>>>> To: MailScanner discussion
>>>> Subject: Happy NW - Not
>>>>
>>>> What's everyone doing to get rid of the endless emails with 
>>>> Happy NW on the subject line?
>>>>
>>>>
>> -- 
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website! 
>>
> 
> 
> 
> 
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/

More information about the MailScanner mailing list