Happy NW - Not

Scott Silva ssilva at sgvwater.com
Tue Jan 2 21:05:20 CET 2007


Ken A spake the following on 1/2/2007 11:19 AM:
> 
> 
> Steve Campbell wrote:
>> Quoting Ken A <ka at pacific.net>:
>>
>>> Some of this stuff is pretty short on content, and when it's from a
>>> fresh botnet, you pretty much have to write a quick rule to nail that
>>> particular spam.
>>>
>>> body    LOCAL_STOCK_1_PHYA      /(PHYA)/
>>> describe        LOCAL_STOCK_1_PHYA      (PHYA) stock spam
>>> score   LOCAL_STOCK_1_PHYA      5.5
>>>
>>> I add these types of rules frequently. :-\
>>> And remove them when they stop hitting.
>>>
>>> Ken A
>>> Pacific.Net
>>
>> I agree here with Ken, except I used
>>
>> header rulename Subject =~ /Happy NW/i
>>
>> line in my rules. I figured there might not be many false positives, and do the
>> same after it passes. I don't use Razor, or that other stuff. My machines are
>> pretty tight on cycles due to BitDefender and ClamAV. A simple reload makes it
>> effective right away.
> 
> 
> I do use Razor and DCC, but I'm weary of FPs, too many DNS lookups, and
> new software in general, so I haven't tried the botnet plugin (yet!).
> One or two in a thousand tends to slip through without a specific rule,
> and I like to kill ALL spam. :-)
> 
> Oh, and Happy NW.. New Wear?.. I dunno.. are spammers really this dumb?
> 
I wish they all were that stupid! Or is it an intentional typo?
A local caching nameserver can help with the lookups a lot, and doesn't add
that much overhead.
I have been testing the botnet plugin, but tweaked the score down a bit for a while.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
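
An added example, not part of the original post or thread: a small Python harness that runs the two rule patterns quoted above, next to tightened variants, over constructed messages and counts spam and ham hits before a rule is loaded. The tightened patterns, the sample messages and all names are assumptions made here; Python's `re` stands in for Perl regex, which behaves the same for these patterns.

```python
import re

# (kind, pattern). "as_posted" patterns come from the thread; "tight" ones are
# assumed variants added for comparison. Python re matches Perl here.
RULES = {
    "body_as_posted": ("body", re.compile(r"(PHYA)")),      # parens = capture group
    "body_tight": ("body", re.compile(r"\(PHYA\)")),        # literal parentheses
    "subj_as_posted": ("header", re.compile(r"Happy NW", re.I)),
    "subj_tight": ("header", re.compile(r"\bHappy NW\b", re.I)),
}

# Constructed sample messages: (label, subject, body).
SAMPLES = [
    ("spam", "Happy NW", "Big news expected (PHYA) strong buy"),
    ("spam", "happy nw", "Watch (PHYA) this week"),
    ("ham", "Order shipped", "Your order ref XPHYA-2291 has shipped"),
    ("ham", "Not so happy NWS forecast", "Storm warning for the coast tonight"),
    ("ham", "Re: stock spam rule", "I wrote a rule for PHYA yesterday"),
]


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {rule_name: (spam_hits, ham_hits)} for every rule."""
    results = {}
    for name, (kind, rx) in rules.items():
        hits = {"spam": 0, "ham": 0}
        for label, subject, body in samples:
            # SpamAssassin body rules also see the Subject as the first
            # paragraph; header rules here see only the Subject value.
            text = subject if kind == "header" else subject + "\n" + body
            if rx.search(text):
                hits[label] += 1
        results[name] = (hits["spam"], hits["ham"])
    return results


def safe_to_load(results, max_ham_hits=0):
    """Names of rules that catch spam without exceeding the ham-hit budget."""
    return sorted(n for n, (spam, ham) in results.items()
                  if spam > 0 and ham <= max_ham_hits)


if __name__ == "__main__":
    for rule, (spam, ham) in evaluate().items():
        print(f"{rule:15} spam={spam} ham={ham}")
    print("load:", safe_to_load(evaluate()))
```
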


