Tiny text only spam (semi OT)

Gary Faith gafaith at asdm.net
Fri Jul 3 14:50:41 IST 2009 

I believe that I have also been greatly troubled by the same messages. 
The common thread to these messages is what I call an obfucated URL
where the URL has spaces in multiple places.  I created a cf file in
/etc/mail/spmassassin directory and wrote my first spamassassin rule. 
It might not be the best but it is working for me.  Basically, the rule
matches a URL that starts with www.  followed by a space followed by
some text ending in a period like pill45. followed by another space then
a TLD like com, net or org.  I started with a small score for testing
but have significantly raised the score to 4.5 now.
 
# Rule to find URLs with spaces
body            ASDM_OBF_URL           /www\.\s(.+?)\s[A-Za-z]{2,4}/i
score           ASDM_OBF_URL           4.5
describe        ASDM_OBF_URL           URLs with spaces
I haven't seen any false positives yet.
 
Gary Faith


>>> Alessandro Bianchi <alex at skynet-srl.com> 7/3/2009 7:56 AM >>>
Il 03/07/2009 13:00, mailscanner-request at lists.mailscanner.info ha
scritto: 


Alessandro Bianchi wrote: 


Hi guys 

Those damned spemmers have found a way to break in 

After image only spam, they have managed to build plain text only spam
(no links or hrml or images, just text) that slips throught my MS
installation. 

They often place in ortographic errors to "fool" spamassassin. 

Hi, 

They are being detected as : Sanesecurity.Spam.10528 

Cheers, 

Steve 
Sanesecurity 
sanesecurity.com 
Thaks Steve for helping me

I've just installed unofficial signs and sit here for looking at it
working!

For Alex

Very unfortunately RBLs don't help at all since SA decreases the
score!

Look at this:


-2.60BAYES_00 
0.91RCVD_IN_PBL 
0.10RDNS_DYNAMIC 
1.42SARE_ADULT2

Spamassassin reports it as BAYES_00 and clean message and that "kills"
the others checks.

If I decrease the BAYES_00 score, it will likely break legitimate
emails

So I'm testing the unofficial signs and I'll let you know

Thank you very much for your precious help!

Alessandro
-- 

SkyNet SRL
P.zza XXV Aprile 14 - 28021 Borgomanero (NO) - ITALY
Tel. +39 0322 836487/834765 - Fax.+39 0322.836608
info at skynet-srl.com -www.skynet-srl.com






Le informazioni contenute in questo messaggio sono riservate e
confidenziali e ne é vietata la diffusione in qualunque forma.
Qualora Lei non fosse la persona a cui il presente messaggio é
destinato, La invitiamo ad eliminarlo dandocene gentilmente
comunicazione.
Per qualsiasi informazione in merito si prega di contattare
info at skynet-srl.com. ( Rif. D.L. 196/200 )
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090703/6ae333fd/attachment.html

More information about the MailScanner mailing list