
I'm getting tired of these...
Has anyone already made a rule for these? (See attachments for
two spam-samples)

Excerpt from one (btw, how can you safely whitelist emails on this
mailing list? Have such rules ever been abused?)

Plus: P@xi`l, Bu'sp@r, Ad|p.&x, I0nam.|n, M3ridi'a, X.3nica|, Am`bi3n,
S0n'aTa, Fl3xe'ril, Ce|3b:rex, F`i0ric3t, Tram@do:|, U, L3v`|tra,
P:r0p3cia, Acyc|0vi'r, Pr0.z@c

-Frank.
Re: I'm getting tired of these...
Frank Tore Johansen wrote:
> Has anyone already made a rule for these? (See attachments for
> two spam-samples)
>
> Excerpt from one (btw, how can you safely whitelist emails on this
> mailing list? Have such rules ever been abused?)
>
> Plus: P@xi`l, Bu'sp@r, Ad|p.&x, I0nam.|n, M3ridi'a, X.3nica|, Am`bi3n,
> S0n'aTa, Fl3xe'ril, Ce|3b:rex, F`i0ric3t, Tram@do:|, U, L3v`|tra,
> P:r0p3cia, Acyc|0vi'r, Pr0.z@c
>
> -Frank.
>
>

Frank


scored over 10 on my system..
(score=10.804, required 5, BIZ_TLD 0.10, HTML_MESSAGE 0.10,
J_CHICKENPOX_12 0.60, J_CHICKENPOX_22 0.60, J_CHICKENPOX_71 0.60,
LOCAL_OBFU_VGR 1.80, OACYS_CONS_6 1.00, OACYS_DISGUISED_P0RN 6.00,
RM_rb_BODY 0.00, RM_rb_HTML 0.00, RM_rb_PARA 0.00, RM_rb_TITLE 0.00)

running SA 2.63 with most of the rules from Chris's rules emporium.


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

RE: I'm getting tired of these...
I am getting these through as well.... and I am running Chris's rules.

Are the OACYS_CONS_6 1.00, OACYS_DISGUISED_P0RN 6.00 rules part of SA?

Dan
RE: I'm getting tired of these...
On Fri, 13 Feb 2004, Dan Didier wrote:
> I am getting these through as well.... and I am running Chris's rules.
>
> Are the OACYS_CONS_6 1.00, OACYS_DISGUISED_P0RN 6.00 rules part of SA?

OK, I found those rules. The link is
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
and it was mentioned on this list only 3 days ago.

The OACYS rules are in the nov2rules.cf file. Is this the latest version
of this file? I found it really helpful that half of the rules on that
page had a URL that would always point to the latest version, and wish
that all used this method. Then I could write a cronjob to update those
each night... 8)

-Frank.
RE: I'm getting tired of these...
> On Fri, 13 Feb 2004, Dan Didier wrote:
>> I am getting these through as well.... and I am running Chris's rules.
>>
>> Are the OACYS_CONS_6 1.00, OACYS_DISGUISED_P0RN 6.00 rules part of SA?
>
> OK, I found those rules. The link is
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
> and it was mentioned on this list only 3 days ago.
>
> The OACYS rules are in the nov2rules.cf file. Is this the latest version
> of this file? I found it really helpful that half of the rules on that
> page had a URL that would always point to the latest version, and wish
> that all used this method. Then I could write a cronjob to update those
> each night... 8)
>
> -Frank.
>
>

Hi Frank,

There are a couple of pages you may want to visit for more custom rules
and information.

http://wiki.spamassassin.org/w/CustomRulesets has a list of several custom
rulesets that are actively being updated.

http://www.exit0.us is another wiki devoted to custom rules, these are not
all in a single file, but you can read through them and pull out ones that
you think may help. These rules may not be updated that often but it is a
great resource. Also you will find a list of helpful links to more custom
rule sites.

Make sure to check out http://www.exit0.us/index.php/RulesDuJour for a
script to automate the download of the more popular custom sets.

HTH,
matt
Re: I'm getting tired of these...
Frank,

Frank Tore Johansen said:
>
> Has anyone already made a rule for these? (See attachments for
> two spam-samples)

Try these generated rules from the CMOScript CGI:
http://sandgnat.com/cmos/cmos.jsp?words=phentermin+viagra+valium+paxil+buspar+adipex+ionamin+meridia+xenical+ambien+sonata+flexeril+celebrex+fioricet+tramadol+levitra+propecia+acyclovir+prozac+ultram+ativan+soma

I haven't tested this particular set for false positives, so it might be
prudent to do so yourself.

>
> Excerpt from one (btw, how can you safely whitelist emails on this
> mailing list? Have such rules ever been abused?)

use whitelist_from_rcvd instead of whitelist_from, methinks (I personally
skip checking posts to this list using procmail based on List-ID header)


--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/
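
An added example, not part of the post above and not CMOScript's own code: one way to build obfuscation-tolerant patterns for the drug names in the sample quoted in this thread and emit them as SpamAssassin body rules. The substitution table, the EXAMPLE_OBFU_ rule names and the score are assumptions made for this example; the plain spelling is deliberately not matched, to limit false positives on legitimate mail.

```python
import re

# Look-alike substitutions and filler punctuation observed in the sample quoted
# in this thread; the table is constructed for this example, not taken from CMOScript.
LOOKALIKES = {"a": "a@", "e": "e3&", "i": "i|1!", "l": "l|1", "o": "o0"}
FILLER = "[`'.:]?"      # at most one inserted punctuation mark between letters
EDGE = "(?![a-z0-9])"   # the word must not continue with a letter or digit

def esc(c):
    # Backslash every non-alphanumeric so the pattern is valid in Python and in
    # Perl (an unescaped "@" would be interpolated inside a SpamAssassin rule).
    return c if c.isalnum() else "\\" + c

def obfu_pattern(word):
    """Regex source matching disguised spellings of `word`, not the plain word."""
    classes = []
    for ch in word.lower():
        alts = LOOKALIKES.get(ch, ch)
        classes.append("[" + "".join(map(esc, alts)) + "]" if len(alts) > 1 else esc(ch))
    # The negative lookahead skips the ordinary spelling when it is a whole word.
    return "(?<![a-z0-9])(?!" + word + EDGE + ")" + FILLER.join(classes) + EDGE

def sa_rule(word, score="1.0"):
    """Emit a SpamAssassin body rule; rule name and score are placeholders."""
    name = "EXAMPLE_OBFU_" + word.upper()
    return (f"body     {name} /{obfu_pattern(word)}/i\n"
            f"describe {name} Disguised spelling of {word}\n"
            f"score    {name} {score}")

def scan(text, words):
    """Return the words whose disguised form appears in `text`."""
    return [w for w in words if re.search(obfu_pattern(w), text, re.I)]

WORDS = ["paxil", "buspar", "adipex", "ionamin", "meridia", "xenical", "ambien",
         "sonata", "flexeril", "celebrex", "fioricet", "tramadol", "levitra",
         "propecia", "acyclovir", "prozac"]
# The excerpt quoted at the top of this thread.
SAMPLE = ("Plus: P@xi`l, Bu'sp@r, Ad|p.&x, I0nam.|n, M3ridi'a, X.3nica|, Am`bi3n, "
          "S0n'aTa, Fl3xe'ril, Ce|3b:rex, F`i0ric3t, Tram@do:|, U, L3v`|tra, "
          "P:r0p3cia, Acyc|0vi'r, Pr0.z@c")
LEGIT = "Your doctor may prescribe Paxil, Prozac or Tramadol."  # constructed

if __name__ == "__main__":
    print(scan(SAMPLE, WORDS))   # every word in WORDS
    print(scan(LEGIT, WORDS))    # nothing: plain spellings are skipped
    print(sa_rule("paxil"))
```

As with any generated rule set, run the output against a ham corpus before assigning real scores.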