Mailing List Archive

How to catch critters like this one??
Hi list

I thought in the meantime I'd seen all variations of spelling this
infamous aphrodisiac beginning with V...but I was stunned by this ugly
spam that made it through my SA 2.60 with Bigevil, all the Backhairs and
trained Bayes and it only got a score of 0.1 (for being pure HTML)

Does anyone have a suggestion how to raise scores on messages like this
the next time? I trained Bayes with it, of course and integrated the
alternate spelling in my V... rule, but besides that I'm at a loss right
now.

Thanks
Ralf G.


Return-Path: <jyajxrm@msn.com>
Received: from pa-bethelparkcadent1shills1b-1-160.pit.adelphia.net
(pa-bethelparkcadent1shills1b-1-160.pit.adelphia.net [24.52.64.160])
by mxs.tiscali.de (Postfix) with SMTP
id 95B6E20A3B; Sat, 31 Jan 2004 15:14:44 +0100 (CET)
Received: from [247.195.216.113] by 65.60.148.197 with HTTP;
Sat, 31 Jan 2004 11:11:33 -0200
From: "Felix Murray" <jyajxrm@msn.com>
To: gue@alphatel.de
Subject: louver jazz offspring
Mime-Version: 1.0
X-Mailer: burnside allot
Date: Sat, 31 Jan 2004 07:16:33 -0600
Reply-To: "Felix Murray" <jyajxrm@msn.com>
Content-Type: multipart/alternative;
boundary="76632517639139483976"
Message-Id: <JOBADOJ-0002413935958@annale>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
mail.drillisch.de
X-Spam-Status: No, hits=0.1 required=5.0 tests=HTML_MESSAGE autolearn=no
version=2.60

--76632517639139483976
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

offspring pollux hafnium impromptu checksumming harmonic expedient
dribble denver
absentee exonerate chaise sagging barrage
indefinite episcopate hereabout enhance rutile dry entire astound

--76632517639139483976
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>

<TITLE>Message</TITLE>

<META content="MSHTML 6.00.2800.1276" name=GENERATOR></HEAD>
<BODY>
<DIV><!-- Converted from text/plain format --><FONT face=Arial size=2>
<p>Hi,<br>
<br>
Sucper charrge your logve livfe!<br>
Orgder your Vziagkra and Sjupyer Vicagtra sanfely and securlely onliane.<br>
<br>
<br>
Cidalsis (Susper Vieaagra) takes affhect riglht away and lafsts for
datys!<br>
<A
HREF="http://www.fnlgfhnq.fjnwnctihj.com=www.hrquwlernt.solzskvha.markityourself.com/c/?AFF_ID=c1224&irzu=hjyr">Efntaer
Heure</a><br>
<br>
<br>
Gecnekric Vifaglra coqsts 60% lesbs, salve lots of caosh!<br>
<A
HREF="http://www.chcb.cecltvlqud.com=www.efxgxozbcc.wijdvszakp.markityourself.com/v/?AFF_ID=v1224&ypgerassw=eigeegwe">Ezntver
Heqre</a><br>
<br>
<br>
Both prodfucts shiepped discrsetely to your dobor<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<A
HREF="http://www.qohbhbkjdo.wyqlwusu.com=www.wuozs.ttxgg.markityourself.com/?llmdp=uiuc">Not
itnreseted</a><br></FONT></DIV></BODY></HTML>
gustave renaissance beer cartel conscription combination committeemen
debugged aboveboard hollyhock boyd frenchmen fragmentation orwell
bayonne krishna astride boustrophedon bordello chisholm cytochemistry
degeneracy banquet cheekbone palatine anchor like abeyance equine
carrara derelict feeney colonial abbott gerundial embark lahore
nostalgic aldermen <br>
fum passaic remunerate alluvial nullstellensatz argentina gluey brig
gigavolt governess flycatcher pavanne geriatric betrayer bashaw permute
cognac antisemite banister bawdy dadaism aircraft aristocratic i'll
hempstead big headphone hellgrammite portfolio sidesaddle cumin <br>
ramp cement adequate bulblet augustine reveal diagnosis bully frantic
harrington mater descent barbarism embalm falstaff binghamton bowmen
californium censorial abyssinia boathouse incursion diversify frown
leukemia checksumming connotation crane draw constructible cretaceous
airman clive chiang goniometer idiot rhapsody <br>
morn bedford begrudge assiduity bumble axis frostbitten ia cutler
deuterium couturier alpine ado dale ashtray revision boeotia <br>
hardworking bruit anchoritism lynn bryce flew diocesan miscible
abstinent prism harvest morsel jocose nonogenarian dreamt duck
internecine defraud practice authoritarian homework bronchiole
hopkinsian alias demagnify osteoporosis bombproof patroness fairchild
bremen hipster <br>
cedric countersink finley enthalpy bane barbour brushy rightward
ineradicable cramp olga cannon kitten faint fix depositary healthful
appendage frye chandler andrews depressant algal riemannian amygdaloid
doormen colombia jukes guild catv bellingham drawn anhydrous horowitz <br>
joliet okinawa postpone registration browbeaten archer destine bender
downturn knives mackinaw producible savvy bator recruit deltoid fanciful
proud chin apparent aiken humphrey bassinet icosahedra elk heaven i'm
ineradicable extricate angstrom alkane argus angle bater capacitance
kilohm portulaca <br>
buttermilk cowpea kidnapping puffed module malaise mercedes cue eloise
disperse hysteria aerial fayetteville fidelity muong pedantry personify
caste extra kapok blackjack identity award parsimonious harbinger <br>
deadwood scopic psychiatric inhibitor prague backhand dilapidate cassius
ii accustom depression guesswork sinai castor mater hampshire secret
cryptanalyst aminobenzoic cytosine ervin cranky inflationary column
chiropractor killjoy nutrient audacious agree experimentation inculpable
catechism recipe <br>
considerate lose dustbin inexplicable acolyte curdle infamy retrieve
cyanate detractor incredulity redpoll avuncular civet appliance
chrysolite scarlet photography sanskrit crate chauffeur ambuscade
samarium heal haugen shod brownian catalogue quasicontinuous deane
crowberry ligament <br>


--76632517639139483976--




--
Ralf Guenthner
IT-Sicherheitsbeauftragter
Drillisch-Konzern

Wilhelm-Röntgen-Str. 1-5
63477 Maintal

Tel.: 06181-412246


E-Mail: r.guenthner@alphatel.de
RE: How to catch critters like this one??
where is everyone......starting to feel very alone...

-----Original Message-----
From: Ralf Guenthner [mailto:gue@alphatel.de]
Sent: 03 February 2004 10:48
To: spamassassin-users@incubator.apache.org
Subject: How to catch critters like this one??


Re: How to catch critters like this one??
> Does anyone have a suggestion how to raise scores on messages like this
> the next time? I trained Bayes with it, of course and integrated the
> alternate spelling in my V... rule, but besides that I'm at a loss right
> now.

Looks like the spammer's solution to the detection of their "insert random
punctuation" approach is to insert random letters instead. It's highly
likely that this approach is going to generate a *lot* of uncommon letter
sequences, so I'd look to trigger on that. IIRC someone has already
produced a set of regular-expression-based rules for letter sequences that
do not occur in English, but I can't locate it on Google. Anyone got a
link, because I think it may be time to add it to the collection...

Andy

The only person to have all his work done by Friday was Robinson Crusoe
Re: How to catch critters like this one??
I think you're looking for the TripWire rules, located here:

http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm



>>> "Andy Blanchard" <andyb@zocalo.uk.com> 02/03/04 10:30AM >>>
Re: How to catch critters like this one??
At 15.30 03/02/2004 +0000, Andy Blanchard wrote:
>IIRC someone has already
>produced set of regular expressions based rules for letter sequences that
>do not occur in English, but I can't locate it on Google. Anyone got a
>link, because I think it may be time to add it to the collection...

That's the Tripwire ruleset.

http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf

Since it uses arithmetic meta rules it will work only on SA 2.50+
Bye,

Gio.

--
System Engineer @ Reitek S.p.A.
g.carbone@reitek.com
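Andy's idea above (trigger on letter sequences that never occur in English) and Gio's note that the Tripwire ruleset needs SA 2.50+ because it uses arithmetic meta rules can both be seen working in the following Python script. It is an added example, not the 99_FVGT_Tripwire.cf ruleset and not code posted in this thread: the TRIPWIRES list, the score ladder and the rule names are my own constructed assumptions, the sample texts are constructed from the spam body quoted earlier in the thread (with a placeholder URL), and the emitted SpamAssassin fragment shows the meta-rule form that SA 2.50 and later understand.

```python
import re

# Constructed list of letter pairs that do not occur inside ordinary English
# words. Illustrative only; the published Tripwire ruleset uses its own list.
TRIPWIRES = ("vz", "gk", "sj", "fn", "zn", "qk", "jq", "zx", "xj",
             "qz", "vq", "wq", "jz", "vj", "fq", "gq")

TAG_RE = re.compile(r"<[^>]*>")
WORD_RE = re.compile(r"[a-z]+")

# Sample inputs constructed from the spam body quoted in this thread and from
# an ordinary list message; the URL is a placeholder, not the spammer's.
SPAM_SAMPLE = """<p>Hi,<br>
Sucper charrge your logve livfe!<br>
Orgder your Vziagkra and Sjupyer Vicagtra sanfely and securlely onliane.<br>
Cidalsis (Susper Vieaagra) takes affhect riglht away and lafsts for datys!<br>
<A HREF="http://www.example.invalid/c/">Efntaer Heure</a><br>
Gecnekric Vifaglra coqsts 60% lesbs, salve lots of caosh!<br>
<A HREF="http://www.example.invalid/v/">Ezntver Heqre</a><br>
Both prodfucts shiepped discrsetely to your dobor<br>"""

HAM_SAMPLE = ("Hi Ralf, the tripwire rules caught most of these messages for me. "
              "Restart spamd after dropping the file into /etc/mail/spamassassin.")


def rendered_text(body):
    """Approximate SpamAssassin's `body` view of a part: tags removed, lowercased."""
    return TAG_RE.sub(" ", body).lower()


def tripwire_hits(body):
    """Return the set of tripwire pairs found inside words of the rendered body.

    Each pair stands for one sub-rule. As in SpamAssassin, a sub-rule either
    fires or not; repeated matches of the same pair do not add up.
    """
    hits = set()
    for word in WORD_RE.findall(rendered_text(body)):
        hits.update(pair for pair in TRIPWIRES if pair in word)
    return hits


def tripwire_score(hits, ladder=((5, 3.0), (3, 1.5), (1, 0.3))):
    """Score ladder of the kind an arithmetic meta rule expresses (assumed values):
    the score attached to the highest hit-count threshold that was reached."""
    n = len(hits)
    for needed, score in ladder:
        if n >= needed:
            return score
    return 0.0


def spamassassin_rules(pairs=TRIPWIRES, threshold=3, score=1.5):
    """Emit the equivalent SpamAssassin config fragment: one hidden body sub-rule
    per pair and a meta rule that adds their hit counts (SA 2.50+ syntax)."""
    names = ["__TW_" + pair.upper() for pair in pairs]
    lines = [f"body {name} /{pair}/i" for name, pair in zip(names, pairs)]
    lines.append(f"meta TRIPWIRE_{threshold} (({' + '.join(names)}) >= {threshold})")
    lines.append(f"describe TRIPWIRE_{threshold} At least {threshold} letter pairs "
                 "that do not occur in English")
    lines.append(f"score TRIPWIRE_{threshold} {score}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        hits = tripwire_hits(text)
        print(f"{label}: hits={sorted(hits)} score={tripwire_score(hits)}")
    print(spamassassin_rules())
```

The sample trips five pairs (vz, gk, sj, fn, zn) while the ham line trips none. The tag stripping mirrors SA `body` rules, which see the rendered text; the random letters inside the spam's URLs are only visible to `rawbody` or `uri` rules. The generated fragment can be saved as a .cf file in /etc/mail/spamassassin; run `spamassassin --lint` before restarting spamd so a typo in the meta expression is reported rather than silently skipped.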
Re: How to catch critters like this one??
On Tue, 03 Feb 2004 09:48:23 +0100, Ralf Guenthner <gue@alphatel.de>
wrote:
>Does anyone have a suggestion how to raise scores on messages like this
>the next time?

I've just been learning messages like this as spam and it scored
BAYES_99 for me.

Alan
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
Re: How to catch critters like this one??
Andy Blanchard wrote:


In the meantime I integrated the Tripwire rules pointed out by Thomas
Kinghorn and others. Now I'll wait and see... Maybe you should do the same?

Regards
Ralf G.
Re: How to catch critters like this one??
=> That's the Tripwire ruleset.

I see various of these rulesets that are in the form filename.cf. Are these
used automatically if the ruleset file is in the proper SA directory, or do
they have to be specifically invoked somewhere? - John
Re: How to catch critters like this one??
>From: John Fleming <john@wa9als.com>
>To: spamassassin-users@incubator.apache.org
>References: <5.2.1.1.0.20040203163835.02681258@localhost>
>Subject: Re: How to catch critters like this one??
>Date: Tue, 3 Feb 2004 12:17:51 -0500
>
>=> That's the Tripwire ruleset.
>
>I see various of these rulesets that are in the form filename.cf.
>Are these used automatically if the ruleset file is in the proper
>SA directory, or do they have to be specifically invoked somewhere?
>- John

Used automatically. Typically put all these configuration files in

/etc/mail/spamassassin

on a Unix box. You'll need to stop & restart spamd if you're using
that.
RE: How to catch critters like this one??
John Fleming Sent: Tuesday, February 03, 2004 12:18 PM

> => That's the Tripwire ruleset.
>
> I see various of these rulesets that are in the form filename.cf. Are
these
> used automatically if the ruleset file is in the proper SA directory, or
do
> they have to be specifically invoked somewhere? - John

Just place it in your /etc/mail/spamassassin folder and restart spamd. As
long as it's got .cf in the file name, it'll pick it up.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
Re: How to catch critters like this one??
On Tue, 2004-02-03 at 00:48, Ralf Guenthner wrote:
> Hi list
>
> I thought in the meantime I'd seen all variations of spelling this
> infamous aphrodisiac beginning with V...but I was stunned by this ugly
> spam that made it through my SA 2.60 with Bigevil, all the Backhairs and
> trained Bayes and it only got a score of 0.1 (for being pure HTML)
>

Go get antidrug.cf - it's a very well thought out ruleset and stops a
lot of drug-related spam.

- Jon

--
jon@tgpsolutions.com

Administrator, tgpsolutions
http://www.tgpsolutions.com
Re: How to catch critters like this one??
At Tue Feb 3 08:48:23 2004, Ralf Guenthner wrote:
>
> Hi list
>
> I thought in the meantime I'd seen all variations of spelling this
> infamous aphrodisiac beginning with V...but I was stunned by this ugly
> spam that made it through my SA 2.60 with Bigevil, all the Backhairs and
> trained Bayes and it only got a score of 0.1 (for being pure HTML)
>
> Does anyone have a suggestion how to raise scores on messages like this
> the next time? I trained Bayes with it, of course and integrated the
> alternate spelling in my V... rule, but besides that I'm at a loss right
> now.

This is generated by a specific bit of ratware -- there are a set of
common traits in the headers. I've submitted a set of rules for this
to the bugzilla -- see bug #2992 at
http://bugzilla.spamassassin.org/show_bug.cgi?id=2992

Martin
--
Martin Radford | "Only wimps use tape backup: _real_
martin@zamenhof.demon.co.uk | men just upload their important stuff -o)
Registered Linux user #9257 | on ftp and let the rest of the world /\\
- see http://counter.li.org | mirror it ;)" - Linus Torvalds _\_V
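Martin's point that this ratware leaves a set of common traits in its headers can be checked mechanically. The following Python script is an added example, not the rules attached to bug #2992 and not code from the thread: the six traits it tests for are my own heuristics read off the headers quoted at the top of the thread (a Message-Id whose domain part has no dot, a "with HTTP" hop relayed by a bare IP literal, that same hop claiming to come from an address in the reserved 240.0.0.0/4 block, an X-Mailer of exactly two lowercase words, an all-lowercase Subject, and a Date header later than the earliest Received stamp), the trait names are invented, and the two sample messages are the quoted headers plus a constructed clean message using example.org/example.net names.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A "with HTTP" hop of the form seen in the sample: from [a.b.c.d] by <host> with HTTP
HTTP_HOP = re.compile(r"from \[(" + IPV4 + r")\] by (\S+) with HTTP")

# Sample inputs. RATWARE_SAMPLE is the header block quoted in this thread;
# CLEAN_SAMPLE is a constructed ordinary message.
RATWARE_SAMPLE = """\
Return-Path: <jyajxrm@msn.com>
Received: from pa-bethelparkcadent1shills1b-1-160.pit.adelphia.net
 (pa-bethelparkcadent1shills1b-1-160.pit.adelphia.net [24.52.64.160])
 by mxs.tiscali.de (Postfix) with SMTP
 id 95B6E20A3B; Sat, 31 Jan 2004 15:14:44 +0100 (CET)
Received: from [247.195.216.113] by 65.60.148.197 with HTTP;
 Sat, 31 Jan 2004 11:11:33 -0200
From: "Felix Murray" <jyajxrm@msn.com>
To: gue@alphatel.de
Subject: louver jazz offspring
Mime-Version: 1.0
X-Mailer: burnside allot
Date: Sat, 31 Jan 2004 07:16:33 -0600
Reply-To: "Felix Murray" <jyajxrm@msn.com>
Message-Id: <JOBADOJ-0002413935958@annale>

(body omitted)
"""

CLEAN_SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net (Postfix) with ESMTP id ABC123;
 Tue, 3 Feb 2004 10:48:23 +0100
From: Ralf <ralf@example.org>
To: list@example.net
Subject: Re: SpamAssassin rule question
Date: Tue, 3 Feb 2004 10:47:55 +0100
Message-Id: <20040203094755.GA1234@mail.example.org>
X-Mailer: Mozilla Thunderbird 0.5

(body omitted)
"""


def _parse_stamp(value):
    """RFC 2822 date string to a datetime, or None when it cannot be parsed."""
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def ratware_traits(raw):
    """Return the set of (invented) trait names that fire on a raw RFC 2822 message."""
    msg = message_from_string(raw)
    traits = set()

    # Trait 1: Message-Id whose right-hand side is not a dotted host name.
    msgid = (msg.get("Message-Id") or "").strip("<> ")
    if "@" in msgid and "." not in msgid.rsplit("@", 1)[1]:
        traits.add("MSGID_NO_DOT_DOMAIN")

    # Traits 2 and 3: a "with HTTP" hop relayed "by" a bare IP literal, and/or
    # "from" an address in 240.0.0.0/4, which is IETF-reserved and never routed.
    hops = msg.get_all("Received") or []
    for hop in hops:
        m = HTTP_HOP.search(hop)
        if not m:
            continue
        if re.fullmatch(IPV4, m.group(2)):
            traits.add("HTTP_HOP_BY_BARE_IP")
        try:
            if ipaddress.ip_address(m.group(1)).is_reserved:
                traits.add("HTTP_HOP_FROM_RESERVED_IP")
        except ValueError:  # octet out of range: not a real address either way
            pass

    # Trait 4: X-Mailer that is exactly two lowercase words.
    if re.fullmatch(r"[a-z]+ [a-z]+", (msg.get("X-Mailer") or "").strip()):
        traits.add("XMAILER_TWO_WORDS")

    # Trait 5: Subject made only of lowercase words, no capitals or punctuation.
    if re.fullmatch(r"[a-z]+(?: [a-z]+)+", (msg.get("Subject") or "").strip()):
        traits.add("SUBJECT_LOWERCASE_WORDS")

    # Trait 6: Date header later than the earliest (innermost) Received stamp;
    # a message cannot have been composed after the first relay already had it.
    sent = _parse_stamp(msg.get("Date") or "")
    first_hop = _parse_stamp(hops[-1].rsplit(";", 1)[-1].strip()) if hops else None
    try:
        if sent and first_hop and sent > first_hop:
            traits.add("DATE_AFTER_FIRST_RECEIVED")
    except TypeError:  # naive vs. aware stamps cannot be compared
        pass
    return traits


if __name__ == "__main__":
    for label, raw in (("ratware", RATWARE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{label}: {sorted(ratware_traits(raw))}")
```

On the quoted headers all six traits fire; on the clean message none do. Any one trait on its own is weak (a two-word X-Mailer or a lowercase Subject also shows up in legitimate mail), so in a real ruleset they belong behind a meta rule that requires several of them together, as the Tripwire rules do for letter pairs.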