Mailing List Archive

Mr Wiggly has changed
Looks like the clever fellow who brought you Mr Wigglies V word email has
changed his modus operandi.

I've just received a new version of the same old message which was missed by
the Mr Wiggly rules.

Message source here: http://www.mailsecurity.net.au/tmp/mrwiggly.txt

Chris - let me know if you need any more copies, I'm sure our spamtraps will
have hundreds shortly.

Regards,

David Hooton


========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================
Re: Mr Wiggly has changed
> I've just received a new version of the same old message which was missed
> by the Mr Wiggly rules.
>
> Message source here: http://www.mailsecurity.net.au/tmp/mrwiggly.txt

Persistent little swine this one... The following works nicely for me and
has generated no false positives yet (hence the high score), YMMV:

# Look for URIs linking to a .GIF or .JPG with one or two letters
# then one or two numbers as the name
uri AMB_IMAGE_CONTENT /\/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)/i
describe AMB_IMAGE_CONTENT Contains URI linking to numbered GIF or JPG
score AMB_IMAGE_CONTENT 3.0

Andy
RE: Mr Wiggly has changed
> -----Original Message-----
> From: Andy Blanchard [mailto:andyb@zocalo.uk.com]
> Sent: Tuesday, February 03, 2004 1:22 PM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: Mr Wiggly has changed
>
>
> > I've just received a new version of the same old message
> which was missed
> > by the Mr Wiggly rules.
> >
> > Message source here: http://www.mailsecurity.net.au/tmp/mrwiggly.txt
>
> Persistent little swine this one... The following works
> nicely for me and
> has generated no false positives yet (hence the high score), YMMV:
>
> # Look for URIs linking to a .GIF or .JPG with one or two letters
> # then one or two numbers as the name
> uri AMB_IMAGE_CONTENT /\/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)/i
> describe AMB_IMAGE_CONTENT Contains URI linking to numbered
> GIF or JPG
> score AMB_IMAGE_CONTENT 3.0
>
> Andy


I have exactly the same, but I've seen some FPs on it, and scored it below
1.0. Be careful :)

--Chris
RE: Mr Wiggly has changed
> -----Original Message-----
> From: David Hooton [mailto:djh-lists@platformhosting.com]
> Sent: Tuesday, February 03, 2004 10:27 AM
> To: spamassassin-users@incubator.apache.org
> Subject: Mr Wiggly has changed
>
>
> Looks like the clever fellow who brought you Mr Wigglies V
> word email has
> changed his modus operandi.
>
> I've just received a new version of the same old message
> which was missed by
> the Mr Wiggly rules.
>
> Message source here: http://www.mailsecurity.net.au/tmp/mrwiggly.txt
>
> Chris - let me know if you need any more copies, I'm sure our
> spamtraps will
> have hundreds shortly.
>
> Regards,
>
> David Hooton

Hmm...it may be the sinus meds cloud I'm in, but I don't see what changed?
This should have been tagged????

--Chris
Re[2]: Mr Wiggly has changed
Hello Andy,

Tuesday, February 3, 2004, 10:22:15 AM, you wrote:

>> I've just received a new version of the same old message which was missed
>> by the Mr Wiggly rules.

AB> Persistent little swine this one... The following works nicely for me and
AB> has generated no false positives yet (hence the high score), YMMV:

AB> # Look for URIs linking to a .GIF or .JPG with one or two letters
AB> # then one or two numbers as the name
AB> uri AMB_IMAGE_CONTENT /\/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)/i
AB> describe AMB_IMAGE_CONTENT Contains URI linking to numbered GIF or JPG
AB> score AMB_IMAGE_CONTENT 3.0

A nice rule, but does hit ham here:

OVERALL SPAM HAM S/O SCORE NAME
91185 73148 18037 0.802 0.00 0.00 (all messages)
5345 5254 91 0.934 0.81 3.00 AMB_IMAGE_CONTENT

OVERALL% SPAM% HAM% S/O RANK SCORE NAME
91185 73148 18037 0.802 0.00 0.00 (all messages)
100.000 80.2193 19.7807 0.802 0.00 0.00 (all messages as %)
5.862 7.1827 0.5045 0.934 0.81 3.00 AMB_IMAGE_CONTENT

Hits 7% of my spam, and 0.5% of my ham.

Hits heavily on about.com's newsletters, and thebluebook.com's notices.

I'm going to try a modification that excludes those specific graphics,
and see what happens...

Bob Menschel
RE: Re[2]: Mr Wiggly has changed
-----Original Message-----
From: Robert Menschel [mailto:Robert@Menschel.net]
Sent: Wednesday, February 04, 2004 8:53 AM
To: Andy Blanchard
Cc: spamassassin-users@incubator.apache.org
Subject: Re[2]: Mr Wiggly has changed

A nice rule, but does hit ham here:

OVERALL SPAM HAM S/O SCORE NAME
91185 73148 18037 0.802 0.00 0.00 (all messages)
5345 5254 91 0.934 0.81 3.00 AMB_IMAGE_CONTENT

OVERALL% SPAM% HAM% S/O RANK SCORE NAME
91185 73148 18037 0.802 0.00 0.00 (all messages)
100.000 80.2193 19.7807 0.802 0.00 0.00 (all messages as %)
5.862 7.1827 0.5045 0.934 0.81 3.00 AMB_IMAGE_CONTENT


Could you tell me how you produce this report? If I need to RTFM please let
me know what manual to read. :)

Thanks,
Jason
Re[4]: Mr Wiggly has changed
Hello Jason,

Wednesday, February 4, 2004, 6:58:58 AM, you wrote:

JC> OVERALL SPAM HAM S/O SCORE NAME
JC> 91185 73148 18037 0.802 0.00 0.00 (all messages)
JC> 5345 5254 91 0.934 0.81 3.00 AMB_IMAGE_CONTENT

JC> OVERALL% SPAM% HAM% S/O RANK SCORE NAME
JC> 91185 73148 18037 0.802 0.00 0.00 (all messages)
JC> 100.000 80.2193 19.7807 0.802 0.00 0.00 (all messages as %)
JC> 5.862 7.1827 0.5045 0.934 0.81 3.00 AMB_IMAGE_CONTENT

JC> Could you tell me how you produce this report? If I need to RTFM
JC> please let me know what manual to read. :)

See http://www.exit0.us/index.php/Against%20a%20Corpus and then
http://www.exit0.us/index.php/BobCorpusTest for some guidance.

Bob Menschel
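
How the columns in the AMB_IMAGE_CONTENT report earlier in the thread follow from raw counts, as an added example that is not part of any poster's message and is not SpamAssassin's own tooling. The S/O formula is an assumption inferred from the posted figures, and the sample corpus and its hostnames are constructed.

```python
import re

# Pattern from the AMB_IMAGE_CONTENT uri rule in the thread (Perl /i -> re.I).
RULE = re.compile(r"/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)", re.I)

def rule_hits(uris):
    """True if the pattern matches any URI of a message (one hit per message)."""
    return any(RULE.search(u) for u in uris)

def hit_frequency(n_spam, n_ham, spam_hits, ham_hits):
    """Derive the report columns for one rule from raw message counts."""
    spam_pct = 100.0 * spam_hits / n_spam if n_spam else 0.0
    ham_pct = 100.0 * ham_hits / n_ham if n_ham else 0.0
    total = n_spam + n_ham
    overall_pct = 100.0 * (spam_hits + ham_hits) / total if total else 0.0
    # Assumption: S/O = spam% / (spam% + ham%); this reproduces the 0.934
    # posted for the rule (7.1827 / (7.1827 + 0.5045)).
    denom = spam_pct + ham_pct
    return {"overall_pct": overall_pct, "spam_pct": spam_pct,
            "ham_pct": ham_pct, "s_o": spam_pct / denom if denom else 0.0}

def score_corpus(messages):
    """messages: iterable of (label, [uris]) with label 'spam' or 'ham'."""
    counts = {"spam": [0, 0], "ham": [0, 0]}  # label -> [messages, hits]
    for label, uris in messages:
        counts[label][0] += 1
        counts[label][1] += rule_hits(uris)
    return hit_frequency(counts["spam"][0], counts["ham"][0],
                         counts["spam"][1], counts["ham"][1])

# Constructed sample corpus (not taken from the thread or from any real mail).
SAMPLE = [
    ("spam", ["http://pills.example/a1.gif"]),                # hit
    ("spam", ["http://pills.example/track/zz9.JPG"]),         # hit, /i flag
    ("spam", ["http://pills.example/offer.html"]),            # no image URI
    ("ham",  ["http://newsletter.example/images/b2.gif"]),    # false positive
    ("ham",  ["http://shop.example/img/logo.gif"]),           # no digits
    ("ham",  ["http://photos.example/abc1.gif"]),             # three letters
    ("ham",  ["http://photos.example/ab123.jpg"]),            # three digits
]

if __name__ == "__main__":
    # Counts posted in the thread: 73148 spam, 18037 ham, 5254 / 91 hits.
    print(hit_frequency(73148, 18037, 5254, 91))
    print(score_corpus(SAMPLE))
```

The fourth sample message shows the kind of short, numbered image name in legitimate mail that produces the ham hits reported in the thread.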