Mailing List Archive

Re: [spa] RE: Logo spams
On Mon, 23 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
> We're still seeing a lot of these even with BigEvil, RBLs etc.
> Has anybody found a "cure" before our CTO deep sixes the rest of Asia?

Funny, I get rid of mine by nuking 'snapshut.com' and watching
for obfuscations of 'logo'.....

uri LOC_LOGOSITE /snapshut\.com/i
describe LOC_LOGOSITE Logo Site
score LOC_LOGOSITE 0.5
body LOC_LOGOOBFU /(?!logo)[l1I][o0][gq][o0]/i
describe LOC_LOGOOBFU Logo Obfuscated
score LOC_LOGOOBFU 0.5

Didn't even have to score them too high.....

- C
RE: [spa] RE: Logo spams
That may work :)
I'll give it a try

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: Charles Gregory [mailto:cgregory@hwcn.org]
> Sent: 23 February 2004 19:19
> To: SATalk
> Subject: Re: [spa] RE: Logo spams
>
>
> On Mon, 23 Feb 2004, Michele Neylon :: Blacknight Solutions wrote:
> > We're still seeing a lot of these even with BigEvil, RBLs etc.
> > Has anybody found a "cure" before our CTO deep sixes the rest of Asia?
>
> Funny, I get rid of mine by nuking 'snapshut.com' and watching
> for obfuscations of 'logo'.....
>
> uri LOC_LOGOSITE /snapshut\.com/i
> describe LOC_LOGOSITE Logo Site
> score LOC_LOGOSITE 0.5
> body LOC_LOGOOBFU /(?!logo)[l1I][o0][gq][o0]/i
> describe LOC_LOGOOBFU Logo Obfuscated
> score LOC_LOGOOBFU 0.5
>
> Didn't even have to score them too high.....
>
> - C
>
RE: [spa] Re: Logo spams
Hey now! I've moved those rules into my "TO add to SARE" folder ;) So someone
listened!

*Man that folder is getting big!!*

I really need to update.

--Chris

> -----Original Message-----
> From: Charles Gregory [mailto:cgregory@hwcn.org]
> Sent: Tuesday, February 24, 2004 11:37 AM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: [spa] Re: Logo spams
>
>
> <whine>
> I feel so *ignored*.....
> I posted the 'snapshut' rule and the logo obfuscation rule already.
> No one listens to me.
> </whine>
>
> :-)
>
> - Charles
>
>
> On Mon, 23 Feb 2004, Loren Wilton wrote:
>
> > Date: Mon, 23 Feb 2004 16:23:29 -0800
> > From: Loren Wilton <lwilton@earthlink.net>
> > To: spamassassin-users@incubator.apache.org
> > Subject: [spa] Re: Logo spams
> >
> > Taking a quick look at the first one (and I wish you would post as text
> > rather than html next time!) I see some interesting things that will
> > probably hold for some time:
> >
> > 1. www.snapshut.info should be added to the BigEvil list
> >
> > 2. The word "logo" or "Logo" appears 8 times in the body of the message.
> > Suspicious.
> >
> > 3. The word "Iogo" (capital I, not L) appears twice, intended to be
> > obfuscation.
> >
> > 4. The word "Ioqo" (capital I, q instead of g) appears once as
> > obfuscation.
> >
> > 5. The word 'quality' is spelled "guaIity", again intended as
> > obfuscation.
> >
> > Taken together, these can make some fairly nice rules specific to this spam.
> >
> > body __LOGOS /(?:\blogo[s]?\b){6,99}/i
> > body __BAD_LOGOS /\bIo[gq]o[s]?\b/
> > body __POOR_QUALITY /gua[lI]ity/
> >
> > meta NASTY_LOGOS (__LOGOS && (__BAD_LOGOS || __POOR_QUALITY))
> > score NASTY_LOGOS 5.0
> >
> > uri SNAPSHUT /www\.snapshut\.info/
> > score SNAPSHUT 2.0
> >
> > Loren
> >
>
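
Added example (not code from the thread or from SpamAssassin): the rules quoted above, run as Python regexes over a constructed sample body. It shows which spellings LOC_LOGOOBFU fires on, and that the {6,99} group in __LOGOS only counts back-to-back repeats, which its \b anchors rule out, so a counting variant is shown beside it. SAMPLE, WORD_LOGO, the function names and the threshold default are assumptions made for this example; SpamAssassin itself evaluates these rules in Perl.

```python
import re

# Patterns copied from the rules quoted in the thread. Assumption: Python's re
# handles these constructs the same way as the Perl regexes SpamAssassin uses.
LOC_LOGOOBFU = re.compile(r"(?!logo)[l1I][o0][gq][o0]", re.I)
LOGOS = re.compile(r"(?:\blogo[s]?\b){6,99}", re.I)
BAD_LOGOS = re.compile(r"\bIo[gq]o[s]?\b")
POOR_QUALITY = re.compile(r"gua[lI]ity")
# Hypothetical helper pattern (not from the thread): one whole-word hit.
WORD_LOGO = re.compile(r"\blogos?\b", re.I)

# Constructed sample body with the traits listed in the thread: "logo" 8 times,
# "Iogo" twice, "Ioqo" once, "guaIity" once.
SAMPLE = (
    "Need a new logo? Our logo team builds your company logo fast. "
    "Each Logo is unique. A good logo sells. Order a logo today. "
    "Your Iogo will be of the highest guaIity. Every Iogo and Ioqo is original. "
    "See our logos online. Logo prices start low."
)

def obfuscated_hits(text):
    """Substrings LOC_LOGOOBFU matches; the lookahead skips plain 'logo'."""
    return [m.group(0) for m in LOC_LOGOOBFU.finditer(text)]

def _markers(text):
    """True if either obfuscation sub-rule (__BAD_LOGOS, __POOR_QUALITY) hits."""
    return bool(BAD_LOGOS.search(text) or POOR_QUALITY.search(text))

def nasty_logos_as_posted(text):
    """The meta rule with __LOGOS exactly as written in the thread."""
    return bool(LOGOS.search(text)) and _markers(text)

def nasty_logos_counted(text, threshold=6):
    """Hypothetical variant: count whole-word hits anywhere in the body."""
    return len(WORD_LOGO.findall(text)) >= threshold and _markers(text)

if __name__ == "__main__":
    print("LOC_LOGOOBFU hits:", obfuscated_hits(SAMPLE))
    print("NASTY_LOGOS as posted:", nasty_logos_as_posted(SAMPLE))
    print("NASTY_LOGOS counted:", nasty_logos_counted(SAMPLE))
```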