Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SpamAssassin>
  3. users
No tagging of comments?
maillists at conactive
Feb 28, 2004, 8:31 AM
Post #1 of 4 (482 views)
Permalink
The only spam getting thru our SA from time to time is of this format:

<html><body>
<center><!--e2we9aigF7oX1u9--><a href="http://www.xcvxc3w.com/ghr/"><img
src="http://www.sddewwx.com/g9.gif" border=0></a></center>
<body></html>

That's the body of a standard multipart/alternative mail where the
text/plain part only contains a few line breaks. The Subject is encoded
although there is no need to:
Subject: =?iso-8859-1?B?UmU6U29tYXRyb3BpbiBpbiBhIGNhcHN1bGU=?=

It gets tagged as follows:
2.10 BAYES_90 Bayesian spam probability is 90 to 99%
0.11 HTML_60_70 Message is 60% to 70% HTML
1.23 HTML_IMAGE_ONLY_02 HTML: images with 0-200 bytes of words

I'm wondering:
- why there isn't any tagging of the comment, shouldn't comments be used
as an indication of probable spam? (Not that they could just remove the
comment, it seems to only serve as a Bayes poison, it doesn't
hide/obfuscate anything.)
- why it doesn't tag as MIME_HTML_ONLY or MIME_HTML_ONLY_MULTI or maybe
there should be a rule "MIME_NO_TEXT_PLAIN" which hits when you have
text/plain parts but no content?
- why it doesn't tag an IMG in an HREF as spammy

or do we get too many false positives with this approach?

Another lesson the message tells is that the BigEvil rules are probably
going to fail more often in the future than ever since spammers just
revolve thru random domains freshly registered for one batch of spam.


Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
RE: No tagging of comments? [ In reply to ]
Tom.Meunier at courts
Feb 28, 2004, 10:16 AM
Post #2 of 4 (491 views)
Permalink
Howdy Kai,

That tripped Chris Santerre's "Mr. Wiggly" rule.

rawbody __VDRUG1 /^\<html\>\<body\>/
rawbody __VDRUG2 /^\<center\>\<\!\-\-.{10,25}\-\-\>\<a
href\=\"http\:\/\//
rawbody __VDRUG3 /[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 1.0

(Yes, I realize that wasn't exactly your question, but still...)

-tom

-----Original Message-----
From: Kai Schaetzl [mailto:maillists@conactive.com]
Sent: Saturday, February 28, 2004 9:32 AM
To: spamassassin-users@incubator.apache.org
Subject: No tagging of comments?

The only spam getting thru our SA from time to time is of this format:
Re: No tagging of comments? [ In reply to ]
lwilton at earthlink
Feb 28, 2004, 10:35 AM
Post #3 of 4 (480 views)
Permalink
> The only spam getting thru our SA from time to time is of this format:
>
> <html><body>
> <center><!--e2we9aigF7oX1u9--><a href="http://www.xcvxc3w.com/ghr/"><img
> src="http://www.sddewwx.com/g9.gif" border=0></a></center>
> <body></html>

This looks like a MR_WIGGLY spam. There is a special test to catch his
spams. There is no point in putting his domains in BigEvil because they
change several times per day. But the message format never seems to change,
so it is easy enough to catch.

Loren
Re: No tagging of comments? [ In reply to ]
maillists at conactive
Feb 28, 2004, 12:31 PM
Post #4 of 4 (480 views)
Permalink
Tom Meunier wrote on Sat, 28 Feb 2004 11:16:01 -0600:

> (Yes, I realize that wasn't exactly your question, but still...)
>

yes, thanks, remember now that I already saw this rule mentioned in the
past but thought we were already using it. I now grabbed the antidrug.cf
and added the MRWIGGLY rule to it. Both had been missing from our rule
portfolio.


Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal