Mailing List Archive

On Sun, 8 Feb 2004, Matthias Fuhrmann wrote:

> another anyoing spammer:

They're all annoying.

> <html><body>
> <center><!--sriwQlj8pV75--><a href="http://www.sortffr.com"><img src="http://www.rockedce.com/v9.gif" border=0></a></center>
> <body></html>
>
> 3 lines.
> didnt got hit hard enough yet, only 6.5 points (requiered 5).
> anyone seen this yet and got more examples, or might write a regex ?

This is a _very_ common ratware indicator. This rule will bag it:

rawbody LOCAL_CENTER_COM /<center><!--/
describe LOCAL_CENTER_COM Message has a center followed by a comment
score LOCAL_CENTER_COM 2.5

In one corpus, that rule hit a couple of thousand spams and not a
single ham.

+------------------------------------------------+---------------------+
| Carl Richard Friend (UNIX Sysadmin) | West Boylston |
| Minicomputer Collector / Enthusiast | Massachusetts, USA |
| mailto:crfriend@rcn.com +---------------------+
| http://users.rcn.com/crfriend/museum | ICBM: 42:22N 71:47W |
+------------------------------------------------+---------------------+

On Sun, 8 Feb 2004, Carl R. Friend wrote:

> On Sun, 8 Feb 2004, Matthias Fuhrmann wrote:
>
> > another anyoing spammer:
>
> They're all annoying.

yes :)

> > 3 lines.
> > didnt got hit hard enough yet, only 6.5 points (requiered 5).
> > anyone seen this yet and got more examples, or might write a regex ?
>
> This is a _very_ common ratware indicator. This rule will bag it:
>
> rawbody LOCAL_CENTER_COM /<center><!--/
> describe LOCAL_CENTER_COM Message has a center followed by a comment
> score LOCAL_CENTER_COM 2.5
>
> In one corpus, that rule hit a couple of thousand spams and not a
> single ham.

thnx. i'll give it a try. inspired by your regex i made a more safer
additional version which i gave even more points:

rawbody LOCAL_CENTER_COM_2 /<center><!--[ \S]*.gif/
describe LOCAL_CENTER_COM_2 Message has a center followed by a comment
score LOCAL_CENTER_COM_2 10

regards,
Matthias

> <html><body>
> <center><!--sriwQlj8pV75--><a href="http://www.sortffr.com"><img
src="http://www.rockedce.com/v9.gif" border=0></a></center>
> <body></html>

You might want to try this too:

uri AMB_IMAGE_CONTENT /\/[a-z][a-z]?[0-9][0-9]?\.(gif|jpg)/i
describe AMB_IMAGE_CONTENT Contains a URI linking to a numbered gif/jpg
score AMB_IMAGE_CONTENT 3.0

Note that my default score is quite high. I get no problems from this,
but if you subscribe to a lot of HTML lists you may have a problem with
false positives so I'd start with a lower score if that's the case or use
some judicious whitelisting to cancel out the FPs.

Andy

This hits everytime:

rawbody __VDRUG1 /^\<html\>\<body\>/
rawbody __VDRUG2 /^\<center\>\<\!\-\-.{10,25}\-\-\>\<a href\=\"http\:\/\//
rawbody __VDRUG3 /[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 2.0

--Chris

> -----Original Message-----
> From: Matthias Fuhrmann
> [mailto:Matthias.Fuhrmann@stud.uni-hannover.de]
> Sent: Saturday, February 07, 2004 8:06 PM
> To: spamassassin-users@incubator.apache.org
> Subject: html image only
>
>
>
> Hi,
>
> another anyoing spammer:
>
> <html><body>
> <center><!--sriwQlj8pV75--><a
> href="http://www.sortffr.com"><img
> src="http://www.rockedce.com/v9.gif" border=0></a></center>
> <body></html>
>
> 3 lines.
> didnt got hit hard enough yet, only 6.5 points (requiered 5).
> anyone seen this yet and got more examples, or might write a regex ?
>
> tia,
> Matthias
>