Date: Thu, 13 May 2004 19:13:11 -0400
From: Christopher Rued <c.rued@xsb.com>
To: cyrille.lefevre@laposte.net
Cc: freebsd security <freebsd-security@FreeBSD.org>
Subject: Re: How do fix a good solution against spam..
Message-ID: <40A40107.1010207@xsb.com>
In-Reply-To: <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org>
References: <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org>
hehe ... my SpamAssassin marked this as spam :-)

Cyrille Lefevre wrote:
> take a look here :
>
> http://www.merchantsoverseas.com/wwwroot/gorilla
>
> then let's try the attached script and patch which may not be up to date.
>
> PS : I don't use it since my machine is too slow and this makes mimedefang
> to give up (timeout) too often.
>
> Cyrille Lefevre
>
>
> ------------------------------------------------------------------------
>
> diff -u orig/sa_body.cf sa/sa_body.cf > --- orig/sa_body.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_body.cf Sat Jan 31 01:57:22 2004 > @@ -4,21 +4,20 @@ > > # submitted by Yorkshire Dave. > > -> "Dear Fellow Opportunist" (my favorite ;-) > +# "Dear Fellow Opportunist" (my favorite ;-) > > body L_OPPORT /\bfellow.opportunist/i > describe L_OPPORT fellow opportunist > > -> "You need to act now or you will miss out on a great offer" > +# "You need to act now or you will miss out on a great offer" > > body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i > describe L_ACTMISS act now or miss > > -body L_MISSOFFER > -/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i > +body L_MISSOFFER /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i > describe L_MISSOFFER miss great offer > > -> "CASH FOREVER" > +# "CASH FOREVER" > > body L_CASHFOREVER /\bcash.{1,3}forever\b/ > describe L_CASHFOREVER cash forever > @@ -419,8 +418,7 @@ > > # The following rules submitted by Kai MacTane. > > -body HIDDEN_VIAGRA > -/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i > +body HIDDEN_VIAGRA /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i > describe HIDDEN_VIAGRA Uses obfuscated version of "Viagra" > score HIDDEN_VIAGRA 2.00 
> > @@ -1011,7 +1009,7 @@ > describe CAREER_BACK_ON_TRACK (LOCAL RULE) Talks about getting a career back on track > score CAREER_BACK_ON_TRACK 3 3 3 3 > > -raw 123X456 /123x456/i > +rawbody 123X456 /123x456/i > describe 123X456 (LOCAL RULE) 123X456 is a marker for the SoBig.E worm > score 123X456 99 99 99 99 > > diff -u orig/sa_header_other.cf sa/sa_header_other.cf > --- orig/sa_header_other.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_header_other.cf Sat Jan 31 02:18:10 2004 > @@ -9,8 +9,8 @@ > header HINET Received =~ /bHINET-IP/i > describe HINET Received line contains HINET-IP (common spam gate from pacrim) > > -header TO-EVERYONE To:addr =~ /every(?:one|body)/i > -describe TO-EVERYONE To: everyone or everybody > +header TO_EVERYONE To:addr =~ /every(?:one|body)/i > +describe TO_EVERYONE To: everyone or everybody > > > # The following rules submitted by Daniel Bird. 
> @@ -97,27 +97,27 @@ > score L_f_Refi 0.4 > > # Spamsign in misc headers > -Header L_hR_NOREPLY Return-path =~ /<>/ > +header L_hR_NOREPLY Return-path =~ /<>/ > describe L_hR_NOREPLY Return path is set to empty (common for bounces) (RM) > score L_hR_NOREPLY 1.1 > > -Header L_hr_clkheremail Received =~ /clkheremail\.com/ > +header L_hr_clkheremail Received =~ /clkheremail\.com/ > describe L_hr_clkheremail Spam passed through clkheremail.com relay (RM) > score L_hr_clkheremail 3.1 > > -Header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i > +header L_hr_HeloIP Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i > describe L_hr_HeloIP Received has helo=IP - may be valid DSL router w/nat - may be spam (RM) > score L_hr_HeloIP 0.5 > > -Header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ > +header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ > describe L_hx_PSSBulk Uses PSS Bulk Mailer (RM) > score L_hx_PSSBulk 1.1 > > -Header L_hx_XaM3API exists:X-XaM3-API-Version > +header L_hx_XaM3API exists:X-XaM3-API-Version > describe L_hx_XaM3API X-XaM3-API-Version header found, often spamsign (RM) > score L_hx_XaM3API 1.1 > > -Header L_hx_JLH exists:X-JLH > +header L_hx_JLH exists:X-JLH > describe L_hx_JLH X-JLH header found, possible spamsign (RM) > score L_hx_JLH 1.1 > > diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf > --- orig/sa_header_subject.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_header_subject.cf Sat Jan 31 02:08:47 2004 
> @@ -27,59 +27,59 @@ > # The following rules submitted by Robert Menschel. > > # Spamsign subjects > -Header L_s_casino Subject =~ /c[a\@]sin[o0]/i > +header L_s_casino Subject =~ /c[a\@]sin[o0]/i > describe L_s_casino Subject mentions a casino (RM) > score L_s_casino 1.1 > > -Header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i > +header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i > describe L_s_CopyDVD Subject mentions copying DVDs (RM) > score L_s_CopyDVD 3.1 > > -Header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i > +header L_s_Drugs Subject =~ /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i > describe L_s_Drugs Subject mentions known spam subject (RM) > score L_s_Drugs 2.1 > > -Header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i > +header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i > describe L_s_GetPaid Subject mentions getting paid for something (RM) > score L_s_GetPaid 1.1 > > -Header L_s_HelpInvest Subject =~ /help.{1,10}invest/i > +header L_s_HelpInvest Subject =~ /help.{1,10}invest/i > describe L_s_HelpInvest Subject mentions help in investing something (RM) > score L_s_HelpInvest 1.1 > > -Header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i > +header L_s_MaskedWords1 Subject =~ /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i > describe L_s_MaskedWords1 masked spam word(s) in subject (RM) > score L_s_MaskedWords1 9.1 > > -Header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i > +header L_s_MaskedWords2 Subject =~ /che\@p|F0r|d0main|Ple\@se|m0ve/i > describe L_s_MaskedWords2 masked spam word(s) in subject (RM) > score L_s_MaskedWords2 9.1 > > -Header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i > +header L_s_MaskedWords3 Subject =~ /p\@tients|ph0t0|b0y|g1rl|vide0/i > describe L_s_MaskedWords3 masked spam word(s) in subject (RM) > score L_s_MaskedWords3 9.1 > > -Header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i > +header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i > describe 
L_s_MaskedWords4 masked spam word(s) in subject (RM) > score L_s_MaskedWords4 7.1 > > -Header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ > +header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ > describe L_s_MaskedWordsC masked spam word(s) in subject - case sensitive (RM) > score L_s_MaskedWordsC 9.1 > > -Header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i > +header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i > describe L_s_PleaseRead Subject includes request to please read the message (RM) > score L_s_PleaseRead 0.6 > > -Header L_s_profile Subject =~ /I\ saw\ your\ profile/i > +header L_s_profile Subject =~ /I\ saw\ your\ profile/i > describe L_s_profile Subject mentions your profile (RM) > score L_s_profile 1.1 > > -Header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i > +header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i > describe L_s_porn Subject seems to be about porn (RM) > score L_s_porn 2.1 > > -Header L_s_Tax Subject =~ /T[a\@]x/i > +header L_s_Tax Subject =~ /T[a\@]x/i > describe L_s_Tax Subject mentions taxes (RM) > score L_s_Tax 1.1 > > diff -u orig/sa_meta.cf sa/sa_meta.cf > --- orig/sa_meta.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_meta.cf Sat Jan 31 03:00:13 2004 > @@ -9,9 +9,11 @@ > > #Check for a beginning HTML tag <HTML> > rawbody __MK_HTML_TAG_START /\<html/i > +describe <html > > #Check for a closing HTML tag </html> > rawbody __MK_HTML_TAG_END /\<\/html\>/i > +describe </html> > > #Check to see if the HTML message is made correctly. Seeing a lot of SPAM that isn't > meta MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START && !__MK_HTML_TAG_END 
> @@ -102,8 +104,7 @@ > > header __THEBAT_UA User-Agent =~ /The Bat/ > meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID ) > -describe L_FORGED_MUA_THEBAT Forged message pretending to be from the > -bat! > +describe L_FORGED_MUA_THEBAT Forged message pretending to be from the bat! > > #spewing virus reports to forged sender addresses is spamming, talking > # about them on mailing lists isn't. > @@ -111,7 +112,8 @@ > body __VIRUS_WARNING_FWD /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is > body __VIRUS_WARNING_REV /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is > body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i > -meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner > +meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) > +describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner > > # The following rules were submitted by Sandy S. (The last S is for Secret!) > > diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf > --- orig/sa_oct03_rules.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_oct03_rules.cf Sat Jan 31 02:57:16 2004 > @@ -223,7 +223,7 @@ > > rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/ > describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found. > -score MY_ONE_CHAR_SCRIPT .33 > +score MY_ONECHAR_SCRIPT .33 > > rawbody MY_THISIS /this is spam/i > describe MY_THISIS They said this is spam themselves! > diff -u orig/sa_uri.cf sa/sa_uri.cf > --- orig/sa_uri.cf Thu Feb 19 14:56:29 2004 > +++ sa/sa_uri.cf Sat Jan 31 02:10:42 2004 
> @@ -358,8 +358,7 @@ > > uri MY_BLUETABS /fastbluetabs\.com/i > score MY_BLUETABS 5.000 > -describe MY_BLUETABS Message contains a link or email address to > -fastbluetabs.com > +describe MY_BLUETABS Message contains a link or email address to fastbluetabs.com > > uri MY_CERTREWARDS /certrewards\.com/i > score MY_CERTREWARDS 5.000 > > > ------------------------------------------------------------------------ >

-- 
Christopher Rued
Software Engineer
XSB, Inc.
631-444-6818
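Review bot: in the sa_body.cf hunk at @@ -4, the joined L_MISSOFFER line carries over the quantifier typo `.{1.20}` (a dot where a comma belongs). Perl does not treat `{1.20}` as a quantifier but as literal text, so the rule can only match a body that literally contains `{1.20}` and is effectively dead. Since the line is being rewritten anyway, change it to `.{1,20}`, matching the `.{1,20}` earlier in the same pattern.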
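Review bot: the joined HIDDEN_VIAGRA pattern in the sa_body.cf hunk at @@ -419 puts `{1,5}` inside the character class, where braces, digits and the comma are ordinary literal characters. Each `[\s{1,5}\-\.\*_]` therefore matches exactly one separator character, so `v i a g r a` matches but `v--i--a--g--r--a` does not, and the class also accepts stray `{`, `1`, `,`, `5` and `}` characters. The intended form is almost certainly `[\s\-\.\*_]{1,5}` between each letter; worth fixing while the line is touched.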
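Review bot: the `raw` to `rawbody` correction in the sa_body.cf hunk at @@ -1011 turns a line that was rejected at parse time into a live rule with a score of 99, i.e. an unconditional spam verdict. With that weight the pattern deserves anchoring: `/123x456/i` is a bare substring test, so any body that happens to contain `123x456` inside a longer token (an order or part number, say) is rejected outright. `\b123x456\b` would keep the SoBig.E marker match while limiting the collateral damage.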
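Review bot: the TO-EVERYONE to TO_EVERYONE rename in the sa_header_other.cf hunk at @@ -9 is the right fix, since rule names may only contain letters, digits and underscores, but the unchanged context line at the top of the same hunk, `header HINET Received =~ /bHINET-IP/i`, looks like it lost the backslash of a `\b` word boundary: as written it matches only the literal string `bHINET-IP`, so the rule never fires on a real Received header. Consider correcting it to `/\bHINET-IP/i` in this patch.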
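Review bot: the `Header` to `header` case fixes in the sa_header_subject.cf hunk at @@ -27 bring a dozen previously unparseable rules to life, so their false-positive exposure now matters. `L_s_Tax Subject =~ /T[a\@]x/i` has no word boundaries and will score any subject containing `tax` inside another word (syntax, taxonomy, taxi); anchor it with `\b`. The 7.1-point `L_s_MaskedWords4` embeds raw non-ASCII bytes (`ch[à\@]rge|Êbãy`), which only match if the .cf file is read in the same 8-bit encoding the pattern was written in, so that line is worth re-checking after the file passes through the mail system.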
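Review bot: the two added lines `describe <html` and `describe </html>` in the sa_meta.cf hunk at @@ -9 are malformed. `describe` takes a rule name followed by the description text, so these are parsed as descriptions for rules named `<html` and `</html>` rather than for `__MK_HTML_TAG_START` and `__MK_HTML_TAG_END`. Those two are `__` sub-rules that exist only to feed the `MK_BAD_HTML_4` meta and are never reported, so they need no description at all; either drop both added lines or write `describe __MK_HTML_TAG_START ...` with the rule name first.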
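Review bot: the `MY_ONE_CHAR_SCRIPT` to `MY_ONECHAR_SCRIPT` change in the sa_oct03_rules.cf hunk at @@ -223 fixes a score line that referred to a rule that does not exist, which silently left MY_ONECHAR_SCRIPT at its default score. That class of mismatch (a score or describe naming a rule that is never defined, or a keyword in the wrong case) is exactly what `spamassassin --lint` reports; running it against the patched rule set before applying would catch any remaining cases the patch missed.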