AE_MEDS35 does not more work...


AE_MEDS35 does not more work...

by Michelle Konzack-2

Coming home for some minutes I saw, I am hit by 23.000 spams in my inbox
from today...

The rule:

body            AE_MEDS35       /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe        AE_MEDS35       obfuscated domain seen in spam
score           AE_MEDS35       6.00

does not work on the following mail:

----8<------------------------------------------------------------------
<snip>
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
        samba3.private.tamay-dogan.net
X-Spam-Level: *
X-Spam-Status: No, score=1.6 required=4.5 tests=BAYES_50,RCVD_IN_NJABL_PROXY
        autolearn=no version=3.2.3
<snip>
To: xml-core@...
Date: Thu, 02 Jul 2009 21:34:54 -0100
Message-ID: <292648833c6120090702213103@...>
From: Jessi <hatting@...>
Subject: Doo You Make These 44 Mistakes in sex?

Doo You Maake These 4 Mistakes in sex? www. gen65. net. Police: Dancers Shot With Paintbrall Guns In Boynton Baech Strip Club

----8<------------------------------------------------------------------


--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>                 Michelle Konzack
<http://www.can4linux.org/>                   c/o Vertriebsp. KabelBW
<http://www.flexray4linux.org/>               Blumenstrasse 2
Jabber linux4michelle@...           77694 Kehl/Germany
IRC #Debian (irc.icq.com)                     Tel. DE: +49 177 9351947
ICQ #328449886                                Tel. FR: +33  6  61925193



Re: AE_MEDS35 does not more work...

by John Hardin

On Thu, 2 Jul 2009, Michelle Konzack wrote:

> body            AE_MEDS35       /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>
> does not work on the following mail:
>
> ----8<------------------------------------------------------------------
>
> Doo You Maake These 4 Mistakes in sex? www. gen65. net. Police: Dancers Shot With Paintbrall Guns In Boynton Baech Strip Club
>
> ----8<------------------------------------------------------------------

Works here:

[6237] dbg: rules: ran body rule MEDS ======> got hit: "www. gen65. net"

The rule name in my test harness is different but I verified that the RE
is the same.

Can you post the original raw message to a pastebin, please?

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@...    FALaholic #11174     pgpk -a jhardin@...
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Microsoft is not a standards body.
-----------------------------------------------------------------------
  2 days until the 233rd anniversary of the Declaration of Independence

RE: AE_MEDS35 does not more work...

by McDonald, Dan

>Coming home for some minutes I saw, I am hit by 23.000 spams in my inbox
>from today...
>
>The rule:
>
>body            AE_MEDS35       /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>describe        AE_MEDS35       obfuscated domain seen in spam
>score           AE_MEDS35       6.00
>does not work on the following mail:

How about:
/\bw{2,3}[[:punct:][:space:]]{1,3}[[:alpha:]]{3,6}\d{2,6}[[:punct:][:space:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i




Re: AE_MEDS35 does not more work...

by Ralf Hildebrandt

* McDonald, Dan <Dan.McDonald@...>:

> How about:
> /\bw{2,3}[[:punct:][:space:]]{1,3}[[:alpha:]]{3,6}\d{2,6}[[:punct:][:space:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

Gesundheit! :)

--
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt@... | http://www.charite.de

Re: AE_MEDS35 does not more work...

by Michelle Konzack-2

On 2009-07-02 15:18:16, John Hardin wrote:
> Can you post the original raw message to a pastebin, please?

I am on GSM (O2) and not able to upload to <pastebin>
(I can view contents but not upload)

I will try to upload it to

<http://devel.debian.tamay-dogan.net/tmp/spamassassin/>

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


Re: AE_MEDS35 does not more work...

by "Paweł Tęcza"

Michelle Konzack writes:
> On 2009-07-02 15:18:16, John Hardin wrote:
>> Can you post the original raw message to a pastebin, please?
>
> I am on GSM (O2) and not able to upload to <pastebin>
> (I can view contents abut not upload)
>
> I will try to upload it to
>
> <http://devel.debian.tamay-dogan.net/tmp/spamassassin/>

Hello,

$ wget
http://devel.debian.tamay-dogan.net/tmp/spamassassin/non_working_sa.00.msg
...
$ wget
http://devel.debian.tamay-dogan.net/tmp/spamassassin/non_working_sa.11.msg

$ spamassassin -D < non_working_sa.00.msg > non_working_sa.00.log 2>&1
...
$ spamassassin -D < non_working_sa.00.msg > non_working_sa.11.log 2>&1

$ grep "ran body rule LOCAL_BODY_WWW_MEDSXX_NET" non_working_sa.*.log
non_working_sa.00.log:[16376] dbg: rules: ran body rule
LOCAL_BODY_WWW_MEDSXX_NET ======> got hit: "www. gen88. net"
non_working_sa.01.log:[17726] dbg: rules: ran body rule
LOCAL_BODY_WWW_MEDSXX_NET ======> got hit: "www. gen88. net"
non_working_sa.02.log:[21854] dbg: rules: ran body rule
LOCAL_BODY_WWW_MEDSXX_NET ======> got hit: "www. gen88. net"
non_working_sa.10.log:[22118] dbg: rules: ran body rule
LOCAL_BODY_WWW_MEDSXX_NET ======> got hit: "www. gen88. net"
non_working_sa.11.log:[22291] dbg: rules: ran body rule
LOCAL_BODY_WWW_MEDSXX_NET ======> got hit: "www. gen88. net"

I probably have an older version of John's regexp and, as you can see above, it
works very well for me.

# Thanks to John Hardin! :)
body     LOCAL_BODY_WWW_MEDSXX_NET      /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
score    LOCAL_BODY_WWW_MEDSXX_NET      5.0
describe LOCAL_BODY_WWW_MEDSXX_NET      "(www medsXX net)" spam

Kind regards,

P.


Re: AE_MEDS35 does not more work...

by "Paweł Tęcza"

Paweł Tęcza writes:

> Hello,
>
> $ wget
> http://devel.debian.tamay-dogan.net/tmp/spamassassin/non_working_sa.00.msg
> ...
> $ wget
> http://devel.debian.tamay-dogan.net/tmp/spamassassin/non_working_sa.11.msg
>
> $ spamassassin -D < non_working_sa.00.msg > non_working_sa.00.log 2>&1
> ...
> $ spamassassin -D < non_working_sa.00.msg > non_working_sa.11.log 2>&1
                                     ^^
Should be non_working_sa.11.msg, of course. It's only a typo; I've checked
all your spam samples.

P.

Re: AE_MEDS35 does not more work...

by Benny Pedersen


On Thu, July 2, 2009 23:54, Michelle Konzack wrote:
> Coming home for some minutes I saw, I am hit by 23.000 spams in my inbox
> from today...

use postfwd ?

RCVD_IN_NJABL_PROXY < hits and can be tested in mta

23000 spams in home mailbox/mta is too much to just say I don't care :)

--
xpoint


Re: AE_MEDS35 does not more work...

by Michelle Konzack-2

Hello,

In a mail which hit the score I see this:

----[ STDIN ]-----------------------------------------------------------
Spam detection software, running on the system "vserver1.tamay-dogan.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Profile of aa sexually Dull Peerson www. gen65. net. Hohusefly
   Geets Laser Glasses [...]

Content analysis details:   (4.5 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [70.103.162.29 listed in list.dnswl.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [87.24.43.52 listed in dnsbl.sorbs.net]
 6.0 AE_MEDS35              BODY: obfuscated domain seen in spam
-1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
                            [score: 0.0466]
------------------------------------------------------------------------

and this does not sound really funny to me...

I had to set score for AE_MEDS35 to 6.0 because the RCVD_IN_DNSWL_LOW
but the BAYES_05 sounds weird...

However, less than 1% of the new spam goes into my box, because I have a
procmail recipe which catches special words in the subject...

[michelle.konzack@samba3:~] ls /Maildirs/michelle.konzack/Maildir/.ATTENTION.2009-27.BTS_debian.FLT_subject/cur/* |wc -l
37155

:-P

Hehe, no one should tell me something about Viigra, Cialiis, better  sex
or PE in the subject line.

My sexe is hermaphrodite and they can not beat it.  :-D

Have nice night (I don't, because we have currently 34.5°C here  and  in
the last 6 hours I was 3 times under the shower)
 
Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


Re: AE_MEDS35 does not more work...

by Alex-325


body            AE_MEDS35       /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe        AE_MEDS35       obfuscated domain seen in spam
score           AE_MEDS35       6.00

I'm using:

body OBFU_URI_WWDD_2 /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|os?rs?g)\b/i
score OBFU_URI_WWDD_2 3.2
describe OBFU_URI_WWDD_2 Body contains www . shop75 . net

Which is the preferred? I'm noticing it isn't now catching "www. ca35. net". I'm not knowledgeable enough about perl to fix this. Suggestions please?

Thanks,
Alex




Re: AE_MEDS35 does not more work...

by Michelle Konzack-2

Hello Rawe and *,

Now with a new spam I tried it again and nothing. I have now renamed
the AE_MEDS35 to PRIVATE_MEDS01 and run spamassassin in debug with:

    spamassassin -D <original.msg >spamassassin.msg 2>spamassassin.log

and the results are here:

<http://devel.debian.tamay-dogan.net/tmp/spamassassin/test_2/>

AE_MEDS35 and PRIVATE_MEDS01 are not even mentioned.
This problem becomes more and more bizarre.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


Re: AE_MEDS35 does not more work...

by "Paweł Tęcza"

On 2009-07-03, Fri at 23:38 -0400, MySQL Student writes:

>
>         body            AE_MEDS35       /\bwww(?:\s\W?\s?|\W
>         \s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r
>         \s?g)\b/i
>         describe        AE_MEDS35       obfuscated domain seen in spam
>         score           AE_MEDS35       6.00
>
> I'm using:
>
> body OBFU_URI_WWDD_2
>      /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o
> \s?m|n\s?e\s?t|os?rs?g)\b/i
> score OBFU_URI_WWDD_2 3.2
> describe OBFU_URI_WWDD_2 Body contains www . shop75 . net
>
> Which is the preferred? I'm noticing it isn't now catching "www. ca35.
> net". I'm not knowledgeable enough about perl to fix this. Suggestions
> please?

-body     LOCAL_BODY_WWW_MEDSXX_NET /\bwww(?:\s|\s\W|\W
\s)\w{3,6}\d{2,6}(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
+body     LOCAL_BODY_WWW_MEDSXX_NET /\bwww(?:\s|\s\W|\W
\s)\w{1,6}\d{1,6}(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
      ^      ^
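Review bot: the loosened quantifiers in the + line (\w{1,6}\d{1,6} instead of \w{3,6}\d{2,6}) do make "ca35" and "c3" match, but because \w also matches digits, the middle token now accepts any one-to-twelve-character run of letters, digits or underscores that ends in a digit, so the rule will fire on far more spaced text than the original did. Run the widened rule over a ham corpus before keeping it at the 5.0 score quoted earlier in the thread, and consider a lower score for the short-token case if it hits legitimate mail.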
F... spammers. They spoil my weekend ;) Now I catch also "www. ca35.
net." spam. "www. c3. net." flood should be caught in the future too.

P.



Re: AE_MEDS35 does not more work...

by Benny Pedersen


On Sat, July 4, 2009 01:31, Michelle Konzack wrote:
> Hello,
>
> In a maill which hit the score I see this:

report the ip to dnswl

> -1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
>                             trust
>                             [70.103.162.29 listed in list.dnswl.org]
>  0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
>                             [87.24.43.52 listed in dnsbl.sorbs.net]
>  6.0 AE_MEDS35              BODY: obfuscated domain seen in spam

give 7.0

> -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>                             [score: 0.0466]

train bayes



--
xpoint


Re: AE_MEDS35 does not more work...

by John Hardin

On Sat, 4 Jul 2009, Paweł Tęcza wrote:

> On 2009-07-03, Fri at 23:38 -0400, MySQL Student writes:
> +body     LOCAL_BODY_WWW_MEDSXX_NET /\bwww(?:\s|\s\W|\W
> \s)\w{1,6}\d{1,6}(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>      ^      ^
> F... spammers. They spoil my weekend ;) Now I catch also "www. ca35.
> net." spam. "www. c3. net." flood should be caught in the future too.

It would probably be a good idea to extend it in the other direction a bit
as well...

   \w{1,15}\d{1,10}

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@...    FALaholic #11174     pgpk -a jhardin@...
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Windows Genuine Advantage (WGA) means that now you use your
   computer at the sufferance of Microsoft Corporation. They can
   kill it remotely without your consent at any time for any reason;
   it also shuts down in sympathy when the servers at Microsoft crash.
-----------------------------------------------------------------------
  2 days until Robert Heinlein's 102nd birthday
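An added example, not code from the thread: the three Perl body-rule patterns quoted above (Michelle's AE_MEDS35, Paweł's widened LOCAL_BODY_WWW_MEDSXX_NET, and John's \w{1,15}\d{1,10} extension, here under the constructed name MEDSXX_WIDE) transcribed into Python's re and run against body lines constructed from the samples in the thread. It shows why \w{3,6}\d{2,6} cannot match "ca35" or "c3" (the \w part must consume at least three characters, leaving fewer than two digits) while the widened forms do; Dan's [[:punct:]] variant is omitted because Python's re has no POSIX classes.

```python
import re

# The constructs used here (\b \s \W \w (?:...) {m,n} and /i) mean the same
# thing in Perl and Python, so the rules transcribe unchanged.
RULES = {
    # Michelle's original AE_MEDS35 rule (quoted at the top of the thread)
    "AE_MEDS35": r"\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)"
                 r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # Paweł's widened rule: \w{1,6}\d{1,6} instead of \w{3,6}\d{2,6}
    "LOCAL_BODY_WWW_MEDSXX_NET": r"\bwww(?:\s|\s\W|\W\s)\w{1,6}\d{1,6}"
                                 r"(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # John's suggested extension in the other direction (name is constructed)
    "MEDSXX_WIDE": r"\bwww(?:\s|\s\W|\W\s)\w{1,15}\d{1,10}"
                   r"(?:\s|\s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Constructed body lines modelled on the samples quoted in the thread.
SAMPLES = [
    "Doo You Maake These 4 Mistakes in sex? www. gen65. net. Police: Dancers",
    "Profile of aa sexually Dull Peerson www. ca35. net. Hohusefly",
    "cheap www. c3. net. stuff",
    "visit www.example.com for details",  # unobfuscated domain: must not hit
]


def hits(name, text):
    """Return the substring rule NAME matches in TEXT, or None if it misses."""
    m = COMPILED[name].search(text)
    return m.group(0) if m else None


def score_line(text):
    """Map every rule name to its hit (or None) for one body line."""
    return {name: hits(name, text) for name in RULES}


if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for name, hit in score_line(line).items():
            print(f"  {name:26s} {'got hit: ' + repr(hit) if hit else 'no hit'}")
```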