On Wed, 28 Mar 2007 11:40:53 +0300, "Panagiotis Christias"
<christias@...> wrote:
>Hello,
>
>the last days we get a lot of spam like this:
>
>---- spam body begins here ----
>Words disputed interview galli provisions raise, eyebrows dead holders!
>
>KAUF-TIPP DER WOCHE
>
>LESEN SIE DIE NACHRICTEN
>STONEBRIDGE RES EXP Frankfurt: S3C.F
>
>Name : STONEBRIDGE RES EXP
>Kurzel : S3C.F
>WKN : A0HHEB
>Borsenplatz : Frankfurt
>Schluss-Stand 23.03.2007 : Euro 0.10
>Prognose bis 02.04.2007 : Euro 0.21
>
>Freedom hampton radical illich ivan, fontana ishiguro kazuo.
>Austerlitz natural history semprun. Scrfrk tue am foudy fans.
>Newsgroup msdn chappell app? Remote locations talk improving, access
>ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
>indicate. Required preserve specify references interested.
>Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
>Example unicode character exact numeric without decimal such numbers.
>Cedega natively lowlevel emulators binary gaming opengl.
>Investors press privacy, statement mypoints mysite, juno, photosite registered.
>End, dialogues spiritual renewal thames hudson chorus stones.
>Effective auditing procedures handy records kept propertys examined.
>Money resources time others, worse than no so why? Setupmore botts
>george ou real world wireless lan myths! Red hats expense technology,
>announced last year helping.
>Guzman writings, osip natasha mandelstam susan, griffin.
>---- spam body ends here ----
>
>We use rbls on our border mail servers, SA 3.1.8, sa-update and
>rules_du_jour to update our rule set from spamassassin and
>rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
>SPF, RelayChecker etc. Still many of those spam messages get low
>scores and slip through. Scores as low as -1.2 (!) like the message
>above which triggered the following rules:
>
>X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
>Ideas and suggestions are welcome.
>
>Regards,
>Panagiotis
>
>ps. I understand that a simple rule matching something /^KAUF-TIPP DER
>WOCHE$/ would wipe out all of them but I am interested in a more
>generic/efficient way.
>
>ps2. both messages marked as spam or ham are available here:
>
>http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz

I get a few similar ones here, it may be the start of a spam run or
the fact that the stock spams morph so quickly. I haven't seen an
update from RDJ for stock spam in a while; I guess the authors have
real lives too so can't spend every waking hour fine tuning the rules
to catch each new iteration.
If I get persistent spam getting through with common features I write
my own rule and drop it in. It's often redundant within a few days so
gets morphed to catch the next ones that get through.
Perhaps you should go with your own rule and edit it as needed?
Looking at the other post on this thread you might want to check your
network tests.
KR
Nigel
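
Added example, not part of the original messages: one way to write the kind of local rule discussed above, keyed on the layout of the stock-tip block in the quoted sample rather than on the headline alone. The rule names, the 3-of-5 threshold and the score are assumptions to tune locally.

```conf
# local.cf fragment (added example; names, threshold and score are assumptions)
# Sub-rules start with "__" so they carry no score of their own.

# "WKN : A0HHEB" - securities ID, six alphanumerics
body     __LOCAL_STK_WKN       /\bWKN\s*:\s*[A-Z0-9]{6}\b/
# "Borsenplatz : Frankfurt" - tolerate o, oe or a multi-byte o-umlaut
body     __LOCAL_STK_EXCHANGE  /\bB.{1,3}rsenplatz\s*:/i
# "Schluss-Stand 23.03.2007 : Euro 0.10"
body     __LOCAL_STK_CLOSE     /\bSchluss-?Stand\s+\d\d\.\d\d\.\d{4}\s*:\s*Euro\s*\d/i
# "Prognose bis 02.04.2007 : Euro 0.21"
body     __LOCAL_STK_FORECAST  /\bPrognose\s+bis\s+\d\d\.\d\d\.\d{4}\s*:\s*Euro\s*\d/i
# The headline from the sample; only one signal among five, so the
# rule still fires when the headline is changed.
body     __LOCAL_STK_HEADLINE  /\bKAUF-TIPP DER WOCHE\b/

# Fire when at least three of the five layout features are present.
meta     LOCAL_DE_STOCK_TIP    (__LOCAL_STK_WKN + __LOCAL_STK_EXCHANGE + __LOCAL_STK_CLOSE + __LOCAL_STK_FORECAST + __LOCAL_STK_HEADLINE >= 3)
describe LOCAL_DE_STOCK_TIP    German stock-tip layout (WKN, exchange, close, forecast)
# The sample above scored -1.2 against required=5.0, so the score has
# to cover that gap; 6.5 is an assumed starting value.
score    LOCAL_DE_STOCK_TIP    6.5
```

Run `spamassassin --lint` after dropping the file in, and check the rule against saved ham before relying on a score this high.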