« Return to Thread: "KAUF-TIPP DER WOCHE" spam getting through
Re: "KAUF-TIPP DER WOCHE" spam getting through
by Panagiotis Christias
::
Rate this Message:
On 3/28/07, kshatriyak@... <kshatriyak@...> wrote:
> On Wed, 28 Mar 2007, Panagiotis Christias wrote:
>
> > the last days we get a lot of spam like this:
> >
> > KAUF-TIPP DER WOCHE
>
> I wrote a few of my own rules especially to catch those stocks scams
> together with bayes. If you don't have any people who should write you in
> German you can also use the X-Languages tag to boost the score if the mail
> is written in German.
>
> Here are my current rules, which should also catch the German stocks.
> Maybe there are some false positives in a real stock environment, but for
> me they work fine:
>
> body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\
> P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\
> ]+?(.*)(Last|Low|Growth|Grow||High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
> body __HILO_STOCKS2 /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
> body __HILO_STOCKS2 /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\
> \t\_\$]+?\d/i
> body __HILO_STOCKS3 /our[\ \t\_]+?(last[\ ]+?)?pick[\:\
> \t\_\;\=\,]/i
> body __HILO_STOCKS4 /\d[\
> \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
> body __HILO_STOCKS5 /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\
> \t\_]+?\d/ibody __HILO_STOCKS9 /(hot[\
> \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\
> |invest|incr[e3]as[e3]|[e3]xplosion|high\
> |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\
> [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i
>
> meta HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 ||
> __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 ) && __HILO_STOCKS9 )
> describe HILO_STOCKS Looks like stocks scam
> score HILO_STOCKS 3.0
>
>
>
my custom rule is just:
# KAUF_TIPP custom rule - christia Wed Mar 28 11:51:05 EEST 2007
body KAUF_TIPP /^KAUF-TIPP DER WOCHE$/
describe KAUF_TIPP German pump and dump stock spam with extremely
low scores
score KAUF_TIPP 4.0
a bit rough may be..
> On Wed, 28 Mar 2007, Panagiotis Christias wrote:
>
> > the last days we get a lot of spam like this:
> >
> > KAUF-TIPP DER WOCHE
>
> I wrote a few of my own rules especially to catch those stocks scams
> together with bayes. If you don't have any people who should write you in
> German you can also use the X-Languages tag to boost the score if the mail
> is written in German.
>
> Here are my current rules, which should also catch the German stocks.
> Maybe there are some false positives in a real stock environment, but for
> me they work fine:
>
> body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\
> P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\
> ]+?(.*)(Last|Low|Growth|Grow||High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
> body __HILO_STOCKS2 /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
> body __HILO_STOCKS2 /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\
> \t\_\$]+?\d/i
> body __HILO_STOCKS3 /our[\ \t\_]+?(last[\ ]+?)?pick[\:\
> \t\_\;\=\,]/i
> body __HILO_STOCKS4 /\d[\
> \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
> body __HILO_STOCKS5 /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\
> \t\_]+?\d/ibody __HILO_STOCKS9 /(hot[\
> \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\
> |invest|incr[e3]as[e3]|[e3]xplosion|high\
> |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\
> [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i
>
> meta HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 ||
> __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 ) && __HILO_STOCKS9 )
> describe HILO_STOCKS Looks like stocks scam
> score HILO_STOCKS 3.0
>
>
>
my custom rule is just:
# KAUF_TIPP custom rule - christia Wed Mar 28 11:51:05 EEST 2007
body KAUF_TIPP /^KAUF-TIPP DER WOCHE$/
describe KAUF_TIPP German pump and dump stock spam with extremely
low scores
score KAUF_TIPP 4.0
a bit rough may be..
« Return to Thread: "KAUF-TIPP DER WOCHE" spam getting through
| Free embeddable forum powered by Nabble | Forum Help |
