spamassassin-users mailing list archives

From "Dan Mahoney, System Admin" <d...@prime.gushi.org>
Subject Re: [sa-list] Re: Yahoo single link spam
Date Sun, 10 Mar 2013 19:37:14 GMT
On Fri, 22 Feb 2013, Kevin A. McGrail wrote:

> On 2/22/2013 3:27 PM, David F. Skoll wrote:
>> On Fri, 22 Feb 2013 12:20:22 -0800
>> Marc Perkel <support@junkemailfilter.com> wrote:
>> 
>>> We need a rule to catch this. It looks like more data than it is but
>>> it's really little more than a single link. Like to see a rule that
>>> identifies it.
>> Our product lets you make compound rules.  It should not be very hard
>> to translate this to SpamAssassin:
>> 
>> Header            Matches RegExp       ^To:(.*?@.*?){5}   AND
>> Envelope Sender   Ends with            @yahoo.com         AND
>> MessageSize       <                    6000
>> 
>> Well, ok... the MessageSize condition is tricky.  And this rule does
>> kick up some false-positives, but overall it works pretty well for us.
>
> Here's the current version I'm using based on 3.4.0 trunk:
>
> #YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
> header          __KAM_YAHOO1    From =~ /\@(yahoo\.com|yahoo\.com\.id|rocketmail\.com)/i
> header          __KAM_YAHOO2    Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?$|the best!?$|excellent!?$|very good!?$)/
> body            __KAM_YAHOO3    /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
> header          __KAM_YAHOO4    From:name =~ /Connor Hopkins/i
>
> meta            KAM_YAHOO       (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
> describe        KAM_YAHOO       Compromised Yahoo! Accounts Sending Spam
> score           KAM_YAHOO       9.0

Just to add a late reply to the game, I'm still getting these.  Kevin, it 
looks like your rules YAHOO1 and YAHOO3 are still appropriate, but neither 
of the others.  I think there are a few other things I've noticed that I 
don't know how to match:

The body doesn't "contain" the link, it pretty much "IS" the link. 
However, I don't know how to write a rule that says "contains a link and 
NOTHING ELSE".  I also don't know how to write rules that say "the 
text/plain portion contains a link, and the text/html portion contains 
more".  I'm not aware of how "body" gets interpreted in 
multipart/alternative messages.  Kevin, if you're able to tell me more 
about this, I'm happy to learn.

Writing rules is easy for some, but I'm more about solving the problem. 
The answer isn't "many people write many custom rulesets", it's "surbl 
catches up faster" or "yahoo acknowledges the problem."

While yahoo's abuse reporting procedures leave much to be desired, this is 
actually one of the reasons I was asking about a channel to autoreport 
mail to spamcop (and yahoo, if they were willing to take it, but they 
don't seem to be -- blog post coming on that, soon).

-Dan

-- 

"One...plus two...plus one...plus one."

-Tim Curry, Clue

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
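The question above about telling a body that is nothing but a link apart from one whose text/html alternative carries more can be checked outside SpamAssassin; the following is an added Python example, not code from the thread or from SpamAssassin, and the sample message it parses is constructed rather than a real capture.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

class _TextCollector(HTMLParser):
    """Collects the visible text of an HTML part, discarding the tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def html_to_text(html):
    parser = _TextCollector()
    parser.feed(html)
    return " ".join(parser.chunks)

def text_without_urls(text):
    """What is left of a body once every URL has been removed."""
    return URL_RE.sub("", text).strip()

def is_only_link(text):
    """True when the body holds at least one URL and nothing else."""
    return bool(URL_RE.search(text)) and not text_without_urls(text)

def analyse(raw_message):
    """Look at the text/plain and text/html alternatives separately."""
    msg = message_from_string(raw_message, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    plain_text = plain.get_content() if plain else ""
    html_text = html_to_text(html.get_content()) if html else ""
    return {
        "plain_is_only_link": is_only_link(plain_text),
        "html_is_only_link": is_only_link(html_text),
        "html_extra_text": text_without_urls(html_text),
    }

# Constructed sample (not a real capture): bare URL in text/plain, anchor plus teaser in text/html.
SAMPLE = (
    "From: someone@example.com\nSubject: hi\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=us-ascii\n\n"
    "http://example.invalid/login\n"
    "--b1\nContent-Type: text/html; charset=us-ascii\n\n"
    '<html><body><a href="http://example.invalid/login">'
    "http://example.invalid/login</a> Check this out!</body></html>\n"
    "--b1--\n"
)
```

Run against SAMPLE, analyse() reports the plain part as link-only while the HTML part carries the extra "Check this out!", which is exactly the distinction a body rule that sees only a single rendered text cannot make.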