Delivered-To: mailing list users@spamassassin.apache.org
Date: Sun, 10 Mar 2013 12:37:14 -0700 (PDT)
From: "Dan Mahoney, System Admin"
To: "Kevin A. McGrail"
cc: "David F. Skoll", SpamAssassin Users List
Subject: Re: [sa-list] Re: Yahoo single link spam
In-Reply-To: <5127DB86.8060008@PCCC.com>
References: <5127D306.9060107@junkemailfilter.com> <20130222152727.0db4d2b3@hydrogen.roaringpenguin.com> <5127DB86.8060008@PCCC.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)

On Fri, 22 Feb 2013, Kevin A. McGrail wrote:

> On 2/22/2013 3:27 PM, David F. Skoll wrote:
>> On Fri, 22 Feb 2013 12:20:22 -0800
>> Marc Perkel wrote:
>>
>>> We need a rule to catch this. It looks like more data than it is but
>>> it's really little more than a single link. Like to see a rule that
>>> identifies it.
>> Our product lets you make compound rules. It should not be very hard
>> to translate this to SpamAssassin:
>>
>> Header Matches RegExp ^To:(.*?@.*?){5} AND
>> Envelope Sender Ends with @yahoo.com AND
>> MessageSize < 6000
>>
>> Well, ok... the MessageSize condition is tricky. And this rule does
>> kick up some false-positives, but overall it works pretty well for us.
>
> Here's the current version I'm using based on 3.4.0 trunk:
>
> #YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
> header __KAM_YAHOO1 From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
> header __KAM_YAHOO2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$)/
> body __KAM_YAHOO3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
> header __KAM_YAHOO4 From:name =~ /Connor Hopkins/i
>
> meta KAM_YAHOO (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
> describe KAM_YAHOO Compromised Yahoo! Accounts Sending Spam
> score KAM_YAHOO 9.0

Just to add a late reply to the game, I'm still getting these.

Kevin, it looks like your rules YAHOO1 and YAHOO3 are still appropriate, but neither of the others.

I think there are a few other things I've noticed that I don't know how to match: the body doesn't "contain" the link, it pretty much "IS" the link. However, I don't know how to write a rule that says "contains a link and NOTHING ELSE".

I also don't know how to write rules that say "the text/plain portion contains a link, and the text/html portion contains more". I'm not aware of how "body" gets interpreted in multipart/alternative messages. Kevin, if you're able to tell me more about this, I'm happy to learn.

Writing rules is easy for some, but I'm more about solving the problem. The answer isn't "many people write many custom rulesets", it's "surbl catches up faster" or "yahoo acknowledges the problem."

While yahoo's abuse reporting procedures leave much to be desired, this is actually one of the reasons I was asking about a channel to autoreport mail to spamcop (and yahoo, if they were willing to take it, but they don't seem to be -- blog post coming on that, soon).

-Dan

-- 
"One...plus two...plus one...plus one."
-Tim Curry, Clue

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
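The two checks Dan says he cannot express (a body that is nothing but a link, and a text/html alternative that carries more than the text/plain one) are easy to state outside the rule language, which also makes them easy to try against real samples before turning them into rules. The block below is an added example written for this page; it is not SpamAssassin code and not code from anyone in the thread. It parses a message with Python's email package, renders each alternative part to text the way a body rule sees it (tags stripped, whitespace collapsed, as documented for SpamAssassin body rules), and evaluates the two tests plus a body-length cap, combining them the way Kevin's meta rule combines its subrules. The two sample messages, the 128-byte cap (chosen to mirror the spirit of __KAM_BODY_LENGTH_LT_128), the 50% threshold and the word-based difference metric are all this example's own assumptions.

```python
import email
import re
from email import policy
from html import unescape

# Added example for this thread, not SpamAssassin code. The thresholds, the
# word-based difference metric and the sample messages are all assumptions.

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
MAX_BODY_LEN = 128   # assumption, in the spirit of __KAM_BODY_LENGTH_LT_128
ALT_DIFF_PCT = 50.0  # assumption: how much the HTML part may add before it counts

def html_to_text(markup):
    """Crude tag strip plus whitespace collapse, roughly what a body rule sees."""
    return " ".join(unescape(TAG_RE.sub(" ", markup)).split())

def rendered_parts(raw):
    """(plain_text, html_text) from the first text/plain and text/html parts; None if absent."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = html = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and plain is None:
            plain = " ".join(part.get_content().split())
        elif ctype == "text/html" and html is None:
            html = html_to_text(part.get_content())
    return plain, html

def is_link_only(text):
    """True when the text holds at least one URL and nothing else but whitespace."""
    if not text:
        return False
    return bool(URL_RE.search(text)) and URL_RE.sub("", text).strip() == ""

def alternative_difference(plain, html):
    """Percent of words in the rendered HTML part that never occur in the plain part."""
    if plain is None or html is None:
        return 0.0
    plain_words = set(plain.lower().split())
    html_words = html.lower().split()
    if not html_words:
        return 0.0
    extra = sum(1 for w in html_words if w not in plain_words)
    return 100.0 * extra / len(html_words)

def classify(raw):
    """Evaluate the sub-tests and combine them the way a meta rule would."""
    plain, html = rendered_parts(raw)
    body = plain if plain is not None else html
    r = {
        "plain_link_only": is_link_only(plain),
        "html_link_only": is_link_only(html),
        "alt_diff_pct": round(alternative_difference(plain, html), 1),
        "body_len": len(body or ""),
    }
    # Fires when the plain text is nothing but a short link and the HTML
    # alternative is absent, is the same bare link, or is mostly extra content.
    r["link_only_spam"] = (
        r["plain_link_only"]
        and r["body_len"] < MAX_BODY_LEN
        and (html is None or r["html_link_only"] or r["alt_diff_pct"] >= ALT_DIFF_PCT)
    )
    return r

# Constructed samples (not real traffic) in the shape the thread describes.
SPAM_SAMPLE = """\
From: Some Friend <someone@yahoo.com>
To: a@example.org, b@example.org, c@example.org
Subject: hi
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

http://example.com/promo

--b1
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://example.com/promo">http://example.com/promo</a>
<br>I found this and thought of you, check it out!</body></html>

--b1--
"""

HAM_SAMPLE = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: slides from today
Content-Type: text/plain; charset=us-ascii

Hi Bob, the slides are at http://example.org/slides.pdf - see you Thursday.
Alice
"""
```

`classify(SPAM_SAMPLE)` reports the plain part as link-only, a 24-byte body and about 91% of the HTML words absent from the plain part, so the combined flag fires; `classify(HAM_SAMPLE)` fails the link-only test and the flag stays off. Two caveats when moving this into rules: SpamAssassin's documented body matching prepends the Subject as the first paragraph of the body, so a body regex anchored to a single line does not by itself mean "the whole body"; and a friend who really does send just a link, with a mail client that mirrors it into an HTML part, also passes this check, which is the false positive David mentions and the reason Kevin's version only scores the combination of several weak signals. For the alternative-part comparison, the stock BodyEval plugin's multipart_alternative_difference eval test (behind the MPART_ALT_DIFF rule) already does a comparison along these lines and can be folded into a meta rule instead of writing a new plugin.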