RE: [AMaViS-user] User complaints of spam



Old 08-18-2005
Mikel
 

I'm no expert but this is what I use. It looks for progressively worse use
of this_sort.of_stuff.in.messages and the scores sum up.

Quest_equals being the least specific and spam_uri the worst. Many of my
users have 6.0 as their cut-off so a fairly vague spam gets 5.5 and other
rules take care of the rest. If it's bad it gets a total of 10.5. If you
don't like the set use quest_equals and up the score.

Mike

Experts, please improve the regex.

# uk.geocities.com rules
uri TIO_UK_GEO_SPAM_URI m'^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|\.|_)[a-z]*(\.|_)[a-z]*)'i
describe TIO_UK_GEO_SPAM_URI Geocities Spammer URL
score TIO_UK_GEO_SPAM_URI 5.0

uri TIO_UK_URI_GEO_DOT_OR_USCORE m'^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_UK_URI_GEO_DOT_OR_USCORE Geocities URL with several dots or underscores
score TIO_UK_URI_GEO_DOT_OR_USCORE 2.5

uri TIO_UK_URI_GEO_QUEST_EQUALS m'^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_UK_URI_GEO_QUEST_EQUALS Short Geocities URL
score TIO_UK_URI_GEO_QUEST_EQUALS 3.0

# spaces.msn.com rules
uri TIO_SPC_MSN_SPAM_URI m'^https?://spaces\.msn\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|\.|_)[a-z]*(\.|_)[a-z]*)'i
describe TIO_SPC_MSN_SPAM_URI MSN Spaces Spammer URL
score TIO_SPC_MSN_SPAM_URI 5.0

uri TIO_SPC_MSN_DOT_OR_USCORE_URI m'^https?://spaces\.msn\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_SPC_MSN_DOT_OR_USCORE_URI MSN Spaces URL with several dots or underscores
score TIO_SPC_MSN_DOT_OR_USCORE_URI 2.5

uri TIO_SPC_MSN_QUEST_EQUALS_URI m'^https?://spaces\.msn\.com.*([a-z]*(\?|=|\.|_)[a-z]*)'i
describe TIO_SPC_MSN_QUEST_EQUALS_URI Short MSN Spaces URL
score TIO_SPC_MSN_QUEST_EQUALS_URI 3.0



-----Original Message-----
From: amavis-user-admin@lists.sourceforge.net
[mailto:amavis-user-admin@lists.sourceforge.net] On Behalf Of Mike Cisar
Sent: 18 August 2005 17:45
To: amavis-user@lists.sourceforge.net
Subject: RE: [AMaViS-user] User complaints of spam

For what it's worth it looks like they may have "moved"... just got the
first batch of...

http://spaces.msn.com/members/Guadal...ings.coming!_T

So everybody may want to get a jump on adding a regex for that to your
rulesets :-)

Based on the general format of these URLs, how could you craft a regex that
would catch these specific ones, without penalizing people who legitimately
are emailing a uk.geocities or spaces.msn.com URL to someone?

they would seem to be in the format of

http://spaces.msn.com/members/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^             ^^                   ^

http://uk.geocities.com/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS>
^^^^^^^^^^^^^^^^^^^^^^^^             ^^                   ^

So it would seem that regex to match the "caret'ed" bits above would be the
most likely means to that end? Any regex geniuses out there? :)

Cheers,
>>>>> Mike <<<<<


> -----Original Message-----
> From: amavis-user-admin@lists.sourceforge.net
> [mailto:amavis-user-admin@lists.sourceforge.net] On Behalf Of Gary V
> Sent: Monday, August 15, 2005 11:57 AM
> To: Matt Juszczak
> Cc: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] User complaints of spam
>
> Matt wrote:
>
> > Hi all,
> >
> > We're getting some user complaints of spam and they all seem to follow
> > the same general template.
> >
> > Something like this:
> >
> > ---snip---
> > nicky
> >
> > http://uk.geocities.com/Hyman_Barrie....and_effective.
> > cures
> > ---snip---
> >
> > After which they have some random words at the end (random English
> > dictionary words). Some of them don't.
> >
> > A lot of these are making it to the quarantine but some of them aren't
> > even getting a positive score. Is there a rule out there I can find,
> > or possibly an additional blacklist I can add on top of the default (razor)?
> > I'm not a big fan of blacklists but as long as we're only just "tagging"
> > spam (and not deleting it) and the blacklist is fairly conservative, I
> > wouldn't mind allowing it to add some points to messages.
> >
> > Thanks,
> > Matt
>
> Make sure you set:
> $sa_local_tests_only = 0; in amavisd.conf. Otherwise SpamAssassin will
> not perform network tests (Razor included).
> I think you are using FreeBSD, so there should be a
> /usr/local/etc/mail/spamassassin/init.pre
> file. This file normally will contain:
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> loadplugin Mail::SpamAssassin::Plugin::Hashcash
> loadplugin Mail::SpamAssassin::Plugin::SPF
>
> If you did not install from ports, then it might be in
> /etc/mail/spamassassin
>
> Verify that init.pre exists in the same place you have local.cf and at
> the very least 'loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' is
> there.
>
> You might consider using Pyzor. It is slower than some of the other
> tests (only one server) and it has made a bit of a mess on some
> machines when the Pyzor server was unavailable. The author will change
> the server on occasion, so it may be a good idea to make sure the
> server is up by maybe doing a 'pyzor ping' in a cron job, with the
> result mailed to you.
>
> If you use ports, it should be there: /usr/ports/mail/pyzor
>
> install, then run both:
> pyzor discover
> and
> su vscan -c 'pyzor discover'
> (pyzor discover provides pyzor the IP address of the Pyzor server)
>
> then 'pyzor ping' to see if the Pyzor server is up
>
> run
> su vscan -c 'spamassassin --lint -D'
> and you should see
> debug: Pyzor: got response: 66.250.40.33:24441 (200, 'OK')
> 0 0
> if all is working well.
> I don't think you even need to reload amavisd-new.
>
> DCC is very good, but as an ISP, and due to the volume of mail you
> receive, and due to the license, I believe you would need to run the
> DCC server (dccd I think) on one of your machines and then provide
> your data (flood your data) to the main servers. At least something to
> that effect, I think. You would have to study how to set this up.
>
> If you don't have $sa_local_tests_only = 0; set, then this would be
> the main problem. An email like this should hit on a couple of the
> network tests, with URIDNSBL the most likely to help. There is not
> much for SpamAssassin to key on if network tests are not performed.
>
> Gary V
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> Practices Agile & Plan-Driven Development * Managing Projects & Teams
> * Testing & QA Security * Process Improvement & Measurement *
> http://www.sqe.com/bsce5sf
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/...fo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
>
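
Added example, not part of the original posts: the three uk.geocities.com rule bodies from the post run against constructed URLs, next to a tighter pattern for the layout described in the quoted message. STRICT_LAYOUT, the function names and the sample URLs are assumptions made for this example, and Python's re stands in for SpamAssassin's Perl regexes.

```python
import re

# Rule bodies copied from the post (uk.geocities.com set). Python's re module
# stands in for SpamAssassin's Perl regex engine; these patterns use no
# Perl-only syntax.
POSTED_RULES = [
    ("TIO_UK_GEO_SPAM_URI", 5.0,
     r"^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|\.|_)[a-z]*(\.|_)[a-z]*)"),
    ("TIO_UK_URI_GEO_DOT_OR_USCORE", 2.5,
     r"^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*(\?|=|\.|_)[a-z]*)"),
    ("TIO_UK_URI_GEO_QUEST_EQUALS", 3.0,
     r"^https?://uk\.geocities\.com.*([a-z]*(\?|=|\.|_)[a-z]*)"),
]

# Assumption, not from the thread: a pattern anchored on the layout described
# in the quoted message, <host>/<name>/?<2 or 3 characters>=<more characters>.
STRICT_LAYOUT = re.compile(
    r"^https?://(?:uk\.geocities\.com|spaces\.msn\.com/members)"
    r"/[^/?#]+/\?[a-z0-9]{2,3}=\S+",
    re.I,
)

def posted_hits(url):
    """Names of the posted rules that fire on this URL."""
    return [name for name, _, rx in POSTED_RULES if re.search(rx, url, re.I)]

def posted_score(url):
    """Sum of the scores of the posted rules that fire (scores are additive)."""
    return sum((s for _, s, rx in POSTED_RULES if re.search(rx, url, re.I)), 0.0)

def strict_match(url):
    """True only when the URL has the /<name>/?xx=... layout."""
    return STRICT_LAYOUT.search(url) is not None

# Constructed sample URLs (not taken from real mail).
SAMPLES = [
    "http://uk.geocities.com/Example_Name/?ab=some.words_here.now",  # described layout
    "http://uk.geocities.com/jsmith/my_home_page.html",              # ordinary page
    "http://uk.geocities.com/jsmith/index.html",                     # ordinary page
    "http://uk.geocities.com/jsmith/",                               # ordinary page
    "http://spaces.msn.com/members/Example_Name/?xyz=more.words",    # described layout
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{posted_score(u):5.1f}  strict={strict_match(u)!s:5}  {u}")
```

With the posted rules, the ordinary-looking my_home_page.html URL reaches the same 10.5 as the spam-shaped one, because any three dots or underscores separated only by letters satisfy the most specific rule; the layout-anchored pattern matches only the /?xx= form.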



