Lots of spam with the following snip

<p>God dag,<strong> </strong></p><span> </span>
<a name="#qppp"> </a><br><br>***<br>
Warning!<br>
This letter contains a virus which has been<br>
successfully detected and cured. <br>***<br>

The part that's noteworthy is this:

<br>***<br>
Warning!<br>
This letter contains a virus which has been<br>
successfully detected and cured. <br>***<br>

Does someone have a rule for this ready made?

Thanks

--
Time flies like the wind. Fruit flies like a banana. Stranger things have
happened but none stranger than this. Does your driver's license say Organ
Donor? Black holes are where God divided by zero. Listen to me! We are all
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

Re: Lots of spam with the following snip

On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> <p>God dag,<strong> </strong></p><span> </span>
> <a name="#qppp"> </a><br><br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured. <br>***<br>
>
> The part that's noteworthy is this:
>
> <br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured. <br>***<br>
>
> Does someone have a rule for this ready made?
>
> Thanks

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?79.86.225.100>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

--
Chris
KeyID 0xE372A7DA98E6705C

Re: Lots of spam with the following snip

On Monday 30 June 2008 6:04 pm, Steven W. Orr wrote:
> <p>God dag,<strong> </strong></p><span> </span>
> <a name="#qppp"> </a><br><br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured. <br>***<br>
>
> The part that's noteworthy is this:
>
> <br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured. <br>***<br>
>
> Does someone have a rule for this ready made?
>
> Thanks

X-Spam-Virus: Yes (Email.Spam.Gen3531.Sanesecurity.08062603)

Content analysis details:   (23.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?79.86.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.86.225.100 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5844]
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1117; Body=1 Fuz1=5 Fuz2=5]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

And here's another I just received:

Content analysis details:   (27.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?190.46.xxx.xxx>]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.46.180.155 listed in zen.spamhaus.org]
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=190.46.xxx.xxx,rdns=pc-155-180-xx-xxx.cm.vtr.net,maildomain=lodos.com.tr,client,ipinhostname]
 1.0 RELAYED_BY_DIALUP      Sent directly from dynamic IP address
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4671]
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 102; Body=1 Fuz1=many] [Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

NOTE: I've sent an earlier post with just the first spam scores; however, my ISP, Embarq, sometimes has a tendency to block my posts even with IPs in the body such as above. They're using CMAE, so I don't know if that's something it does or not. I've Bcc'd myself on the first post and it went through to me, but then I have no idea what the CMAE hashes mean.

--
Chris
KeyID 0xE372A7DA98E6705C

ways to check reason/error of rejected/bounced emails with calling customers

Many of our clients started to have problems sending emails to us after I inserted more strict SA rules. Previously our system was flooded with spam. So I decided to insert them into the existing emails. After this the spam had reduced significantly. But I now worry more about false positives and rejected (or sometimes disappeared) emails. I can't call all of them to get them to send me the bounced/error messages. So I wonder if there is a way to check for the rejected emails and why they are being rejected? So at least I know the reason for the rejects and will be able to fine-tune it further.

Re: Lots of spam with the following snip

On 30.06.08 19:04, Steven W. Orr wrote:
> <p>God dag,<strong> </strong></p><span> </span>
> <a name="#qppp"> </a><br><br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured. <br>***<br>
>
> The part that's noteworthy is this:
>
> <br>***<br>
> Warning!<br>
> This letter contains a virus which has been<br>
> successfully detected and cured. <br>***<br>
>
> Does someone have a rule for this ready made?

I think VBounce should catch those. But I advise to find the idiot who did not refuse an e-mail message containing a virus and passed the cleaned stuff to you...

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]

Re: ways to check reason/error of rejected/bounced emails with calling customers

Please teach your mailer to wrap lines in a sane way...

On 01.07.08 11:46, NGSS wrote:
> Many of our clients started to have problem sending emails to us after I
> inserted more strict
> SA rules . Previously our system was flooded with spams. So I decided to
> inserted them to the
> Existing emails. After this the spams had reduced significantly. But I know
> more worry about false
> Positive and rejected (or sometimes disappeared emails) .
> I can't call all of them to get them to send me the bounced/error messages.
> So I wonder if there is a
> Way to check for the rejected emails and why they are being rejected? So at
> least I know what reason
> For the rejects and will be able to fine-tine it further.

Seems you set up your MTA too aggressively - probably rejecting mail with too low a score. However, you did not provide enough information for us to help you. What's "existing emails"? Did you train the global BAYES filter on received spam? Did you feed it enough ham to avoid FPs? Did you play with scores? What did you set required_score to? Did you fiddle with other settings like trusted_networks and internal_networks to set up a proper trust path? Did you turn on all possible network rules?

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

Re: Lots of spam with the following snip

Matus UHLAR - fantomas writes:
> On 30.06.08 19:04, Steven W. Orr wrote:
> > <p>God dag,<strong> </strong></p><span> </span>
> > <a name="#qppp"> </a><br><br>***<br>
> > Warning!<br>
> > This letter contains a virus which has been<br>
> > successfully detected and cured. <br>***<br>
> >
> > The part that's noteworthy is this:
> >
> > <br>***<br>
> > Warning!<br>
> > This letter contains a virus which has been<br>
> > successfully detected and cured. <br>***<br>
> >
> > Does someone have a rule for this ready made?
>
> I think VBounce should catch those. But I advise to find the idiot who did
> not refuse an e-mail message containing a virus and passed the cleaned stuff to
> you...

no -- this is real spam, not a bounce in any way.

--j.

Re: Lots of spam with the following snip

> > On 30.06.08 19:04, Steven W. Orr wrote:
> > > <p>God dag,<strong> </strong></p><span> </span>
> > > <a name="#qppp"> </a><br><br>***<br>
> > > Warning!<br>
> > > This letter contains a virus which has been<br>
> > > successfully detected and cured. <br>***<br>
> > >
> > > The part that's noteworthy is this:
> > >
> > > <br>***<br>
> > > Warning!<br>
> > > This letter contains a virus which has been<br>
> > > successfully detected and cured. <br>***<br>
> > >
> > > Does someone have a rule for this ready made?

> Matus UHLAR - fantomas writes:
> > I think VBounce should catch those. But I advise to find the idiot who did
> > not refuse an e-mail message containing a virus and passed the cleaned stuff to
> > you...

On 01.07.08 10:50, Justin Mason wrote:
> no -- this is real spam, not a bounce in any way.

Are you sure it's not just a virus message sent by someone and cured by an intermediate relay?

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer

Re: Lots of spam with the following snip

Matus UHLAR - fantomas writes:
> > > On 30.06.08 19:04, Steven W. Orr wrote:
> > > > <p>God dag,<strong> </strong></p><span> </span>
> > > > <a name="#qppp"> </a><br><br>***<br>
> > > > Warning!<br>
> > > > This letter contains a virus which has been<br>
> > > > successfully detected and cured. <br>***<br>
> > > >
> > > > The part that's noteworthy is this:
> > > >
> > > > <br>***<br>
> > > > Warning!<br>
> > > > This letter contains a virus which has been<br>
> > > > successfully detected and cured. <br>***<br>
> > > >
> > > > Does someone have a rule for this ready made?
>
> > Matus UHLAR - fantomas writes:
> > > I think VBounce should catch those. But I advise to find the idiot who did
> > > not refuse an e-mail message containing a virus and passed the cleaned stuff to
> > > you...
>
> On 01.07.08 10:50, Justin Mason wrote:
> > no -- this is real spam, not a bounce in any way.
>
> Are you sure it's not just a virus message sent by someone and cured by an
> intermediate relay?

Yes, seeing lots of this exact wording, in high volume, throughout our traps.

--j.

Re: Lots of spam with the following snip

Justin Mason wrote:
> [snip]
>> On 01.07.08 10:50, Justin Mason wrote:
>>
>>> no -- this is real spam, not a bounce in any way.
>>>

same here. not a bounce in any way.

>> Are you sure it's not just a virus message sent by someone and cured by an
>> intermediate relay?
>>
>
> Yes, seeing lots of this exact wording, in high volume, throughout our
> traps.
>

the few ones I checked only contain the cited text followed by noise (random text to poison bayes or whatever). The following catches them, but JM_SOUGHT, RAZOR and Bayes should catch them already.

    body   __FAKE_VIR_1       /This letter contains a virus/
    body   __FAKE_VIR_2       /successfully detected and cured/
    header __FAKE_VIR_SUBJ    Subject =~ /^\S{1,20}\s+\S{1,20}$/
    header __FAKE_VIR_MUA     X-Mailer =~ /^The Bat/
    header __FAKE_VIR_REPLYTO Reply-To =~ /\S/
    score  __FAKE_VIR_1       0.01
    score  __FAKE_VIR_2       0.01
    score  __FAKE_VIR_SUBJ    0.01
    score  __FAKE_VIR_MUA     0.01
    score  __FAKE_VIR_REPLYTO 0.01
    meta   FAKE_VIR_LETTER    (__FAKE_VIR_1 && __FAKE_VIR_2 && __FAKE_VIR_SUBJ && __FAKE_VIR_MUA && __FAKE_VIR_REPLYTO)
    score  FAKE_VIR_LETTER    5.0
    describe FAKE_VIR_LETTER  Fake detected and cured virus letter

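A plain-Python mirror of the five subrules and the FAKE_VIR_LETTER meta rule from the post above, added here as an example (it is not SpamAssassin code and not mouss's own test). It runs the same regexes over two constructed messages, a fake "cured virus" letter and a genuine gateway notice whose body also contains both phrases, to show why the meta only fires when all five parts line up; the header values and body text are made up for the demonstration.

```python
import re

# Added example: mirrors the __FAKE_VIR_* subrules and the meta rule from the
# list post in plain Python. SpamAssassin runs body rules on the rendered,
# HTML-stripped text, so the constructed bodies below are already plain text.
BODY_1 = re.compile(r"This letter contains a virus")        # __FAKE_VIR_1
BODY_2 = re.compile(r"successfully detected and cured")    # __FAKE_VIR_2
SUBJ = re.compile(r"^\S{1,20}\s+\S{1,20}$")                 # __FAKE_VIR_SUBJ
MUA = re.compile(r"^The Bat")                               # __FAKE_VIR_MUA
REPLYTO = re.compile(r"\S")                                 # __FAKE_VIR_REPLYTO


def subrules(headers, body):
    """Evaluate each subrule; returns {rule_name: hit?}."""
    return {
        "__FAKE_VIR_1": bool(BODY_1.search(body)),
        "__FAKE_VIR_2": bool(BODY_2.search(body)),
        "__FAKE_VIR_SUBJ": bool(SUBJ.search(headers.get("Subject", ""))),
        "__FAKE_VIR_MUA": bool(MUA.search(headers.get("X-Mailer", ""))),
        "__FAKE_VIR_REPLYTO": bool(REPLYTO.search(headers.get("Reply-To", ""))),
    }


def fake_vir_letter_score(headers, body):
    """meta FAKE_VIR_LETTER: 5.0 only when every subrule fires, else 0.0.
    Only the meta's score is reported; the 0.01 subrule scores are not summed."""
    return 5.0 if all(subrules(headers, body).values()) else 0.0


# Constructed sample 1: the fake "cured virus" letter as the spammer sends it
# (short two-word subject, The Bat! as X-Mailer, a Reply-To present).
SPAM_HEADERS = {
    "Subject": "Hello friend",
    "X-Mailer": "The Bat! (v3.99.3) Professional",
    "Reply-To": "nobody@example.invalid",
}
SPAM_BODY = (
    "God dag,\n\n***\nWarning!\nThis letter contains a virus which has been\n"
    "successfully detected and cured.\n***\n"
    "lorem ipsum quartz fjord random filler to poison bayes\n"
)

# Constructed sample 2: a real notice from a gateway scanner. Both body
# phrases match, but the subject and X-Mailer do not, so the meta stays quiet.
HAM_HEADERS = {
    "Subject": "Virus notification for message 4711",
    "X-Mailer": "",
    "Reply-To": "postmaster@example.invalid",
}
HAM_BODY = (
    "This letter contains a virus which has been successfully detected "
    "and cured by the mail gateway. The original attachment was removed.\n"
)


if __name__ == "__main__":
    for name, h, b in (("spam", SPAM_HEADERS, SPAM_BODY), ("ham", HAM_HEADERS, HAM_BODY)):
        print(name, subrules(h, b), "->", fake_vir_letter_score(h, b))
```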
bad rules that likely to result in more false positives

Thanks for the response.

Yah I think it is just too aggressive, I included a handful of rules. Is there any forum or website that discusses (lists of) rules that are likely to result in more false positives?

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar@...]
Sent: Tuesday, July 01, 2008 3:35 PM
To: users@...
Subject: Re: ways to check reason/error of rejected/bounced emails with calling customers

Please teach your mailer to wrap lines in a sane way...

On 01.07.08 11:46, NGSS wrote:
> Many of our clients started to have problem sending emails to us after I
> inserted more strict
> SA rules . Previously our system was flooded with spams. So I decided to
> inserted them to the
> Existing emails. After this the spams had reduced significantly. But I know
> more worry about false
> Positive and rejected (or sometimes disappeared emails) .
> I can't call all of them to get them to send me the bounced/error messages.
> So I wonder if there is a
> Way to check for the rejected emails and why they are being rejected? So at
> least I know what reason
> For the rejects and will be able to fine-tine it further.

Seems you set up your MTA too aggressively - probably rejecting mail with too low a score. However, you did not provide enough information for us to help you. What's "existing emails"? Did you train the global BAYES filter on received spam? Did you feed it enough ham to avoid FPs? Did you play with scores? What did you set required_score to? Did you fiddle with other settings like trusted_networks and internal_networks to set up a proper trust path? Did you turn on all possible network rules?

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

Re: bad rules that likely to result in more false positives

On 02.07.08 13:55, NGSS wrote:
> To: 'Matus UHLAR - fantomas' <uhlar@...>,
> users@...

Please, don't send private replies, I did not ask for them.

> Yah I think it is just too aggressive, I included a handful of rules
> Is there any forum or website that discusses (lists of) rules that are
> likely to result in more false positives?

ANY rules could lead to false positives. That's why it's better to have more rules with lower scores.

See:
http://wiki.apache.org/spamassassin/ContributingNewRules
http://wiki.apache.org/spamassassin/WritingRules

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901

Re: Lots of spam with the following snip

----- Original Message -----
From: "mouss" <mouss@...>
Cc: <users@...>
Sent: Tuesday, July 01, 2008 12:27 PM
Subject: Re: Lots of spam with the following snip

> Justin Mason wrote:
>> [snip]
>>> On 01.07.08 10:50, Justin Mason wrote:
>>>
>>>> no -- this is real spam, not a bounce in any way.
>>>>
>
> same here. not a bounce in any way.
>
>>> Are you sure it's not just a virus message sent by someone and cured by an
>>> intermediate relay?
>>>
>>
>> Yes, seeing lots of this exact wording, in high volume, throughout our
>> traps.
>>
>
> the few ones I checked only contain the cited text followed by noise
> (random text to poison bayes or whatever).

I am receiving this type of spam also. What I noticed was that the website in the body was entered with a pound sign instead of a period at the domain part. The ones I am getting have http://www.tldmls#com/string_of_characters

In my version of Firefox (2.0.0.14), this will resolve correctly to the domain name as long as it is a .com. Is this form of URL picked up by the URI blacklists or does this require a body rule?

Thanks,
Gene Lindsey

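An added example (not SpamAssassin code, and not an answer given on the list) of what the "pound instead of period" form above looks like to a standards-compliant URL parser, and of a normalisation a body-side check could apply before any blacklist lookup. The TLD set, the regexes and the two sample lines are constructed for the demonstration; whether SpamAssassin's own URI extraction handles this case is Gene's open question and is not inspected here.

```python
import re
from urllib.parse import urlsplit

# Added example: '#' in http://www.tldmls#com/... is a fragment delimiter
# to an RFC 3986 parser, so the host it sees is "www.tldmls" with no TLD.
# Nothing here is SpamAssassin code; the TLD set and regexes are illustrative.
URI_RE = re.compile(r"https?://[^\s<>\"']+")
KNOWN_TLDS = {"com", "net", "org"}          # constructed, not a real TLD list
# Matches '#' sitting where the dot before a known TLD should be, the shape a
# body rule for this spam would need to look for (assumed pattern).
HASH_TLD_RULE = re.compile(r"https?://[\w.-]+#(?:com|net|org)(?=[/\s]|$)")


def rfc3986_host(uri):
    """Host as urlsplit sees it: '#' starts the fragment and so ends the host."""
    return urlsplit(uri).hostname or ""


def registrable(host):
    """Return 'label.tld' when the host ends in a known TLD, else None."""
    labels = host.lower().split(".")
    if len(labels) >= 2 and labels[-1] in KNOWN_TLDS:
        return ".".join(labels[-2:])
    return None


def lookup_domains(text, browser_fixup=False):
    """Domains a URIBL-style lookup would be keyed on, for every URI in text.
    With browser_fixup=True the '#tld' spelling is rewritten to '.tld' first,
    mimicking the Firefox 2 behaviour Gene describes; without it the
    obfuscated URI yields no domain at all and so nothing to look up."""
    found = []
    for uri in URI_RE.findall(text):
        if browser_fixup:
            uri = re.sub(r"#(com|net|org)(?=[/\s]|$)", r".\1", uri, count=1)
        dom = registrable(rfc3986_host(uri))
        if dom and dom not in found:
            found.append(dom)
    return found


# Constructed sample lines following the shape quoted in the post.
OBFUSCATED = "see http://www.tldmls#com/aB3xQ9 for details"
NORMAL = "see http://www.tldmls.com/aB3xQ9 for details"

if __name__ == "__main__":
    print("parser host  :", rfc3986_host("http://www.tldmls#com/aB3xQ9"))
    print("no fixup     :", lookup_domains(OBFUSCATED))
    print("with fixup   :", lookup_domains(OBFUSCATED, browser_fixup=True))
    print("body rule hit:", bool(HASH_TLD_RULE.search(OBFUSCATED)))
```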
Re: bad rules that likely to result in more false positives

> On 02.07.08 13:55, NGSS wrote:
>> To: 'Matus UHLAR - fantomas' <uhlar@...>,
>> users@...
>
> Please, don't send private replies, I did not ask for
> them.
>

It's impossible to know who wants them, and who does not. Someone who does not sit here and read all messages through may be very grateful for a reply to his email address.

Re: Lots of spam with the following snip

Hi Steven,

Is it really worth it to filter this with SpamAssassin? I get over 40000 of them per day... and filter them easily from procmail, since the messages are always generated by the same software.

    :0B
    * contains a virus which has
    .ATTENTION.Anti_Virus_Spam/

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)

Re: bad rules that likely to result in more false positives

> > On 02.07.08 13:55, NGSS wrote:
> >> To: 'Matus UHLAR - fantomas' <uhlar@...>,
> >> users@...
> >
> > Please, don't send private replies, I did not ask for
> > them.

On 02.07.08 21:32, Jari Fredriksson wrote:
> It's impossible to know who wants them, and who does not.

my mail headers contain a Mail-Followup-To: header that is only sent to the list. That means that replies should be sent to the list.

> Someone who does
> not sit here and read all messages through may be very grateful for a reply to
> his email address.

If anyone wants private copies, (s)he should ask for them. This is a mailing list and all members receive all mail posted to it. Even non-members can read it all in the archives.

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.

Re: bad rules that likely to result in more false positives

On Jul 3, 2008, at 12:14 AM, Matus UHLAR - fantomas wrote:
>>> Please, don't send private replies, I did not ask for
>>> them.
>
> On 02.07.08 21:32, Jari Fredriksson wrote:
>> It's impossible to know who wants them, and who does not.
>
> my mail headers contain a Mail-Followup-To: header that is only sent
> to the
> list. That means that replies should be sent to the list.

I'm sorry, but what MUA recognizes those? Why don't you set Reply-To:, which will be honored by all MUAs?

> If anyone wants private copies, (s)he should ask for them. This is a
> mailing
> list and all members receive all mail posted to it. Even non-
> members can
> read it all in the archives.

He has acted as is common and expected. Others who, like you, don't want private copies set Reply-To.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Re: bad rules that likely to result in more false positives

Jo Rhett <jrhett@...> wrote:
> On Jul 3, 2008, at 12:14 AM, Matus UHLAR - fantomas wrote:
>>>> Please, don't send private replies, I did not ask for
>>>> them.
>>
>> On 02.07.08 21:32, Jari Fredriksson wrote:
>>> It's impossible to know who wants them, and who does not.
>>
>> my mail headers contain a Mail-Followup-To: header that is only sent to the
>> list. That means that replies should be sent to the list.
>
> I'm sorry, but what MUA recognizes those? Why don't you set Reply-To:,
> which will be honored by all MUAs?
>
>> If anyone wants private copies, (s)he should ask for them. This is a
>> mailing
>> list and all members receive all mail posted to it. Even non-members can
>> read it all in the archives.
>
> He has acted as is common and expected. Others who, like you, don't want
> private copies set Reply-To.

Bingo! :) Maybe Matus and Benny will get it now.

--
Sahil Tandon <sahil@...>

Re: bad rules that likely to result in more false positives

by Matus UHLAR - fantomas