Re: "KAUF-TIPP DER WOCHE" spam getting through

by Loren Wilton

My goodness.  They are sending that new format in German too!

Could you send me a few of these AS ATTACHMENTS, WITH FULL HEADERS?  I'm
going to try to get time to write up some rules for the English-language
version in the next few days, and if I have some German examples I may be
able to write some rules for them too.

        Loren


----- Original Message -----
From: "Panagiotis Christias" <christias@...>
To: <users@...>
Sent: Wednesday, March 28, 2007 1:40 AM
Subject: "KAUF-TIPP DER WOCHE" spam getting through


> Hello,
>
> the last days we get a lot of spam like this:
>
> ---- spam body begins here ----
> Words disputed interview galli provisions raise, eyebrows dead holders!
>
> KAUF-TIPP DER WOCHE
>
> LESEN SIE DIE NACHRICTEN
> STONEBRIDGE RES EXP   Frankfurt:   S3C.F
>
> Name :    STONEBRIDGE RES EXP
> Kurzel :    S3C.F
> WKN :    A0HHEB
> Borsenplatz :    Frankfurt
> Schluss-Stand 23.03.2007 :    Euro 0.10
> Prognose bis 02.04.2007 :    Euro 0.21
>
> Freedom hampton radical illich ivan, fontana ishiguro kazuo.
> Austerlitz natural history semprun. Scrfrk tue am foudy fans.
> Newsgroup msdn chappell app? Remote locations talk improving, access
> ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
> indicate. Required preserve specify references interested.
> Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
> Example unicode character exact numeric without decimal such numbers.
> Cedega natively lowlevel emulators binary gaming opengl.
> Investors press privacy, statement mypoints mysite, juno, photosite
> registered.
> End, dialogues spiritual renewal thames hudson chorus stones.
> Effective auditing procedures handy records kept propertys examined.
> Money resources time others, worse than no so why? Setupmore botts
> george ou real world wireless lan myths! Red hats expense technology,
> announced last year helping.
> Guzman writings, osip natasha mandelstam susan, griffin.
> ---- spam body ends here ----
>
> We use rbls on our border mail servers, SA 3.1.8, sa-update and
> rules_du_jour to update our rule set from spamassassin and
> rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
> SPF, RelayChecker etc. Still many of those spam messages get low
> scores and slip through. Scores as low as -1.2 (!) like the message
> above which triggered the following rules:
>
> X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
> Ideas and suggestions are welcome.
>
> Regards,
> Panagiotis
>
> ps. I understand that a simple rule matching something /^KAUF-TIPP DER
> WOCHE$/ would wipe out all of them but I am interested in a more
> generic/efficient way.
>
> ps2. both messages marked as spam or ham are available here:
>      http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz 


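Editor's added example, not part of the thread and not a SpamAssassin rule from either poster: a Python sketch of a check that keys on the structure of the ticker block in the quoted spam rather than on the literal "KAUF-TIPP DER WOCHE" line. The field names, the umlaut spelling variants and the thresholds (`min_fields`, `min_ratio`) are assumptions chosen for illustration.

```python
import re

# Labels of the ticker block in the quoted spam; umlaut/"ue" spellings are assumed variants.
LABELS = {
    "name": r"Name",
    "symbol": r"K(?:u|ü|ue)rzel",
    "wkn": r"WKN",
    "exchange": r"B(?:o|ö|oe)rsenplatz",
    "close": r"Schluss-Stand",
    "forecast": r"Prognose",
}
PRICE = re.compile(r"(?:Euro|EUR)\s*(\d+(?:[.,]\d+)?)", re.I)

def extract_fields(body):
    """Return {field: value} for every 'Label [date] : value' line in the body."""
    found = {}
    for key, label in LABELS.items():
        m = re.search(rf"^[ \t]*{label}\b[^:\n]*:[ \t]*(\S.*?)[ \t]*$", body, re.I | re.M)
        if m:
            found[key] = m.group(1)
    return found

def price(text):
    m = PRICE.search(text or "")
    return float(m.group(1).replace(",", ".")) if m else None

def score_stock_tip(body, min_fields=4, min_ratio=1.5):
    """Flag a body holding a ticker block plus a valid WKN or an inflated forecast."""
    f = extract_fields(body)
    close, forecast = price(f.get("close")), price(f.get("forecast"))
    ratio = forecast / close if close and forecast else None
    # A WKN (German securities ID) is six upper-case letters/digits.
    wkn_ok = re.fullmatch(r"[A-Z0-9]{6}", f.get("wkn", "")) is not None
    hit = len(f) >= min_fields and (wkn_ok or (ratio is not None and ratio >= min_ratio))
    return {"hit": hit, "fields": sorted(f), "wkn_ok": wkn_ok, "ratio": ratio}

# Ticker block copied from the quoted message; filler text shortened.
SPAM = """Words disputed interview galli provisions raise, eyebrows dead holders!
KAUF-TIPP DER WOCHE
Name :    STONEBRIDGE RES EXP
Kurzel :    S3C.F
WKN :    A0HHEB
Borsenplatz :    Frankfurt
Schluss-Stand 23.03.2007 :    Euro 0.10
Prognose bis 02.04.2007 :    Euro 0.21
Freedom hampton radical illich ivan, fontana ishiguro kazuo.
"""
# Constructed ham sample that reuses two of the labels.
HAM = "Hello,\nName: Panagiotis\nPrognose: rain on Monday\nRegards\n"

if __name__ == "__main__":
    print(score_stock_tip(SPAM), score_stock_tip(HAM))
```

The check still fires when the headline line is changed or removed, because it depends only on the labelled fields and the closing-price/forecast pair.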