[SA Rule] meds, pill and shop spams

Le
Michelle Konzack
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_samba3-3453-1246044690-0001-2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello,

because I am currently hit by several 10.000 new type of spam using
domains like www.(meds|pill|shop)XX.(net|com|org) I sugest you to put
the following in your spamassassin config:

-[ '~/.spamassassin/user_prefs' ]
body AE_MEDS35 /(s?w{2,4}s(?:meds|pill|shop)d{1,4}s(?=
:net|com|org)s?)/
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 3.00


Works perfectly and has today catched over 63.000 spams on my server.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
25.9V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/> Michelle Konzack
<http://www.can4linux.org/> c/o Vertriebsp. KabelBW
<http://www.flexray4linux.org/> Blumenstrasse 2
Jabber linux4michelle@jabber.ccc.de 77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886 Tel. FR: +33 6 61925193

--=_samba3-3453-1246044690-0001-2
Content-Type: application/pgp-signature; name="signature.pgp"
Content-Transfer-Encoding: 7bit
Content-Description: Digital signature
Content-Disposition: inline

--BEGIN PGP SIGNATURE--
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKRSLsC0FPBMSS+BIRAiYUAJ9hwjYiAndWkB4YELD/aQ5t6RmvRwCfa4OZ
E/nJLtN0Ei2X52LE/Svbtbs=
=Tq8/
--END PGP SIGNATURE--

--=_samba3-3453-1246044690-0001-2--


--
Haeufig gestellte Fragen und Antworten (FAQ):
http://www.de.debian.org/debian-user-german-FAQ/

Zum AUSTRAGEN schicken Sie eine Mail an debian-user-german-REQUEST@lists.debian.org
mit dem Subject "unsubscribe". Probleme? Mail an listmaster@lists.debian.org (engl)
Vidéos High-Tech et Jeu Vidéo
Téléchargements
Vos réponses
Gagnez chaque mois un abonnement Premium avec GNT : Inscrivez-vous !
Trier par : date / pertinence
Maximiliano Marin Bustos
Le #19646841
On Fri, Jun 26, 2009 at 3:35 PM, Michelle
Konzack
Hello,

because I am currently hit by several 10.000  new  type  of  spam  using
domains like www.(meds|pill|shop)XX.(net|com|org) I sugest  you  to  put
the following in your spamassassin config:

----[ '~/.spamassassin/user_prefs' ]------------------------------------
body            AE_MEDS35       /(s?w{2,4}s(?:meds|p ill|shop)d{1,4}s(?:net|com|org)s?)/
describe        AE_MEDS35       obfuscated domain seen in s pam
score           AE_MEDS35       3.00
------------------------------------------------------------------------

Works perfectly and has today catched over 63.000 spams on my server.

Thanks, Greetings and nice Day/Evening
   Michelle Konzack
   Systemadministrator
   25.9V Electronic Engineer
   Tamay Dogan Network
   Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Jabber           77694 Kehl/German y
IRC #Debian (irc.icq.com)                     Tel. DE : +49 177 9351947
ICQ #328449886                                Tel. FR: +33  6  61925193




Michelle: Thank you for your advice!

--
Atte,
Maximiliano Marin
http://blog.maximilianomarin.com


--
Haeufig gestellte Fragen und Antworten (FAQ):
http://www.de.debian.org/debian-user-german-FAQ/

Zum AUSTRAGEN schicken Sie eine Mail an
mit dem Subject "unsubscribe". Probleme? Mail an (engl)
Michelle Konzack
Le #19646871
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_samba3-28208-1246062900-0001-2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi back,

Now we have a problem because the spam is something like

www meds88 com
www . meds88 . com

and the rule is working fine, and now it stoped at:

www. meds88. com

Can you try now:

body AE_MEDS35 /bwww(?:sW?s?|Ws)w{3,6}d{2,6}(?:s W?s?|Ws)(?:cs?os?m|ns?es?t|os?rs?g)b/i
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 3.00

which should catch it...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Jabber 77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886 Tel. FR: +33 6 61925193

--=_samba3-28208-1246062900-0001-2
Content-Type: application/pgp-signature; name="signature.pgp"
Content-Transfer-Encoding: 7bit
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKRWoPC0FPBMSS+BIRAvXNAJ9xxKN38d47HiPrNK4raEPP166VUwCfb4bo
Gzm17SoyPBn4Tiv02Al/PE0 =Ryvt
-----END PGP SIGNATURE-----

--=_samba3-28208-1246062900-0001-2--


--
Haeufig gestellte Fragen und Antworten (FAQ):
http://www.de.debian.org/debian-user-german-FAQ/

Zum AUSTRAGEN schicken Sie eine Mail an
mit dem Subject "unsubscribe". Probleme? Mail an (engl)
Publicité
Poster une réponse
Anonyme