
Mailing List Archive: SpamAssassin: users

Low Score - {Brazillian Host} Lottery Spam

 

 



richard at buzzhost

Oct 27, 2009, 9:46 AM

Post #1 of 5 (408 views)
Low Score - {Brazillian Host} Lottery Spam

Anyone else seeing these today? Or seen them recently?

http://pastebin.com/m4e25954f

score=0.1

Subject was real neat:
Subject: =?ISO-8859-1?B?WW91IFdvbiCjMQ==?=,750,000.00 GBP

You Won £750,000.00 GBP {surprised this did not bite}


End of the message is missing on the five of them that I've had (not a
paste error).


antispam at khopis

Oct 27, 2009, 10:08 AM

Post #2 of 5 (374 views)
Re: Low Score - {Brazillian Host} Lottery Spam [In reply to]

richard [at] buzzhost wrote:
> Anyone else seeing these today? Or seen them recently?
>
> http://pastebin.com/m4e25954f
>
> score=0.1
>
> Subject was real neat:
> Subject: =?ISO-8859-1?B?WW91IFdvbiCjMQ==?=,750,000.00 GBP
>
> You Won £750,000.00 GBP {surprised this did not bite}
>
>
> End of the message is missing on the five of them that I've had
> (not a paste error).

Interesting. I'm also surprised that doesn't hit one of the many
large-sum money checks. Scored 5.2 for me (bayes_99 plus a few custom
rules of questionable utility).

Content analysis details: (5.2 points, 5.0 required)

 pts rule name          description
---- ------------------ -------------------------------------
 3.9 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
                        [score: 0.9998]
 0.6 KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
-0.0 SPF_PASS           SPF: sender matches SPF record
 0.8 FROM_NOT_REPLY     From: and Reply-To: have different domains
 0.0 KHOP_NO_FULL_NAME  Sender does not have both First and Last names
 0.0 KHOP_NEW_TO_ME     New sender in new thread

Note that FROM_NOT_REPLY and KHOP_NEW_TO_ME are non-published rules.
The former requires a plugin. KHOP_NO_FULL_NAME (now in khop-lists)
is zeroed and KHOP_SC_TOP_CIDR8 (from khop-sc-neighbors) is arguably
unfair given its broad range (though it certainly did its work here).


jhardin at impsec

Oct 27, 2009, 10:27 AM

Post #3 of 5 (371 views)
Re: Low Score - {Brazillian Host} Lottery Spam [In reply to]

On Tue, 27 Oct 2009, richard [at] buzzhost wrote:

> Anyone else seeing these today? Or seen them recently?
>
> http://pastebin.com/m4e25954f

I get lots like them. I'm working on updating the Advance Fee rules, but
they won't be released until 3.3.1.

In my testbed with sandbox rules, that got:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 LOTTO_AGENT            BODY: Claims Agent
 1.0 FILL_THIS_FORM_LONG    BODY: Fill in a form with personal information
 1.0 LOTTO_YOU_WON          You won!
 0.0 LOTS_OF_MONEY          Huge... sums of money
 1.0 FILL_THIS_FORM         Fill in a form with personal information
 0.5 FILL_THIS_FORM_LOAN    Answer loan question(s)
 1.0 ADVANCE_FEE_2_NEW      Appears to be advance fee fraud (Nigerian 419)
 3.0 MONEY_FORM             Lots of money if you fill out a form
 1.0 ADVANCE_FEE_3_NEW      Appears to be advance fee fraud (Nigerian 419)
 1.5 MONEY_LOTTERY          Lots of money from a lottery
 0.2 MONEY_FRAUD            Lots of money and any of the fraud rules
 1.0 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
 1.0 ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
 1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
 1.0 ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
 1.0 ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud and lots of money
 1.0 ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud and lots of money
 0.2 FORM_FRAUD             Fill a form and any of the fraud rules

Yes, there's some overlap; these _are_ testing rules, after all...

Contact me offlist if you want to install the sandbox rules for them, I'll
give you instructions.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
4 days until Halloween


jhardin at impsec

Oct 27, 2009, 10:29 AM

Post #4 of 5 (368 views)
Re: Low Score - {Brazillian Host} Lottery Spam [In reply to]

On Tue, 27 Oct 2009, Adam Katz wrote:

> richard [at] buzzhost wrote:
>>
>> You Won £750,000.00 GBP {surprised this did not bite}
>
> Interesting. I'm also surprised that doesn't hit one of the many
> large-sum money checks.

The existing ones are weak w/r/t non-USD currencies. That's one reason I
started on the lotsa_money stuff.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
4 days until Halloween
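
Added example, not part of the original thread and not SpamAssassin code: the Subject header quoted above is decoded per RFC 2047 and then checked with a dollar-only pattern and a multi-currency one. The patterns, constant names and function names are constructed for illustration.

```python
import re
from email.header import decode_header

# Subject header quoted in the thread, as it appears undecoded.
RAW_SUBJECT = "=?ISO-8859-1?B?WW91IFdvbiCjMQ==?=,750,000.00 GBP"

def decode_subject(raw):
    """Decode RFC 2047 encoded-words and join the parts with no separator,
    so text split across an encoded-word boundary is reassembled."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)

# Constructed patterns for illustration; these are not SpamAssassin rules.
AMOUNT = r"\d{1,3}(?:,\d{3})+(?:\.\d{2})?"   # needs a thousands separator
USD_ONLY = re.compile(r"\$\s?(" + AMOUNT + r")")
MULTI_CURRENCY = re.compile(
    r"[$£€]\s?(" + AMOUNT + r")"                  # symbol before the amount
    r"|(" + AMOUNT + r")\s?(?:GBP|USD|EUR)\b"     # ISO code after the amount
)

def largest_sum(pattern, text):
    """Largest whole-unit amount the pattern finds in text, or 0 if none."""
    best = 0
    for match in pattern.finditer(text):
        amount = next(g for g in match.groups() if g)
        best = max(best, int(amount.split(".")[0].replace(",", "")))
    return best

if __name__ == "__main__":
    decoded = decode_subject(RAW_SUBJECT)
    print("decoded subject:        ", decoded)
    print("USD-only, decoded:      ", largest_sum(USD_ONLY, decoded))
    print("multi-currency, raw:    ", largest_sum(MULTI_CURRENCY, RAW_SUBJECT))
    print("multi-currency, decoded:", largest_sum(MULTI_CURRENCY, decoded))
```

The pound sign and the leading digit sit inside the base64 encoded-word, so a check on the undecoded header finds only 750,000 while the decoded text yields 1,750,000. The dollar-only pattern finds nothing in either form.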


me at junc

Oct 27, 2009, 9:18 PM

Post #5 of 5 (364 views)
Re: Low Score - {Brazillian Host} Lottery Spam [In reply to]

On Tue 27 Oct 2009 18:27:24 CET, John Hardin wrote

> Contact me offlist if you want to install the sandbox rules for
> them, I'll give you instructions.

Undisclosed recipient with a freemail body hit.

If I won, why would I not be in the To:?

:)

--
xpoint
