Mailing List Archive: SpamAssassin: users

Elite Pron

Index | Next | Previous | View Threaded

mynabble at live

Nov 2, 2011, 3:57 AM

Post #1 of 6 (388 views)
Permalink

Elite Pron

Nice one:

header MN_ELITEPRON Subject =~ /^FW: .{5,40}
(?:Elite|Instant|Extreme|Guaranteed|Infinite|Multi|Approved|Unreal)
(?:Collection|Access|Gallery).{0,2}$/
describe MN_ELITEPRON Elite Gallery pron spam
score MN_ELITEPRON 18

... enjoy!
--
View this message in context: http://old.nabble.com/Elite-Pron-tp32764834p32764834.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

axb.lists at gmail

Nov 2, 2011, 4:05 AM

Post #2 of 6 (378 views)
Permalink

Re: Elite Pron [In reply to]

On 2011-11-02 11:57, Mynabbler wrote:
>
> Nice one:
>
> header MN_ELITEPRON Subject =~ /^FW: .{5,40}
> (?:Elite|Instant|Extreme|Guaranteed|Infinite|Multi|Approved|Unreal)
> (?:Collection|Access|Gallery).{0,2}$/
> describe MN_ELITEPRON Elite Gallery pron spam
> score MN_ELITEPRON 18
>
> ... enjoy!

Could you pastebin a sample?

mynabble at live

Nov 3, 2011, 3:29 AM

Post #3 of 6 (366 views)
Permalink

Re: Elite Pron [In reply to]

Axb wrote:
>
> Could you pastebin a sample?
>
Sure, if you insist...

http://pastebin.com/s6CTZM2T
--
View this message in context: http://old.nabble.com/Elite-Pron-tp32764834p32771766.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

axb.lists at gmail

Nov 3, 2011, 4:24 AM

Post #4 of 6 (367 views)
Permalink

Re: Elite Pron [In reply to]

On 2011-11-03 11:29, Mynabbler wrote:
>
>
> Axb wrote:
>>
>> Could you pastebin a sample?
>>
> Sure, if you insist...
>
> http://pastebin.com/s6CTZM2T

this is part of the hacked Wordpress series

for safetly you may want to add a uri condition for /wp-content/ to your
meta

Axb

mynabble at live

Nov 3, 2011, 5:25 AM

Post #5 of 6 (369 views)
Permalink

Re: Elite Pron [In reply to]

> this is part of the hacked Wordpress series
> for safetly you may want to add a uri condition for /wp-content/ to
> your meta

Nope. Since they also arrive as

###.ro/cache/rgk40/nse/xwv/
###.com/images/stories/rol76/cly/uzj/
###.com/admin/rxr82/owt/bpz/
###.com/rda67/pyi/wom/
###.com/modules/mod_wdbanners/rvs84/

So, in some cases they are using Joomla hacked sites, in others somewhat
randomly hacked crap. The subject ruleset is failsafe and I did not
encounter one false positive as of yet. Mind you, the "^FW: "part at the
beginning of the ruleset is rather specfic in combination with the rest of
the subject.

--
View this message in context: http://old.nabble.com/Elite-Pron-tp32764834p32772338.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

rwmaillists at googlemail

Nov 3, 2011, 8:05 AM

Post #6 of 6 (363 views)
Permalink

Re: Elite Pron [In reply to]

On Thu, 3 Nov 2011 05:25:30 -0700 (PDT)
Mynabbler wrote:

>
> So, in some cases they are using Joomla hacked sites, in others
> somewhat randomly hacked crap. The subject ruleset is failsafe and I
> did not encounter one false positive as of yet. Mind you, the "^FW:
> "part at the beginning of the ruleset is rather specfic in
> combination with the rest of the subject.

I have a similar rule, but it doesn't require "^FW:" since I've found
that comes and goes.

Personally I wouldn't score a rule like this at anywhere near 18,
mine's still scored at 1.0. I find that with training they all hit
BAYES_99, so it doesn't take much to catch them.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads