So, I was getting sick of getting hammered by a couple specific types of spam (might be the same spammer… sort of smells like the same spam software, anyway), to both of my “home” email addresses that are out there. (The fact that they've got gr@grappa implies that they're looting email addresses not just from the various mailing list logs where my regular address can be found, but specifically from the NetBSD pr database from problem reports I've submitted from that machine; I don't think it's floating around anywhere but there.)
Turns out I pretty much never write a SpamAssassin rule these days but that it's a meta, and even the simple one below (for drillclub.com–don't load that if you're at work–spam) got all meta on my ass here.
Here are the new rules:
header DRILLCLUB_SUBJECT Subject =~ /^SEXUALLY-EXPLICIT: /
describe DRILLCLUB_SUBJECT Subject for drillclub.com pr0n spam.
score DRILLCLUB_SUBJECT 2
body DRILLCLUB_URL /http:\/\/www\.drillclub\.com\/gen_ads\/gen_mail\.php/
describe DRILLCLUB_URL URL in drillclub.com pr0n spam.
score DRILLCLUB_URL 2
# We'll ding them on the RO if either of the other two matched.
meta DRILLCLUB_RO (__DRILLCLUB_AND_SIXFIGURE_RO && (DRILLCLUB_SUBJECT + DRILLCLUB_URL) > 0)
describe DRILLCLUB_RO drillclub.com sets Status: RO
score DRILLCLUB_RO 1
# Appears both in the above AND in the below! Same software?
header __DRILLCLUB_AND_SIXFIGURE_RO Status =~ /^RO$/
# "six figure income" work at home spam
#
# Does some anti-bayes stuff (bits of fiction--maybe copyright
# infringement?) so we need to bump the under-Bayes scores way up.
#
# Subject: A Business which Earns Substantial Income
# Subject: Unbelievable 100% Automated System! can earn you 6 Figure Income Online!
#
# Message-ID: <5754DFE7.680D148@mail.bulgaria.com>
# Message-ID: <6FEABD28.4EF47D2@girl-punk.net>
#
# URLs:
# http://aMWP.bgv.yourproductweapon.com/bl/
# http://p.pcsd.productadvancespro.com/bl/
#
# uniform body snippits:
# or to see our address.
# automatic marketing system
#
# Similar text:
# Your financial fitness is in your hands.
# Your financial independence is\nwithin your grasp.
#
# Modeling this off the NIGERIAN stuff
header SIXFIGURE_SUBJECT Subject =~ /\b[eE]arn(s)?\b.*\bIncome\b/
describe SIXFIGURE_SUBJECT 6 Figure Income spam subject
score SIXFIGURE_SUBJECT .5 .5 1.5 1.5
# Being cautious with the scoring since the match is pretty fuzzy.
# MESSAGEID is SA's pseudo-header: the Message-Id plus any Resent-/X-Message-Id copies.
header SIXFIGURE_MESSAGEID MESSAGEID =~ /<[A-Z0-9]{8}\.[A-Z0-9]{7}@.*>/
describe SIXFIGURE_MESSAGEID 6 Figure Income spam Message-ID
score SIXFIGURE_MESSAGEID 1 1 2.5 2.5
body __SIXFIGURE_BODY_1 /or to see our address./
body __SIXFIGURE_BODY_2 /automatic marketing system/
body __SIXFIGURE_BODY_3 /Your financial (fitness|independence) is/
body __SIXFIGURE_BODY_4 /http:\/\/[a-zA-Z]*\.[a-zA-Z]*\..*product.*\.com\/bl\//
meta SIXFIGURE_BODY1 (__SIXFIGURE_BODY_1 + __SIXFIGURE_BODY_2 + __SIXFIGURE_BODY_3 + __SIXFIGURE_BODY_4) > 0
meta SIXFIGURE_BODY2 (__SIXFIGURE_BODY_1 + __SIXFIGURE_BODY_2 + __SIXFIGURE_BODY_3 + __SIXFIGURE_BODY_4) > 1
meta SIXFIGURE_BODY3 (__SIXFIGURE_BODY_1 + __SIXFIGURE_BODY_2 + __SIXFIGURE_BODY_3 + __SIXFIGURE_BODY_4) > 2
meta SIXFIGURE_BODY4 (__SIXFIGURE_BODY_1 + __SIXFIGURE_BODY_2 + __SIXFIGURE_BODY_3 + __SIXFIGURE_BODY_4) > 3
describe SIXFIGURE_BODY1 6 Figure Income spam, 1+ body hits
describe SIXFIGURE_BODY2 6 Figure Income spam, 2+ body hits
describe SIXFIGURE_BODY3 6 Figure Income spam, 3+ body hits
describe SIXFIGURE_BODY4 6 Figure Income spam, 4+ body hits
score SIXFIGURE_BODY1 1.5 1 3 2.5
score SIXFIGURE_BODY2 .5 .4 1.5 1.25
score SIXFIGURE_BODY3 .5 .4 1.5 1.25
score SIXFIGURE_BODY4 .5 .4 1.5 1.25
# We'll ding them on the RO if there are any two of:
# - two or more body matches
# - subject
# - message-id
meta SIXFIGURE_RO (__DRILLCLUB_AND_SIXFIGURE_RO && (SIXFIGURE_BODY2 + SIXFIGURE_SUBJECT + SIXFIGURE_MESSAGEID) > 1)
describe SIXFIGURE_RO 6 Figure Income sets Status: RO
score SIXFIGURE_RO .25 .25 .75 .75
You can also grab them here. (Unix line-breaks, so wget -O - >> /path/to/spamassassin/local.cf should Just Work.)
The drillclub bit isn't very exciting. Match their subject, match their URL, tack on an extra hit for a weirdo thing (Who the hell ever sends email “read-only”? Like that would stop me… what, does that make Outlook not let you forward it, say to Pyzor or something? Maybe not let the in-Outlook Bayesian plugins modify the message?) their spam software does.
Here are a couple of samples of the Six Figure Income spam. This is the one that got me bothering to edit local.cf today. They've got mutating copy that says the same thing with significantly different words (for the most part, see the similarities I picked out in the rules), with varying sentence structure. Classy. They still lose, but one does have to admire a skilled opponent.
The more traditional anti-Bayes stuff in the Six Figure Income spam isn't a new idea, just one I haven't paid much attention to before. If that's copyrighted text they're tacking on the end, they can be sued on even better grounds than that silly haiku crap. (I've turned off the SA rule on that one, incidentally, because, unshockingly, spammers use it all the time, with impunity, sending through zombie machines. Nice try, guys, really. But not.)
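As an added illustration (not code from the post, and not SpamAssassin itself), here is a small Python re-implementation of the Six Figure Income rule set above, run over two constructed messages: it shows how the `__` sub-rules feed the counting metas, how SIXFIGURE_RO only fires once two of its three inputs hit, and which score column a given score set selects. It scores SIXFIGURE_MESSAGEID at 1 1 2.5 2.5, which is what its describe line says the second score line was meant to set; the Message-ID domains and body text are made up.

```python
import re
# Constructed samples (not real mail), modeled on the subjects, Message-ID shape and body
# snippets quoted in the rule comments. "Status: RO" alone must not score; the RO metas see to that.
SIXFIGURE_MSG = {
    "Subject": "Unbelievable 100% Automated System! can earn you 6 Figure Income Online!",
    "Message-ID": "<5754DFE7.680D148@example.invalid>", "Status": "RO",
    "body": "Earnings in the six figures are yours with our automatic marketing system. "
            "Your financial fitness is in your hands. Reply or to see our address.",
}
PLAIN_RO_MSG = {  # Status: RO plus a Message-ID of the same shape, but nothing else
    "Subject": "Quarterly figures", "Message-ID": "<6FEABD28.4EF47D2@example.invalid>",
    "Status": "RO", "body": "The report is attached.",
}
# header NAME Hdr =~ /re/ and body NAME /re/; names starting '__' are unscored building blocks
HEADER_RULES = {
    "SIXFIGURE_SUBJECT": ("Subject", r"\b[eE]arn(s)?\b.*\bIncome\b"),
    "SIXFIGURE_MESSAGEID": ("Message-ID", r"<[A-Z0-9]{8}\.[A-Z0-9]{7}@.*>"),
    "__DRILLCLUB_AND_SIXFIGURE_RO": ("Status", r"^RO$"),
}
BODY_RULES = {
    "__SIXFIGURE_BODY_1": r"or to see our address\.",
    "__SIXFIGURE_BODY_2": r"automatic marketing system",
    "__SIXFIGURE_BODY_3": r"Your financial (fitness|independence) is",
    "__SIXFIGURE_BODY_4": r"http://[a-zA-Z]*\.[a-zA-Z]*\..*product.*\.com/bl/",
}
def _body_hits(h):  # the sum all four BODYn metas share: each 0/1 hit flag adds one
    return sum(h[f"__SIXFIGURE_BODY_{i}"] for i in range(1, 5))
# meta NAME (expr): BODYn fires at n or more body hits; RO needs the RO header AND any two
# of {2+ body hits, subject, message-id}, which SA lets you write as a sum of hit flags > 1.
META_RULES = {f"SIXFIGURE_BODY{n}": (lambda h, n=n: _body_hits(h) > n - 1) for n in range(1, 5)}
META_RULES["SIXFIGURE_RO"] = lambda h: bool(h["__DRILLCLUB_AND_SIXFIGURE_RO"]) and (
    h["SIXFIGURE_BODY2"] + h["SIXFIGURE_SUBJECT"] + h["SIXFIGURE_MESSAGEID"]) > 1
# score NAME a b c d: one column per score set 0-3 (no Bayes/no net, net only, Bayes only, both)
SCORES = {
    "SIXFIGURE_SUBJECT": (0.5, 0.5, 1.5, 1.5), "SIXFIGURE_MESSAGEID": (1.0, 1.0, 2.5, 2.5),
    "SIXFIGURE_BODY1": (1.5, 1.0, 3.0, 2.5), "SIXFIGURE_BODY2": (0.5, 0.4, 1.5, 1.25),
    "SIXFIGURE_BODY3": (0.5, 0.4, 1.5, 1.25), "SIXFIGURE_BODY4": (0.5, 0.4, 1.5, 1.25),
    "SIXFIGURE_RO": (0.25, 0.25, 0.75, 0.75),
}

def evaluate(msg):
    """Return {rule: 0/1}; metas run last, in order, so each sees the flags it references."""
    hits = {n: int(bool(re.search(p, msg.get(hdr, "")))) for n, (hdr, p) in HEADER_RULES.items()}
    hits.update({n: int(bool(re.search(p, msg["body"]))) for n, p in BODY_RULES.items()})
    for n, expr in META_RULES.items():
        hits[n] = int(bool(expr(hits)))
    return hits
def total_score(hits, score_set=3):
    """Sum the scores of rules that hit; '__' rules contribute nothing on their own."""
    return sum(SCORES[n][score_set] for n, hit in hits.items() if hit and not n.startswith("__"))
```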
Fwiw, here's what spamassassin -t has to say about each of those 6 Figure samples:
Content preview: High Profit margins and earnings in the six figures are
yours with our automatic marketing system. No need to go into a stuffy
office; you can base your business from home and have this system
working for you automatically. [...]
Content analysis details: (8.7 points, 4.1 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 SIXFIGURE_MESSAGEID 6 Figure Income spam Message-ID
2.5 SIXFIGURE_SUBJECT 6 Figure Income spam subject
-4.9 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0019]
1.5 SPAMHAUS_SBL_XBL RBL: listed in sbl-xbl.spamhaus.org's blackhole lists
[218.81.198.154 listed in sbl-xbl.spamhaus.org]
2.5 SIXFIGURE_BODY1 6 Figure Income spam, 1+ body hits
1.2 SIXFIGURE_BODY2 6 Figure Income spam, 2+ body hits
1.2 SIXFIGURE_BODY3 6 Figure Income spam, 3+ body hits
1.2 SIXFIGURE_BODY4 6 Figure Income spam, 4+ body hits
0.8 MANY_EXCLAMATIONS Subject has many exclamations
1.5 SIXFIGURE_RO 6 Figure Income sets Status: RO
Content preview: We show you how you can secure a six figure income by
using our completely automatic marketing system. You can attain
100,000US this year. This is the most profitable program for running a
business from home; we have fully automated our marketing system to
allow you to take advantage of all 24 hours of the day. [...]
Content analysis details: (10.5 points, 4.1 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 SIXFIGURE_MESSAGEID 6 Figure Income spam Message-ID
2.5 SIXFIGURE_SUBJECT 6 Figure Income spam subject
-0.0 BAYES_44 BODY: Bayesian spam probability is 44 to 50%
[score: 0.4816]
2.5 SIXFIGURE_BODY1 6 Figure Income spam, 1+ body hits
1.2 SIXFIGURE_BODY2 6 Figure Income spam, 2+ body hits
1.2 SIXFIGURE_BODY3 6 Figure Income spam, 3+ body hits
1.2 SIXFIGURE_BODY4 6 Figure Income spam, 4+ body hits
0.8 SIXFIGURE_RO 6 Figure Income sets Status: RO