So I have been getting a lot of spam recently about stocks for some
reason. They all have a line that has "Current Price:" in them. I
set up this recipe:
:0B
* .*Current\ Price\:
spam
Why is it not getting matched?
Thanks.
-Ken
Ken wrote:
> So I have been getting a lot of spam recently about stocks for some
> reason. They all have a line that has "Current Price:" in them. I
> set up this recipe:
>
> :0B
> * .*Current\ Price\:
> spam
>
>
> Why is it not getting matched?
>
> Thanks.
>
>
> -Ken
>
>
Why are you escaping the space and the colon?
Does the content of the message match the check you have "Current Price:"?
While the item appears as Current Price:, the email could be in HTML and
thus has a difference.
The recipe is one thing, the email message is another in recustructing
what is going on.
Escaping the colon might be what breaks this. Try only looking for
Current Price. i.e.
:0B
* .*Current Price
spam
AK
On Wed, 19 Oct 2005 20:24:54 +0000 (UTC), Ken wrote:
>
> So I have been getting a lot of spam recently about stocks for some
> reason. They all have a line that has "Current Price:" in them. I
> set up this recipe:
Of course, now that the spammers have read your posting, they will now
use: "Currnet Price:", or "Cµrrent Price:", or "Currént Price:", or
"Current Príce:", or "Çurrent Price:", or "Cürrënt Prïcê:", or, or, ....
Version 44 of my feeble attempt in body checking for (penny) stock spam:
________________
# 22-Jul-05 implemntation converted to scoring....
# Penny stock spam
# I.
# "forward looking statements" , also
# "for wardlooking stateme nts" ,
# "Forwa rdlooking state ments" ,
# "f0rward_l00king_st4tements" , <-- 11-Oct-05
# "Forward look ing stat ements" , etc.
# II.
# "Savvy Investor"
# "Emerging Equity Alert"
# "Investor Alert"
# III.
# "investment advice"
# "solicitation to buy"
# "st0ck"
# "SYMBOL" ... in col. 1
# "trade" -or- "trading"
:0B
* -2^0
* 1^1 (f.?(o|0).?r.?w.?a.?r.?d.?l.?(o|0).?(o|0).?k.?i.?n.?g.?s.?t. ?(a|4).?t.?e.?m.?e.?n.?t.?s)
* 1^1 ()\<(investment advice|solicitation to buy|st(o|0)ck)
* 1^1 ((Equity|investor) Alert|Savvy Investor)
* 1^1 ()\<(trad(e|ing))\>
* 1^1 $SYMBOL\>
{
X="$="
LOG=">>>> DELETED - Body: (2+$X) Penny stock wurdz $TOJONZ $NL"
:0 fwh
| formail -I"X-DELETED-SPAM: Body: (2+$X) Penny stock wurdz ${TOJONZ}"
:0:
$DELETE
}
_____________
This, of course, is in my "rc.finale" - after all whitelist checking
("rc.whitelist"), all greylist checking ("rc.whitelist" also), all
blacklist checking ("rc.blacklist"), and after all header tests in
"rc.finale". Body checking can eat up A LOT of CPU cycles.
Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
Pueblo, Colorado | @ | Jonesy | OS/2 __
38.24N 104.55W | config.com | DM78rf | SK
Allodoxaphobia
> On Wed, 19 Oct 2005 20:24:54 +0000 (UTC), Ken wrote:
> >
> > So I have been getting a lot of spam recently about stocks for some
> > reason. They all have a line that has "Current Price:" in them. I
> > set up this recipe:
> Of course, now that the spammers have read your posting, they will now
> use: "Currnet Price:", or "C?rrent Price:", or "Curr?nt Price:", or
> "Current Pr?ce:", or "?urrent Price:", or "C?rr?nt Pr?c?:", or, or, ....
Thanks. I'll try that out.
Btw, anyone know if there is some site that has procmail recipes for
some of this sort of spam? Spamassassin just doesn't get some of this
stuff. And some of it makes it hard to tweak the rules.
-Ken
AK
> Why are you escaping the space and the colon?
> Does the content of the message match the check you have "Current Price:"?
> While the item appears as Current Price:, the email could be in HTML and
> thus has a difference.
> The recipe is one thing, the email message is another in recustructing
> what is going on.
> Escaping the colon might be what breaks this. Try only looking for
> Current Price. i.e.
> :0B
> * .*Current Price
> spam
Thanks, I'll try that. I thought you needed to escape a space, and
thought that to play it safe I would escape the colon as well.
-Ken
On Thu, 20 Oct 2005 14:10:17 +0000 (UTC), Ken wrote:
> Allodoxaphobia
>> On Wed, 19 Oct 2005 20:24:54 +0000 (UTC), Ken wrote:
>> >
>> > So I have been getting a lot of spam recently about stocks for some
>> > reason. They all have a line that has "Current Price:" in them. I
>> > set up this recipe:
>
>> Of course, now that the spammers have read your posting, they will now
>> use: "Currnet Price:", or "C?rrent Price:", or "Curr?nt Price:", or
>> "Current Pr?ce:", or "?urrent Price:", or "C?rr?nt Pr?c?:", or, or, ....
>
> Thanks. I'll try that out.
UPDATE:
Whilst staring at my own posting I spotted a Most Obvious error:
* 1^1 $SYMBOL\>
.... should be:
* 1^1 ^SYMBOL\>
I have never been able to proof my own copy on a screen. sigh...
Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
Pueblo, Colorado | @ | Jonesy | OS/2 __
38.24N 104.55W | config.com | DM78rf | SK
Ken wrote:
> Allodoxaphobia
>
>>On Wed, 19 Oct 2005 20:24:54 +0000 (UTC), Ken wrote:
>>
>>>So I have been getting a lot of spam recently about stocks for some
>>>reason. They all have a line that has "Current Price:" in them. I
>>>set up this recipe:
>
>
>>Of course, now that the spammers have read your posting, they will now
>>use: "Currnet Price:", or "C?rrent Price:", or "Curr?nt Price:", or
>>"Current Pr?ce:", or "?urrent Price:", or "C?rr?nt Pr?c?:", or, or, ....
>
>
> Thanks. I'll try that out.
>
> Btw, anyone know if there is some site that has procmail recipes for
> some of this sort of spam? Spamassassin just doesn't get some of this
> stuff. And some of it makes it hard to tweak the rules.
>
>
> -Ken
>
>
There are a monthly posting here by some the have guides to procmail
recipe. Look for the subject, "Procmail tips page pointer", "Procmail
pointers".
Here is a snipet from the Jari postings:
> Announcement: "Procmail Tips: all you wanted to know about procmail"
>
> http://pm-doc.sourceforge.net/
>
> This pointer is archived at
>
> excellent procmail resources:
>
> o Nancy McGough is veteran of procmail and knows all about
> how Internet works
> http://www.ii.com/internet/robots/procmail/qs/
> http://www.ii.com/internet/faqs/launchers/mail/filtering-faq /
> o Era's Ericson's legendary procmail material
> http://www.iki.fi/~era/procmail
> o Professor Timo Salmi's recipe page contains
> solutions to every problem
> http://www.uwasa.fi/~ts/info/proctips.html
Have you looked at bogofilter.org?
It uses a baysean filtering scheme. Once you teach it with several
messages what is spam and with a few messages what is not, it will help
you reduce the amount of spam.
AK