Date:      Thu, 13 May 2004 16:36:41 -0700
From:      Benson Wong <benwong@tummytech.com>
Cc:        freebsd security <freebsd-security@FreeBSD.org>
Subject:   Re: How do fix a good solution against spam..
Message-ID:  <40A40689.3010006@tummytech.com>
In-Reply-To: <40A40107.1010207@xsb.com>
References:  <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org> <40A40107.1010207@xsb.com>

Mine too.

At my company we use the Barracuda 400 spam firewall, which uses 
SpamAssassin and some custom stuff and does spam/virus filtering. Really 
easy to set up, but it is more expensive than free. :)
It does a really great job of filtering spam vs. the administrative work to 
get it going.

Ben.

> hehe ... my SpamAssassin marked this as spam :-)
>
> Cyrille Lefevre wrote:
>
>> take a look here :
>>
>>     http://www.merchantsoverseas.com/wwwroot/gorilla
>>
>> then let's try the attached script and patch which may not be up to 
>> date.
>>
>> PS : I don't use it since my machine is too slow and this makes 
>> mimedefang give up (timeout) too often.
>>
>> Cyrille Lefevre
>>
>>
>> ------------------------------------------------------------------------
>>
>> diff -u orig/sa_body.cf sa/sa_body.cf
>> --- orig/sa_body.cf    Thu Feb 19 14:56:29 2004
>> +++ sa/sa_body.cf    Sat Jan 31 01:57:22 2004
>> @@ -4,21 +4,20 @@
>>  
>>  # submitted by Yorkshire Dave.  
>> -> "Dear Fellow Opportunist" (my favorite ;-)
>> +# "Dear Fellow Opportunist" (my favorite ;-)
>>  
>>  body L_OPPORT /\bfellow.opportunist/i  describe L_OPPORT fellow 
>> opportunist
>>  
>> -> "You need to act now or you will miss out on a great offer"
>> +# "You need to act now or you will miss out on a great offer"
>>  
>>  body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i  describe 
>> L_ACTMISS act now or miss
>>  
>> -body L_MISSOFFER
>> -/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i
>> +body L_MISSOFFER 
>> /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i
>>  describe L_MISSOFFER miss great offer
>>  
>> -> "CASH FOREVER"
>> +# "CASH FOREVER"
>>  
>>  body L_CASHFOREVER /\bcash.{1,3}forever\b/  describe L_CASHFOREVER 
>> cash forever
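Review bot: the `L_MISSOFFER` pattern carries `{1.20}` (a dot where a comma belongs) on both the removed and the added line, so this hunk re-wraps the rule without fixing it; Perl treats the malformed `{1.20}` as literal text, so the rule only fires on a message that literally contains `{1.20}offer`. Change it to `.{1,20}`, matching the `{1,20}` used earlier in the same pattern.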
>> @@ -419,8 +418,7 @@
>>  
>>  # The following rules submitted by Kai MacTane.
>>  
>> -body HIDDEN_VIAGRA 
>> -/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i 
>>
>> +body HIDDEN_VIAGRA 
>> /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i 
>>
>>  describe HIDDEN_VIAGRA  Uses obfuscated version of "Viagra"
>>  score HIDDEN_VIAGRA 2.00
>>  
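Review bot: the `HIDDEN_VIAGRA` pattern is identical before and after apart from whitespace, and it keeps a bug worth fixing while the line is being touched: inside a character class, `{1,5}` is not a quantifier but five literal characters (`{`, `1`, `,`, `5`, `}`), so `[\s{1,5}\-\.\*_]` matches exactly one separator character between letters. If the intent is one to five separators, move the quantifier outside the class: `[\s\-\.\*_]{1,5}`.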
>> @@ -1011,7 +1009,7 @@
>>  describe CAREER_BACK_ON_TRACK      (LOCAL RULE) Talks about getting 
>> a career back on track
>>  score CAREER_BACK_ON_TRACK 3 3 3 3  
>> -raw 123X456        /123x456/i
>> +rawbody 123X456        /123x456/i
>>  describe 123X456   (LOCAL RULE) 123X456 is a marker for the SoBig.E 
>> worm
>>  score 123X456      99 99 99 99
>>  
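Review bot: `raw` is not a SpamAssassin rule type, so `rawbody` is the correct keyword, but the rule name `123X456` remains a problem on releases that validate rule names (alphanumeric and underscore, not starting with a digit): such a name is rejected with a warning and the score of 99 never applies. Renaming it, for example to `SOBIG_E_123X456`, and updating the `describe` and `score` lines to match avoids that.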
>> diff -u orig/sa_header_other.cf sa/sa_header_other.cf
>> --- orig/sa_header_other.cf    Thu Feb 19 14:56:29 2004
>> +++ sa/sa_header_other.cf    Sat Jan 31 02:18:10 2004
>> @@ -9,8 +9,8 @@
>>  header    HINET             Received =~ /bHINET-IP/i
>>  describe    HINET   Received line contains HINET-IP (common spam 
>> gate from pacrim)
>>  
>> -header    TO-EVERYONE                 To:addr =~ /every(?:one|body)/i
>> -describe     TO-EVERYONE             To: everyone or everybody
>> +header    TO_EVERYONE                 To:addr =~ /every(?:one|body)/i
>> +describe     TO_EVERYONE             To: everyone or everybody
>>  
>>  
>>  # The following rules submitted by Daniel Bird.
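Review bot: the unchanged `HINET` context line reads `Received =~ /bHINET-IP/i`; the leading `b` is almost certainly meant to be the `\b` word boundary, and as written the rule only matches the literal text `bHINET-IP`, so it never fires. Worth fixing in the same patch as `\bHINET-IP`. The `TO-EVERYONE` to `TO_EVERYONE` rename is right: a hyphen is not valid in a rule name, and the `header` and `describe` lines now agree on the name.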
>> @@ -97,27 +97,27 @@
>>  score    L_f_Refi    0.4
>>  
>>  # Spamsign in misc headers
>> -Header   L_hR_NOREPLY    Return-path =~ /<>/
>> +header   L_hR_NOREPLY    Return-path =~ /<>/
>>  describe L_hR_NOREPLY    Return path is set to empty (common for 
>> bounces) (RM)
>>  score    L_hR_NOREPLY    1.1
>>  
>> -Header   L_hr_clkheremail    Received =~ /clkheremail\.com/
>> +header   L_hr_clkheremail    Received =~ /clkheremail\.com/
>>  describe L_hr_clkheremail    Spam passed through clkheremail.com 
>> relay (RM)
>>  score    L_hr_clkheremail    3.1
>>  
>> -Header   L_hr_HeloIP     Received =~ 
>> /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
>> +header   L_hr_HeloIP     Received =~ 
>> /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
>>  describe L_hr_HeloIP     Received has helo=IP - may be valid DSL 
>> router w/nat - may be spam (RM)
>>  score    L_hr_HeloIP     0.5
>>  
>> -Header   L_hx_PSSBulk    X-Mailer =~ /PSS\ Bulk\ Mailer/
>> +header   L_hx_PSSBulk    X-Mailer =~ /PSS\ Bulk\ Mailer/
>>  describe L_hx_PSSBulk    Uses PSS Bulk Mailer (RM)
>>  score    L_hx_PSSBulk    1.1
>>  
>> -Header   L_hx_XaM3API    exists:X-XaM3-API-Version
>> +header   L_hx_XaM3API    exists:X-XaM3-API-Version
>>  describe L_hx_XaM3API    X-XaM3-API-Version header found, often 
>> spamsign (RM)
>>  score    L_hx_XaM3API    1.1
>>  
>> -Header   L_hx_JLH        exists:X-JLH
>> +header   L_hx_JLH        exists:X-JLH
>>  describe L_hx_JLH        X-JLH header found, possible spamsign (RM)
>>  score    L_hx_JLH        1.1
>>  
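Review bot: lower-casing `Header` to `header` is the right normalisation; every other rule type in these files is lower-case, and on a parser that does not fold keyword case an unrecognised `Header` directive is reported as a bad config line and the rule never loads, so all six of these rules were effectively dead. One rule to look at while here: `L_hR_NOREPLY` scores 1.1 for an empty `Return-path`, which every legitimate bounce and DSN also carries (as its own `describe` admits); consider folding it into a `meta` together with another spam indicator rather than scoring it on its own.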
>> diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf
>> --- orig/sa_header_subject.cf    Thu Feb 19 14:56:29 2004
>> +++ sa/sa_header_subject.cf    Sat Jan 31 02:08:47 2004
>> @@ -27,59 +27,59 @@
>>  # The following rules submitted by Robert Menschel.
>>  
>>  # Spamsign subjects
>> -Header   L_s_casino      Subject =~ /c[a\@]sin[o0]/i
>> +header   L_s_casino      Subject =~ /c[a\@]sin[o0]/i
>>  describe L_s_casino      Subject mentions a casino (RM)
>>  score    L_s_casino      1.1
>>  
>> -Header   L_s_CopyDVD     Subject =~ /c[o0]py\ dvd/i
>> +header   L_s_CopyDVD     Subject =~ /c[o0]py\ dvd/i
>>  describe L_s_CopyDVD     Subject mentions copying DVDs (RM)
>>  score    L_s_CopyDVD     3.1
>>  
>> -Header   L_s_Drugs       Subject =~ 
>> /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i
>> +header   L_s_Drugs       Subject =~ 
>> /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i
>>  describe L_s_Drugs       Subject mentions known spam subject (RM)
>>  score    L_s_Drugs       2.1
>>  
>> -Header   L_s_GetPaid     Subject =~ /Get\ P[a\@]id/i
>> +header   L_s_GetPaid     Subject =~ /Get\ P[a\@]id/i
>>  describe L_s_GetPaid     Subject mentions getting paid for something 
>> (RM)
>>  score    L_s_GetPaid     1.1
>>  
>> -Header   L_s_HelpInvest  Subject =~ /help.{1,10}invest/i
>> +header   L_s_HelpInvest  Subject =~ /help.{1,10}invest/i
>>  describe L_s_HelpInvest  Subject mentions help in investing 
>> something (RM)
>>  score    L_s_HelpInvest  1.1
>>  
>> -Header   L_s_MaskedWords1    Subject =~ 
>> /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i
>> +header   L_s_MaskedWords1    Subject =~ 
>> /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i
>>  describe L_s_MaskedWords1    masked spam word(s) in subject (RM)
>>  score    L_s_MaskedWords1    9.1
>>  
>> -Header   L_s_MaskedWords2    Subject =~ 
>> /che\@p|F0r|d0main|Ple\@se|m0ve/i
>> +header   L_s_MaskedWords2    Subject =~ 
>> /che\@p|F0r|d0main|Ple\@se|m0ve/i
>>  describe L_s_MaskedWords2    masked spam word(s) in subject (RM)
>>  score    L_s_MaskedWords2    9.1
>>  
>> -Header   L_s_MaskedWords3    Subject =~ 
>> /p\@tients|ph0t0|b0y|g1rl|vide0/i
>> +header   L_s_MaskedWords3    Subject =~ 
>> /p\@tients|ph0t0|b0y|g1rl|vide0/i
>>  describe L_s_MaskedWords3    masked spam word(s) in subject (RM)
>>  score    L_s_MaskedWords3    9.1
>>  
>> -Header   L_s_MaskedWords4    Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i
>> +header   L_s_MaskedWords4    Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i
>>  describe L_s_MaskedWords4    masked spam word(s) in subject (RM)
>>  score    L_s_MaskedWords4    7.1
>>  
>> -Header   L_s_MaskedWordsC    Subject =~ /reaI|excIusive/
>> +header   L_s_MaskedWordsC    Subject =~ /reaI|excIusive/
>>  describe L_s_MaskedWordsC    masked spam word(s) in subject - case 
>> sensitive (RM)
>>  score    L_s_MaskedWordsC    9.1
>>  
>> -Header   L_s_PleaseRead  Subject =~ /please\ re[a\@]d/i
>> +header   L_s_PleaseRead  Subject =~ /please\ re[a\@]d/i
>>  describe L_s_PleaseRead  Subject includes request to please read the 
>> message (RM)
>>  score    L_s_PleaseRead  0.6
>>  
>> -Header   L_s_profile     Subject =~ /I\ saw\ your\ profile/i
>> +header   L_s_profile     Subject =~ /I\ saw\ your\ profile/i
>>  describe L_s_profile     Subject mentions your profile (RM)
>>  score    L_s_profile     1.1
>>  
>> -Header   L_s_porn        Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i
>> +header   L_s_porn        Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i
>>  describe L_s_porn        Subject seems to be about porn (RM)
>>  score    L_s_porn        2.1
>>  
>> -Header   L_s_Tax     Subject =~ /T[a\@]x/i
>> +header   L_s_Tax     Subject =~ /T[a\@]x/i
>>  describe L_s_Tax     Subject mentions taxes (RM)
>>  score    L_s_Tax     1.1
>>  
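Review bot: same keyword fix as in the other header file, and correct for the same reason; two of the rules it revives deserve a second look before they go live. `L_s_Tax` is `/T[a\@]x/i` with no word boundary, so it fires on `syntax`, `taxi`, `taxonomy` and the like; anchoring it as `/\bt[a\@]x(?:es)?\b/i` limits it to the intended word. The `L_s_MaskedWords1` to `L_s_MaskedWordsC` rules carry scores of 7.1 to 9.1, above the usual 5.0 threshold, so a single hit condemns a message on its own; each alternation should be checked against a ham corpus before being given that weight, and the non-ASCII characters in `L_s_MaskedWords4` (`ch[à\@]rge|Êbãy`) only match when the rule file and the decoded subject use the same character encoding.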
>> diff -u orig/sa_meta.cf sa/sa_meta.cf
>> --- orig/sa_meta.cf    Thu Feb 19 14:56:29 2004
>> +++ sa/sa_meta.cf    Sat Jan 31 03:00:13 2004
>> @@ -9,9 +9,11 @@
>>  
>>  #Check for a beginning HTML tag <HTML>
>>  rawbody  __MK_HTML_TAG_START /\<html/i
>> +describe <html
>>  
>>  #Check for a closing HTML tag </html>
>>  rawbody  __MK_HTML_TAG_END /\<\/html\>/i
>> +describe </html>
>>  
>>  #Check to see if the HTML message is made correctly.  Seeing a lot 
>> of SPAM that isn't
>>  meta     MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START && 
>> !__MK_HTML_TAG_END
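Review bot: the two added `describe` lines are malformed: `describe` takes a rule name followed by the description text, so `describe <html` registers an empty description for a rule named `<html` rather than for `__MK_HTML_TAG_START`, and likewise for `</html>`. Either write `describe __MK_HTML_TAG_START Message contains an opening <html> tag` (and the matching line for `__MK_HTML_TAG_END`) or drop both lines; rules with a `__` prefix are sub-rules that only feed `meta` rules and are never reported, so they do not need a `describe` at all.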
>> @@ -102,8 +104,7 @@
>>  
>>  header __THEBAT_UA User-Agent =~ /The Bat/
>>  meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID )
>> -describe L_FORGED_MUA_THEBAT  Forged message pretending to be from the
>> -bat!
>> +describe L_FORGED_MUA_THEBAT  Forged message pretending to be from 
>> the bat!
>>  
>>  #spewing virus reports to forged sender addresses is spamming, talking
>>  # about them on mailing lists isn't.
>> @@ -111,7 +112,8 @@
>>  body __VIRUS_WARNING_FWD 
>> /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is 
>>
>>  body __VIRUS_WARNING_REV 
>> /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is 
>>
>>  body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i
>> -meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || 
>> __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || 
>> IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus 
>> scanner
>> +meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || 
>> __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO))
>> +describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner
>>  
>>  # The following rules were submitted by Sandy S. (The last S is for 
>> Secret!)
>>  
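Review bot: splitting `meta` and `describe` onto separate lines is necessary, since the original single line would have been parsed as a `meta` expression with `describe L_BROKEN_ANTIVIRUS ...` appended to it; two things in the hunk still need checking. The expression negates `REFERENCES` and `IN_REP_TO`, neither of which is defined in this hunk, and SpamAssassin warns about a `meta` rule with an undefined dependency instead of evaluating it as intended, so confirm both exist in the loaded rule set. And the dots in `__FORGING_VIRUS` (`braid.a`, `yaha.e`) are unescaped, so they match any character; `braid\.a` and `yaha\.e` are presumably what was meant.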
>> diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf
>> --- orig/sa_oct03_rules.cf    Thu Feb 19 14:56:29 2004
>> +++ sa/sa_oct03_rules.cf    Sat Jan 31 02:57:16 2004
>> @@ -223,7 +223,7 @@
>>  
>>  rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/
>>  describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found.
>> -score MY_ONE_CHAR_SCRIPT .33
>> +score MY_ONECHAR_SCRIPT .33
>>  
>>  rawbody MY_THISIS /this is spam/i
>>  describe MY_THISIS They said this is spam themselves!
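Review bot: the fix is correct and worth spelling out in the commit message: the `score` line named `MY_ONE_CHAR_SCRIPT`, which no rule defines, so `MY_ONECHAR_SCRIPT` was running at SpamAssassin's default score of 1.0 instead of the intended 0.33. A mismatch like this is silent, so grepping each file for `score` names without a matching rule definition would catch any others.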
>> diff -u orig/sa_uri.cf sa/sa_uri.cf
>> --- orig/sa_uri.cf    Thu Feb 19 14:56:29 2004
>> +++ sa/sa_uri.cf    Sat Jan 31 02:10:42 2004
>> @@ -358,8 +358,7 @@
>>  
>>  uri MY_BLUETABS /fastbluetabs\.com/i
>>  score MY_BLUETABS 5.000
>> -describe MY_BLUETABS Message contains a link or email address to
>> -fastbluetabs.com
>> +describe MY_BLUETABS Message contains a link or email address to 
>> fastbluetabs.com
>>  
>>  uri MY_CERTREWARDS /certrewards\.com/i
>>  score MY_CERTREWARDS 5.000
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to 
>> "freebsd-security-unsubscribe@freebsd.org"