How do fix a good solution against spam..
Benson Wong
benwong at tummytech.com
Tue May 18 16:12:39 PDT 2004
Mine too.
At my company we use the Barracuda 400 spam firewall, which uses
SpamAssassin and some custom stuff and does spam/virus filtering. Really
easy to set up, but is more expensive than free. :)
It does a really great job of filtering spam vs. the administrative work to
get it going.
Ben.
> hehe ... my SpamAssassin marked this as spam :-)
>
> Cyrille Lefevre wrote:
>
>> take a look here:
>>
>> http://www.merchantsoverseas.com/wwwroot/gorilla
>>
>> then let's try the attached script and patch which may not be up to
>> date.
>>
>> PS: I don't use it since my machine is too slow and this makes mimedefang
>> give up (time out) too often.
>>
>> Cyrille Lefevre
>>
>>
>> ------------------------------------------------------------------------
>>
>> diff -u orig/sa_body.cf sa/sa_body.cf
>> --- orig/sa_body.cf Thu Feb 19 14:56:29 2004
>> +++ sa/sa_body.cf Sat Jan 31 01:57:22 2004
>> @@ -4,21 +4,20 @@
>>
>> # submitted by Yorkshire Dave.
>> -> "Dear Fellow Opportunist" (my favorite ;-)
>> +# "Dear Fellow Opportunist" (my favorite ;-)
>>
>> body L_OPPORT /\bfellow.opportunist/i describe L_OPPORT fellow
>> opportunist
>>
>> -> "You need to act now or you will miss out on a great offer"
>> +# "You need to act now or you will miss out on a great offer"
>>
>> body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i describe
>> L_ACTMISS act now or miss
>>
>> -body L_MISSOFFER
>> -/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i
>> +body L_MISSOFFER
>> /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i
>> describe L_MISSOFFER miss great offer
>>
>> -> "CASH FOREVER"
>> +# "CASH FOREVER"
>>
>> body L_CASHFOREVER /\bcash.{1,3}forever\b/ describe L_CASHFOREVER
>> cash forever
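Review bot: the re-joined `+` line for L_MISSOFFER keeps the typo `{1.20}` in `/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i`; with a dot instead of a comma this is not a valid quantifier, Perl treats `{1.20}` as literal text, and the rule can never match a real message. Change it to `.{1,20}offer` while the line is being touched. Turning the `-> "..."` lines into `# "..."` comments is the right fix, since anything that is not a recognised directive makes SpamAssassin reject the line with a parse error.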
>> @@ -419,8 +418,7 @@
>>
>> # The following rules submitted by Kai MacTane.
>>
>> -body HIDDEN_VIAGRA
>> -/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i
>>
>> +body HIDDEN_VIAGRA
>> /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i
>>
>> describe HIDDEN_VIAGRA Uses obfuscated version of "Viagra"
>> score HIDDEN_VIAGRA 2.00
>>
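Review bot: the regex being re-joined, `/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a.../i`, has its quantifier inside the character class, so `{`, `1`, `,`, `5` and `}` are matched as literal characters and exactly one separator character is allowed between letters. If the intent is to tolerate runs of up to five separators, the quantifier belongs outside the class, as in `v[\s\-.*_]{1,5}i...`; a `{0,5}` form would additionally catch the plain word, which the current pattern does not.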
>> @@ -1011,7 +1009,7 @@
>> describe CAREER_BACK_ON_TRACK (LOCAL RULE) Talks about getting
>> a career back on track
>> score CAREER_BACK_ON_TRACK 3 3 3 3
>> -raw 123X456 /123x456/i
>> +rawbody 123X456 /123x456/i
>> describe 123X456 (LOCAL RULE) 123X456 is a marker for the SoBig.E
>> worm
>> score 123X456 99 99 99 99
>>
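Review bot: `raw` is not a SpamAssassin directive, so before this change the `123X456` rule was never loaded and its `score` line referred to an undefined rule; `rawbody` is the correct keyword. Because the score is 99 in every score set, a hit is an unconditional spam verdict, so it is worth tightening `/123x456/i` with word boundaries (`/\b123x456\b/i`) so the marker is not matched inside a longer token such as a part number or a hash.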
>> diff -u orig/sa_header_other.cf sa/sa_header_other.cf
>> --- orig/sa_header_other.cf Thu Feb 19 14:56:29 2004
>> +++ sa/sa_header_other.cf Sat Jan 31 02:18:10 2004
>> @@ -9,8 +9,8 @@
>> header HINET Received =~ /bHINET-IP/i
>> describe HINET Received line contains HINET-IP (common spam
>> gate from pacrim)
>>
>> -header TO-EVERYONE To:addr =~ /every(?:one|body)/i
>> -describe TO-EVERYONE To: everyone or everybody
>> +header TO_EVERYONE To:addr =~ /every(?:one|body)/i
>> +describe TO_EVERYONE To: everyone or everybody
>>
>>
>> # The following rules submitted by Daniel Bird.
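Review bot: the rename from `TO-EVERYONE` to `TO_EVERYONE` is needed because rule names may only contain letters, digits and underscores; the hyphenated name fails to parse, so the rule had not been loading. While in this hunk, the unchanged context line `header HINET Received =~ /bHINET-IP/i` appears to have lost a backslash: as written it matches only the literal string `bHINET-IP`, and the word-boundary form `/\bHINET-IP/i` is almost certainly what was meant.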
>> @@ -97,27 +97,27 @@
>> score L_f_Refi 0.4
>>
>> # Spamsign in misc headers
>> -Header L_hR_NOREPLY Return-path =~ /<>/
>> +header L_hR_NOREPLY Return-path =~ /<>/
>> describe L_hR_NOREPLY Return path is set to empty (common for
>> bounces) (RM)
>> score L_hR_NOREPLY 1.1
>>
>> -Header L_hr_clkheremail Received =~ /clkheremail\.com/
>> +header L_hr_clkheremail Received =~ /clkheremail\.com/
>> describe L_hr_clkheremail Spam passed through clkheremail.com
>> relay (RM)
>> score L_hr_clkheremail 3.1
>>
>> -Header L_hr_HeloIP Received =~
>> /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
>> +header L_hr_HeloIP Received =~
>> /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
>> describe L_hr_HeloIP Received has helo=IP - may be valid DSL
>> router w/nat - may be spam (RM)
>> score L_hr_HeloIP 0.5
>>
>> -Header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/
>> +header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/
>> describe L_hx_PSSBulk Uses PSS Bulk Mailer (RM)
>> score L_hx_PSSBulk 1.1
>>
>> -Header L_hx_XaM3API exists:X-XaM3-API-Version
>> +header L_hx_XaM3API exists:X-XaM3-API-Version
>> describe L_hx_XaM3API X-XaM3-API-Version header found, often
>> spamsign (RM)
>> score L_hx_XaM3API 1.1
>>
>> -Header L_hx_JLH exists:X-JLH
>> +header L_hx_JLH exists:X-JLH
>> describe L_hx_JLH X-JLH header found, possible spamsign (RM)
>> score L_hx_JLH 1.1
>>
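Review bot: lowercasing `Header` to `header` is more than cosmetic, since configuration keywords are case-sensitive and every `Header ...` line in this block was being rejected with a parse error, which means none of these rules had been firing. Two small things worth picking up in the same pass: `L_hR_NOREPLY` breaks the `L_hr_` naming used by the neighbouring rules, and `Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i` would be safer with the address bounded (`helo=(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b`) so it does not fire on a longer token; the low 0.5 score already reflects the describe text's caveat that NAT routers legitimately HELO with an IP.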
>> diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf
>> --- orig/sa_header_subject.cf Thu Feb 19 14:56:29 2004
>> +++ sa/sa_header_subject.cf Sat Jan 31 02:08:47 2004
>> @@ -27,59 +27,59 @@
>> # The following rules submitted by Robert Menschel.
>>
>> # Spamsign subjects
>> -Header L_s_casino Subject =~ /c[a\@]sin[o0]/i
>> +header L_s_casino Subject =~ /c[a\@]sin[o0]/i
>> describe L_s_casino Subject mentions a casino (RM)
>> score L_s_casino 1.1
>>
>> -Header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i
>> +header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i
>> describe L_s_CopyDVD Subject mentions copying DVDs (RM)
>> score L_s_CopyDVD 3.1
>>
>> -Header L_s_Drugs Subject =~
>> /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i
>> +header L_s_Drugs Subject =~
>> /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i
>> describe L_s_Drugs Subject mentions known spam subject (RM)
>> score L_s_Drugs 2.1
>>
>> -Header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i
>> +header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i
>> describe L_s_GetPaid Subject mentions getting paid for something
>> (RM)
>> score L_s_GetPaid 1.1
>>
>> -Header L_s_HelpInvest Subject =~ /help.{1,10}invest/i
>> +header L_s_HelpInvest Subject =~ /help.{1,10}invest/i
>> describe L_s_HelpInvest Subject mentions help in investing
>> something (RM)
>> score L_s_HelpInvest 1.1
>>
>> -Header L_s_MaskedWords1 Subject =~
>> /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i
>> +header L_s_MaskedWords1 Subject =~
>> /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i
>> describe L_s_MaskedWords1 masked spam word(s) in subject (RM)
>> score L_s_MaskedWords1 9.1
>>
>> -Header L_s_MaskedWords2 Subject =~
>> /che\@p|F0r|d0main|Ple\@se|m0ve/i
>> +header L_s_MaskedWords2 Subject =~
>> /che\@p|F0r|d0main|Ple\@se|m0ve/i
>> describe L_s_MaskedWords2 masked spam word(s) in subject (RM)
>> score L_s_MaskedWords2 9.1
>>
>> -Header L_s_MaskedWords3 Subject =~
>> /p\@tients|ph0t0|b0y|g1rl|vide0/i
>> +header L_s_MaskedWords3 Subject =~
>> /p\@tients|ph0t0|b0y|g1rl|vide0/i
>> describe L_s_MaskedWords3 masked spam word(s) in subject (RM)
>> score L_s_MaskedWords3 9.1
>>
>> -Header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i
>> +header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i
>> describe L_s_MaskedWords4 masked spam word(s) in subject (RM)
>> score L_s_MaskedWords4 7.1
>>
>> -Header L_s_MaskedWordsC Subject =~ /reaI|excIusive/
>> +header L_s_MaskedWordsC Subject =~ /reaI|excIusive/
>> describe L_s_MaskedWordsC masked spam word(s) in subject - case
>> sensitive (RM)
>> score L_s_MaskedWordsC 9.1
>>
>> -Header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i
>> +header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i
>> describe L_s_PleaseRead Subject includes request to please read the
>> message (RM)
>> score L_s_PleaseRead 0.6
>>
>> -Header L_s_profile Subject =~ /I\ saw\ your\ profile/i
>> +header L_s_profile Subject =~ /I\ saw\ your\ profile/i
>> describe L_s_profile Subject mentions your profile (RM)
>> score L_s_profile 1.1
>>
>> -Header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i
>> +header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i
>> describe L_s_porn Subject seems to be about porn (RM)
>> score L_s_porn 2.1
>>
>> -Header L_s_Tax Subject =~ /T[a\@]x/i
>> +header L_s_Tax Subject =~ /T[a\@]x/i
>> describe L_s_Tax Subject mentions taxes (RM)
>> score L_s_Tax 1.1
>>
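Review bot: same keyword-case fix as in sa_header_other.cf, so these Subject rules were also not loading before. Now that they will actually run, two patterns deserve a look: `L_s_Tax Subject =~ /T[a\@]x/i` has no word boundaries and fires on any subject containing the letters `tax` (syntax, taxonomy, taxi), so `/\bT[a\@]x(?:es)?\b/i` would cut the false positives at little cost; and `L_s_MaskedWords4 ... /5emin|ch[à\@]rge|Êbãy|pen1s/i` contains raw non-ASCII bytes whose meaning depends on the file's encoding and on how the Subject header was decoded, so it should be checked against test messages in both Latin-1 and UTF-8 before the 7.1 score is trusted.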
>> diff -u orig/sa_meta.cf sa/sa_meta.cf
>> --- orig/sa_meta.cf Thu Feb 19 14:56:29 2004
>> +++ sa/sa_meta.cf Sat Jan 31 03:00:13 2004
>> @@ -9,9 +9,11 @@
>>
>> #Check for a beginning HTML tag <HTML>
>> rawbody __MK_HTML_TAG_START /\<html/i
>> +describe <html
>>
>> #Check for a closing HTML tag </html>
>> rawbody __MK_HTML_TAG_END /\<\/html\>/i
>> +describe </html>
>>
>> #Check to see if the HTML message is made correctly. Seeing a lot
>> of SPAM that isn't
>> meta MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START &&
>> !__MK_HTML_TAG_END
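Review bot: the two added lines `describe <html` and `describe </html>` are missing the rule name. `describe` takes the rule name first and then the text, so as written they create descriptions for rules called `<html` and `</html>` with empty text (SpamAssassin warns about this) and leave `__MK_HTML_TAG_START` and `__MK_HTML_TAG_END` undescribed. Since both are `__` sub-rules used only from the `MK_BAD_HTML_4` meta rule, they do not need a `describe` at all; if one is wanted, write `describe __MK_HTML_TAG_START opening <html> tag present` and the equivalent for the closing tag.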
>> @@ -102,8 +104,7 @@
>>
>> header __THEBAT_UA User-Agent =~ /The Bat/
>> meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID )
>> -describe L_FORGED_MUA_THEBAT Forged message pretending to be from the
>> -bat!
>> +describe L_FORGED_MUA_THEBAT Forged message pretending to be from
>> the bat!
>>
>> #spewing virus reports to forged sender addresses is spamming, talking
>> # about them on mailing lists isn't.
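Review bot: re-joining the wrapped `describe L_FORGED_MUA_THEBAT` line is the right fix, since the stray continuation line `bat!` was an unparseable directive. Note that the meta rule depends on `__THEBAT_MSGID`, which is not defined in this hunk; make sure it exists elsewhere in the file, because SpamAssassin reports a meta rule with an undefined dependency and the rule cannot evaluate as intended.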
>> @@ -111,7 +112,8 @@
>> body __VIRUS_WARNING_FWD
>> /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is
>>
>> body __VIRUS_WARNING_REV
>> /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is
>>
>> body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i
>> -meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD ||
>> __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES ||
>> IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus
>> scanner
>> +meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD ||
>> __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO))
>> +describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner
>>
>> # The following rules were submitted by Sandy S. (The last S is for
>> Secret!)
>>
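Review bot: splitting `describe L_BROKEN_ANTIVIRUS ...` off the `meta` line is necessary, because with the describe text appended the meta expression was unparseable and the rule was dead. Two things to check while here: `REFERENCES` and `IN_REP_TO` must be names of rules that exist in the loaded rule set, and `__FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i` has no word boundaries, so a legitimate security post that names a worm and quotes a scanner notice can trip it; the `! (REFERENCES || IN_REP_TO)` guard covers list replies but not a fresh post.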
>> diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf
>> --- orig/sa_oct03_rules.cf Thu Feb 19 14:56:29 2004
>> +++ sa/sa_oct03_rules.cf Sat Jan 31 02:57:16 2004
>> @@ -223,7 +223,7 @@
>>
>> rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/
>> describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found.
>> -score MY_ONE_CHAR_SCRIPT .33
>> +score MY_ONECHAR_SCRIPT .33
>>
>> rawbody MY_THISIS /this is spam/i
>> describe MY_THISIS They said this is spam themselves!
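Review bot: the fix is correct; `score MY_ONE_CHAR_SCRIPT .33` referred to a rule that does not exist, so `MY_ONECHAR_SCRIPT` had been running at the default score of 1.0 rather than the intended 0.33. The regex `/\/..?\.(pl|plx|cgi|asp)/` is looser than the describe text suggests: the `.` wildcards also match `/` and `.`, so paths such as `/a/.pl` qualify; `/\/[A-Za-z0-9]{1,2}\.(pl|plx|cgi|asp)\b/` matches the stated intent of a one- or two-letter script name.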
>> diff -u orig/sa_uri.cf sa/sa_uri.cf
>> --- orig/sa_uri.cf Thu Feb 19 14:56:29 2004
>> +++ sa/sa_uri.cf Sat Jan 31 02:10:42 2004
>> @@ -358,8 +358,7 @@
>>
>> uri MY_BLUETABS /fastbluetabs\.com/i
>> score MY_BLUETABS 5.000
>> -describe MY_BLUETABS Message contains a link or email address to
>> -fastbluetabs.com
>> +describe MY_BLUETABS Message contains a link or email address to
>> fastbluetabs.com
>>
>> uri MY_CERTREWARDS /certrewards\.com/i
>> score MY_CERTREWARDS 5.000
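Review bot: joining the wrapped `describe MY_BLUETABS` line is correct; the orphaned `fastbluetabs.com` continuation was an invalid directive. The `uri` patterns in this hunk are unanchored substrings, so `/fastbluetabs\.com/i` also matches hosts such as `notfastbluetabs.com` or `fastbluetabs.com.example.org`; at a score of 5.000 a bounded form such as `/(?:^|[.\/])fastbluetabs\.com(?:[\/:]|$)/i` keeps the hit to the intended domain.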
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe at freebsd.org"
>