Hello,

You could write a Meta rule that contained two sub rules - one for matching "The Bat!" mailer, and the other matching the "chat.ru" link at the bottom. Fire a score if both rules hit. It may not be optimal, but it got rid of that Spam for me, and I haven't had a FP yet.

If you check out the meta that was posted on here not long ago to do with the "Spaces Live" Spam, that has a very similar concept, involving The Bat mailer and Spaces Live links at the bottom of the Spam.

Cheers,
Mike


-----Original Message-----
From: Francis Russell [mailto:francis+***@unchartedbackwaters.co.uk]
Sent: Thursday, 15 January 2009 1:35 p.m.
To: ***@spamassassin.apache.org
Subject: Russian spam

Anyone know of any good rule-sets to block this sort of spam?

http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

I find that Pyzor and Razor completely miss it as well as the DNS
blacklists (although I believe this one has a relay in one of the
Spamhaus ones now). I'm aware of the language whitelisting feature but
presumably there is a better way then just assuming everything in
language x is spam?

Francis

If you want something that's language specific, checking for koi8-r can
be quite effective, but if you do receive legitimate Russian mail then
it may lead to FPs. Anyway, here's a rule to check the subject that
would hit your example:

header LOCAL_CHARSET_SUBJECT Subject:raw =~
/\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i

There's a few other foreign character sets thrown in there that I also
reject - edit to suit your needs.

Looking at the rest of the mail, I have a few other custom rules that
fire on your example:


header LOCAL_THEBAT_MUA X-Mailer =~ /^The Bat!/

uri LOCAL_URI_RU m{https?://.{1,40}\.ru\b}
uri LOCAL_URI_CHAT_RU m{https?://.{1,40}\.chat\.ru\b}

I score against The Bat MUA, and also against any [dot] ru domains, plus
an additional (additive) score for [dot] chat [dot] ru URIs. I have no
legitimate use for these in emails (I also have a similar rule for
Chinese domains that's very popular!)

So I have 4 or 5 custom rules that all score against your example and
add a little to the score taking it well over the spam threshold.

Content analysis details: (12.6 points, 5.0 required)

pts rule name description
---- ----------------------
-------------------------------------------------
1.5 URICOUNTRY_RU Contains a URI hosted in RU
3.3 TVD_RCVD_IP4 TVD_RCVD_IP4
1.6 TVD_RCVD_IP TVD_RCVD_IP
2.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[84.16.105.146 listed in zen.spamhaus.org]
2.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
1.3 SAGREY Adds score to spam from first-time senders

,----
| X-Spam-Flag: YES
| X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on debian64.potato.lan
| X-Spam-Level: *************************************
| X-Spam-Status: Yes, score=37.7 required=5.0 tests=BAYES_60,BOTNET,
| CHARSET_FARAWAY,CHARSET_FARAWAY_HEADER,KAM_THEBAT,LOCAL_CHARSET_SUBJECT,
| MIME_CHARSET_FARAWAY,RCVD_IN_BRBL,RCVD_IN_XBL,SAGREY,SARE_SUB_ENC_KOI8R,
| TVD_RCVD_IP,TVD_RCVD_IP4,URICOUNTRY_RU,VERYBADRELAY,YAHOO_FILTER
| autolearn=spam version=3.2.5
| X-Spam-Flag: YES
| X-Spam-Relay-Country: CZ CZ CZ
| X-Spam-Report:
| * 3.0 URICOUNTRY_RU Contains a URI hosted in Russland
| * 2.5 YAHOO_FILTER von YAHOO als Spam erkannt
| * 1.5 KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
| * 3.0 LOCAL_CHARSET_SUBJECT Contains charsets we don't accept
| * 0.7 SARE_SUB_ENC_KOI8R Subject specifies display in non-English lang
| * 1.9 TVD_RCVD_IP TVD_RCVD_IP
| * 3.2 TVD_RCVD_IP4 TVD_RCVD_IP4
| * 3.0 RCVD_IN_XBL RBL: Transportiert via Rechner in XBL-Liste
| * (http://www.spamhaus.org/xbl/)
| * [84.16.105.146 listed in zen.spamhaus.org]
| * 2.0 RCVD_IN_BRBL RBL: Received via a relay in Barracuda BRBL
| * [84.16.105.146 listed in bb.barracudacentral.org]
| * 3.0 BOTNET Relay might be a spambot or virusbot
| * [botnet0.8,ip=84.16.105.146,rdns=84.16.105.146,baddns,client,ipinhostname]
| * 3.2 CHARSET_FARAWAY_HEADER Fremdsprachlicher Zeichensatz in Kopfzeilen
| * benutzt
| * 1.0 BAYES_60 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 60-80%
| * [score: 0.6228]
| * 3.2 CHARSET_FARAWAY BODY: Zeichensatz deutet auf fremde Sprache hin
| * 3.0 VERYBADRELAY very bad Relay
| * 2.5 MIME_CHARSET_FARAWAY MIME-Zeichensatz deutet auf fremde Sprache hin
| * 1.0 SAGREY Adds 1.0 to spam from first-time senders
`----

My user_prefs:
<ftp://hot-potato.homelinux.org/config/Desktop/home/spamassassin/user_prefs>


Gruß
Stefan

I get 17 points on that one. And looked the ip up manually on xbl and it is
there because its on cbl:

http://cbl.abuseat.org/lookup.cgi?ip=84.16.105.146

pts rule name description
---- ----------------------
--------------------------------------------------
3.3 TVD_RCVD_IP4 TVD_RCVD_IP4
1.6 TVD_RCVD_IP TVD_RCVD_IP
3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
3.2 CHARSET_FARAWAY BODY: Character set indicates a foreign language
2.5 MIME_CHARSET_FARAWAY MIME character set indicates foreign language
--
Michael Scheidell, CTO
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________