mickalo

Well-Known Member
Apr 16, 2002
782
5
318
N.W. Iowa
Hello,

We have been working on cutting down our spam this past week, and thanks to all the great info provided on this forum, have reduced it greatly.

I recall a thread regarding this new spam coming through, with the subject:
SomeNameHere wrote: , IE: Debra Wrote: which seems to still be getting through. But I can't seem to find the thread that addressed this issue.

If someone knows how to catch this type of spam, I would appreciate a rule or filter to catch these types.

TIA,
Mickalo
 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
Add a rule to local.cf if you are using spamassassin:
Code:
header    WROTESPAM     Subject =~ /^wrote\:/i
score     WROTESPAM     9.000
Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. Hope that helps!
 

mickalo

> Add a rule to local.cf if you are using spamassassin:
> Code:
> header    WROTESPAM     Subject =~ /^wrote\:/i
> score     WROTESPAM     9.000
> Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. hope that helps!

thx's webtiva, we'll add this and see what happens, much appreciated.

Where can one get these "stock rulesets" from? We already implemented the image rules, which seem to be working great .... so far!!

Mickalo
 

mickalo

> We use 70_sare_stocks from http://www.rulesemporium.com/rules.htm
>
> If you implement Rules Du Jour it will make your life much easier! Highly recommended.

again, much appreciated :)

I tried to get that "Rules Du Jour" auto setup, but the link to it that was posted earlier on this forum seems to be a dead link or incorrect. Do you happen to have the correct link for this setup?

Thx's
Mickalo
 

mctDarren

A decent auto installer is located here, or you can check out their how to page here.

I also highly recommend Chirpy's MailScanner setup here, which includes it. For $35 they install MailScanner with ClamAV; they set up SA, Vipul's Razor and DCC; plus they install a WHM front end for you and your hosting customers. WELL worth the cost!
 

mickalo

> A decent auto installer is located here, or you can check out their how to page here.
>
> I also highly recommend Chirpy's MailScanner setup here, which includes it. For $35 they install Mailscanner with clamAV; they set up SA, Vipul's Razor and DCC; plus they install a WHM front end for you and your hosting customers. WELL worth the cost!

Much appreciate all the info, you've been a big help :)

I've been strongly considering having Chirpy do his setup w/MailScanner package on our server, but I'm just a bit concerned about the load that I've read a lot about that this MailScanner can put on the server.

We only run about 45 domains on our server, with approx. 3-4000 emails daily and about 100 POP accounts. We do run 1GB mem., and average about 30-40% CPU usage daily, which I think the server should be able to handle. Gonna think about it a bit more tho.

Again, appreciate your info,
Mickalo

P.S. To anyone that may use the autoinstaller: they must edit two configuration settings, 1) location of spamassassin folder and 2) path to restart spam.
This is for the cPanel install.
 

secretreal

Member
Nov 20, 2006
5
0
151
> Add a rule to local.cf if you are using spamassassin:
> Code:
> header    WROTESPAM     Subject =~ /^wrote\:/i
> score     WROTESPAM     9.000
> Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. hope that helps!

It doesn't have any effect :S

I use MailScanner; should I do a different thing?
 

Sash

Well-Known Member
Feb 18, 2003
252
0
166
Messages that contain "Name wrote:" are still getting by. Any advice?

I added the code to /etc/mail/spamassassin/local.cf

Thanks,
Mike
 

Adrnalnrsh

Well-Known Member
Apr 6, 2005
74
0
156
AZ
Not working for me either, using Chirpy's MailScanner installation.
 

intonet

Registered
Nov 22, 2006
1
0
151
I'm trying to capture these damned "xxx wrote:" e-mails as well.

I've added a rule to the global local.cf file, which as you can see from the following header extract it is picking up. What it's not doing though is marking it as SPAM. I've set the score to 6.0 in the rule...

X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
xeon.intonet-technology.co.uk
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_00,LOCAL_WROTE_RULE
autolearn=no version=3.1.7

Any ideas folks?

- Tim
 

cbwass

Well-Known Member
Mar 29, 2002
149
0
316
You can stop them getting through using /etc/antivirus.exim.

Find:

if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

#Then right under it put:

if $header_subject: contains "wrote"
then
seen finish
endif

It should look like this.

if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

if $header_subject: contains "wrote"
then
seen finish
endif
 

asmithjr

Well-Known Member
Jun 13, 2003
516
8
168
Great!

Remember to make sure your WHM->System Configuration->Exim Configurator Editor has the /etc/antivirus.exim selected (Use the Default)
 

mctDarren

We need to figure out why that rule isn't hitting your spam. When you look at the headers, what is the SA score on those that are getting through? If you see that it's not hitting for some reason, something is wrong with the setup. If you see it is hitting, then you might have a higher spam score requirement than what we are assigning in that rule. Sometimes I will write several rules, just to make sure that legit mail can still sneak past.

It's probably because of my custom setup, however, that mine are getting blocked. I have an extensively trained Bayesian database, plus I raise some rule scores as well - giving that little extra push for these annoying messages. Right now the "(name) wrote:" spam is hitting these rules for our servers:

3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.86 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
4.50 NAMEWROTE
1.00 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
2.40 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
1.00 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

So the only "wrote:" spam rule I have is this:
Code:
## (NAME) WROTE:
header  NAMEWROTE       Subject =~ /.*wrote\:/i
score   NAMEWROTE       4.500
You could also add another like so:
Code:
## (NAME) WROTE2:
header  NAMEWROTE2       Subject =~ /.*wrote/i
score   NAMEWROTE2       2.200
This way if the "wrote:" (with the colon) is there, it hits both and ups the score. If someone puts in their legit mail subject "I wrote to you yesterday!" it will only hit the smaller score and lessen the chance for a false positive. But for those that it is not hitting, check your High Spam Score on those email accounts that these are slipping past. If you have a high spam score of 12 needed, and the spam is hitting a score of 9 only, they will come through. Use the tools you have (Bayesian database, DCC, Razor, etc.) to get your system to the point that these will be blocked. Hope this helps...
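
Added example, not from any poster in this thread: a Python model of the three Subject rules and the Exim filter test posted above, run against constructed subjects. It shows that the `^`-anchored rule cannot fire on "Name wrote:", how the two-tier scores add up against the required score, and which legitimate subjects the Exim substring test would also catch. Function names and sample subjects are assumptions made here; Python's `re` stands in for SpamAssassin's Perl regex matching.

```python
import re

# Subject rules exactly as posted in the thread: name -> (pattern, score).
RULES = {
    "WROTESPAM":  (r"^wrote\:",  9.0),  # first suggestion, anchored at start of Subject
    "NAMEWROTE":  (r".*wrote\:", 4.5),  # later rule, requires the colon
    "NAMEWROTE2": (r".*wrote",   2.2),  # companion rule, colon optional
}

def rule_hits(subject, names):
    """Names of the rules that fire; re.search mirrors an unanchored =~ with /i."""
    return [n for n in names if re.search(RULES[n][0], subject, re.I)]

def total_score(subject, names, other_tests=0.0):
    """Score from the listed rules plus what other tests (Bayes, Razor, ...) added."""
    return round(other_tests + sum(RULES[n][1] for n in rule_hits(subject, names)), 2)

def is_tagged(subject, names, required=5.0, other_tests=0.0):
    """A message is tagged as spam only when the total reaches the required score."""
    return total_score(subject, names, other_tests) >= required

def exim_filter_discards(subject):
    """The antivirus.exim test from the thread, modelled as a caseless
    substring match (lower-case 'contains' ignores letter case)."""
    return "wrote" in subject.lower()

# Constructed sample subjects; the third is the legitimate example from the thread.
SAMPLES = ["Debra wrote:", "Re: Debra wrote:",
           "I wrote to you yesterday!", "Invoice for March"]

if __name__ == "__main__":
    two_tier = ["NAMEWROTE", "NAMEWROTE2"]
    for s in SAMPLES:
        print(f"{s!r:30} anchored={rule_hits(s, ['WROTESPAM'])} "
              f"two_tier={total_score(s, two_tier)} "
              f"tagged@5={is_tagged(s, two_tier)} "
              f"tagged@12={is_tagged(s, two_tier, required=12.0)} "
              f"exim_discard={exim_filter_discards(s)}")
```

On a real server, `spamassassin --lint` checks that an edited local.cf still parses before the rules are relied on.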