on Fri, Oct 15, 2004 at 11:45:57AM -0400, Steven Champeon wrote:
on Fri, Oct 15, 2004 at 05:24:27PM +0200, Alex Broens wrote:
Do we see any FPs in those?
medica.de= large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
If I might recommend a strategy for cleaning up FPs in mass submissions?
There's a well-known ratware package that forges the HELO and sender domain from among a huge list of ccTLDs. e.g.:
Received: from cibo.be (DWM-21-63.go.retevision.es [81.60.63.21])
    by serrano.hesketh.net (8.12.11/8.12.8) with SMTP id i55DcmW1015907
    for <snip>; Sat, 5 Jun 2004 09:39:12 -0400
Message-ID: ed6201c44b8d$4e62a4a2$9181555a@cibo.be
From: "Ian Monroe" monroezh@cilme.it
cibo.be, cilme.it are innocent victims, but it's likely that if you see a bare ccTLD domain in the HELO and a ccTLD in the From: header, and the message has a Message-ID header of the HELO domain, and it was sent via a likely spam zombie, it's spam. (YMMV)
It's also worth mentioning that the sender address is related to the name given in the quoted portion of the From: header, a la:
"Ian Monroe" monroezh@cilme.it
 First Last  lastzz
There's a set of ~60 of these rules, which is now part of SpamAssassin:
http://spamassassin.apache.org/full/3.0.x/dist/rules/20_ratware.cf
They use the simpler set; I've since defined more:
# check for ccTLDs in both mail_from and HELO
KEL_FirstMLastZZccTLDs regex -aMATCH -f (at|au|be|ca|ch|de|dk|es|gr|hu|it|jp|kr|lv|md|mx|nl|no|nu|pt|ro|ru|ua|uk|us|za)$

# last_
# e.g. "First M. Last" last_zz@example.com
# e.g. "First Last" last_zz@example.com
KEL_FirstMLastZZ01 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\2_[a-z]{2}@

# last
# e.g. "First M. Last" lastzz@example.com
# e.g. "First Last" lastzz@example.com
KEL_FirstMLastZZ02 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\2[a-z]{2}@

# flast_
# e.g. "First M. Last" flast_zz@example.com
# e.g. "First Last" flast_zz@example.com
KEL_FirstMLastZZ03 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2_[a-z]{2}@

# flast
# e.g. "First M. Last" flastzz@example.com
# e.g. "First Last" flastzz@example.com
KEL_FirstMLastZZ04 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2[a-z]{2}@

# f.last_
# e.g. "First M. Last" f.last_zz@example.com
# e.g. "First Last" f.last_zz@example.com
KEL_FirstMLastZZ05 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2_[a-z]{2}@

# f.last
# e.g. "First M. Last" f.lastzz@example.com
# e.g. "First Last" f.lastzz@example.com
KEL_FirstMLastZZ06 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2[a-z]{2}@

# f.mlast_
# e.g. "First M. Last" f.mlast_zz@example.com
KEL_FirstMLastZZ07 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z][a-z]\2_[a-z]{2}@

# f.mlast
# e.g. "First M. Last" f.mlastzz@example.com
KEL_FirstMLastZZ08 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z][a-z]\2[a-z]{2}@

# f.m.last_
# e.g. "First M. Last" f.m.last_zz@example.com
KEL_FirstMLastZZ09 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z].[a-z]\2_[a-z]{2}@

# f.m.last
# e.g. "First M. Last" f.m.lastzz@example.com
KEL_FirstMLastZZ10 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z].[a-z]\2[a-z]{2}@

# f.m_last_
# e.g. "First M. Last" f.m_last_zz@example.com
KEL_FirstMLastZZ11 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]_[a-z]\2_[a-z]{2}@

# f.m_last
# e.g. "First M. Last" f.m_lastzz@example.com
KEL_FirstMLastZZ12 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]_[a-z]\2[a-z]{2}@

# f_last_
# e.g. "First M. Last" f_last_zz@example.com
# e.g. "First Last" f_last_zz@example.com
KEL_FirstMLastZZ13 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2_[a-z]{2}@

# f_last
# e.g. "First M. Last" f_lastzz@example.com
# e.g. "First Last" f_lastzz@example.com
KEL_FirstMLastZZ14 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2[a-z]{2}@

# f_mlast_
# e.g. "First M. Last" f_mlast_zz@example.com
KEL_FirstMLastZZ15 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z][a-z]\2_[a-z]{2}@

# f_mlast
# e.g. "First M. Last" f_mlastzz@example.com
KEL_FirstMLastZZ16 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z][a-z]\2[a-z]{2}@

# f_m.last_
# e.g. "First M. Last" f_m.last_zz@example.com
KEL_FirstMLastZZ17 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z].[a-z]\2_[a-z]{2}@

# f_m.last
# e.g. "First M. Last" f_m.lastzz@example.com
KEL_FirstMLastZZ18 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z].[a-z]\2[a-z]{2}@

# f_m_last_
# e.g. "First M. Last" f_m_last_zz@example.com
KEL_FirstMLastZZ19 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]_[a-z]\2_[a-z]{2}@

# f_m_last
# e.g. "First M. Last" f_m_lastzz@example.com
KEL_FirstMLastZZ20 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]_[a-z]\2[a-z]{2}@

# firstlast_
# e.g. "First M. Last" firstlast_zz@example.com
# e.g. "First Last" firstlast_zz@example.com
KEL_FirstMLastZZ21 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]\2_[a-z]{2}@

# firstlast
# e.g. "First M. Last" firstlastzz@example.com
# e.g. "First Last" firstlastzz@example.com
KEL_FirstMLastZZ22 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]\2[a-z]{2}@

# first.last_
# e.g. "First M. Last" first.last_zz@example.com
# e.g. "First Last" first.last_zz@example.com
KEL_FirstMLastZZ23 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]\2_[a-z]{2}@

# first.last
# e.g. "First M. Last" first.lastzz@example.com
# e.g. "First Last" first.lastzz@example.com
KEL_FirstMLastZZ24 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]\2[a-z]{2}@

# first.mlast_
# e.g. "First M. Last" first.mlast_zz@example.com
KEL_FirstMLastZZ25 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z][a-z]\2_[a-z]{2}@

# first.mlast
# e.g. "First M. Last" first.mlastzz@example.com
KEL_FirstMLastZZ26 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z][a-z]\2[a-z]{2}@

# first.m.last_
# e.g. "First M. Last" first.m.last_zz@example.com
KEL_FirstMLastZZ27 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z].[a-z]\2_[a-z]{2}@

# first.m.last
# e.g. "First M. Last" first.m.lastzz@example.com
KEL_FirstMLastZZ28 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z].[a-z]\2[a-z]{2}@

# first.m_last_
# e.g. "First M. Last" first.m_last_zz@example.com
KEL_FirstMLastZZ29 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]_[a-z]\2_[a-z]{2}@

# first.m_last
# e.g. "First M. Last" first.m_lastzz@example.com
KEL_FirstMLastZZ30 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1.[a-z]_[a-z]\2[a-z]{2}@

# first_last_
# e.g. "First M. Last" first_last_zz@example.com
# e.g. "First Last" first_last_zz@example.com
KEL_FirstMLastZZ31 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]\2_[a-z]{2}@

# first_last
# e.g. "First M. Last" first_lastzz@example.com
# e.g. "First Last" first_lastzz@example.com
KEL_FirstMLastZZ32 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]\2[a-z]{2}@

# first_mlast_
# e.g. "First M. Last" first_mlast_zz@example.com
KEL_FirstMLastZZ33 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z][a-z]\2_[a-z]{2}@

# first_mlast
# e.g. "First M. Last" first_mlastzz@example.com
KEL_FirstMLastZZ34 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z][a-z]\2[a-z]{2}@

# first_m.last_
# e.g. "First M. Last" first_m.last_zz@example.com
KEL_FirstMLastZZ35 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z].[a-z]\2_[a-z]{2}@

# first_m.last
# e.g. "First M. Last" first_m.lastzz@example.com
KEL_FirstMLastZZ36 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z].[a-z]\2[a-z]{2}@

# first_m_last_
# e.g. "First M. Last" first_m_last_zz@example.com
KEL_FirstMLastZZ37 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]_[a-z]\2_[a-z]{2}@

# first_m_last
# e.g. "First M. Last" first_m_lastzz@example.com
KEL_FirstMLastZZ38 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1_[a-z]_[a-z]\2[a-z]{2}@

# firstmlast_
# e.g. "First M. Last" firstmlast_zz@example.com
KEL_FirstMLastZZ39 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z][a-z]\2_[a-z]{2}@

# firstmlast
# e.g. "First M. Last" firstmlastzz@example.com
KEL_FirstMLastZZ40 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z][a-z]\2[a-z]{2}@

# firstm.last_
# e.g. "First M. Last" firstm.last_zz@example.com
KEL_FirstMLastZZ41 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z].[a-z]\2_[a-z]{2}@

# firstm.last
# e.g. "First M. Last" firstm.lastzz@example.com
KEL_FirstMLastZZ42 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z].[a-z]\2[a-z]{2}@

# firstm_last_
# e.g. "First M. Last" firstm_last_zz@example.com
KEL_FirstMLastZZ43 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]_[a-z]\2_[a-z]{2}@

# firstm_last
# e.g. "First M. Last" firstm_lastzz@example.com
KEL_FirstMLastZZ44 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]\1[a-z]_[a-z]\2[a-z]{2}@

# fmlast_
# e.g. "First M. Last" fmlast_zz@example.com
KEL_FirstMLastZZ45 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z][a-z]\2_[a-z]{2}@

# fmlast
# e.g. "First M. Last" fmlastzz@example.com
KEL_FirstMLastZZ46 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z][a-z]\2[a-z]{2}@

# fm.last_
# e.g. "First M. Last" fm.last_zz@example.com
KEL_FirstMLastZZ47 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z].[a-z]\2_[a-z]{2}@

# fm.last
# e.g. "First M. Last" fm.lastzz@example.com
KEL_FirstMLastZZ48 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z].[a-z]\2[a-z]{2}@

# fm_last_
# e.g. "First M. Last" fm_last_zz@example.com
KEL_FirstMLastZZ49 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]_[a-z]\2_[a-z]{2}@

# fm_last
# e.g. "First M. Last" fm_lastzz@example.com
KEL_FirstMLastZZ50 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]_[a-z]\2[a-z]{2}@

# mlast_
# e.g. "First M. Last" mlast_zz@example.com
KEL_FirstMLastZZ51 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2_[a-z]{2}@

# mlast
# e.g. "First M. Last" mlastzz@example.com
KEL_FirstMLastZZ52 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z][a-z]\2[a-z]{2}@

# m.last_
# e.g. "First M. Last" m.last_zz@example.com
KEL_FirstMLastZZ53 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2_[a-z]{2}@

# m.last
# e.g. "First M. Last" m.lastzz@example.com
KEL_FirstMLastZZ54 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z].[a-z]\2[a-z]{2}@

# m_last_
# e.g. "First M. Last" m_last_zz@example.com
KEL_FirstMLastZZ55 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2_[a-z]{2}@

# m_last
# e.g. "First M. Last" m_lastzz@example.com
KEL_FirstMLastZZ56 regex -f -a_SPAMSIGN_ "[A-Z]([a-z]+)\ [A-Z]*.*\ *[A-Z]([a-z-]+[A-Z]*[a-z]*)"\ <[a-z]_[a-z]\2[a-z]{2}@
These are sendmail 'maps', hence the stilted syntax.
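
Added example, not part of the original message or of the author's rule set: a Python sketch of the header checks described above, folding the 56 per-layout maps into one generalized local-part pattern. The function names are hypothetical, and the "likely spam zombie" condition (relay reputation) is not modelled.

```python
import re

# ccTLD list copied from the KEL_FirstMLastZZccTLDs rule in the post.
CC = "at|au|be|ca|ch|de|dk|es|gr|hu|it|jp|kr|lv|md|mx|nl|no|nu|pt|ro|ru|ua|uk|us|za"
CC_SUFFIX = re.compile(r"\.(?:%s)$" % CC, re.I)
BARE_CC = re.compile(r"^[a-z0-9-]+\.(?:%s)$" % CC, re.I)  # e.g. cibo.be
# "First Last" or "First M. Last", then the address with or without <>.
FROM_RE = re.compile(
    r'"([A-Z][a-z]+) (?:[A-Z]\.? )?([A-Z][A-Za-z-]+)"\s*<?([^@\s<>]+)@([^>\s]+)')


def local_from_name(first, last, local):
    """True if local is [first|f][sep][m][sep]last[_]zz, sep being . or _."""
    first, last = first.lower(), last.lower()
    pat = r"(?:%s|%s)?[._]?(?:[a-z][._]?)?%s_?[a-z]{2}" % (
        re.escape(first), first[0], re.escape(last))
    return re.fullmatch(pat, local.lower()) is not None


def ratware_signals(helo, from_header, message_id):
    """Evaluate the header-only conditions from the post; returns a dict."""
    m = FROM_RE.search(from_header)
    first, last, local, domain = m.groups() if m else ("", "", "", "")
    msgid_domain = message_id.strip("<> ").rpartition("@")[2]
    return {
        "helo_bare_cctld": bool(BARE_CC.match(helo)),
        "from_cctld": bool(CC_SUFFIX.search(domain)),
        "msgid_domain_is_helo": msgid_domain.lower() == helo.lower(),
        "local_from_name": bool(m) and local_from_name(first, last, local),
    }


def is_candidate(helo, from_header, message_id):
    """All signals must agree; any single one also hits innocent senders."""
    return all(ratware_signals(helo, from_header, message_id).values())


# Header values from the sample quoted in the post.
SPAM = ("cibo.be", '"Ian Monroe" monroezh@cilme.it',
        "ed6201c44b8d$4e62a4a2$9181555a@cibo.be")
# Constructed legitimate message from a ccTLD sender.
HAM = ("mail.example.de", '"Ian Monroe" <ian.monroe@example.de>',
       "<20041015.1234@mail.example.de>")

if __name__ == "__main__":
    print(is_candidate(*SPAM), ratware_signals(*SPAM))
    print(is_candidate(*HAM), ratware_signals(*HAM))
```

Requiring every signal together is what keeps genuine ccTLD senders such as medica.de out of the result; the local-part pattern alone would also match a real address like "monroejr".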