Dunno - I just grepped my logs to find the FP.  You will have to get some 
complete examples to test on. Maybe do a COPYTO on any emails that fail your 
regex and then fine tune out the false positives.

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: [email protected] 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm




----------------------------------------

From: "David Barker" <[email protected]>
Sent: Monday, October 18, 2010 12:05 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Good filter?



Does the source have a space or different character after the
end of the string? We could look for a space, or a > or "
 
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))
 
David
 
 

From: [email protected]
[mailto:[email protected]] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] Good filter?

 
Hi David,

I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though

We have been whacking the guy w/sniffer General and dnsbl tests.  I cannot
tell you which ones of the latter as they are not shown in my logs.

-Nick






 


----------------------------------------


From: "David Barker" <[email protected]>
Sent: Monday, October 18, 2010 10:17 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex
will trigger on these
 


From: [email protected]
[mailto:[email protected]] On Behalf Of Dave Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] Good filter?


 
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
 
 


----------------------------------------


From: [email protected]
[mailto:[email protected]] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: [email protected]
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to
be sure we will be talking about the same guy..

Thanks

-Nick






 


----------------------------------------


From: "Dave Beckstrom" <[email protected]>
Sent: Monday, October 18, 2010 9:38 AM
To: [email protected]
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose URI pattern for the
linked spam site is pretty consistent.  They all have a
"/" followed by some kind of home-grown obfuscation
which his server recognizes:


 


 http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 


 


Anyone come up with a clever filter for this?


 


Also, these spammers are using domainsite.com as their registrar
for their spamvertized domains.  Has anyone worked on a solution where the
URI can be checked against the registrar and if it's registered with
domainsite.com then weight can be added or it can be blocked?


 


 


---
[This E-mail was scanned by Declude] 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [email protected], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
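
Added example, not part of the original thread: a small Python harness that runs the regex David posted against message fragments built around the URIs quoted in the thread, so hits and misses can be checked before the filter goes live. It assumes Python's `re` module treats this pattern the same way the Declude regex engine does; the sample fragments and the `evaluate` helper are constructed for illustration.

```python
import re

# Regex exactly as posted in the thread (the revision that requires a
# whitespace, '>' or '"' delimiter after the hex token).
POSTED = re.compile(r'(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))')

# URIs quoted in the thread.
SPAM = "http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343"
BARE = "ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1"
HAM = ("http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/"
       "2010-06/02b120ed17cc24cd3567fd4396424914.gif")

# Constructed message fragments (not taken from real mail) around those URIs.
SAMPLES = {
    "spam_href": f'<a href="{SPAM}">click</a>',   # closed by a double quote
    "spam_plain": f"Visit {SPAM} today",          # followed by a space
    "spam_at_end": f"Visit {SPAM}",               # nothing after the token
    "spam_no_prefix": f"Visit {BARE} today",      # no http:// or www prefix
    "ham_image": f'<img src="{HAM}">',            # the reported false positive
}


def evaluate(pattern=POSTED, samples=SAMPLES):
    """Return {label: bool} telling whether the pattern fires on each sample."""
    return {label: bool(pattern.search(text)) for label, text in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:15} {'HIT' if hit else 'miss'}")
```

The image URL no longer matches because its 32-character hex segment is followed by `/` rather than a delimiter. The two spam misses show what the posted pattern still lets through: a URI that ends the input with no trailing character, and one written without `http://` or `www`.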