Most of my samples don't have a boundary, just plain text.

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline



-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?


I strongly suggest not doing this exact test.  Scott's is more refined, 
however it's still not refined enough to not have false positives.

This spammer is better caught by his boundary, for example:

     Content-type: multipart/alternative; 
boundary="_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"

You need to target the "_NextPart_" along with a long string of letters 
and numbers (and without underscores in between).  For instance, you 
would search the headers for the following:

     boundary="_NextPart_[A-Za-z0-9]{20,}_"

The bad news is that this particular spammer has changed their pattern 
twice in the last two months after being fixed for over a year, so this 
detection will likely be short-lived as the spammer is figuring out how 
to randomize.  This spammer accounts for about 7% of all E-mail that 
makes it to my deep scanning layer.  Sniffer seems to miss a good deal 
of their spam, so there isn't much protection from it otherwise.

Matt



On 7/20/2010 11:42 AM, Dave Beckstrom wrote:
> Thanks.   David's regex worked well.  I'll give the fine tuning a try.
>
> Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
> ns4.domainsite.com.
>
>
>
>    
>> I might fine tune it a bit.
>> I've only seen length 37 and 38 characters after the tld
>> It is only lower case hex codes so you can exclude (g-z)
>> I've seen lots of .info and a few .nets as additional tld.
>> Very active spammer here
>>
>> (?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)
>>
>> -----Original Message-----
>> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
>> Beckstrom
>> Sent: Tuesday, July 20, 2010 8:00 AM
>> To: declude.junkmail@declude.com
>> Subject: [Declude.JunkMail] Regex to block this?
>>
>>
>> I'm getting hit by one spammer who manages to get through most of my
>> filters.  His spam consistently uses the format of:
>>
>> <a href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5"
>> <img src="http://gcc128.blinksroads.com/images/157286c08.jpg"....
>>
>> How would I write a regex that would look for .com/ followed by a string of
>> garbage with no .htm or other web extension on the end?
>>
>> ---
>> [This E-mail scanned for viruses by Declude]
>>
>>
>>
>> ---
>> This E-mail came from the Declude.JunkMail mailing list.  To
>> unsubscribe, just send an E-mail to imail...@declude.com, and
>> type "unsubscribe Declude.JunkMail".  The archives can be found
>> at http://www.mail-archive.com.


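The two detection ideas discussed in this thread (Matt's "_NextPart_" boundary test and David's hex-hash href test) worked through as an added example in Python, not as Declude filter syntax and not code from anyone on the list. The boundary value and the gcc128.blinksroads.com link are the ones quoted above; the Outlook-style boundary, the addresses and the message bodies are constructed sample data. The example also shows the two failure modes raised in the thread: a legitimate Outlook boundary (underscores and a dot inside) must not match, and a plain-text sample with no boundary and no HTML is invisible to both rules.

```python
import re
from email import message_from_string
from email.message import Message

# Rule 1, Matt's suggestion: the spammer's boundary is "_NextPart_", a run of 20 or
# more letters/digits with no underscore in between, then a closing underscore.
# Anchored so that Outlook's "----=_NextPart_000_0012_..." cannot match.
BOUNDARY_RE = re.compile(r"^_NextPart_[A-Za-z0-9]{20,}_$")

# Rule 2, David's href rule, tightened: a link whose path is a bare 37-38 character
# lowercase hex string directly after a .com/.info/.net host, closed by the quote.
# Only the attribute name and TLD are case-insensitive; the hash stays lowercase.
HREF_RE = re.compile(
    r'(?i:href)="https?://[^"\s]+\.(?i:com|info|net)/[a-f0-9]{37,38}"'
)


def suspicious_boundary(msg: Message) -> bool:
    """True when the top-level Content-Type boundary matches the spammer's pattern."""
    boundary = msg.get_param("boundary")
    return isinstance(boundary, str) and BOUNDARY_RE.match(boundary) is not None


def hex_hash_link(msg: Message) -> bool:
    """True when any text part contains a hex-hash href (only HTML bodies can hit this)."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            if HREF_RE.search(payload.decode("latin-1", "replace")):
                return True
    return False


def classify(raw_message: str) -> list:
    """Return the names of the rules a raw RFC 822 message triggers, in a fixed order."""
    msg = message_from_string(raw_message)
    hits = []
    if suspicious_boundary(msg):
        hits.append("suspicious-boundary")
    if hex_hash_link(msg):
        hits.append("hex-hash-link")
    return hits


# --- constructed samples -------------------------------------------------------
SPAM_BOUNDARY = "_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"  # from the thread
SPAM_SAMPLE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: hello\n"
    f'Content-Type: multipart/alternative; boundary="{SPAM_BOUNDARY}"\n'
    "\n"
    f"--{SPAM_BOUNDARY}\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    '<a href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">'
    '<img src="http://gcc128.blinksroads.com/images/157286c08.jpg"></a>\n'
    f"--{SPAM_BOUNDARY}--\n"
)

# Outlook-style boundary (constructed): contains underscores and a dot, so rule 1 must not fire.
LEGIT_BOUNDARY = "----=_NextPart_000_0012_01CB2A9E.5E6F7A80"
LEGIT_SAMPLE = (
    "From: colleague@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: Q2 report\n"
    f'Content-Type: multipart/alternative; boundary="{LEGIT_BOUNDARY}"\n'
    "\n"
    f"--{LEGIT_BOUNDARY}\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Report is at https://www.example.com/reports/q2.htm\n"
    f"--{LEGIT_BOUNDARY}\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    '<a href="https://www.example.com/reports/q2.htm">Q2 report</a>\n'
    f"--{LEGIT_BOUNDARY}--\n"
)

# Plain-text sample (constructed), like the ones the first post mentions: no boundary,
# no href= attribute, so neither rule can see it even though the same URL is present.
PLAIN_SAMPLE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "See http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5\n"
)

if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(f"{name:5s} -> {classify(sample)}")
```

Running it prints the rule hits per sample; the plain-text case coming back empty is the point of the first line of this post, and the short-lived nature of the boundary rule is the reason the classification is kept in data (the two compiled patterns) rather than spread through the code.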