Cybertime Hostmaster wrote:
>>Is anyone blocking on the occurrence of one or more ^ in a Subject: header?
>>If so, what are your experiences? Most of the spam that is getting through
>>here contains at least one and I don't typically see valid mail with
>>one--although I'm sure they are common on the Exponential Math mailing
>>list ;-)
>
> Lately I have seen a lot of "junk characters" in spam subject lines. The
> use of the [EMAIL PROTECTED]&*()`'<>,./?;:'"~ is what I mean by that.
>
> It seems to be an attempt by spammers to bypass filters based off of pure
> subject matching.
>
> My question, in reply to yours, is do you think it would be good to aim
> for ^, or do you think it would be better to aim for the whole lot?
Of the ones I've seen, the ^ stands out as being the one most likely to be
used in a valid email. Of the list you note above, probably the backtick is
another likely candidate--the others are too common in valid email.
>
> Obviously there needs to be a limit where 4 or 5 of these characters would
> not trigger the REJECT. Then, the mail that goes over the limit would be
> slammed.
>
> This would, unfortunately, require the use of match all between the blocks
> tested.
>
> So I think the regexp involved would be something along the lines of this:
>
> /^Subject:.*[^[:alnum:]].*[^[:alnum:]].*[^[:alnum:]].*[^[:alnum:]].*[^[:alnum:]].*[^[:alnum:]]/
>
> Anyone see anything majorly wrong with that?
No, but only because I don't understand it ;-)
> If not, it would be worth it
> to test with a "WARN subject_junk ${1}" to see what it hits, and adjust as
> needed.
Good idea. I think I'll start w/something simple to test:
/^Subject:(.*(\^|~))/ WARN subject_junk ${1}
--
Chris Scott
Host Orlando, Inc
http://www.hostorlando.com/
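
Added example (not part of the original message, and not code from either poster): a Python dry run of the "WARN first and see what it hits" idea discussed above, comparing the simple ^/~ test with a count-based limit of 5. The sample subjects, class names and the whitespace-ignoring variant are assumptions constructed for illustration.

```python
import re

# Candidate definitions of a "junk" character in a Subject: value.
CLASSES = {
    "caret_tilde": re.compile(r"[\^~]"),            # the reply's simple test
    "non_alnum": re.compile(r"[^A-Za-z0-9]"),        # the quoted proposal
    "non_alnum_nospace": re.compile(r"[^A-Za-z0-9\s]"),  # assumption: ignore spaces
}

# Constructed sample subjects as (subject, is_spam); not taken from real mail.
SAMPLES = [
    ("Re: [mail-admins] header filter question", False),
    ("Invoice #4471 - due 03/15 (2nd notice)", False),
    ("Lunch tomorrow?", False),
    ("x^2 + y^2 = z^2 proof", False),
    ("L^o^w r@tes!!! ~~ re*fin*ance ~~", True),
    ("Ch^eap m~eds", True),
    ("Hot stock tip", True),
]

def junk_count(subject, cls):
    """Number of characters in subject that the named class calls junk."""
    return len(CLASSES[cls].findall(subject))

def dry_run(cls, limit, samples=SAMPLES):
    """Emulate a WARN-only rule that fires above `limit` junk characters.

    Returns (caught_spam, false_positives, missed_spam) as lists of subjects.
    """
    caught, false_pos, missed = [], [], []
    for subject, is_spam in samples:
        hit = junk_count(subject, cls) > limit
        if hit and is_spam:
            caught.append(subject)
        elif hit:
            false_pos.append(subject)
        elif is_spam:
            missed.append(subject)
    return caught, false_pos, missed

if __name__ == "__main__":
    for cls, limit in (("caret_tilde", 0), ("non_alnum", 5), ("non_alnum_nospace", 5)):
        caught, false_pos, missed = dry_run(cls, limit)
        print(f"{cls} (limit {limit}): caught={len(caught)} "
              f"false_pos={len(false_pos)} missed={len(missed)}")
        for subject in false_pos:
            print(f"  would WARN on legitimate mail: {subject!r}")
```

On this constructed sample, counting every non-alphanumeric character flags ordinary subjects, because spaces and common punctuation count toward the limit.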