Re: [Declude.JunkMail] regex help needed
On 1/13/2012 10:39 AM, Scott Fisher wrote:

> One Hotmail spammer peddling Chinese drugs is consistently getting through. There just isn’t enough wrong with the emails to get it stopped.
>
> One oddity is the formatting of the subject line over multiple lines:
>
> Subject: [Possible SPAM] MMannyIniidvidualsTakeAnntdierpessantsFor6MotnhsToAYearOrMoore.ThhenTheyGetRidOofDerpsesion. she thought, when she first saw Mr. B. at the masquerade, that he was

We're digging into this one a bit right now -- Could you zip up a bunch of samples and send them to me please? We have several structural and content vectors to explore and I'm looking for exploitable commonalities.

Thanks,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

RE: [Declude.JunkMail] regex help needed
All of my samples have been sent to madscientist@

From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Friday, January 13, 2012 10:10 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regex help needed

On 1/13/2012 10:39 AM, Scott Fisher wrote:

> One Hotmail spammer peddling Chinese drugs is consistently getting through. There just isn’t enough wrong with the emails to get it stopped.
>
> One oddity is the formatting of the subject line over multiple lines:
>
> Subject: [Possible SPAM] MMannyIniidvidualsTakeAnntdierpessantsFor6MotnhsToAYearOrMoore.ThhenTheyGetRidOofDerpsesion. she thought, when she first saw Mr. B. at the masquerade, that he was

We're digging into this one a bit right now -- Could you zip up a bunch of samples and send them to me please? We have several structural and content vectors to explore and I'm looking for exploitable commonalities.

Thanks,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010

Re: [Declude.JunkMail] regex help needed
On 1/13/2012 11:24 AM, Scott Fisher wrote:

> All of my samples have been sent to madscientist@

Sorry, I don't have them. If they were not zipped then it is likely the message got stripped out by existing rules. If they were zipped perhaps they are just slow getting here - I'll keep an eye out.

Thanks,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010

RE: [Declude.JunkMail] regex help needed
Apparently I’m catching them on the way out with clamav. Resending now

From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Friday, January 13, 2012 10:50 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regex help needed

On 1/13/2012 11:24 AM, Scott Fisher wrote:

> All of my samples have been sent to madscientist@

Sorry, I don't have them. If they were not zipped then it is likely the message got stripped out by existing rules. If they were zipped perhaps they are just slow getting here - I'll keep an eye out.

Thanks,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010

Re: [Declude.JunkMail] regex help needed
On 1/13/2012 12:03 PM, Scott Fisher wrote:

> Resending now

Ok I got it and we identified a few additional vectors to throw at this. SNF should catch more of these now, and the SortMonsters are looking at additional vectors as our supply of samples grows. At least 3 new structural abstracts are in play also.

If you're not already using the truncate BL that might also help add some weight (I see you're using a lot of tests):

http://gbudb.com/truncate/index.jsp

Thanks,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010