-----Original Message-----
From: Mike Fahey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 February 2008 6:16 a.m.
To: users@spamassassin.apache.org
Subject: any rules for this?
Does anyone have any rules for these?
C A 5N A D/1AN P 7 5H A RM A 9CY
V / 7A G R \A - $1.45
C 4/ A L
Here is what I'm trying:
body CAN_PHAR /c[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}a[\W\d]{0,4}d[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}p[\W\d]{0,4}h[\W\d]{0,4}a[\W\d]{0,4}r[\W\d]{0,4}m[\W\d]{0,4}a[\W\d]{0,4}c[\W\d]{0,4}y/i
I believe I have stripped out all non-letters and then search for the
tip-off
On Tue, 2008-02-26 at 13:15 -0800, Paul Douglas Franklin wrote:
Here is what I'm trying:
body CAN_PHAR /c[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}a[\W\d]{0,4}d[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}p[\W\d]{0,4}h[\W\d]{0,4}a[\W\d]{0,4}r[\W\d]{0,4}m[\W\d]{0,4}a[\W\d]{0,4}c[\W\d]{0,4}y/i
Seems to me
This looks like a new version of the old Leo pill spams. Catching those
obfuscated things gets difficult since the spammers get VERY creative using
HTML formatting to juggle the characters around in non-obvious ways.
About the best method of catching them currently is SURBL, since they almost
The ones I have seen I haven't been able to find a pattern. They tend to
use letters in place of any character.
I'll look over this run and feed it some of the samples. Anyone else have
thoughts?
Paul Douglas Franklin wrote:
Here is what I'm trying:
body CAN_PHAR
Robert Nicholson wrote:
At this time I'm forwarding mail that SA considers spam to my gmail
account. The following bounces with
SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [64.233.185.27]:
552 5.7.0 Illegal Attachment g5si5192165wra
Matt Kettler wrote:
Robert Nicholson wrote:
At this time I'm forwarding mail that SA considers spam to my gmail
account. The following bounces with
SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [64.233.185.27]:
552 5.7.0 Illegal Attachment
Michele Neylon :: Blacknight wrote:
Matt Kettler wrote:
Robert Nicholson wrote:
At this time I'm forwarding mail that SA considers spam to my gmail
account. The following bounces with
SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com
None of the rules indicate that it had any exe or zip attachment
Why would they?
SA is a spam filter, not a virus filter.
You could try MailScanner (http://www.mailscanner.info)
Or this if you already have a procmail infrastructure:
I'm not sure it's actually obfuscated though?? It seems to be a valid URL, I
mean in terms of it existing in DNS as-is, and in terms of it working (click
on it and it takes you to the spammer's site). I actually didn't know you
could use [] characters in a domain name, but I guess you can - this
On Fri, 18 Aug 2006, Jeremy Fairbrass wrote:
It seems to be a valid URL
I actually didn't know you could use [] characters in a domain
name
I dunno what the RFCs say about the usage of such characters in a
sub-domain...
*boggle*
I am going to have to re-read the RFCs as well - I, too,
John D. Hardin wrote:
An obfuscated URL like that should be fairly easy to detect - are
there any rules (e.g. SARE) for these?
Do you need rules for them? It looks like URIBL was able to pick it up
fine.
It picks it up so well, in fact, that the list rejected my first attempt
to reply until
On Thu, 17 Aug 2006, Kelson Vibber wrote:
John D. Hardin wrote:
An obfuscated URL like that should be fairly easy to detect - are
there any rules (e.g. SARE) for these?
Do you need rules for them? It looks like URIBL was able to pick
it up fine.
Yes, but I want enough points to push it
Do you need rules for them? It looks like URIBL was able to pick
it up fine.
Yes, but I want enough points to push it over the automatic-discard
threshold. An extra point or two for that form of obfuscation would
be welcome (to me, at least).
I wrote a rule against those sort of things
On 11/17/2004 12:53 PM, Martin wrote:
| I'm looking to use the RelayCountry plugin data but there
| doesn't seem to be any rules. Anybody know of any?
Here's some rules I use, utilising the nerds.dk lists, not sure if it's
what you are looking for.
That works perfectly, and doesn't even