Quick update. I found a few false positives (about 1 in 50,000 messages) and as a result I modified things a little and added a few more checks for supposedly rather unique patterns. Unless there is a problem I probably won't update it any more, but I felt that it was a good idea to share the update to prevent the possibility of problems. The new version is attached.
Matt
Matt wrote:
Attached is something that I coded up last night for this guy. It's designed to be not totally dependent on one pattern so that it might have some longevity. His forging of a Microsoft format is quite good, but he does make mistakes and does leave patterns, some of which can be tagged with a standard Declude filter, but VBScript could do it even better and even less specifically. Nevertheless, this filter hits 100% of the time right now, levies very heavy points despite being variable, and I haven't seen a false positive yet due to the way that it was designed to operate. Note, the scores are based on a system that holds at a score of 10.
Matt
--- Global.cfg ---
FORGEDPILLSPAMMER filter C:\IMail\Declude\Filters\ForgedPillSpammer.txt x 5 0
--
--- ForgedPillSpammer.txt ---
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
# FORGEDPILLSPAMMER v1.0.1

SKIPIFWEIGHT 40
MINWEIGHTTOFAIL 5

# Disable when it comes from an IP that is in the MX record just for safety since this targets zombies.
TESTSFAILED END NOTCONTAINS IPNOTINMX

# Prerequisites for spam pattern. Note that the spammer is near perfect for the headers.
HEADERS END NOTCONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
HEADERS END NOTCONTAINS To: "
HEADERS END NOTCONTAINS From: "
BODY END NOTCONTAINS <!DOCTYPE
BODY END NOTCONTAINS This is a multi-part message in MIME format.

# X-Unsent header is not something that you see in E-mail after it leaves Outlook.
HEADERS 1 CONTAINS X-Unsent: 1

# Microsoft should insert a double line break before the end of the text and the start of the boundary.
BODY 1 CONTAINS . ------=_NextPart_
BODY 2 CONTAINS day. ------=_NextPart_

# Start of boundary is always the same recently.
BODY 3 CONTAINS NextPart_000_0008_01C53DE2.
BODY 3 CONTAINS NextPart_000_0008_01C54072

# Original Message within a tag.
BODY 1 CONTAINS > <DIV style=3D"FONT: 10pt arial">----- Original Message -----

# Dead giveaway for Pharmacy spam (non-obfuscated part).
BODY 3 CONTAINS yByMail
BODY 3 CONTAINS By-Mail
BODY 3 CONTAINS ByMAlL
BODY 1 CONTAINS By MAIL S

# This line is too long for Outlook in quoted-printable format.
BODY 3 CONTAINS <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii"> <META content

# Uses tables for obfuscation.
BODY 3 CONTAINS <TD><FONT face=3DArial size=3D4></FONT></TD> <TD rowSpan=3D2><FONT face=3DArial size=3D4>

# Subject is always Re:.
HEADERS 1 CONTAINS Subject: Re:

# Body does text/html as us-ascii.
BODY 1 CONTAINS Content-Type: text/html; charset="us-ascii"

# Quoted-printable line ended too early in body
BODY 3 CONTAINS > <DIV><FONT face=3DArial>Hello, = Would

# Text or code patterns uncommon in Outlook generated E-mails
BODY 1 CONTAINS save up to
BODY 1 CONTAINS on the Net!
BODY 1 CONTAINS size=3D4> C</FONT></TD>
BODY 1 CONTAINS and many
BODY 1 CONTAINS <BLOCKQUOTE dir=3Dltr=20 style=3D"PADDING-RIGHT:
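Added example, not code from Matt's post or from Declude: a small Python emulator of the filter-file semantics the post relies on (END lines as prerequisites that stop the filter, numeric weights that accumulate, MINWEIGHTTOFAIL as the failure threshold), run over a constructed subset of the rules and two constructed messages. It assumes case-insensitive substring matching and treats HEADERS/BODY/TESTSFAILED as plain text sections; it shows why a legitimate Outlook message can trip the weak tells without reaching the threshold.

```python
import re

# Constructed subset of the FORGEDPILLSPAMMER rules from the post (not the full file).
FILTER_TEXT = """
MINWEIGHTTOFAIL 5
# Prerequisites: the forgery mimics Outlook headers, so stop if they are absent.
HEADERS END NOTCONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
HEADERS END NOTCONTAINS To: "
HEADERS 1 CONTAINS X-Unsent: 1
HEADERS 1 CONTAINS Subject: Re:
BODY 3 CONTAINS ByMAlL
BODY 1 CONTAINS save up to
BODY 1 CONTAINS Content-Type: text/html; charset="us-ascii"
"""

RULE = re.compile(r"^(HEADERS|BODY|TESTSFAILED)\s+(\d+|END)\s+(CONTAINS|NOTCONTAINS)\s+(.*)$")

def parse_filter(text):
    """Return (min_weight_to_fail, [(section, weight, op, pattern), ...])."""
    min_fail, rules = 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("MINWEIGHTTOFAIL"):
            min_fail = int(line.split()[1])
        elif m := RULE.match(line):
            rules.append(m.groups())
    return min_fail, rules

def score(filter_text, sections):
    """Evaluate rules top to bottom. A matching END line stops the filter with
    whatever weight has accumulated (the prerequisite short-circuit); numeric
    weights add up. Matching is assumed case-insensitive (an assumption)."""
    min_fail, rules = parse_filter(filter_text)
    weight = 0
    for section, w, op, pattern in rules:
        hit = pattern.lower() in sections.get(section, "").lower()
        if op == "NOTCONTAINS":
            hit = not hit
        if not hit:
            continue
        if w == "END":
            break
        weight += int(w)
    return weight, weight >= min_fail

# Constructed samples: one carrying the forgery tells, one ordinary Outlook-style reply.
FORGED = {
    "HEADERS": 'X-MimeOLE: Produced By Microsoft MimeOLE V6.00\nTo: "bob" <bob@example.invalid>\n'
               "X-Unsent: 1\nSubject: Re: hello",
    "BODY": 'Content-Type: text/html; charset="us-ascii"\nOrder ByMAlL and save up to 80%',
}
LEGIT = {
    "HEADERS": 'X-MimeOLE: Produced By Microsoft MimeOLE V6.00\nTo: "bob" <bob@example.invalid>\nSubject: Re: lunch',
    "BODY": 'Content-Type: text/html; charset="us-ascii"\nSee you at noon.',
}
```

`score(FILTER_TEXT, FORGED)` returns a weight of 7 (failed), `score(FILTER_TEXT, LEGIT)` returns 2 (two weak tells, below the threshold), and a message without the X-MimeOLE prerequisite scores 0 because the first END line stops the filter.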