Eddy Beliveau wrote:
> Hi!
>
> I'm receiving spams with the following subject line
> Subject: TRAMAD0OL, MER1DllA, \/ALUUM, XANA, L0RAAZEPAM, AMBllEN,
> ALPRAZZ0LAM, \/llGRA, CAALlS, LEVlTRRA
>
> Spamassassin does not give points to this spam.
>
> Any rule to filter this
>
> Thanks,
> Eddy
Re-quoting myself from my 7/5/2005 post under the thread "Re: Subject does not
get scored"
-----------
I know, I got the same spam and it skipped by my filter too, and I wrote most of
the drugs rules...
Yes it should match.. all of the body text rules are run against the subject
line as well, by default.
However, all of the above words are carefully crafted to avoid the DRUGS_*
rules.
Each one of them is obfuscated in a way beyond what the drugs rules currently
expect.
For example: \/llGRA
The DRUGS_ERECTILE rule can recognize the \/ for v, and the l for i, but it
doesn't recognize l as a substitute for a...
Here's two patches you can add to local.cf (or any other file) to at least fix
the erectile drugs... they'll automatically over-ride the default sub-rules from
20_drugs.cf. Be sure to remove line wraps.. each of those should only be one
line long.
body __DRUGS_ERECTILE1
/(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[a4ij1!|l\xCC-\xCF\xEC-\xEF][_\W]{0,[EMAIL
PROTECTED],3}[x
yz]?[gj][_\W]{0,3}rr?[_\W]{0,[EMAIL PROTECTED],3}x?[_\W]{0,3}(?:\b|\s)/i
body __DRUGS_ERECTILE3
/(?:\A|[\s\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])[_\W]{0,3}C[_\W]{0,3}[a4ij1!|l\xCC-\xCF\xEC-\xEF][_\W]{0,3}[ila40\xC0
[EMAIL
PROTECTED],3}l?[l!|1][_\W]{0,3}[ij1!|l\xCC-\xCF\xEC-\xEF][_\W]{0,3}s[_\W]{0,3}(?:\b|\s)/i
-----------
If you run SA 3.0.x you should be able to add those to a .cf file in
/etc/mail/spamassassin. (Note: you should NOT have
/etc/mail/spamassassin/antidrug.cf if you use 3.0.x, it's redundant).
If you run SA 2.6x you can replace those lines of your antidrug.cf.
That at least fixes the erectile variant and makes DRUGS_ERECTILE_OBFU fire.
