Bart Schaefer wrote:
The largest number of spam messages currently getting through SA at my
site are short text-only spams with subject "Re: good " followed by an
obfuscated drug name (so badly mangled as to be unrecognizable in many
cases).  The body contains a gappy-text list of several other kinds of
equally unreadable pharmaceuticals, a single URL which changes daily
if not more often, and then several random words and a short excerpt
from a novel.

They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone
aren't scored high enough to classify as spam, and I'm reluctant to
crank them up just for this.  However, the number of spams getting
through SA has tripled in the last four days or so, from around 14 for
every thousand trapped, to around 40.

I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far
they aren't having any useful effect.  Other suggestions?

The ReplaceTags plugin can be very useful for creating rules to match these. Let's say you get a message with text that looks like:

S b P u A z M

where the lower-case letters vary.  A traditional rule might look like:

/S [a-z] P [a-z] A [a-z] M/

Which is really not too bad. However, ReplaceTags allows you to create shorthand. Something like:

replace_tag WS ( [a-z] )

And your rule becomes:

/S<WS>P<WS>A<WS>M/

For this to work, you'll also need to add your rule name to a replace_rules line. Using parentheses in your regex will create wasted captures so you'll probably want to use a different method to mark off the whitespace. You also might want to add a negative lookahead although in this case you probably wouldn't need it.

For more on ReplaceTags: http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_ReplaceTags.html

-Stuart
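As an added example (not code from this thread or from the ReplaceTags plugin itself), here is a small Python model of the tag expansion Stuart describes: it substitutes the WS tag into the rule, shows the wasted-capture problem a parenthesised tag creates next to a non-capturing alternative, and runs the expanded rule over constructed sample lines. The rule name LOCAL_OBFU_PHARMA and the sample lines are assumptions.

```python
import re

# Constructed, simplified model of how SpamAssassin's ReplaceTags plugin
# expands <TAG> tokens inside a rule regex. Illustrative only, not the
# plugin's own implementation.

# Tag definitions, as replace_tag lines would declare them. The second
# form wraps the body in a non-capturing group so expanding it three
# times into one rule does not allocate three wasted captures.
REPLACE_TAGS_CAPTURING = {"WS": r"( [a-z] )"}       # as written in the post
REPLACE_TAGS_NONCAPTURING = {"WS": r"(?: [a-z] )"}  # (?: ... ) instead

# Hypothetical rule; replace_rules would have to list it so the plugin
# rewrites the <WS> tokens before the regex is compiled.
RULES = {"LOCAL_OBFU_PHARMA": r"S<WS>P<WS>A<WS>M"}

TAG_TOKEN = re.compile(r"<([A-Za-z0-9_]+)>")


def expand_tags(rule_regex, tags):
    """Replace every <TAG> in the rule with that tag's regex body."""
    def substitute(match):
        name = match.group(1)
        if name not in tags:
            raise KeyError(f"undefined replace_tag: {name}")
        return tags[name]
    return TAG_TOKEN.sub(substitute, rule_regex)


def capture_group_count(regex):
    """Number of capturing groups the expanded regex allocates."""
    return re.compile(regex).groups


def rule_hits(rule_name, tags, body_lines):
    """Return the sample lines that the expanded rule matches."""
    pattern = re.compile(expand_tags(RULES[rule_name], tags))
    return [line for line in body_lines if pattern.search(line)]


# Constructed sample lines: one obfuscated drug name of the kind described
# in the thread, plus two legitimate lines that must not hit.
SAMPLE_BODY = [
    "Subject: Re: good S b P u A z M",
    "SPAM filtering is working today",
    "Meeting moved to 3 PM",
]

if __name__ == "__main__":
    rule = RULES["LOCAL_OBFU_PHARMA"]
    print("expanded rule:", expand_tags(rule, REPLACE_TAGS_NONCAPTURING))
    print("wasted captures with ( ... ):",
          capture_group_count(expand_tags(rule, REPLACE_TAGS_CAPTURING)))
    print("hits:", rule_hits("LOCAL_OBFU_PHARMA", REPLACE_TAGS_NONCAPTURING, SAMPLE_BODY))
```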
