On 07/06/2006, at 5:54 AM, David B Funk wrote:
On Tue, 6 Jun 2006, qqqq wrote:
I have to wonder if a spammer is testing their Zombies since all I
have received are from
Dialup/broadband customers. Could this be the rain before the
flood of spam/virus?
QQQQ
I'm voting for this explanation. It started here yesterday and they're
very predictable in format and source (all from dialup/broadband
hosts).
I'm seeing about a dozen per hour.
I'm seeing this too there's a detailed discussion going on the
mimedefang list already and from there the rule i'm about to add is:
#KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea
header __KAM_NUMBER1 Subject =~ /^\d+$/i
body __KAM_NUMBER2 /\d{1,6}/
header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 +
MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
describe KAM_NUMBER Silly Number Emails
score KAM_NUMBER 1.0
(thanks to everyone out there so quick off the mark..)
..S.
