On Sat, 29 Jul 2006, Loren Wilton wrote:

> >> > From: Rory [mailto:[EMAIL PROTECTED]
> >> > From: Barbra [mailto:[EMAIL PROTECTED]
> 
> Something like
> 
> header FROMFROM    =~ /[A-Z]\w+ \[mailto\: \w+\.\w+\@/
>
> There is a way to be more specific, but it costs considerably
> more.

Namely:

   header   FROM_REPEAT  From =~ /\b(\w{1,20})\.\1\@/

Incorrect results returned quickly are useless.

Adding a test for a single-word unquoted display name would reduce the
cost as the RE engine wouldn't get to the expensive backreference
unless there was a single-word unquoted display name:

   header   FROM_REPEAT  From =~ /^\w{1,20}\s<(\w{1,20})\.\1\@/

> I'd try this first.

It won't work. [A-Z] without the case-insensitive flag won't match the
samples provided. You should also have a beginning-of-line anchor to
ensure it only hits on single-word display names. And the samples
don't have a space after the colon.

Also (and primarily), the "[mailto:...]" cruft is likely a
Winders-MUA-specific display-only mangle coded by somebody who is only
familiar with HTML and who should have stuck to browser programming.
If that's actually IN the raw From: message header then it makes an
excellent spam sign by itself as it is a URI format, NOT a valid email
mail address format per RFC-2822.

   describe FROM_URI   Browser Hammer syndrome
   header   FROM_URI   From =~ /\[mailto:/i
   score    FROM_URI   5000

(...is my hatred of that too obvious?)

The loose version would be:

   header   FROM_REPEAT   From =~ /^\w{1,20}\s<\w{1,20}\.\w{1,20}\@/

...but don't score it too high (above, say, 0.5) because it would hit
on possibly legitimate senders like:

  From: BillG <[EMAIL PROTECTED]>

  From: ChairMaster <[EMAIL PROTECTED]>

(whew. My blood sugar is low this morning, I'm cranky...)

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like "Oh my God, this
  place is teeming with utter morons" to incorrect conclusions like
  "there's nothing of value here".        -- Al Petrofsky, in Y! SCOX
-----------------------------------------------------------------------
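
Added example, not part of the original message: the rule patterns from this reply, run through Python's re module against constructed From: header values, to show which rule hits on which display-name form. The names and example.com addresses are made up, the `_BACKREF`/`_ANCHORED`/`_LOOSE` suffixes are labels added here to tell the three FROM_REPEAT variants apart, and the patterns are assumed to be applied to the header value without the "From:" prefix.

```python
import re

# Patterns copied from the message. re.ASCII keeps \w to [A-Za-z0-9_].
RULES = {
    # \b(\w{1,20})\.\1\@  : the same word on both sides of the dot
    "FROM_REPEAT_BACKREF": re.compile(r"\b(\w{1,20})\.\1\@", re.ASCII),
    # Same, but only after a single-word unquoted display name
    "FROM_REPEAT_ANCHORED": re.compile(r"^\w{1,20}\s<(\w{1,20})\.\1\@", re.ASCII),
    # Loose version: any word.word@ after a single-word display name
    "FROM_REPEAT_LOOSE": re.compile(r"^\w{1,20}\s<\w{1,20}\.\w{1,20}\@", re.ASCII),
    # URI-style "[mailto:" inside the From header, case-insensitive
    "FROM_URI": re.compile(r"\[mailto:", re.ASCII | re.IGNORECASE),
}

# Constructed sample header values (not taken from real mail).
SAMPLES = [
    "Rory <smith.smith@example.com>",         # single word, repeated local part
    "BillG <bill.gates@example.com>",         # single word, ordinary address
    "Rory [mailto:smith.smith@example.com]",  # mailto: form in the header
    "Jane Doe <doe.doe@example.com>",         # two-word unquoted display name
    '"Jane Doe" <jane.doe@example.com>',      # quoted name, ordinary address
]


def hits(from_value):
    """Return the names of the rules whose pattern matches this From value."""
    return [name for name, rx in RULES.items() if rx.search(from_value)]


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:45} -> {', '.join(hits(value)) or 'no hit'}")
```

The loose rule is the only one that fires on the ordinary `bill.gates` address, and the anchored rule misses the repeated local part once the display name has two words.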
