John D. Hardin wrote:
On Tue, 19 Dec 2006, John Rudd wrote:
John D. Hardin wrote:
http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
I'm seeing a few of these today too. In fact, at home, I've had
maybe 5 spam messages slip through my defenses today. That's a
HUGE increase for me ... I usually average 1 message every week.
Is it worth it to add some rules to score for screwed-up spams like
this? (other headers embedded in the Subject: header)
There already appears to be a "very long header" rule (HEAD_LONG).
How about rules for:
1) 2 or so points for "more than 3 :'s in any header" -> /(?:.*:){3,}/
2) 3 or so points for mime header text inside of other headers, such as:
From: "Content-Transfer-Encoding: 7bit "@h677477.serverkompetenz.net
To:
Content-Transfer-Encoding:7bit.Content-Type:text/plain.Subject:hey.bcc:
3) a small score (0.5?) for "body contains a line that looks like a
misplaced bcc line" -> /^bcc: /i
4) a small score (0.2?) for "body contains many email addresses in a
row, esp. with no spacing between them".
5) a small score (0.5?) for "a text/plain message that contains
/^Content-type: / in the body"
6) a small score (0.5?) if the sender address contains "web" or "www".
7) increase the value of "TO_CC_NONE" (0.1 to 1.0?), "TO_EMPTY" (0.1 to
1.0?), and "HEAD_LONG" (2.5 to 3.0?)
Do those seem reasonable? (and if someone writes them up, let me know ... )
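
Added example, not part of the original thread and not SpamAssassin's own rules: a Python sketch that applies ideas 1 through 6 to one constructed message built from the From:/To: values quoted above and to one constructed ordinary message. The rule names, the restriction to From/To/Cc/Subject, the case-insensitive match for idea 5 and the three-address threshold for idea 4 are assumptions; the scores are the ones suggested in the post.

```python
import re
from email import message_from_string

# Constructed samples: SPAM reuses the From:/To: values quoted in the post.
SPAM = (
    'From: "Content-Transfer-Encoding: 7bit "@h677477.serverkompetenz.net\n'
    'To: Content-Transfer-Encoding:7bit.Content-Type:text/plain.Subject:hey.bcc:\n'
    'Subject: hey\nContent-Type: text/plain\n\n'
    'bcc: a@example.com,b@example.com,c@example.com\n'
    'Content-Type: text/plain\nhello\n'
)
BENIGN = ('From: Alice <alice@example.com>\nTo: bob@example.com\n'
          'Subject: Re: meeting at 10:30\nContent-Type: text/plain\n\n'
          'See you then.\n')

# Assumption: only these headers are checked; Received/Date carry timestamps.
CHECKED = ("From", "To", "Cc", "Subject")
MIME_NAME = re.compile(r"(?:content-[a-z-]+|mime-version)\s*:", re.I)
# Assumption: "many addresses in a row" = 3 or more, split by at most , or ;
ADDR_RUN = re.compile(r"(?:[\w.+-]+@[\w-]+(?:\.[\w-]+)+[,;]?){3,}")

def score(raw):
    """Return (total, sorted rule names) for one raw message string."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = {}  # hypothetical rule name -> score suggested in the post
    for name in CHECKED:
        for value in msg.get_all(name, []):
            if value.count(":") >= 3:            # idea 1: /(?:.*:){3,}/
                hits["HDR_MANY_COLONS"] = 2.0
            if MIME_NAME.search(value):          # idea 2: MIME header text
                hits["HDR_MIME_EMBEDDED"] = 3.0
    if re.search(r"^bcc: ", body, re.I | re.M):  # idea 3: /^bcc: /i
        hits["BODY_BCC_LINE"] = 0.5
    if ADDR_RUN.search(body):                    # idea 4: run of addresses
        hits["BODY_ADDR_RUN"] = 0.2
    if msg.get_content_type() == "text/plain" and re.search(
            r"^Content-type: ", body, re.I | re.M):  # idea 5 (case-insensitive)
        hits["BODY_CTYPE_LINE"] = 0.5
    if re.search(r"web|www", msg.get("From", ""), re.I):  # idea 6
        hits["FROM_WEB"] = 0.5
    return round(sum(hits.values()), 2), sorted(hits)

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("benign", BENIGN)):
        print(label, *score(raw))
```

As written, the colon count in idea 1 also fires on a Subject with three or more colons, such as a long "Re: Fwd:" chain ending in a time, so it is worth running any such rule against a ham corpus before assigning it 2 points.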