On 09/10/2014 08:48 AM, Joolee wrote:
Sounds like a case of
http://www.gossamer-threads.com/lists/spamassassin/users/187586
You might be able to find the rule mentioned here:
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
RAND_HEADER_MANY
On 10 September 2014 07:38, Bob Proulx <b...@proulx.com> wrote:
I am helping a friend who is getting hit with a lot of spam. He is
running SpamAssassin. While looking at the spam that he is receiving
I am seeing a pattern in the headers. Along with the normal headers
the messages also contain a random set of "random" headers. Here are
just the pattern headers from the message.
Spam 1:
Martian-Scurf: d4b0a3f064bc16518af081b52350787f9442861
Gonad-Marfa: 9442861.d4b0a3f064bc16518af081b52350787f.9442861
Diamant-Hop: d4b0a3f064bc16518af081b52350787f22464616.9442861d4b0a3f064bc16518af
Mutiny-Tardo: 22464616-22464616
Odinist-Gawsy: d4b0a3f064bc16518af081b52350787f-22464616
Pennant-Agape: 9442861-22464616
Spam 2:
Mispage-Slav: 16035617
Irra-Etna: 9493147
Brigand-Parry: 1603561716035617
Peatier-Fthm: d4b0a3f064bc16518af081b52350787f
Spam 3:
Penang-Titan: d4b0a3f064bc16518af081b52350787f12517557
Imbrue-Gaol: 12517557.12517557
Tousle-Zany: d4b0a3f064bc16518af081b52350787f
Callie-Scale: 19474509.19474509
Spam 4:
Felda-Elayl: 1-15546426
Bluma-Spoom: 15546426-14093545455-9801
Prs-Cathy: 14093545-ag84js-dk3k32
Quest-Argue: 0.a4-052.15546426
You get the idea. I have 187 spams from a recent burst like this.
Here is a more complete header example. I am intentionally not showing
my buddy's address, so I redacted the To: line, but all of the other
headers are there.
http://pastebin.com/0jmiDBt1
And here is a full sample. Notice how the header data is repeated in
the message body.
http://pastebin.com/0Ga7g0UX
Looking at the headers by eye and flipping from message to message it
is pretty easy to visually see the pattern that is created.
Is there a way to use this to create a SpamAssassin rule to try to
catch this type of spam?
Thanks,
Bob
P.S. Note that if I run these through my Bayes, my database almost
always scores them quite high. But on his, not so much. Improving
his Bayes training will help. But the pattern seems ripe too.
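
The header pattern described in the message above, expressed as a detection heuristic. This is an added example, not part of the thread and not the RAND_HEADER_MANY rule it points to; the function names, thresholds and allow-list are assumptions, and the From/Subject lines in the samples are constructed (the filler headers are Spam 2 as quoted above).

```python
import re
from email import message_from_string

NAME_RE = re.compile(r"^[A-Z][a-z]+-[A-Z][a-z]+$")               # e.g. Martian-Scurf
VALUE_RE = re.compile(r"^(?=.*\d)[0-9a-z]+(?:[.-][0-9a-z]+)*$")  # id-like, has a digit
STANDARD = {"mime-version", "content-length"}  # assumed allow-list, extend per site

def random_headers(raw):
    """Return (name, value) pairs that look like the filler headers."""
    hits = []
    for name, value in message_from_string(raw).items():
        value = re.sub(r"\r?\n[ \t]+", "", value).strip()  # unfold wrapped values
        if name.lower() in STANDARD:
            continue
        if NAME_RE.match(name) and VALUE_RE.match(value):
            hits.append((name, value))
    return hits

def reused(hits, min_len=6):
    """Count headers that share an id-like token with another header."""
    marked = set()
    for i, (_, vi) in enumerate(hits):
        tokens = [t for t in re.split(r"[.-]", vi) if len(t) >= min_len]
        for j, (_, vj) in enumerate(hits):
            if i != j and any(t in vj for t in tokens):
                marked.update((i, j))
    return len(marked)

def looks_like_burst(raw, min_headers=3, min_reused=2):
    """Flag a message with several filler headers that repeat each other's ids."""
    hits = random_headers(raw)
    return len(hits) >= min_headers and reused(hits) >= min_reused

SPAM_2 = ("From: sender@example.com\nSubject: constructed\n"
          "Mispage-Slav: 16035617\nIrra-Etna: 9493147\n"
          "Brigand-Parry: 1603561716035617\n"
          "Peatier-Fthm: d4b0a3f064bc16518af081b52350787f\n\nbody\n")
HAM = ("Return-Path: <a@example.org>\nMessage-ID: <20140910.1@example.org>\n"
       "MIME-Version: 1.0\nContent-Type: text/plain\nSubject: lunch\n\nhi\n")

if __name__ == "__main__":
    for label, msg in (("spam 2", SPAM_2), ("ham", HAM)):
        print(label, random_headers(msg), looks_like_burst(msg))
```

The reuse check is what separates these messages from mail that merely carries a few unusual numeric headers: the same id turns up in more than one filler header.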