On Wed, 1 Jul 2015, Alex wrote:
> I've been receiving a handful of spam claiming to be from whatsapp,
> and I can't figure out how to block it.
>
> http://pastebin.com/8E66QRkn
> http://pastebin.com/KrTgKGh1
>
> What does a legitimate whatsapp email look like? I've searched their
> site, and their DNS entry doesn't even have an MX record, let alone
> any indication of SPF, etc.
>
> Bayes is obviously a problem, but my bayes db generally performs well.
> I'm sure the domains in the body would be listed now, and probably the
> source addresses too.
>
> Ideas greatly appreciated.

It looks like they are doing Unicode obfuscation of text in the body:
WhatsApp W=C3=A8b You h=C3=A4ve a new message D=C3=A8tails:
Not sure if the Unicode replace stuff will catch it, but you might try
this:
body FUZZY_DETAILS /<D>(?!etails)<E><T><A><I><L><S>/i
replace_rules FUZZY_DETAILS
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We should endeavour to teach our children to be gun-proof
rather than trying to design our guns to be child-proof
-----------------------------------------------------------------------
3 days until the 239th anniversary of the Declaration of Independence
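
The obfuscation pointed out in the reply above can also be checked outside SpamAssassin. This is an added example, not part of the original thread: it decodes the quoted-printable body, folds accented letters to their base letters, and reports words that only match a watched word after folding. The `WATCHED` list, the function names and the `CLEAN` sample are assumptions made for illustration.

```python
import quopri
import re
import unicodedata

# Assumed watch list: plain English words that never need accents.
WATCHED = {"web", "have", "details", "message"}


def fold(word: str) -> str:
    """Strip combining marks, so an accented 'e' folds to plain 'e'."""
    decomposed = unicodedata.normalize("NFKD", word)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def obfuscated_words(raw_qp: bytes, charset: str = "utf-8") -> list[str]:
    """Return words that contain non-ASCII characters yet fold to a
    watched word. Pure-ASCII spellings are skipped, which plays the
    same role as the (?!etails) lookahead in the fuzzy rule."""
    text = quopri.decodestring(raw_qp).decode(charset, errors="replace")
    hits = []
    for word in re.findall(r"\w+", text):
        if word.isascii():
            continue  # normal spelling, not obfuscated
        if fold(word).lower() in WATCHED:
            hits.append(word)
    return hits


# Body line quoted in the reply above (still quoted-printable encoded).
SAMPLE = b"WhatsApp W=C3=A8b You h=C3=A4ve a new message D=C3=A8tails:"
# Constructed legitimate text: an accented word that is not on the list.
CLEAN = b"Caf=C3=A9 details are on the web"

if __name__ == "__main__":
    print(obfuscated_words(SAMPLE))
    print(obfuscated_words(CLEAN))
```

Folding with NFKD only handles letters that decompose into a base letter plus a combining mark; look-alike characters from other scripts need an explicit mapping table.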