Matthew Cline just mooed:
> First a few rules to match non-spam:
>
> body SIGNATURE_DELIM /^-- $/
> describe SIGNATURE_DELIM Standard signature delimiter present
>
> While there would be no effort in faking this, it might take a while for some of the
> spammers to catch on.
>
> uri HTTPS_URL /https:\/\//
> describe HTTPS_URL Spammers don't often use HTTPS
>
> Has anyone seen spam that uses an HTTPS URI?

Doh. Sorry, sent it to you without CC:'ing sa-talk, in case others were curious.

Yes - I have 107 unique https URIs in my corpus (in other words, not too many), advertising 34 different servers. The most popular:

59: www.paypal.com + 2 secure.paypal.com, +3 secure.paypal.x.com + 2 www=2Epaypal=2Ecom encoded
40: www.clickrewards.com
30: www.fitnessfirstusa.com
20: www.secureserver.net
16: www.ahahealth.com
14: www.videoprofessor.com

And a few rules that match some recent spam I've received, and hit a decent chunk of things in my corpus. Applying the FRIEND_AT_PUBLIC rule to Received headers catches a decent chunk of mail. There's some crossover with the FRIEND_AT_PUBLIC test, since some of the spam will put a "for <[EMAIL PROTECTED]>", so some messages may get slapped twice by this one, but it does catch a lot of spam that wouldn't otherwise match it.

header BOGUS_RECV_HOST Received =~ /\b(yourwebsite|yourdomain|you|your|public)\.(com|net|org)/
describe BOGUS_RECV_HOST Received from a clearly bogus host

Zero false positives in my personal Mail directory, YMMV.

Low-hanging fruit, though it's out of date these days, catch the snowwhite virus since it's there:

header SNOWWHITE_VIRUS Subject =~ /Snowwhite.*REAL story/
describe SNOWWHITE_VIRUS The snow white virus
score SNOWWHITE_VIRUS 10

Merchant accounts are popular to advertise. This is in spam phrases, but since that's not enabled in 2.11, I have a separate rule to catch it:

body MERCHANT_ACCOUNT /\bmerchant (account|services?)/i
describe MERCHANT_ACCOUNT Spammers like merchant accounts

Spammers' MUAs are still stupid sometimes:

header BAD_MESSAGEID MessageID =~ /[a-z]/
describe BAD_MESSAGEID Failed to type message-ID right

-Dave

--
work: [EMAIL PROTECTED] me: [EMAIL PROTECTED]
MIT Laboratory for Computer Science http://www.angio.net/
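
Added example, not part of the original thread and not SpamAssassin's own code: a small Python harness that counts how often four of the rules above fire on a spam set versus a ham set, the kind of check behind the "zero false positives" and "107 unique https URIs" figures. The sample messages are constructed, and applying body rules line by line is a simplifying assumption about how SpamAssassin matches.

```python
import re
from email import message_from_string

# Regexes transcribed from the thread; the dot before the TLD in
# BOGUS_RECV_HOST is escaped so it only matches a literal '.'.
RULES = {
    "SIGNATURE_DELIM": ("body", None, re.compile(r"^-- $")),
    "HTTPS_URL": ("uri", None, re.compile(r"https://")),
    "BOGUS_RECV_HOST": ("header", "Received", re.compile(
        r"\b(yourwebsite|yourdomain|you|your|public)\.(com|net|org)")),
    "MERCHANT_ACCOUNT": ("body", None,
                         re.compile(r"\bmerchant (account|services?)", re.I)),
}
URI_RE = re.compile(r"\bhttps?://[^\s<>\"]+")  # assumption: crude URI extractor

# Constructed sample messages (not from any real corpus).
SPAM = ["Received: from mail.yourdomain.com (unknown [192.0.2.10]) by mx.example.org\n"
        "Subject: Accept credit cards\n\n"
        "Get a Merchant Account today!\nhttp://offers.example.net/apply\n"]
HAM = ["Received: from lists.example.org by mx.example.org\n"
       "Subject: Re: rules\n\n"
       "See https://lists.example.org/archive for the thread.\n-- \nAlice\n"]

def hits(raw):
    """Return the set of rule names that fire on one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    targets = {"header": None, "uri": URI_RE.findall(body),
               "body": body.splitlines()}
    fired = set()
    for name, (kind, header, rx) in RULES.items():
        texts = msg.get_all(header, []) if kind == "header" else targets[kind]
        if any(rx.search(t) for t in texts):
            fired.add(name)
    return fired

def tally(corpus):
    """Count, per rule, how many messages in the corpus it fires on."""
    counts = {name: 0 for name in RULES}
    for raw in corpus:
        for name in hits(raw):
            counts[name] += 1
    return counts

if __name__ == "__main__":
    print("spam:", tally(SPAM))
    print("ham: ", tally(HAM))
```

A rule meant to catch spam that shows a non-zero count in the ham tally is a false-positive candidate; a non-spam rule such as HTTPS_URL that shows hits in the spam tally is one spammers already defeat.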