On Thu, 2003-06-12 at 17:08, Mike Scheidler wrote:
> "Yorkshire" == Yorkshire Dave <[EMAIL PROTECTED]> writes:
>
>     Yorkshire> > >> # Long-gone user listed in the To: or Cc: line
>     Yorkshire> > >> header ANCIENT_RCPT ToCc =~ /(joeuser1|joeuser2|joeuser3)/i
>     Yorkshire> > >> describe ANCIENT_RCPT LOCAL: Long-departed user ID in addressee list
>     Yorkshire> > >> score ANCIENT_RCPT 4.0
>     Yorkshire>
>     Yorkshire> I hope you'll bounce them for a few months first to give the
>     Yorkshire> mailing lists a chance..
>
> These people have been gone for about 5 years. I think that's long enough
> to wait. :-)
>
>     Yorkshire> if you want something site specific AND effective, try
>     Yorkshire> searching the bodies for mycompany.com ROT13'd or backwards
>     Yorkshire> like moc.ynapmocym
>
> I just checked, and you're right. I see a lot of ROT13 hits. There
> seems to be a built-in BODY rule already checking for this, though:
>
> * 2.9 -- BODY: Message seems to contain obscured email address (rot13)
> body OBSCURED_EMAIL /^\w+\^\S+\(\w{2,3}\b/m

Not quite as precise as searching for the string itself.

> I'm seeing some occurrences of it in the headers, too, though I don't see
> any mention of any header rule hits. As for the reversed domain name, I
> found none in 3 months' worth of spam.

Backwards, usually in capitals, in an HTML comment, near the end of a lot of porn spam.

>     Yorkshire> I have a few more if anybody really wants them :)
>
> Perhaps...

Thanks for the follow-up. I've been studying spammers using ROT13 and other tricks for a few weeks.

Other snippets that may work for you; at least they work for me. Most of these I obtained from my own spam, some by grepping the SpamAssassin corpus, others from NANAS.

Strange places to find email addresses:

</body>[EMAIL PROTECTED]</html>

I think this is a broken ratware sign, failed to encrypt the email address? Needs more investigating, but so far it hasn't FP'd.

[EMAIL PROTECTED]/EM%
userXymycompany.com and user^^mycompany.com

Matches some spammers' unsubscribe links and web bugs. No FPs so far, but I guess it's possible; try feeding your email address through this one and see what it matches.

More porn spam: it's used in Q CITE= and A NAME= in the same way as HTML comments are used to obfuscate HTML. It also appears in unsubscribe links and web bugs.

y/[EMAIL PROTECTED]/[EMAIL PROTECTED]/;

Looking for your own domain name or the recipient's username (I do that from procmail before SpamAssassin) in an HTML comment can be good too, as long as your users aren't likely to be sending things like
<!-- this section by [EMAIL PROTECTED] --> to each other.

Finally, the one whose code I haven't cracked yet. X-Mime-Flavour: seems to contain the same code as the MIME boundaries and the web bug in a small number of spam.
Content-Type: multipart/alternative; boundary="(40 mixed case letters)="
X-Mime-Flavour: (same 40 letters)=
<img src="(a pornsite)/i.php?id=(same letters)=">

I'd love to be able to decode this one, but that's just my nature. It's working now in my rules like this (the rule name must be the same on all three lines for the score to apply):

header MIME_FLAVOUR exists:X-Mime-Flavour
describe MIME_FLAVOUR X-Mime-Flavour but still tastes of spam
score MIME_FLAVOUR 1.2

Are any of those any use to you?

--
Yorkshire Dave
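The site-specific check the thread keeps coming back to (the local domain ROT13'd or spelled backwards, plus the plain domain hidden in an HTML comment), as an added example in Python that is not part of the original post or of SpamAssassin. The domain mycompany.com, the LOCAL_* rule names, the score and the two sample messages are constructed; the generated rules use rawbody rather than body on the assumption that you want the match to see HTML comments and URLs, which the rendered body rules strip.

```python
import codecs
import re

# Constructed local domain; a real site would substitute its own.
LOCAL_DOMAIN = "mycompany.com"


def obscured_forms(domain):
    """The two obfuscated spellings discussed in the thread: the letters
    ROT13'd (ROT13 leaves digits and punctuation alone) and the whole
    string written backwards."""
    return {
        "ROT13": codecs.encode(domain, "rot13"),
        "REVERSED": domain[::-1],
    }


def spamassassin_rules(domain, score=2.0):
    """Build site-specific SpamAssassin rules for the obscured forms.
    Rule names are assumptions, not stock SpamAssassin rules.  rawbody is
    used instead of body so the match also sees HTML comments and hrefs,
    where the thread says the reversed form tends to hide."""
    lines = []
    for kind, form in obscured_forms(domain).items():
        name = "LOCAL_%s_DOMAIN" % kind
        lines.append("rawbody %s /%s/i" % (name, re.escape(form)))
        lines.append("describe %s LOCAL: %s spelled %s in raw body"
                     % (name, domain, kind.lower()))
        lines.append("score %s %.1f" % (name, score))
    return "\n".join(lines)


HTML_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def scan_message(raw_message, domain=LOCAL_DOMAIN):
    """Report which of the thread's obfuscation tricks a raw message
    (headers and body) contains.  Matching is case-insensitive because
    the reversed form usually shows up in capitals."""
    hits = []
    for kind, form in obscured_forms(domain).items():
        if re.search(re.escape(form), raw_message, re.IGNORECASE):
            hits.append(kind)
    # Third trick from the thread: the plain domain inside an HTML comment.
    for comment in HTML_COMMENT_RE.findall(raw_message):
        if domain.lower() in comment.lower():
            hits.append("HTML_COMMENT")
            break
    return hits


# Constructed samples, not real mail.
SAMPLE_SPAM = """Subject: look at this
Content-Type: text/html

<html><body>
<a href="http://example.invalid/u.php?e=ZLPBZCNAL.PBZ">remove me</a>
<!-- MOC.YNAPMOCYM -->
</body></html>
"""

SAMPLE_HAM = """Subject: draft page
Content-Type: text/html

<html><body>
<!-- this section by bob@mycompany.com -->
<p>Comments welcome.</p>
</body></html>
"""

if __name__ == "__main__":
    print(spamassassin_rules(LOCAL_DOMAIN))
    print("spam:", scan_message(SAMPLE_SPAM))  # ['ROT13', 'REVERSED']
    print("ham: ", scan_message(SAMPLE_HAM))   # ['HTML_COMMENT']
```

The second sample is the false-positive case the post warns about: a user's own HTML comment carrying a colleague's address trips the comment check while the ROT13 and reversed checks stay quiet, which is why the comment check is better kept as a low-scoring or procmail-side test rather than a hard reject.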