On Thu, 2003-06-12 at 17:08, Mike Scheidler wrote:
> "Yorkshire" == Yorkshire Dave <[EMAIL PROTECTED]> writes:
>  Yorkshire> 
>  >> # Long-gone user listed in the To: or Cc: line
>  >> header    ANCIENT_RCPT  ToCc =~ /(joeuser1|joeuser2|joeuser3)/i
>  >> describe  ANCIENT_RCPT  LOCAL: Long-departed user ID in addressee list
>  >> score     ANCIENT_RCPT  4.0
>  Yorkshire> 
>  Yorkshire> I hope you'll bounce them for a few months first to give the
>  Yorkshire> mailing lists a chance..
> 
> These people have been gone for about 5 years.  I think that's long enough
> to wait.  :-)
> 
>  Yorkshire> if you want something site specific AND effective, try
>  Yorkshire> searching the bodies for mycompany.com ROT13'd or backwards
>  Yorkshire> like moc.ynapmocym
> 
> I just checked, and you're right.  I see a lot of ROT13 hits.  There
> seems to be a built-in BODY rule already checking for this, though:
> 
>   *  2.9 -- BODY: Message seems to contain obscured email address (rot13)

> body OBSCURED_EMAIL             /^\w+\^\S+\(\w{2,3}\b/m

Not quite as precise as searching for the string itself.

> I'm seeing some occurrences of it in the headers, too, though I don't see
> any mention of any header rule hits.  As for the reversed domain name, I
> found none in 3 months worth of spam.
> 
Backwards, usually in capitals, in an HTML comment, near the end of a
lot of porn spam.

>  Yorkshire> I have a few more if anybody really wants them :)
> 
> Perhaps...  Thanks for the followup.

I've been studying spammers using ROT13 and other tricks for a few weeks.

Other snippets that may work for you; at least they work for me. Most of
these I obtained from my own spam, some by grepping the SpamAssassin
corpus, others from NANAS.

Strange places to find email addresses:
</body>[EMAIL PROTECTED]</html> 

I think this is a sign of broken ratware, which failed to encrypt the email
address? It needs more investigating, but so far it hasn't FP'd:
[EMAIL PROTECTED]/EM%

userXymycompany.com and
user^^mycompany.com match some spammers' unsubscribe links and web
bugs. No FPs so far, but I guess it's possible.

Try feeding your email address through this one and see what it matches.
More porn spam; it's used in Q CITE= and A NAME= in the same way as HTML
comments are used to obfuscate HTML. It also appears in unsubscribe
links and web bugs.
y/[EMAIL PROTECTED]/[EMAIL PROTECTED]/;

Looking for your own domain name or the recipient's username (I do that
from procmail before SpamAssassin) in an HTML comment can be good too, as
long as your users aren't likely to be sending things like
<!-- this section by [EMAIL PROTECTED] --> to each other.

Finally, the one whose code I haven't cracked yet.
X-Mime-Flavour: seems to contain the same code as the MIME boundaries
and the web bug in a small number of spam.

Content-Type: multipart/alternative; boundary="(40 mixed case letters)="
X-Mime-Flavour: (same 40 letters)=

<img src="(a pornsite)/i.php?id=(same letters)=">

I'd love to be able to decode this one, but that's just my nature; it's
working now in my rules like this:

header   MIME_FLAVOUR exists:X-Mime-Flavour
describe MIME_FLAVOUR X-Mime-Flavour but still tastes of spam
score    MIME_FLAVOUR 1.2

Are any of those any use to you?

--
Yorkshire Dave


-- 
Scanned by MailScanner at wot.no-ip.com
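As an added example (not part of the thread above and not SpamAssassin's own code), here is a small Python scorer that implements the site-specific checks the thread discusses: a long-departed user in To/Cc, the local domain ROT13'd anywhere in the raw body, the local domain reversed inside an HTML comment, the '@' replaced by the stand-ins seen in unsubscribe links (Xy and ^^), and an X-Mime-Flavour header, with an extra hit when its value equals the MIME boundary. The domain mycompany.com, the user list, the LOCAL_* rule names and their scores are placeholders; the two sample messages are constructed for the example, and the scores for ANCIENT_RCPT and MIME_FLAVOUR are the ones quoted in the thread.

```python
import codecs
import re
from email import message_from_string

# Placeholders (not from the original post): the protected domain and the
# long-departed local users. ANCIENT_RCPT and MIME_FLAVOUR scores are the ones
# quoted in the thread; the LOCAL_* names and scores are illustrative.
SITE_DOMAIN = "mycompany.com"
DEPARTED_USERS = ("joeuser1", "joeuser2", "joeuser3")
# Strings seen standing in for '@' (userXymycompany.com, user^^mycompany.com).
AT_SUBSTITUTES = ("Xy", "^^")

SCORES = {
    "ANCIENT_RCPT": 4.0,
    "LOCAL_ROT13_DOMAIN": 3.0,
    "LOCAL_REVERSED_DOMAIN_IN_COMMENT": 3.0,
    "LOCAL_MANGLED_AT": 2.5,
    "MIME_FLAVOUR": 1.2,
    "MIME_FLAVOUR_IS_BOUNDARY": 2.0,
}


def rot13(text):
    return codecs.encode(text, "rot_13")


# Compiled once: the local domain in the obscured forms the thread describes.
ROT13_DOMAIN = re.compile(re.escape(rot13(SITE_DOMAIN)), re.I)
REVERSED_DOMAIN = re.compile(re.escape(SITE_DOMAIN[::-1]), re.I)
MANGLED_AT = re.compile(
    r"\b\w+(?:" + "|".join(re.escape(s) for s in AT_SUBSTITUTES) + r")"
    + re.escape(SITE_DOMAIN) + r"\b"
)
ANCIENT_RCPT = re.compile("|".join(re.escape(u) for u in DEPARTED_USERS), re.I)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def score_message(raw):
    """Return (list of rule names hit, total score) for one raw message."""
    msg = message_from_string(raw)
    # Like SpamAssassin's rawbody: everything after the header block, all
    # MIME parts included, so boundaries and HTML comments stay visible.
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    hits = []

    tocc = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    if ANCIENT_RCPT.search(tocc):
        hits.append("ANCIENT_RCPT")
    if ROT13_DOMAIN.search(body):
        hits.append("LOCAL_ROT13_DOMAIN")
    if any(REVERSED_DOMAIN.search(c) for c in HTML_COMMENT.findall(body)):
        hits.append("LOCAL_REVERSED_DOMAIN_IN_COMMENT")
    if MANGLED_AT.search(body):
        hits.append("LOCAL_MANGLED_AT")
    flavour = msg.get("X-Mime-Flavour")
    if flavour is not None:
        hits.append("MIME_FLAVOUR")
        boundary = msg.get_boundary()  # None when Content-Type has no boundary
        if boundary and flavour.strip() == boundary:
            hits.append("MIME_FLAVOUR_IS_BOUNDARY")

    return hits, sum(SCORES[h] for h in hits)


# Constructed samples. BOUNDARY is 40 mixed-case letters plus '=' as the
# thread describes; "ercyl gb hfre@zlpbzcnal.pbz" is ROT13 of
# "reply to user@mycompany.com".
BOUNDARY = "AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMn="

SPAM = f"""From: offers@spam.example
To: joeuser2@mycompany.com
Subject: hot deals
Content-Type: multipart/alternative; boundary="{BOUNDARY}"
X-Mime-Flavour: {BOUNDARY}

--{BOUNDARY}
Content-Type: text/html

<html><body>
<a href="http://spam.example/u.php?a=userXymycompany.com">unsubscribe</a>
<img src="http://spam.example/i.php?id={BOUNDARY}">
ercyl gb hfre@zlpbzcnal.pbz
</body>
<!-- MOC.YNAPMOCYM -->
</html>
--{BOUNDARY}--
"""

HAM = """From: alice@mycompany.com
To: bob@mycompany.com
Subject: draft page
Content-Type: text/html

<html><body>
<!-- this section by alice@mycompany.com -->
<p>Please review before Friday.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        hits, total = score_message(raw)
        print(f"{name}: {total:.1f} {hits}")
```

The ham sample carries exactly the kind of internal comment the thread warns about (a local address inside an HTML comment); it scores zero here because the scorer looks for the domain reversed in a comment, not in the clear. Running the script prints 15.7 for the spam sample with all six rules, and 0.0 for the ham.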



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk