Robert Nicholson wrote:
> 
> I've got a mailbox full of messages that got past SA
> 
> They are all from the same spammer.

What sort of stuff is in the messages?

And if it's a bulk send -- that is, a real spammer, as opposed to
someone targeting only you (which would be, most likely, for the most
part (or largely), evil) -- DCC and/or Razor should catch it -
otherwise, as you mention, Bayes.

> From: Taking Applications <[EMAIL PROTECTED]>
> Subject: Do you have what it takes to be wealthy?
> Date: December 6, 2003 2:20:08 PM CST
> To: Robert David Nicholson <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
>  <[EMAIL PROTECTED]>

<snipage>

> 
> Do we have a way of dealing with the spammer whose Reply-To's always
> look the same?

Yes.  The spammer must be dealt with.

That reply-to could be trapped with a match on one or more addresses
with no comma separation.  Your email being the motivation for my
introduction to Perl regular expressions, I have little (until now,
zero) experience with such, but I'd say finding the end point of the
reply-to header would be the ugly part of such a rule.

I pulled most of the following bit from the wdvl web development site's
Perl regular expressions section:

/[EMAIL PROTECTED](\.org|\.net)\s+,\$/ig

It matches - or tries to match - on an email address, followed by a
comma.  But what's needed is one or more comma delimited email
addresses, so I just repeated the pattern:

/[EMAIL PROTECTED](\.org|\.net)\s+,[EMAIL PROTECTED](\.org|\.net)\$/ig

Oh, but it's supposed to be *absent* a separating comma - so I removed
the comma:

/^reply-to:[EMAIL PROTECTED](\.org|\.net)[EMAIL PROTECTED](\.org|\.net)\$/igm

Assuming the above is even close, it goes matching across newlines (the
added 'm' modifier is intended to ignore (though not sure in what sense
- ignore, or just doesn't terminate matching attempt?) newlines) into
whatever header fields (or body) follow the reply-to (delimit, I
suppose, with a newline preceded by a comma, a newline followed by a
comma, or just a newline, but no immediately following, space delimited
email address pattern), and it does not cover addresses enclosed in <>
like <[EMAIL PROTECTED]> -- would that be ^\<|\w+ etcetera?

I imagine there's a lot it doesn't cover, but I'm satisfied with my
little Perl regex excursion for the time being.

> Is Bayes the only way of handling these?

It's a pattern.  Does Bayes tokenize patterns?  It would be really cool
if it did - something along the lines of xml abstraction I mean - whoa.

Bryan

-- 
Nothing in the world has more potential for beauty than woman.  Nothing
has more potential to destroy it, than the world. - (Anonymous)

http://www.wecs.com/content.htm

This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=pick-a-tag



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
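
Added example, not part of the original message: a Python sketch of the check discussed above, flagging a Reply-To header that carries two or more addresses with no comma between them. It unfolds the header before matching, so the match ends where the header ends rather than running into later headers or the body. The function name, the loose address pattern and the sample messages (example.org / example.net addresses) are constructed for illustration.

```python
import re
from email import message_from_string

# Deliberately loose address matcher: enough to locate addresses inside a header.
ADDR = re.compile(r"<?[\w.+-]+@[\w-]+(?:\.[\w-]+)+>?")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted display names may contain commas
FOLD = re.compile(r"\r?\n[ \t]+")          # RFC 5322 folded-line continuation


def unseparated_reply_to(raw_message):
    """Return pairs of adjacent Reply-To addresses that have no comma between them."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Reply-To", []):
        value = FOLD.sub(" ", value)     # join continuation lines into one line
        value = QUOTED.sub('""', value)  # a comma inside "Last, First" is not a separator
        found = list(ADDR.finditer(value))
        for left, right in zip(found, found[1:]):
            if "," not in value[left.end():right.start()]:
                hits.append((left.group().strip("<>"), right.group().strip("<>")))
    return hits


# Constructed sample: folded Reply-To with two addresses and no comma.
# The body repeats the addresses to show that only the header is inspected.
SPAM_LIKE = (
    "From: Taking Applications <offers@example.org>\n"
    "Reply-To: <first@example.org>\n"
    " <second@example.net>\n"
    "Subject: Do you have what it takes to be wealthy?\n"
    "\n"
    "Write to first@example.org second@example.net today\n"
)

# Constructed sample: well-formed list, folded, with a comma inside a quoted name.
LEGIT = (
    'Reply-To: "Smith, Bob" <bob@example.org>,\n'
    " Alice <alice@example.net>\n"
    "Subject: minutes\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(unseparated_reply_to(SPAM_LIKE))
    print(unseparated_reply_to(LEGIT))
```
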
