I got several of these from different IPs recently. There were several key identifiers that gave it away to me:

>Subject: Re: IXCH, the sky over

For example. One slipped through that was pretty dumb but very easy to figure out:

>Subject: Re: %RND_UC_CHAR[2-8]

See, the spammers are so dumb they write rules for us:

    Subject =~ /(?:Re|RE|FW|Fw|FWD):.(?:[A-Z]{2,8}|%RND_)/

Also,

>Received: from [200.223.153.82] by 2004hosting.orgIP with HTTP;

Very obvious, and again, the same for the 10-20 I saw, to wit:

    Received =~ /from.+by.+ip.with.http;/i

And lastly,

>X-Originating-IP: [2004hosting.orgIP]

I am tempted to block X-Originating-IP but I can put up with:

    ALL =~ /\nX-Originating-IP:.\[.+IP\]/

I don't know if this will continue (I'm too lazy to run tests retroactively). We shall see.

I am a big fan of filtering by meta-information (cf. DATE_SPAMWARE_Y2K), not content. The content is too easy to obfuscate, causes too many false positives and is too easily poisoned. Just my opinion. If the spammers would just send a normal Outlook email with regular text, they would all get through just fine. :)
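
The three header checks from the message above, run over two sample messages, as an added example that is not part of the original post. The rule names, the `fired_rules` helper and the legitimate sample are assumptions made for illustration; the patterns and the spam header lines are the ones quoted in the post.

```python
import re
from email import message_from_string

# Patterns copied from the post; the rule names are hypothetical labels.
HEADER_RULES = {
    "SUBJ_RND_TOKEN": ("Subject", re.compile(r"(?:Re|RE|FW|Fw|FWD):.(?:[A-Z]{2,8}|%RND_)")),
    "RCVD_IP_WITH_HTTP": ("Received", re.compile(r"from.+by.+ip.with.http;", re.I)),
}
# The post's ALL rule is matched against the whole header block.
ALL_RULES = {"XOIP_TEMPLATE": re.compile(r"\nX-Originating-IP:.\[.+IP\]")}

# Header lines quoted in the post, assembled into one constructed message.
SPAM_SAMPLE = (
    "Received: from [200.223.153.82] by 2004hosting.orgIP with HTTP;\n"
    "X-Originating-IP: [2004hosting.orgIP]\n"
    "Subject: Re: IXCH, the sky over\n"
    "\n"
    "body text\n"
)
# Constructed legitimate reply (example.* names and 192.0.2.10 are placeholders).
HAM_SAMPLE = (
    "Received: from mail.example.org by mx.example.net with ESMTP;\n"
    "X-Originating-IP: [192.0.2.10]\n"
    "Subject: Re: DNS outage tonight\n"
    "\n"
    "body text\n"
)

def unfold(text):
    """Join folded continuation lines so each header is one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", text)

def fired_rules(raw_message):
    """Return the sorted names of the rules matching the message headers."""
    header_block = unfold(raw_message.split("\n\n", 1)[0])
    msg = message_from_string(header_block + "\n\n")
    hits = set()
    for name, (field, pattern) in HEADER_RULES.items():
        if any(pattern.search(value) for value in msg.get_all(field, [])):
            hits.add(name)
    for name, pattern in ALL_RULES.items():
        if pattern.search(header_block):
            hits.add(name)
    return sorted(hits)

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, fired_rules(sample))
```

On these samples the two header-template patterns fire only on the spam message, while the Subject pattern also fires on the constructed legitimate reply because its subject starts with an uppercase acronym.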