you need some rules for SA which can detect obfuscated spellings of those keywords like vagira, cilais a.s.o.
heres a sample rule i normally use for such words
body MY_OBF1 /((?!*censored*)(?:(?:[EMAIL PROTECTED]|@])|(?:v\W*[i|1]\W*[a|@]\W*g\W*r\W*[a|@])))/i describe MY_OBF1 body: contains obfuscated keyword *censored* score MY_OBF1 1.0
this rule would catch many many spellings (but surely not all) of *censored* which i'm not allowed to post on this list. :S
drawback is that those rules are hard to write, i'm thinking about coding a template that can generate such rules out of keywords.
or is there such a thing already?
Jürgen R. Plasser wrote:
Hi all,
in the last view days I experienced some (for me) "strange" kind of spam.
The first part of the email is a random text (that's what I see in my email client when opening the email):
<snip>
embedding rose abalone freedman havana bayport regretful menlo gate blomquist
force parasitic infelicity crayon
insidious brasilia pinsky noel priestley fried praiseworthy gimmick even
</snip>
Makes no sense to me at all ;-)
And besides that, there is a html part with an ad section (scrambled letter words) and below that an irritating set of words.
Is there any way to get rid (say: score > 5) of those mails with SA? Some rules?
I have SA 2.61 and the latest Bigevel rules installed.
Best regards, Jürgen
ps. Here is the email source
Return-Path: <[EMAIL PROTECTED]>
Received: from mailserver ([unix socket]) (authenticated user=cyrus bits=0)
by mailserver (Cyrus v2.1.16) with LMTP; Wed, 21 Jan 2004 11:04:46 +0100
X-Sieve: CMU Sieve 2.2
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: by mailserver.example.com (Postfix, from userid 65534)
id 1F70F60441F; Wed, 21 Jan 2004 11:04:46 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by mailserver.example.com (Postfix) with ESMTP
id 0A0806042D6; Wed, 21 Jan 2004 11:04:44 +0100 (CET)
Received: from mailserver.example.com (localhost [127.0.0.1])
by localhost (AvMailGate-2.0.1) id 23887-263A9B8D;
Wed, 21 Jan 2004 11:04:44 +0100
Received: from pD954857A.dip.t-dialin.net (pD954857A.dip.t-dialin.net [217.84.133.122])
by mailserver.example.com (Postfix) with SMTP
id AED3A6042D6; Wed, 21 Jan 2004 11:04:11 +0100 (CET)
Received: from [104.221.238.124] by 66.41.127.38 with HTTP;
Wed, 21 Jan 2004 03:14:44 -0700
From: "Ruth Walden" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: kirchner acquaint sanctify acrobatic
Mime-Version: 1.0
X-Mailer: animadversion
Date: Wed, 21 Jan 2004 06:14:44 -0400
Reply-To: "Ruth Walden" <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
boundary="5846461431537959"
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 2.61-myrulesjrp20040121
(1.212.2.1-2003-12-09-exp) on mailserver.example.com
X-Spam-Level: **
X-Spam-Status: No, hits=2.6 required=5.0 tests=FORGED_HOTMAIL_RCVD2,
HTML_MESSAGE autolearn=no version=2.61-myrulesjrp20040121
embedding rose abalone freedman havana bayport regretful menlo gate blomquist
force parasitic infelicity crayon
insidious brasilia pinsky noel priestley fried praiseworthy gimmick even
------------------------------------ HTML part
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD>
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1276" name=GENERATOR></HEAD>
<BODY>
<DIV><!-- Converted from text/plain format --><FONT face=Arial size=2>
<p>Hi,<br>
<br>
Genierc and Sepur Viarga (Caiils) available onlnie!<br>
Most trsuted onilne source!<br>
<br>
<br>
Cilais or (Spuer Vagira)<br>
takes afefct right away & lasts 24-36 huors!<br>
<A HREF="http://www.qwhhjaak.gjoovm.com=www.qaoy.oxunz.butetoit.com/cv/?AFF_ID
=cv0119&rzcxctqhu=mnxb">FOR SUEPR VAIRGA TOCUH HERE</a><br>
<br>
<br>
Genierc Virgaa<br>
costs 60% less! save a lot of $.<br>
<A HREF="http://www.kghhakaat.qyhpi.com=www.emqdxl.bkted.butetoit.com/cv/?AFF_
ID=cv0119&fppnboy=getn">FOR VIGARA TOCUH HERE</a><br>
<br>
<br>
Both prudocts shipped dicsretely to your door<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<A HREF="http://www.tzelxglc.rqxinuh.com=www.zgahucwbdj.bcfr.butetoit.com/home
page/?mrfzabrpbv=oqaj">Not itnreseted</a><br></FONT></DIV></BODY></HTML>
maximilian scant durham grim euterpe palestinian pastiche peaceful gary ineducable jubilant alamo rickshaw hercules <br>
gratis hippopotamus imbecile illicit invade fulsome print blizzard pivot brocade elate bureaucracy auberge geography chang infinity plaster decay <br>
sextuplet belgrade emile coruscate borneo imaginate barbecue maybe patio erudition <br>
bright cry beck calm footprint chiropractor evidential alberta amphibian lucerne grille aristotle glycerol sec cambridge pertain <br>
crucial armenian elliot bittern copybook demit allotropic grope ecumenist fujitsu infallible complainant nauseum mellon scaffold francoise fragmentary puerto flurry impermissible bounce access agony healy faint modulus sandusky backbone biltmore exclusion lexicon antiperspirant chart forward acton epsilon chariot efflorescent <br>
preferred commensurable azimuth mini bullock jot impelling cultural curvaceous backstitch endemic convect limbo dot exploitation coppery colorado deport bunyan arteriole cleric fluid astute contraption captive ganglion calm <br>
enterprise harrisburg lawmake citroen axolotl edwin herdsman chronicle escheat brant configure epitaxial handline bulb fbi <br>
pile derogate livery clamber pickup grantee hypochlorous gossip jurisprudent define egypt inaccessible farsighted basepoint poll prevention hairdo d'art moines eastbound circumcircle <br>
citric mercenary credential ashame middletown demote penultimate headset paulo bicep coke occurred <br>
annum berlioz eager bromide dobbin curia dressy gerard invariant quiescent husky gingko debenture delano agate darkle cormorant s's durable aluminate gravel glob agnostic prosodic genii moulton <br>
------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
