Re: Spammed to death

22 Feb 2005 23:08:04 -0000 

On Tue, 22 Feb 2005, Nate wrote:

> Hello,
>
> I'm using spamassassin 2.64 on Debian Woody.
>
> My clients emails are getting clobbered by "Pharma" spam.  The messages seem
> to be using different encoding on words like Viagra, Cialis and sa is not
> picking them up.
[snip..]

> Here is the typical email I get from these morons.  Notice the missing
> letters "Vicodin", "Viagra", "Xanax", and "Cialis".  In my email client
> Microsoft Outlook displays all the letters.  However, if I copy and paste
> the message into a text editor the letters disappear.

Finally found one of these critters in my spamtraps.
Actually the letters aren't missing, just shifted around. They're using
HTML tables to take letters from different parts of the message and
reposition them on the screen to align when viewed with a HTML table
rendering capable client.
EG, in your example:

    Vi   in
      cod

Take the 'cod' and slide it up, then you see the 'vicodin'. View the raw
message source HTML to see how they do that.
The SA anti-drug rulesets won't do much for that as the pieces are too
broken up.


> How do I kill these messages?  I've tried sa-learn spam on several messages,
> but they still keep coming through with almost no spam points.  Please help
> I am so sick of this!
>

Here, I've found that Bayes+SURBL+DNSBL tests are the best tools
to catch this kind of junk.

If you see one arrive with out any SURBL hits, feed it to spamcop,
they should be listed in sc.surbl.org.

If you don't have SURBL added to your 2.64 kit, run, don't walk to:
http://sourceforge.net/projects/spamcopuri
Install SpamCopURI, you'll be amazed at what you suddenly start
missing. ;)

> "From: Esaias Billings [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 21, 2005 11:04 PM
> To: Xzavier Rivera
> Subject: Re: Best Mediccations
>
>
>
> Hello, Welcome to the best ONLINE ST0RE.
>
> Vi  in $178(90p.)  a  a $209(100p.)  ana  al
> cod  Vi gr  X x $299(90p.) Ci is $324(90p.)
>
[snip..]
>

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Reply via email to