From: Maybe it's time to revive EvilNumbers?
No, not the same meaning as an arithmetic, binary, "Evil Number" :)
Loren Wilton wrote:
A number of the rules I passed along are generic "order" rules rather
than Amazon specific. I had to go back to last month's spam to find an
Amazon order spam, but I've gotten a dozen or so fake orders for other
things this month, all of which hit on the LW_BOGUS_ORDER rule.
Loren
----- Original Message -----
*From:* Mark London <mailto:m...@psfc.mit.edu>
*To:* users@spamassassin.apache.org <mailto:users@spamassassin.apache.org>
*Sent:* Thursday, June 17, 2021 8:52 AM
*Subject:* Re: Maybe it's time to revive EvilNumbers?
Loren - Unfortunately, the fake amazon shipment email that we
received, doesn't contain the word Amazon in its From or Subject
headers.
Or even the word amazon in the text of the message! Just the
Amazon logo.
And they've removed all the URLs, so the links don't work at the
bottom. And they left the postal address of amazon, without the
word amazon.
I hate bogus spam that is so obviously bogus that it avoids filter
rules. :) - Mark
On 6/17/2021 10:52 AM, users-digest-h...@spamassassin.apache.org
wrote:
Subject: Re: Maybe it's time to revive EvilNumbers?
From: "Loren Wilton" <lwil...@earthlink.net>
Date: 6/16/2021, 8:18 PM
To: <users@spamassassin.apache.org>
Here are a handful of rules that work for me. Feel free to try them.
If you do, please let me know how they work for you.
(Apologies for my mail client trashing the formatting.
Be sure to check for possible line wrap on some of the rules!)
Well, EvilNumbers sounds good. I saw a post pop up on my phone yesterday
from ThreatPost citing that "no security professionals track phone
numbers". Pissed me right off, those morons. I love it because for
these spammers, their biggest cost probably IS the phone number. Go
ahead and waste it. The only thing that could be better would be to
have some sort of "Perkelator Dialer" (RIP, thank you) that
automatically dials these numbers and hangs up!
Here's a couple of rules with phone numbers. This is what I've tracked
mid-2019 to present. NOTE: Many, but not all, are associated with
Amazon-type order schemes. Some are just persistent junk mailers.
body __JR_BODY_GEN_PHONE11 /\b(1\-718\-989\-5740|1\-877\-482\.4956|1\-877\-482\-4956|1\-682\-626\-0008|877\-208\-5661|8772085661|1\-877\-208\.5661|877\.208\-5661|\+12063090336|\+44\-703\-590\-3232|1\-309\-401\-0721|\+1\(206\)309\-0336|1\~877\~767\~9308|\+18777679308|1\~877\~767\~9308|877\.767\-9308|\+12063090336|1\-415\-738\-5373|1\-718\-989\-5740|TEL\:00447024064951|Assured1\-682\-626\-00082|1\-832\-550\-3161|800\.481\.2979|1\.718\.989\.5746|1\-206\-350\-2402|1\.845\.709\.8044|\+1\s757\s5853620|919\-529\-5373|\+6912751776|1\-833\-945\-1505|\(d61rfo808\)\s53v3as201\s9473|\+1\s\(808\)\s201\s9473)\b/i
body __JR_BODY_GEN_PHONE12 /\b(800\.481\.2979|1\-718\-989\-5740|\+356\s72986291|\+225\-54189599|415\-508\-4161|\+44\-\(7\)\s4\s5639\s1361|\(230\)\s216\s4865|\+2347041941368|\+1\-866\-879\-1354|\+380\s48\s7932609|\+380\s68\s8220267|\+1\s\(803\)\s692\-1706|\+1\s\(903\)\s403\-1710|\+17247693888|\+12819079195|\+1\-800\-803\-7592|\+1\-866\-879\-1354|\+31\s635250814|\+1\s346\s273\s1937|\+1\-800\-803\-7592|\+9368170104|\+1184571790|\+6244488968|1\s\(201\)\s578\-4239|1\s\(855\)\s518\-7430|\+\s1\-833\-220\-4052|\+1\s661\s280\s8730|\+1\s\(570\)\s500\-8391|\+1\-866\-785\-0325)\b/i
As per Loren and Martin, these rules are best used in a meta rule.
Loren's rule is solid. I had one message that did not contain the word
"order" in the subject and one other that had "Order Status" in the
From:Name field.
I also use these in conjunction with FreeMail rules. Good Luck.
My $0.02,
-- Jared Hall
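
The following is an added example, not part of the thread or of anyone's posted rules: a small Python lint for phone-number alternations of the `\b(...|...)\b` shape used above, reporting duplicate alternatives and alternatives that start with a non-word character such as `+` or `(`, which a leading `\b` only lets match when a word character comes directly before them. The 555 numbers are constructed, the function names are hypothetical, and it assumes Perl and Python treat `\b` and `\w` the same way for ASCII text.

```python
import re

# Constructed stand-in for a __JR_BODY_GEN_PHONE-style pattern. The 555
# numbers are invented for this example; none come from the thread.
RULE = (r"\b(1\-555\-010\-0001|\+15550100002|\+1\s\(555\)\s010\-0003"
        r"|1\~555\~010\~0004|1\-555\-010\-0001)\b")

def split_alternatives(rule):
    """Top-level alternatives of a pattern shaped \\b(a|b|...)\\b."""
    m = re.fullmatch(r"\\b\((.*)\)\\b", rule)
    if not m:
        raise ValueError(r"expected \b(...)\b")
    body, alts, cur, depth, i = m.group(1), [], "", 0, 0
    while i < len(body):
        if body[i] == "\\":                 # keep escape pairs such as \( intact
            cur, i = cur + body[i:i + 2], i + 2
            continue
        depth += (body[i] == "(") - (body[i] == ")")
        if body[i] == "|" and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += body[i]
        i += 1
    return alts + [cur]

def lint(rule):
    """Return (duplicates, alternatives the leading \\b keeps from matching)."""
    seen, dupes, blocked = set(), [], []
    for alt in split_alternatives(rule):
        if alt in seen:
            dupes.append(alt)
        seen.add(alt)
        # First literal character: an escaped symbol (\+, \() or a plain char.
        m = re.match(r"\\([^A-Za-z0-9])|([^\\(\[])", alt)
        first = (m.group(1) or m.group(2)) if m else None
        # \b before a non-word char only succeeds when a word char precedes it,
        # so "+1..." after a space or at the start of a line is never matched.
        if first and not re.match(r"\w", first):
            blocked.append(alt)
    return dupes, blocked

def relax_leading_boundary(rule):
    """One possible fix (an assumption, not from the thread): (?<!\\w) for \\b."""
    return r"(?<!\w)" + rule[2:]

def hits(rule, text):
    return re.search(rule, text, re.I) is not None
```

Run `lint()` on a rule's pattern before deploying it; `(?<!\w)` is also valid Perl, so the relaxed pattern can be pasted back into a `body` rule.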