Yep, the ones I have here do. However, the Storm output is mutating daily, so it'll probably change tomorrow ;)

UxBoD writes:
> Thanks Justin. Do they all follow the same patterns ?
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Justin Mason" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: users@spamassassin.apache.org
> Sent: Thursday, October 18, 2007 8:24:35 PM (GMT) Europe/London
> Subject: Re: MP3 Spam
>
> > UxBoD writes:
> > Does anybody have one of these, or different one, that you could upload
> > somewhere so can do some analysis ?
>
> sure: http://taint.org/x/2007/mp3spam.txt
> anyway, these rules catch them as far as I can tell:
>
> ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
> mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s
> mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s
> mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s
> mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s
>
> meta JM_STORM_MP3 ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2))
> endif
>
> --j.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
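
The rules quoted above, re-expressed as an added Python sketch for testing against saved samples; it is not part of the thread and not SpamAssassin code. It assumes variant 1 folds the header with a newline plus one space (the quoted rule was line-wrapped at that point), and the function names are hypothetical.

```python
import re
from email import message_from_string

# Patterns transcribed from the quoted rules. Assumption: variant 1 folds
# with newline + one space; variant 2 folds with newline + tab.
RULES = {
    "__CTYPE_STORM_MP3_1": ("Content-Type",
                            r'^audio/mpeg;\n name="[a-z]+\.mp3"$'),
    "__CDISP_STORM_MP3_1": ("Content-Disposition",
                            r'^inline;\n filename="[a-z]+\.mp3"$'),
    "__CTYPE_STORM_MP3_2": ("Content-Type",
                            r'^audio/mpeg;\n\tname="[a-z]+\.mp3"$'),
    "__CDISP_STORM_MP3_2": ("Content-Disposition",
                            r'^attachment;\n\tfilename="[a-z]+\.mp3"$'),
}


def sub_rule_hits(raw_message):
    """Return the names of sub-rules that match a raw header of any MIME part."""
    # The default compat32 policy keeps the original folding inside the value,
    # which is what the :raw patterns depend on.
    msg = message_from_string(raw_message)
    hits = set()
    for part in msg.walk():
        for name, (header, pattern) in RULES.items():
            for value in part.get_all(header, []):
                if re.search(pattern, str(value).replace("\r\n", "\n")):
                    hits.add(name)
    return hits


def jm_storm_mp3(raw_message):
    """Evaluate the meta rule: both variant-1 sub-rules, or both variant-2."""
    hits = sub_rule_hits(raw_message)
    return ({"__CTYPE_STORM_MP3_1", "__CDISP_STORM_MP3_1"} <= hits
            or {"__CTYPE_STORM_MP3_2", "__CDISP_STORM_MP3_2"} <= hits)


def constructed_sample(fold, disposition, filename="abcdef.mp3"):
    """Build a constructed two-part test message (not a real spam sample)."""
    return (
        "From: sender@example.invalid\nSubject: test\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n"
        f'--b1\nContent-Type: audio/mpeg;{fold}name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: {disposition};{fold}filename="{filename}"\n\n'
        "AAAA\n--b1--\n"
    )
```

Because each pattern pins the exact fold whitespace and disposition, a message that mixes the two variants or uses a different filename shape is not flagged.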