On Thu, 2008-12-04 at 02:26 +0100, Karsten Bräckelmann wrote:
> On Thu, 2008-12-04 at 13:48 +1300, Kate wrote:
> > Yeah have been getting lots of variations of:
> > http://www.pastebin.ca/1275436
> > Quite a lot are getting caught but in saying that a lot are still getting
> > through.
>
> That one example smells like pure spam to me. Not phish, definitely not
> a scam (though I didn't investigate much).
>
> Funnily enough, the Sanesecurity.Spam.9216 found in the *scam* sigs [1]
> does match. However, it translates to the RE
>   m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
>
> This topic has been beaten to death recently...

More on-topic. More beating dead horses. :)

We've discussed this very spam type recently. Scores around 10+ here...

They usually hit at least RCVD_IN_XBL, if not a few more. They hit any custom rule for the live spaces URI, including the one above as per SaneSecurity scam sigs, Daryl's, and a custom one I am running locally, targeting the alphanumeric alternation.

They all are direct MUA to MX transmissions, no relay. That spample (like most of these I have seen) hit RCVD_IN_BRBL (which has been discussed a few times recently, too) and also hits the DNSBL RCVD_IN_NIXSPAM, which can be found as an *additional* info on the iXhash plugin pages [2]. It does not use that hash but sending IPs, though.

Oh, yeah, also all of those I have seen do hit a rather cute rule of mine, which can be found in my sandbox.

  rawbody __PQRTW_4_A     m,<a name="\#[pqrtw]{4}">\s*</a>,
  rawbody __PQRTW_4_SPAN  m,<span name="\#[pqrtw]{4}">\s*</span>,
  meta    PQRTW_4         __PQRTW_4_A || __PQRTW_4_SPAN
  score   PQRTW_4         1.0

That score is rather conservative, FWIW. And I sure hope the spammers stopped reading this thread like 10 posts ago... I love that rule. :-)

  guenther

[1] Which I coincidentally just this evening started to look into for an entirely unrelated reason.
[2] http://ixhash.net/

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
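
Added example, not part of the original post and not SpamAssassin's own code: a small Python harness that applies the two rawbody sub-rules, the meta rule and the quoted Sanesecurity RE to constructed HTML bodies, to show what the patterns do and do not match. The rule name LIVE_SPACES_URI, the sample bodies and the whole-body matching (SpamAssassin feeds rawbody rules the body in chunks) are assumptions made for illustration.

```python
import re

# Patterns copied from the post; the Perl m,...,/m~...~ delimiters are dropped
# and "\#" is written as a plain "#".
PQRTW_4_A = re.compile(r'<a name="#[pqrtw]{4}">\s*</a>')
PQRTW_4_SPAN = re.compile(r'<span name="#[pqrtw]{4}">\s*</span>')
LIVE_SPACES_URI = re.compile(r'http://cid-.{0,30}\.spaces\.live\.com/blog/cns')

# Only the meta rule carries a score in the post; "__" sub-rules score nothing.
SCORES = {"PQRTW_4": 1.0}


def evaluate(raw_body):
    """Return the set of rule names hitting on an HTML body with tags intact."""
    hits = set()
    sub_a = bool(PQRTW_4_A.search(raw_body))
    sub_span = bool(PQRTW_4_SPAN.search(raw_body))
    if sub_a:
        hits.add("__PQRTW_4_A")
    if sub_span:
        hits.add("__PQRTW_4_SPAN")
    if sub_a or sub_span:  # meta PQRTW_4 __PQRTW_4_A || __PQRTW_4_SPAN
        hits.add("PQRTW_4")
    if LIVE_SPACES_URI.search(raw_body):
        hits.add("LIVE_SPACES_URI")  # hypothetical rule name
    return hits


def score(hits):
    """Sum the scores of the rules that hit (sub-rules contribute 0)."""
    return sum(SCORES.get(name, 0.0) for name in hits)


# Constructed sample bodies (not taken from real mail).
SAMPLES = {
    "anchor+uri": '<a name="#qtwp"></a><a href="http://cid-0123456789abcdef'
                  '.spaces.live.com/blog/cns!1.entry">photos</a>',
    "span": '<p>hi</p><span name="#wwrt">  </span>',
    "six_letters": '<a name="#pqrtwp"></a>',      # {4} is exact, no hit
    "other_letters": '<a name="#abcd"></a>',      # outside [pqrtw], no hit
    "non_empty": '<a name="#pqrt">text</a>',      # \s* allows whitespace only
    "long_cid": "http://cid-" + "a" * 40 + ".spaces.live.com/blog/cns",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = evaluate(body)
        print(f"{label:14} score={score(hits):.1f} hits={sorted(hits)}")
```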