On Wed, 1 Dec 2010, Daniel McDonald wrote:
Lately, I've been seeing spammers trying to convince you to click on a site
to make hundreds or tens of Dollars, like:
http://pastebin.com/MfG74WGW
The mail client probably stripped out the more interesting headers before I
got it from my customer, because it originally hit RELAY_RU, and I don't see
a matching header in the current revision.
But, I was wondering if anyone had a good regex for finding these micro-sum
spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
finding the 419-style scammers, they have changed tactics on us again...
Catching the simple variants of that is pretty straightforward:
body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/
...then use that in metas (untested).
The complexity comes in from all the various obfuscations. I could work up
something similar to LOTS_OF_MONEY for amounts less than $100k.
Another problem is smaller amounts of money are much more FP-prone.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You know things are bad when Pravda says we [the USA] have gone
too far to the left. -- Joe Huffman
-----------------------------------------------------------------------
14 days until Bill of Rights day
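
Added example (not part of the original message or of SpamAssassin): a small Python harness that runs the posted __SOME_MONEY pattern over constructed body lines, alone and combined meta-style with a second sub-rule, to measure the false-positive and obfuscation problems the reply mentions. The EARN_VERB pattern and all sample lines are assumptions made up for illustration.

```python
import re

# Pattern copied unchanged from the message's __SOME_MONEY body rule.
SOME_MONEY = re.compile(r"\$?(?:\d+,)?\d{3}\b")
# Hypothetical companion sub-rule (not from the message): an earning verb.
EARN_VERB = re.compile(r"\b(?:make|earn)\b", re.IGNORECASE)


def some_money(text):
    """Return the first substring the posted pattern matches, or None."""
    m = SOME_MONEY.search(text)
    return m.group(0) if m else None


def meta_hit(text):
    """Emulate a meta rule: __SOME_MONEY && (hypothetical) __EARN_VERB."""
    return some_money(text) is not None and EARN_VERB.search(text) is not None


# Constructed sample body lines: (text, is_spam)
SAMPLES = [
    ("Click here to make $250 a day from home", True),
    ("Earn 1,500 dollars this week, no experience", True),
    ("Your order #4821 ships on Monday", False),             # bare digits, not money
    ("Make sure to call extension 555 before noon", False),  # verb + digits, still ham
    ("earn $ 2 5 0 daily", True),                            # spaced-out amount
]


def evaluate(rule):
    """Return (true_positives, false_positives, missed_spam) over SAMPLES."""
    tp = fp = missed = 0
    for text, is_spam in SAMPLES:
        hit = bool(rule(text))
        if hit and is_spam:
            tp += 1
        elif hit:
            fp += 1
        elif is_spam:
            missed += 1
    return tp, fp, missed


if __name__ == "__main__":
    print("pattern alone:", evaluate(lambda t: some_money(t) is not None))
    print("meta combo:   ", evaluate(meta_hit))
```

On these samples the meta combination removes one of the two false positives but not the other, and neither form catches the spaced-out amount.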