On Wed, 1 Dec 2010, Daniel McDonald wrote:
On 12/1/10 1:28 PM, "John Hardin" <jhar...@impsec.org> wrote:
On Wed, 1 Dec 2010, Daniel McDonald wrote:
Lately, I've been seeing spammers trying to convince you to click on a site
to make hundreds or tens of Dollars, like:
http://pastebin.com/MfG74WGW
The mail client probably stripped out the more interesting headers before I
got it from my customer, because it originally hit RELAY_RU, and I don't see
a matching header in the current revision.
But, I was wondering if anyone had a good regex for finding these micro-sum
spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of
finding the 419-style scammers, they have changed tactics on us again...
Catching the simple variants of that is pretty straightforward:
body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/
Seems like that would hit on large sums as well, since there is no anchor on
the front of the pattern. I suppose I could do __SOME_MONEY &&
!LOTS_OF_MONEY
or /\b\$?...etc/
That was off the top of my head.
...then use that in metas (untested).
Correct.
The complexity comes in from all the various obfuscations. I could work up
something similar to LOTS_OF_MONEY for amounts less than $100k.
Another problem is smaller amounts of money are much more FP-prone.
Agreed. I've seen a couple of these from India and this one from Russia,
but it will require a number of metas to make it at all useful.
Yeah, but it might be quite handy in catching work-at-home spams.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
14 days until Bill of Rights day
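
Added example, not part of the original thread: the posted __SOME_MONEY pattern, the leading-\b variant suggested in the reply, and a hypothetical lookaround-bounded variant (BOUNDED, an assumption and not a rule from the thread), run over constructed sample phrases. It uses Python's re module in place of SpamAssassin's Perl regex engine; \b and the lookarounds used here behave the same in both.

```python
import re

# Pattern as posted in the thread (SpamAssassin body rule __SOME_MONEY).
POSTED = re.compile(r"\$?(?:\d+,)?\d{3}\b")

# The thread's "/\b\$?...etc/" idea: same pattern with a leading word boundary.
FRONT_B = re.compile(r"\b\$?(?:\d+,)?\d{3}\b")

# Hypothetical stricter variant (not from the thread): lookarounds refuse
# digits or digit-group separators on either side, so only amounts from
# three digits up to 99,999 can match as a whole.
BOUNDED = re.compile(r"(?<![\d,.])\$?(?:\d{1,2},)?\d{3}(?![\d,]|\.\d)")

# Constructed sample phrases, not taken from real mail.
SAMPLES = [
    "earn $500 a week from home",
    "make $2,500 every month",
    "claim your $1,000,000 prize",
    "a sum of 4500000 dollars",
    "call extension 555 today",
]


def hits(pattern):
    """Return the matched text for each sample, or None where it misses."""
    out = []
    for s in SAMPLES:
        m = pattern.search(s)
        out.append(m.group(0) if m else None)
    return out


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("front \\b", FRONT_B),
                      ("bounded", BOUNDED)):
        print(f"{name:9} {hits(pat)}")
```

The leading \b stops the match inside an unseparated number such as 4500000, but a comma-grouped large sum still matches on its first group, and every variant still fires on a bare three-digit number, which is the false-positive exposure the thread mentions.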