On 12/7/10 8:20 AM, "Florescu, Dan Alexandru"
<alexandru.flore...@rompetrol.com> wrote:
> Hi,
>
> In the last few days some spam messages have been able to elude the filters I
> use. Upon checking the headers, it seems to be following the same pattern.
>
> I just earned $31 in a few hours at home on the computer! I went to - Business
> Week Journal* You will thank me
> -----
> * this is a <a href=virus_link>Business Week Journal</a> link
>
> My question is: shouldn't there be a rule to verify that the mail specified at
> "To:" header actually corresponds to the one at "Received: [...] for <>"?
> This would be a very effective spam catching rule.

No, it would be a really bad rule, for lots of reasons.

I am trying to catch these by looking for the body pattern:
I {verbed} {money} {verbing} {uri} {salutation}

Here is my current rule. I'd love to get more verbs to add to it, based on
more examples. They seem to have a pretty good thesaurus...

body __SOME_MONEY_HUNDREDS /\$\d{2,3}\b/
describe __SOME_MONEY_HUNDREDS Has a dollar amount up to $one thousand
body __EASY_MONEY /\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)/
describe __EASY_MONEY talks about making easy money
body __EASY_WORK /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home|on the computer)/
describe __EASY_WORK talks about the work being simple
meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
describe AE_WORKFROM_HOME work from home spam
score AE_WORKFROM_HOME 1.00
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
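
An added example, not part of the original message or of SpamAssassin: a small Python harness that runs the three body patterns from the rule above over constructed sample bodies and reports which sub-rules hit and which are missing. The stand-in regex for __DOS_HAS_ANY_URI, the whitespace normalisation and all sample texts are assumptions made for illustration.

```python
import re

# Sub-rule patterns copied from the rules in the message above.
SUBRULES = {
    "__SOME_MONEY_HUNDREDS": re.compile(r"\$\d{2,3}\b"),
    "__EASY_MONEY": re.compile(
        r"\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)"),
    "__EASY_WORK": re.compile(
        r"(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)"
        r"|working at home|on the computer)"),
    # Assumption: simple stand-in for __DOS_HAS_ANY_URI, which is defined elsewhere.
    "__DOS_HAS_ANY_URI": re.compile(r"https?://\S+", re.I),
}
SCORE = 1.00  # score of the AE_WORKFROM_HOME meta rule


def evaluate(body):
    """Return (sorted names of sub-rules that hit, score added by the meta)."""
    # Assumption: collapse whitespace so phrases split by a line wrap still match.
    text = " ".join(body.split())
    hits = sorted(name for name, rx in SUBRULES.items() if rx.search(text))
    # The meta is an AND of all four sub-rules.
    return hits, (SCORE if len(hits) == len(SUBRULES) else 0.0)


def missing_subrules(body):
    """Names of the sub-rules that kept the meta from firing."""
    hits, _ = evaluate(body)
    return sorted(set(SUBRULES) - set(hits))


# Constructed sample bodies (not real mail); hosts use the reserved .example TLD.
SAMPLES = {
    "pattern_from_post": "I just earned $31 in a few hours at home on the computer! "
                         "I went to http://news.example/journal You will thank me",
    "wrapped_variant": "I easily made $250 last week working at\nhome. "
                       "See http://jobs.example/ Thank me later",
    "unlisted_verb": "I just collected $31 in a few hours on the computer! "
                     "http://news.example/journal",
    "legit_mail": "I made the $45 payment for the router on the computer desk. "
                  "Receipt: https://shop.example/r/1",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits, score = evaluate(body)
        print(f"{name}: score={score:.2f} missing={missing_subrules(body)}")
```

The "unlisted_verb" sample misses only __EASY_MONEY, which is the gap that more verbs would close, while the constructed "legit_mail" sample satisfies all four sub-rules.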