On Mon, 2013-09-23 at 10:51 +0530, Blason rock wrote:
> So guys can you confirm if this is a correct rule?

It is technically incorrect (the pattern is not an RE but a string) and
logically incorrect (matching the pattern against all headers, instead
of testing for the existence of a header).

Moreover, you picked a really bad header to indicate spam -- X-BeenThere
is added to outgoing mail by Mailman (a mailing list server).


> for this kind of SPAM message?

I didn't keep the previous messages of this thread, but IIRC you didn't
provide a sample, did you? Upload the full, raw message to a pastebin,
or please remind me of the link if you did already.


> X-Mailer: phpmailer [version 1.41]
> X-BeenThere: sc...@mailman.wikimedia.org
> 
> header XBEENTHERE ALL =~ X-BeenThere
> score XBEENTHERE 6

Hmm. Wikimedia does use Mailman, but the lists seem to be hosted at a
"lists" named hostname. And "scoot" doesn't appear to be a valid
wikimedia list.

That is not a mailing list you are subscribed to, and spam sent via the
list, right?

That said, does all of the spam you target have both these
headers? Do the values change? You might want to show us a list of these
headers observed.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
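
The two problems named in the reply (a bare string where a regex is required, and matching against all headers instead of testing for a header's existence), shown as SpamAssassin rule syntax. This is an added example, not part of the original message or a rule its author proposed; the rule names and the score are hypothetical placeholders.

```conf
# Added example, not from the thread. Rule names and score are placeholders.

# As posted: the right-hand side is a bare string, not a delimited /regex/,
# and ALL matches the pattern against the full header block.
# header XBEENTHERE ALL =~ X-BeenThere

# Existence test: true when the message carries an X-BeenThere header,
# whatever its value. Names starting with "__" are unscored sub-rules.
header   __LOCAL_HAS_BEENTHERE      exists:X-BeenThere

# Value test on one named header, using a delimited, case-insensitive regex.
header   __LOCAL_XMAILER_PHPMAILER  X-Mailer =~ /^phpmailer\b/i

# Mailman adds X-BeenThere to ordinary list traffic, so the existence test is
# only used in combination here, and with a low score while hits are reviewed.
meta     LOCAL_PHPMAILER_BEENTHERE  (__LOCAL_HAS_BEENTHERE && __LOCAL_XMAILER_PHPMAILER)
describe LOCAL_PHPMAILER_BEENTHERE  phpmailer X-Mailer together with X-BeenThere
score    LOCAL_PHPMAILER_BEENTHERE  0.5
```

Running `spamassassin --lint` after editing the local rules file reports syntax errors such as the undelimited pattern in the commented-out line.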
