On 01/08/2014 02:34 PM, Martin Gregorie wrote:
On Wed, 2014-01-08 at 10:45 +0300, Christopher Culver wrote:
For the last year or so, I’ve been deluged with Spanish-language spam
with a very predictable format: the sender name begins with "Lic. " and
the sender address is at an .info domain.
EXAMPLE SENDERS:
Lic. Mayra Miranda
Lic. Toledano
Lic. Carmen Quintanar
Lic. Lizárraga Mena
Lic. Lizárraga Mena
Lic. Mildreth Palma
EXAMPLE DOMAINS:
cont...@superecursos.info
acev...@asistenciaejecutiva.info
n...@controltecnicas.info
prestacio...@hoteles2013.info
eficiencialogisticamx.info
fideicomi...@controlinterno.info
While some of the .info domains are reused from spam message to spam
message, allowing me to blacklist them, occasionally new domains
appear. Even with feeding thousands of these into the Bayesian database,
they still get only a spamassassin score of 3.0 out of 5.0 on my
system. Therefore, I believe a new rule is called for.
Is this type of spam common enough that a new rule can be pushed out to
all spamassassin users with sa-update raising the score on messages with
Spanish-language text, with sender names beginning with the substring
"Lic. " and coming from an .info domain?
I for one have never seen this type of spam, but that doesn't mean much:
a lot of sites get types of spam I never see and vice versa. However,
that's why SA lets you write local rules. In this case something like:
describe SPAMES Spanish info spam
header SPAMES From =~ /Lic\..*\.info/
score SPAMES 5
I'd do:
header FROM_NAME_LIC From:name =~ /^Lic\./
as Lic. is in the name and not in the email addr. and avoid the .* slowness.
and meta with
header __FROM_INFO From =~ /\.info/
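
Added example, not part of any message in this thread: a Python script that evaluates the single-regex rule from the first reply and the name-plus-domain sub-rules from the second reply against constructed From headers, to show where they disagree. Combining the two sub-rules with a logical AND, the anchored `\.info$` address variant, and all sample headers are assumptions made for illustration.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

WHOLE = re.compile(r"Lic\..*\.info")      # first reply: one regex over From
NAME_LIC = re.compile(r"^Lic\.")          # second reply: From:name sub-rule
FROM_INFO = re.compile(r"\.info")         # second reply: __FROM_INFO as posted
ADDR_INFO = re.compile(r"\.info$", re.I)  # assumption: anchored on the address


def decode(value):
    """Decode RFC 2047 encoded words so the regexes see readable text."""
    return str(make_header(decode_header(value)))


def evaluate(raw_from):
    """Return which of the three rule variants fire for one From header."""
    name, addr = parseaddr(raw_from)
    name, header = decode(name), decode(raw_from)
    lic = bool(NAME_LIC.search(name))
    return {
        "whole_header": bool(WHOLE.search(header)),
        # Assumption: the meta rule ANDs the two sub-rules together.
        "meta_as_posted": lic and bool(FROM_INFO.search(header)),
        "meta_anchored": lic and bool(ADDR_INFO.search(addr)),
    }


# Constructed sample headers (not taken from real mail).
SAMPLES = {
    "plain": '"Lic. Carmen Quintanar" <ventas@cursos.example.info>',
    "encoded": "=?UTF-8?Q?Lic=2E_Liz=C3=A1rraga_Mena?= <avisos@example.info>",
    "lic_in_addr": '"Ana Ruiz" <Lic.ruiz@example.info>',
    "info_in_localpart": '"Lic. Ana Ruiz" <ana.info@example.com>',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw))
```

The `lic_in_addr` sample fires only the whole-header regex, and `info_in_localpart` fires everything except the anchored variant, which is the false-positive surface each tightening removes.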