I am helping a friend who is getting hit with a lot of spam. He is running SpamAssassin. While looking at the spam that he is receiving I am seeing a pattern in the headers. Along with the normal headers the messages also contain a random set of "random" headers. Here are just the pattern headers from the message.
Spam 1:

Martian-Scurf: d4b0a3f064bc16518af081b52350787f9442861
Gonad-Marfa: 9442861.d4b0a3f064bc16518af081b52350787f.9442861
Diamant-Hop: d4b0a3f064bc16518af081b52350787f22464616.9442861d4b0a3f064bc16518af
Mutiny-Tardo: 22464616-22464616
Odinist-Gawsy: d4b0a3f064bc16518af081b52350787f-22464616
Pennant-Agape: 9442861-22464616

Spam 2:

Mispage-Slav: 16035617
Irra-Etna: 9493147
Brigand-Parry: 1603561716035617
Peatier-Fthm: d4b0a3f064bc16518af081b52350787f

Spam 3:

Penang-Titan: d4b0a3f064bc16518af081b52350787f12517557
Imbrue-Gaol: 12517557.12517557
Tousle-Zany: d4b0a3f064bc16518af081b52350787f
Callie-Scale: 19474509.19474509

Spam 4:

Felda-Elayl: 1-15546426
Bluma-Spoom: 15546426-14093545455-9801
Prs-Cathy: 14093545-ag84js-dk3k32
Quest-Argue: 0.a4-052.15546426

You get the idea. I have 187 spams from a recent burst like this.

Here is a more complete header example. I am not showing my buddy's address intentionally so redacted the To: line but all of the other headers are there.

http://pastebin.com/0jmiDBt1

And here is a full sample. Notice how the header data is repeated in the message body.

http://pastebin.com/0Ga7g0UX

Looking at the headers by eye and flipping from message to message it is pretty easy to visually see the pattern that is created. Is there a way to use this to create a SpamAssassin rule to try to catch this type of spam?

Thanks,
Bob

P.S. Note that if I run these through my Bayes my database almost always scores them quite high. But on his, not so much. Improving his Bayes training will help. But the pattern seems ripe too.
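
The pattern described in the post, as an added example that is not part of the original message: Python that picks out Word-Word headers whose values consist only of lowercase alphanumerics, dots and hyphens, and reports those that share a token with another such header. The `KNOWN` allowlist, the 6-character token minimum and the threshold of 2 are assumptions; `SPAM_2` is the Spam 2 header set quoted above and `HAM` is constructed.

```python
import re
from email import message_from_string

# Assumption: ordinary headers that also fit the Word-Word name shape.
KNOWN = {"message-id", "reply-to", "return-path", "delivered-to",
         "content-type", "mime-version", "list-id"}
NAME_RE = re.compile(r"[A-Z][a-z]+-[A-Z][a-z]+")
VALUE_RE = re.compile(r"[0-9a-z.-]+")
MIN_TOKEN = 6  # assumption: skip short fragments such as "1" or "a4"


def linked_pattern_headers(raw_headers):
    """Names of candidate headers whose value shares a token with another one."""
    cand = []
    for name, value in message_from_string(raw_headers).items():
        value = value.strip()
        if (NAME_RE.fullmatch(name) and name.lower() not in KNOWN
                and VALUE_RE.fullmatch(value)):
            tokens = [t for t in re.split(r"[.-]", value) if len(t) >= MIN_TOKEN]
            cand.append((name, value, tokens))
    linked = []
    for i, (name, value, tokens) in enumerate(cand):
        for j, (_, other, other_tokens) in enumerate(cand):
            # Substring match, because the sender also concatenates tokens.
            if i != j and (any(t in other for t in tokens)
                           or any(t in value for t in other_tokens)):
                linked.append(name)
                break
    return linked


def looks_like_burst(raw_headers, min_linked=2):
    """True when at least min_linked pattern headers reference each other."""
    return len(linked_pattern_headers(raw_headers)) >= min_linked


# Pattern headers of Spam 2 as quoted in the post.
SPAM_2 = "\n".join([
    "Mispage-Slav: 16035617", "Irra-Etna: 9493147",
    "Brigand-Parry: 1603561716035617",
    "Peatier-Fthm: d4b0a3f064bc16518af081b52350787f",
])
# Constructed control message with ordinary headers only.
HAM = "Message-Id: <1234@example.org>\nMime-Version: 1.0\nSubject: lunch"

if __name__ == "__main__":
    print("spam 2:", linked_pattern_headers(SPAM_2), looks_like_burst(SPAM_2))
    print("ham:", linked_pattern_headers(HAM), looks_like_burst(HAM))
```

Running it over a saved corpus of known-good mail first shows whether the assumed threshold produces false positives before the same idea is turned into a scored rule.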