On Wed, 1 Jul 2015, Alex wrote:
Hi,

I've been receiving a handful of spam claiming to be from WhatsApp,
and I can't figure out how to block it.

http://pastebin.com/8E66QRkn
http://pastebin.com/KrTgKGh1

What does a legitimate WhatsApp email look like? I've searched their
site, and their DNS entry doesn't even have an MX record, let alone
any indication of SPF, etc.

Bayes is obviously a problem, but my Bayes db generally performs well.
I'm sure the domains in the body would be listed now, and probably the
source addresses too.

Ideas greatly appreciated.

It looks like they are doing Unicode obfuscation of text in the body:

WhatsApp W=C3=A8b You h=C3=A4ve a new message D=C3=A8tails:

Not sure if the Unicode replace stuff will catch it, but you might try this:

body FUZZY_DETAILS /<D>(?:etails)<E><T><A><I><L><S>/i
replace_rules FUZZY_DETAILS

It doesn't catch it, and I don't know enough about replace_rules to
figure it out.

Rats. It would probably involve changes to 25_replace.cf

Is there supposed to be an existing FUZZY_DETAILS rule?

I don't think so.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
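
The body obfuscation discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: a Python sketch that decodes the quoted-printable line, folds accented letters to their base letters, and reports words that only match a watch list after folding. The WATCHED list and the function names are hypothetical; the sample line is the one quoted above.

```python
import quopri
import re
import unicodedata

# Constructed sample: the quoted-printable body line quoted in the thread.
SAMPLE_QP = b"WhatsApp W=C3=A8b You h=C3=A4ve a new message D=C3=A8tails:"

# Hypothetical watch list of plain-ASCII words worth flagging when disguised.
WATCHED = {"web", "have", "details"}


def decode_body(qp_bytes, charset="utf-8"):
    """Undo quoted-printable transfer encoding, then decode the charset."""
    return quopri.decodestring(qp_bytes).decode(charset, errors="replace")


def fold(text):
    """Decompose with NFKD and drop combining marks: accented letter -> base letter."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def disguised_words(qp_bytes):
    """Return (as_written, folded) pairs for watched words that match only after folding."""
    hits = []
    for word in re.findall(r"\w+", decode_body(qp_bytes)):
        folded = fold(word).lower()
        # A hit means the word is on the watch list but was not written in plain form.
        if folded in WATCHED and word.lower() != folded:
            hits.append((word, folded))
    return hits


if __name__ == "__main__":
    for written, folded in disguised_words(SAMPLE_QP):
        print(f"{written!r} is a disguised form of {folded!r}")
```

A plain match for "details" finds nothing in the decoded sample, while the folded comparison flags three words; an unobfuscated body produces no hits.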