Spammer on the list

[richb at pioneer.ci.net (Rich Braun)]

The deluge of incoming spam has risen from an average of 180/day in January
(when the can-spam act took effective) to 300/day the past few weeks. 
Congress still has its work cut out.  Maybe Kerry should build stockades in
the public square for all spammers and maintain a ready supply of ripe
tomatoes, I think that would decide this year's election.

I have further tweaked SpamAssassin on my home server in response to the
increase in junk.  Maybe my rules attached below (line breaks will need to be
edited out) will help others; maybe y'all can suggest more for me.  At some
point maybe we need to install SA on the BLU server.  (One of my rules is a
hitlist which includes 'mortgage' in the subject line, which for some reason
is not in the default SA installation.)  But I don't want my rules to become
part of the SA default because spammers can innoculate against them in their
battle to get noticed...  Someone set up a marketing database that includes my
first/last names and city, so a lot of spammers try to "personalize" my
spam--makes it easier to weed out.  ;-)

Do these people really think I'm going to pay attention to *300* messages a
day--that's *10,000* a month??!?  At some point their response rate is going
to drop below the threshold where it's worth sending any more.  I can only
hope.

-rich

score   CI_SUBJECT_IS_RICH_1    3.0
score   CI_SUBJECT_IS_RICH_2    2.5
score   CI_SUBJECT_IS_RICH_3    2.5
score   CI_SUBJECT_HAS_USERNAME 3.0
score   CI_FROM_TLD_FOREIGN     2.5
score   CI_FROM_TLD_BIZ         1.0
score   CI_TO_SYSTEM_ALIAS      2.0
score   CI_DRUG_PUSHER          3.0
score   CI_SUBJECT_GIBBERISH    0.7
score   CI_SUBJECT_PUNCTUATED   1.0
score   CI_SUBJECT_HITLIST_1    1.0
score   CI_SUBJECT_HITLIST_2    0.5
score   CI_SUBJECT_LONG         0.5
score   CI_FROM_ADDR_BOGUS      1.0

header           CI_SUBJECT_IS_RICH_1 Subject =~ /Richard K\./
describe         CI_SUBJECT_IS_RICH_1 Subject line contains first name

header           CI_SUBJECT_IS_RICH_2 Subject =~ /Braun/
describe         CI_SUBJECT_IS_RICH_2 Subject contains last name

header           CI_SUBJECT_IS_RICH_3 Subject =~ /\bBRAUN\b/
describe         CI_SUBJECT_IS_RICH_3 Subject contains all-CAPS last name

header   CI_SUBJECT_HAS_USERNAME Subject =~ /Richb/
describe CI_SUBJECT_HAS_USERNAME Subject line contains capitalized username

header   CI_FROM_TLD_FOREIGN From:addr =~ /\.(?:ac|ad|ae|af|ag|ai|al|am|an|ao|aq
|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|c
c|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|er|
es|et|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy
|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|k
r|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|
mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph
|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|s
n|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|
um|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)$/i
describe CI_FROM_TLD_FOREIGN From a foreign-country domain suffix

header   CI_FROM_TLD_BIZ From:addr =~ /\.biz$/i
describe CI_FROM_TLD_BIZ From a dot-biz domain suffix

header   CI_TO_SYSTEM_ALIAS To:addr =~ /(:?amanda|daemon)@/i
describe CI_TO_SYSTEM_ALIAS Addressed to a system daemon

header   CI_DRUG_PUSHER Subject =~ /(:?\bv[^:alpha:]?i[^:alpha:]?c[^:alpha:]?o[^
:alpha:]?d[^:alpha:]?i[^:alpha:]?n\b|\bc[^:alpha:]?i[^:alpha:]?a[^:alpha:]?l[^:a
lpha:]?i[^:alpha:]?s\b|l[^:alpha:]?e[^:alpha:]?v[^:alpha:]?i[^:alpha:]?t[^:alpha
:]?r[^:alpha:]?a|\bv[^:alpha:]?a[^:alpha:]?l[^:alpha:]?i[^:alpha:]?u[^:alpha:]?m
)/i
describe CI_DRUG_PUSHER Subject promotes vicodin/cialis/levitra/valium

header   CI_SUBJECT_GIBBERISH Subject =~ /[bcdfghjklmnpqrstvwxz]{5,}/i
describe CI_SUBJECT_GIBBERISH Subject contains gibberish consonants

header   CI_SUBJECT_PUNCTUATED Subject =~ /(.[\~\`\@\#\$\%\&\:\!\*\^|\[\]\{\}\(\
)]){4,}/
describe CI_SUBJECT_PUNCTUATED Subject contains excessive punctuation

header   CI_SUBJECT_HITLIST_1 Subject =~ /\b(doctors?|physicians?|prescription|c
ancel|shopping|savings|prices?|cheap|discounts?|clearance|secrets?|complete|medi
cations?|medicines?|meds|weight|health|debts?|eliminate|warranty|financial|refin
ance|application|surveys?|rates?|loan|quality|residence|somerville|deserve|sampl
e|credit|homeowners?|delivery|cash|money|dollars?|solutions?|incredible|effectiv
e|deluxe|proven|attractive|genuine|conquer|insurance|limited|mortgage|payments?|
premiums?|reduce|lower|consolidation|degree|dreams?|guaranteed?|ipod|botox|virus
)\b/i
describe CI_SUBJECT_HITLIST_1 Subject contains promotional keywords

header   CI_SUBJECT_HITLIST_2 Subject =~ /\b(orders?|free|sex|pain|notice|save|s
pecial|best|important|urgent|opportunity|available|online|complimentary|cellphon
e|phone|buy|directv|instant|status|earn)\b/i
describe CI_SUBJECT_HITLIST_2 Subject contains promotional keywords

header   CI_SUBJECT_LONG Subject =~ /.{61,}/
describe CI_SUBJECT_LONG Subject line is longer than 60 bytes

header   CI_FROM_ADDR_BOGUS From:addr =~ /[bcdfghjklmnpqrstvwxz]{4,}[a-z0-9]*\@/i
describe CI_FROM_ADDR_BOGUS From-addr has gibberish consonants