During the past month or so I've been getting a new deluge of spam. In fact it appears to be the bulk of the spam getting past my exim/spamassassin rules set up a year or so ago. These messages contain a binary image plus a couple kbytes of randomly cut/pasted text. They are intended to get suckers to bid up a penny stock that the day-trading spammer has bought during previous hours.

Anyway I noticed that most of them contain a one- or two-word subject line, and that the folks at Spamassassin.org have yet to add new rules (latest version is 3.1.7). So I'm sharing my rules here for your edification/comment:

    header __CI_QOTD_DR To =~ /(qotd|domreg|postmaster)\@/i
    header __CI_SUBJ_2WRD Subject =~ /^\w{4,14}( \w{4,14})?$/
    rawbody __CI_HAS_BIN eval:check_for_mime('mime_base64_count')

    meta CI_PUMP_DUMP (__CI_QOTD_DR && __CI_HAS_BIN)
    describe CI_PUMP_DUMP Message to qotd/domreg/pm contains binary

    meta CI_PUMP_DUMP2 (__CI_SUBJ_2WRD && __CI_HAS_BIN)
    describe CI_PUMP_DUMP2 Binary message has 1- or 2-word subject

    score CI_PUMP_DUMP 6.0
    score CI_PUMP_DUMP2 6.0

I'll explain these here:

* QOTD_DR is a list of local site addresses that are now in the spammers' databases; I only trap those sent to these (minus my main "richb" address).
* SUBJ_2WRD is my attempt to match subject lines containing one or two words of 4 to 14 characters' length each.
* HAS_BIN looks for a base64 attachment
* The first rule PUMP_DUMP looks for my less-used spammer-targeted site addresses.
* The second rule PUMP_DUMP2 looks for those 2-word subject lines on messages containing base64 attachments. New friends not yet in my address book don't send me pictures with 2-word subject lines. I hope. ;-)

--

Spam seems to be ever-increasing yet somehow I've been able to easily keep on top of it with this Spamassassin tool, without having to resort to outsourcing my email to some commercial site.

-rich

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
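A dry run of the two meta rules against sample mail, useful for seeing what a 6.0 score would catch before deploying them. This is an added example, not part of the original post and not SpamAssassin code: the Python regexes and the base64 part count approximate the posted rules, the helper names are hypothetical, and every message and example.* address is constructed.

```python
import re
from email import message_from_string

# Python stand-ins for the posted patterns; re.ASCII approximates Perl's byte-wise \w.
QOTD_DR = re.compile(r"(qotd|domreg|postmaster)@", re.I)
SUBJ_2WRD = re.compile(r"^\w{4,14}( \w{4,14})?$", re.ASCII)

def base64_parts(msg):
    """Count MIME parts declared base64 (stand-in for mime_base64_count)."""
    return sum(1 for part in msg.walk()
               if str(part.get("Content-Transfer-Encoding", "")).strip().lower() == "base64")

def evaluate(raw):
    """Return the names of the meta rules that would fire on one raw message."""
    msg = message_from_string(raw)
    has_bin = base64_parts(msg) > 0
    hits = []
    if has_bin and QOTD_DR.search(msg.get("To", "")):
        hits.append("CI_PUMP_DUMP")
    if has_bin and SUBJ_2WRD.search(msg.get("Subject", "")):
        hits.append("CI_PUMP_DUMP2")
    return hits

def make(to, subject, with_image=True):
    """Build a constructed sample message; sender and payload are placeholders."""
    head = f"From: sender@example.net\nTo: {to}\nSubject: {subject}\nMIME-Version: 1.0\n"
    if not with_image:
        return head + "Content-Type: text/plain\n\nplain text only\n"
    return (head + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nrandom pasted text\n"
            "--b1\nContent-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
            "R0lGODlhAQABAAAAACw=\n--b1--\n")

# Constructed cases: (To, Subject, has a base64 image part)
SAMPLES = {
    "stock spam to main address": ("richb@example.org", "Golden opportunity", True),
    "long subject to role address": ("qotd@example.org", "Re: your order has shipped", True),
    "one word to role address": ("Postmaster@example.org", "Attention", True),
    "friend's photos (false positive)": ("richb@example.org", "Beach photos", True),
    "word under 4 chars": ("richb@example.org", "Hi there", True),
    "text only to role address": ("qotd@example.org", "Golden opportunity", False),
}

def run_samples():
    """Evaluate every constructed sample and return {case name: rule hits}."""
    return {name: evaluate(make(*args)) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:34} -> {', '.join(hits) or 'no hit'}")
```

The "friend's photos" case is the false positive the post hopes not to see: a legitimate two-word subject with an image attachment reaches 6.0 on CI_PUMP_DUMP2 alone.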