
BLU Discuss list archive


SpamAssassin rule for stock pump and dump spam

During the past month or so I've been getting a new deluge of spam.  In fact
it appears to be the bulk of the spam getting past my exim/spamassassin rules
set up a year or so ago.

These messages contain a binary image plus a couple of kbytes of randomly
cut/pasted text.  They are intended to get suckers to bid up a penny stock
that the day-trading spammer has bought during previous hours.  Anyway I
noticed that most of them contain a one- or two-word subject line, and that
the folks at have yet to add new rules (latest version is
3.1.7).  So I'm sharing my rules here for your edification/comment:

header   __CI_QOTD_DR    To =~ /(qotd|domreg|postmaster)\@/i
header   __CI_SUBJ_2WRD  Subject =~ /^\w{4,14}( \w{4,14})?$/
rawbody  __CI_HAS_BIN    eval:check_for_mime('mime_base64_count')
meta     CI_PUMP_DUMP    (__CI_QOTD_DR && __CI_HAS_BIN)
describe CI_PUMP_DUMP    Message to qotd/domreg/pm contains binary
meta     CI_PUMP_DUMP2   (__CI_SUBJ_2WRD && __CI_HAS_BIN)
describe CI_PUMP_DUMP2   Binary message has 1- or 2-word subject

score   CI_PUMP_DUMP            6.0
score   CI_PUMP_DUMP2           6.0

I'll explain these here:

* QOTD_DR is a list of local site addresses that are now in the spammers'
databases; I only trap those sent to these (minus my main "richb" address).

* SUBJ_2WRD is my attempt to match subject lines containing one or two words
of 4 to 14 characters' length each.

* HAS_BIN looks for a base64 attachment.

* The first rule PUMP_DUMP looks for my less-used spammer-targeted site addresses.

* The second rule PUMP_DUMP2 looks for those 2-word subject lines on messages
containing base64 attachments.  New friends not yet in my address book don't
send me pictures with 2-word subject lines.  I hope. ;-)


Spam seems to be ever-increasing yet somehow I've been able to easily keep on
top of it with this Spamassassin tool, without having to resort to outsourcing
my email to some commercial site.
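As an added example (not part of the original post or of SpamAssassin itself), the Python below re-implements the same three sub-tests and two meta rules so their matching behaviour can be checked on sample messages outside SpamAssassin; the addresses, subjects and the base64 payload are constructed for the demo.

```python
import email
import re

# Same patterns as the posted SpamAssassin rules (To is case-insensitive, Subject is not).
TO_RE = re.compile(r"(qotd|domreg|postmaster)@", re.I)
SUBJ_RE = re.compile(r"^\w{4,14}( \w{4,14})?$")
SCORES = {"CI_PUMP_DUMP": 6.0, "CI_PUMP_DUMP2": 6.0}


def make_msg(to, subject, attach):
    """Build a constructed multipart message, optionally with a base64 image part."""
    raw = (f"From: sender@example.invalid\nTo: {to}\nSubject: {subject}\n"
           "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
           "--b1\nContent-Type: text/plain\n\nsome randomly pasted filler text\n")
    if attach:  # one-pixel GIF, base64-encoded, standing in for the stock chart image
        raw += ("--b1\nContent-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
                "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\n")
    return (raw + "--b1--\n").encode()


def base64_part_count(msg):
    """Rough equivalent of check_for_mime('mime_base64_count'): count base64 leaf parts."""
    return sum(1 for p in msg.walk()
               if not p.is_multipart()
               and p.get("Content-Transfer-Encoding", "").lower() == "base64")


def score(raw):
    """Return {rule_name: score} for the meta rules that fire on this message."""
    msg = email.message_from_bytes(raw)
    qotd_dr = bool(TO_RE.search(msg.get("To", "")))      # __CI_QOTD_DR
    subj_2wrd = bool(SUBJ_RE.match(msg.get("Subject", "")))  # __CI_SUBJ_2WRD
    has_bin = base64_part_count(msg) > 0                  # __CI_HAS_BIN
    hits = {}
    if qotd_dr and has_bin:
        hits["CI_PUMP_DUMP"] = SCORES["CI_PUMP_DUMP"]
    if subj_2wrd and has_bin:
        hits["CI_PUMP_DUMP2"] = SCORES["CI_PUMP_DUMP2"]
    return hits


if __name__ == "__main__":
    for to, subj, att in [("qotd@example.org", "Stock Alert", True),
                          ("richb@example.org", "Pictures from our trip", True)]:
        print(to, repr(subj), score(make_msg(to, subj, att)))
```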

