SpamAssassin rule for stock pump and dump spam
Rich Braun
richb at pioneer.ci.net
Wed Oct 25 12:39:56 EDT 2006
During the past month or so I've been getting a new deluge of spam. In fact
it appears to be the bulk of the spam getting past my exim/spamassassin rules
set up a year or so ago.
These messages contain a binary image plus a couple of kbytes of randomly
cut/pasted text. They are intended to get suckers to bid up a penny stock
that the day-trading spammer has bought during previous hours. Anyway, I
noticed that most of them contain a one- or two-word subject line, and that
the folks at Spamassassin.org have yet to add new rules (latest version is
3.1.7). So I'm sharing my rules here for your edification/comment:
# Sub-rules: a leading "__" means no score of its own, used only by the metas
header   __CI_QOTD_DR    To =~ /(qotd|domreg|postmaster)\@/i
header   __CI_SUBJ_2WRD  Subject =~ /^\w{4,14}( \w{4,14})?$/
# check_for_mime() comes from the MIMEEval plugin; mime_base64_count is the
# number of MIME parts with Content-Transfer-Encoding: base64 (any Content-Type)
rawbody  __CI_HAS_BIN    eval:check_for_mime('mime_base64_count')

meta     CI_PUMP_DUMP    (__CI_QOTD_DR && __CI_HAS_BIN)
describe CI_PUMP_DUMP    Message to qotd/domreg/pm contains binary
score    CI_PUMP_DUMP    6.0

meta     CI_PUMP_DUMP2   (__CI_SUBJ_2WRD && __CI_HAS_BIN)
describe CI_PUMP_DUMP2   Binary message has 1- or 2-word subject
score    CI_PUMP_DUMP2   6.0
I'll explain these here:
* QOTD_DR is a list of local site addresses that are now in the spammers'
databases; I only trap those sent to these (minus my main "richb" address).
* SUBJ_2WRD is my attempt to match subject lines containing one or two words
of 4 to 14 characters' length each.
* HAS_BIN looks for a base64 attachment.
* The first rule PUMP_DUMP looks for my less-used spammer-targeted site
addresses.
* The second rule PUMP_DUMP2 looks for those 2-word subject lines on messages
containing base64 attachments. New friends not yet in my address book don't
send me pictures with 2-word subject lines. I hope. ;-)
--
Spam seems to be ever-increasing, yet somehow I've been able to easily keep on
top of it with this Spamassassin tool, without having to resort to outsourcing
my email to some commercial site.
-rich
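To see how the three sub-rules and the two metas above interact, here is an added Python emulation of them (example code written for this page, not part of Rich's post and not SpamAssassin itself) run over four constructed messages. It also exercises the main caveat of mime_base64_count, which counts every base64-encoded MIME part whatever its Content-Type: a legitimate text/plain body that a non-English correspondent's mailer base64-encoded, combined with a two-word subject, fires CI_PUMP_DUMP2 just like the spam. All addresses, names and bodies are made up.

```python
"""Emulation of the CI_PUMP_DUMP / CI_PUMP_DUMP2 rules over constructed mail.

Added example, not from the post or from SpamAssassin. The three "__" sub-rules
are re-implemented with Python's re and email modules and then combined exactly
as the two meta rules combine them. All messages below are constructed.
"""
import base64
import re
from email import message_from_string
from email.message import Message

# __CI_QOTD_DR: To header names one of the spammer-harvested local addresses
QOTD_DR_RE = re.compile(r'(qotd|domreg|postmaster)@', re.IGNORECASE)
# __CI_SUBJ_2WRD: subject is one or two words of 4-14 word characters each
SUBJ_2WRD_RE = re.compile(r'^\w{4,14}( \w{4,14})?$')

# Scores from the post; a message matching both metas collects both.
SCORES = {'CI_PUMP_DUMP': 6.0, 'CI_PUMP_DUMP2': 6.0}


def ci_qotd_dr(msg: Message) -> bool:
    return bool(QOTD_DR_RE.search(str(msg.get('To', ''))))


def ci_subj_2wrd(msg: Message) -> bool:
    return bool(SUBJ_2WRD_RE.search(str(msg.get('Subject', ''))))


def ci_has_bin(msg: Message) -> bool:
    """Mirror of check_for_mime('mime_base64_count') being non-zero: any MIME
    part whose Content-Transfer-Encoding is base64 counts, whatever its type."""
    return any(
        str(part.get('Content-Transfer-Encoding', '')).strip().lower() == 'base64'
        for part in msg.walk()
    )


def evaluate(raw: str):
    """Return (list of meta rules hit, total score) for one RFC 822 message."""
    msg = message_from_string(raw)
    qotd, two_words, has_bin = ci_qotd_dr(msg), ci_subj_2wrd(msg), ci_has_bin(msg)
    hits = []
    if qotd and has_bin:        # meta CI_PUMP_DUMP (__CI_QOTD_DR && __CI_HAS_BIN)
        hits.append('CI_PUMP_DUMP')
    if two_words and has_bin:   # meta CI_PUMP_DUMP2 (__CI_SUBJ_2WRD && __CI_HAS_BIN)
        hits.append('CI_PUMP_DUMP2')
    return hits, sum(SCORES[h] for h in hits)


# --- constructed sample messages (not real mail) ------------------------------
# 1x1 transparent GIF standing in for the spammer's stock-chart image
GIF_B64 = 'R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='

PUMP_TO_MAIN_ADDR = f"""\
From: "Tanya" <tanya@example.net>
To: richb@example.com
Subject: Good News
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

the fields were wet with dew and the roads
--b1
Content-Type: image/gif; name="chart.gif"
Content-Transfer-Encoding: base64

{GIF_B64}
--b1--
"""

# Same image spam, but aimed at a harvested address and with a longer subject
PUMP_TO_POSTMASTER = PUMP_TO_MAIN_ADDR.replace(
    'To: richb@example.com', 'To: postmaster@example.com'
).replace('Subject: Good News', 'Subject: Re: your account')

LEGIT_PLAIN = """\
From: "A. Friend" <friend@example.org>
To: richb@example.com
Subject: Photos from the lake

Will bring the prints on Saturday.
"""

# A non-English correspondent whose mailer base64-encodes a Latin-1 text body
LEGIT_B64_TEXT = f"""\
From: "Klaus" <klaus@example.de>
To: richb@example.com
Subject: Hallo Richard
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: base64

{base64.b64encode('Grüße aus Köln'.encode('latin-1')).decode('ascii')}
"""

if __name__ == '__main__':
    for name in ('PUMP_TO_MAIN_ADDR', 'PUMP_TO_POSTMASTER',
                 'LEGIT_PLAIN', 'LEGIT_B64_TEXT'):
        print(name, evaluate(globals()[name]))
```

Running it shows the first spam scoring 6.0 from CI_PUMP_DUMP2 alone (the main address is deliberately excluded from __CI_QOTD_DR), the second scoring 6.0 from CI_PUMP_DUMP alone (the "Re:" subject has a colon and three words, so __CI_SUBJ_2WRD does not match), the plain friend's note scoring nothing, and the base64-encoded German note scoring 6.0 as a false positive. If that last case matters for your correspondents, the usual mitigation is to keep the meta scores below the spam threshold so a second rule has to agree, or to restrict __CI_HAS_BIN with a Content-Type check on the image part.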
More information about the Discuss mailing list