Wierd words for spam filter

David Jacobson davidj at IMPOL.NET
Fri Feb 20 13:12:23 GMT 2004 

Hi,

Thanks to all who helped me with the obfuscated spam words - implementing
my own rules now
works like a charm.

Kind regards,

David Jacobson
Network Security Administrator
RHCE

Imperial Online - The Imperial Connection

Switchboard (+27) 11 723-8000
Helpdesk (+27) 11 723-8181
Mobile  (+27) 83 235-0760
Facsimile (+27) 11 454 1236
Email  davidj at impol.net

www.imperialonline.co.za / www.imperialtoday.co.za

Confidentiality Notice:
This communication and the information it contains are intended for the
person(s) or organisation(s) named above and for no other person(s) or
organisation(s).
The content of this communication may be confidential, legally privileged
and protected. Unauthorised use, copying or disclosure of any part of this
communication may be unlawful.



Martin Hepworth <martinh at SOLID-STATE-LOGIC.COM>
Sent by: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
02/20/2004 11:57 AM
Please respond to
MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>


To
MAILSCANNER at JISCMAIL.AC.UK
cc

Subject
Re: Wierd words for spam filter






david

try the antidrug ruleset at
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

having said that I'm running it and it didn't trigger it, but this rule
did...

# Created using Chris's Mediocre Obfuscation Script Version 0.00.0.0001h
# http://sandgnat.com/cmos/
#

header LOCAL_OBFU_VGR_SUBJ Subject =~
/(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\x
B1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VGR_SUBJ 2.6
describe LOCAL_OBFU_VGR_SUBJ Obfuscated 'viagra' in subject

body LOCAL_OBFU_VGR
/(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\x
B1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VGR 1.8
describe LOCAL_OBFU_VGR Obfuscated 'viagra' in body
xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VGR_SUBJ 2.6
describe LOCAL_OBFU_VGR_SUBJ Obfuscated 'viagra' in subject


body LOCAL_OBFU_VGR
/(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\x
B1|\xD0\x90|\xD0\xB0)\B)/i
score LOCAL_OBFU_VGR 1.8
describe LOCAL_OBFU_VGR Obfuscated 'viagra' in body

If you also add in the xanax and others as well (generated using Chris's
  CGI scripts on his home page above) you should be able to trigger a
spam action.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


David Jacobson wrote:
>
> Hi Again,
>
> I've got customers complaining that spam is coming through and when
> analyzing the e-mails
> I notice they're using words as follows:
>
>  <<FWD: Need Meds Valiu+m+ $ v|agr@ % Xan_a_x _ At`|v at n ' Pnte.r.min - =
> Som+a+  gJe3w>>  <<FWD: On sale V1Agr@ ; xan at x ' V.a.lium & At|v:@n * =
> +Soma+ < Pn.t.ermin fmRdI>>  <<FWD: Everything 4 U /Xanax/ ' :V:alium #
=
> v|@gRa ) A:t|v at n + .S.oma _ Pnter:m:in Q6bgh>>  <<Re: flanders>>  =
> <<Re:>>=20
>
> which are not getting tagged, now everytime I try add special words like
> that with pipes colons pluses etc
> it seems to break stuff and tag everything as spam, can someone give me
> an example of how to add such
> words?
>
> Thanks
>
> Kind regards,
>
> David Jacobson
> Network Security Administrator
> RHCE
>
> Imperial Online - The Imperial Connection
>
> Switchboard (+27) 11 723-8000
> Helpdesk (+27) 11 723-8181
> Mobile  (+27) 83 235-0760
> Facsimile (+27) 11 454 1236
> Email  davidj at impol.net
>
> www.imperialonline.co.za / www.imperialtoday.co.za
>
> Confidentiality Notice:
> This communication and the information it contains are intended for the
> person(s) or organisation(s) named above and for no other person(s) or
> organisation(s).
> The content of this communication may be confidential, legally
> privileged and protected. Unauthorised use, copying or disclosure of any
> part of this communication may be unlawful.

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040220/712b38e9/attachment.html

More information about the MailScanner mailing list