Spam full of random words not being stopped

[John Wilcock]

On Fri, 16 Jan 2004 09:35:34 +0000, Michael Keightley wrote:
> Been getting lots of Spam recently which just contains lots of random words.
> These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61).
> I've attached a couple of examples.  Is there anyway to stop this stuff?
...
> nighttime current finland pestilential
> cruickshank edmondson collateral spitz cavalry
> dark russet lemuel buzzword expert

Various rules to stop this type of spam have been discussed recently
on the SA-talk list. 

Some successful ones that I'm using are given below:

| rawbody  local_WORDWORD_10    /(?:\b(?!=(?:from|even|have|here|more|this|were|with)\b)[a-z]{4,12}\s+){10}/
| describe local_WORDWORD_10    String of 10 or more random words (none with less than 4 letters)
| score    local_WORDWORD_10    0.5
| 
| rawbody  local_WORDWORD_15    /(?:\b(?!=(?:from|even|have|here|more|this|were|with)\b)[a-z]{4,12}\s+){15}/
| describe local_WORDWORD_15    String of 15 or more random words (none with less than 4 letters)
| score    local_WORDWORD_15    2.5

One common form of this spam also has random words in the X-Mailer
header, hence this rule:

| header   local_XMAILER_BOGUS  X-Mailer =~ /^[a-z][^A-Z0-9]*$/
| describe local_XMAILER_BOGUS  X-Mailer header has no uppercase letters or digits at all
| score    local_XMAILER_BOGUS  2.0
|


John.

-- 
-- Over 2000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr