Clever Spammers, Anything to catch this?

Rick Cooper rcooper at DWFORD.COM
Sun Nov 20 21:02:40 GMT 2005





> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Glenn Steen
> Sent: Sunday, November 20, 2005 1:05 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [MailScanner HIGHLY Probable Spam] Re: Clever Spammers,
> Anything to catch this?
>
>
> On 20/11/05, Rick Cooper <rcooper at dwford.com> wrote:
> > I have also sent this to the SpamAssassin List but thought I would post
> > here as well.
> >
> > I have noted there are a lot of spams getting through that are using
> > <DIV> tags and spelling the drug words in columns top to bottom then move
> > a column right and repeat. An example would be
[...]

> Both Jules and Matt Kettler posted some rules that I think are aimed
> at these.... And at least some get tagged by them (@work). Posted just
> the other day, so take a look through the relatively recent archives.
>

I tried those and Jules's didn't hit at all; Matt's hit one of seven drugs
listed in the email, one of four that they were designed to hit. I changed
Matt's rules a bit (changed all the \s to \s?) and added a rule and hit all
of the drugs listed. I also converted to a meta rule so I could assign a score
based on how many hits (4, 3, 2 or 1) to lessen the possibility of false
positives when I want to drop at SMTP.

I attached a copy of the changes I made to Matt's rules and it also includes
my own rule. My own rule doesn't care about the words just the methodology
used. I didn't get any FPs with the latest SA public Corpus BTW.



    [ Part 2, Application/OCTET-STREAM (Name: "DIVSpellRules.cf")  8.3KB. ]
    [ Unable to print this part. ]
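
An added example (not from this post or the attached DIVSpellRules.cf), in Python, showing why relaxing `\s` to `\s?` catches more column-spelled words, a word-agnostic check on the layout itself, and hit-count tiers that keep a single match low-scoring. The column layout (one `<DIV>` per column, one letter per `<BR>` line), the stand-in words, the patterns and the scores are all assumptions.

```python
import re

# Constructed sample: each <DIV> is one column, one letter per <BR>-separated
# line. ALPHA/BRAVO/DELTA are neutral stand-ins for the advertised words.
SAMPLE = (
    '<DIV style="float:left">A<BR>L<BR>P<BR>H<BR>A</DIV>\n'
    '<DIV style="float:left">B <BR> R <BR> A <BR> V <BR> O</DIV>\n'
    '<DIV style="float:left">D<BR>\nE<BR>\nL<BR>\nT<BR>\nA</DIV>\n'
)
WORDS = ["ALPHA", "BRAVO", "DELTA", "GAMMA"]  # hypothetical word list


def word_rule(word, optional_ws):
    """Regex for one word spelled down a column, one letter per <BR>."""
    ws = r"\s?" if optional_ws else r"\s"
    sep = ws + r"<br\s*/?>" + ws
    return re.compile(sep.join(map(re.escape, word)), re.I)


def count_hits(html, words, optional_ws):
    """Number of distinct listed words found in the raw HTML."""
    return sum(1 for w in words if word_rule(w, optional_ws).search(html))


# Word-agnostic check (assumed pattern): a DIV whose whole content is four or
# more single characters, each on its own <BR>-separated line.
METHOD = re.compile(
    r"<div\b[^>]*>\s?(?:[a-z0-9]\s?<br\s*/?>\s?){3,}[a-z0-9]\s?</div>", re.I)


def method_hits(html):
    """Number of DIVs laid out as a single-character column."""
    return len(METHOD.findall(html))


# Assumed scores: more distinct hits give a higher score, so one hit alone
# stays well below a reject-at-SMTP threshold.
TIERS = {0: 0.0, 1: 0.5, 2: 1.5, 3: 3.0}


def tiered_score(hits):
    return TIERS.get(hits, 5.0)  # 4 or more hits


if __name__ == "__main__":
    for relaxed in (False, True):
        hits = count_hits(SAMPLE, WORDS, relaxed)
        print("relaxed" if relaxed else "strict", hits, tiered_score(hits))
    print("column-layout DIVs:", method_hits(SAMPLE))
```
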



