Clever Spammers, Anything to catch this?

Rick Cooper rcooper at DWFORD.COM
Mon Nov 21 00:48:16 GMT 2005



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Sunday, November 20, 2005 4:40 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Clever Spammers, Anything to catch this?
>
>
> >I tried those and Jules's didn't hit at all, Matt's hit one of seven drugs
> >listed in the email, one of four that they were designed to hit. I changed
> >Matt's rules a bit (changed all the \s to \s? ) and added a rule and hit all
> >of the drugs listed. I also converted to meta rule so I could assign a score
> >based on how many hits 4, 3, 2 or 1 to lessen the possibility of false
> >positives when I want to drop at SMTP.
> >
> >
> Shame mine didn't work. I was quite pleased with the implementation, the
> rule was quite succinct. It hit a couple I tried it on, but I guess the
> spammers didn't take that path.
>
> Guess I'll leave writing rules to others in the future, not much point
> writing code if it doesn't do anything useful :-)

I would think it more likely mutated a bit. The concept is a bit frightening
because it wouldn't be too hard to add other obfuscation techniques to the
DIV crap. It really seems to me the best way to catch it would be with a
multi-line match so you could look for a pattern of <br>X<br> in a
<div></div> section, but unless I missed something even the latest SA
doesn't allow that. :-(

Rick
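
The multi-line match described in the message above, sketched as a standalone Python check. This is an added example, not part of the original post and not SpamAssassin or MailScanner code. The thread does not show the spam's actual markup, so the sample HTML is constructed, and the names `stacked_runs` and `min_len` are assumptions.

```python
import html
import re

# Constructed sample (not from the thread): one <div> stacks a word one
# character per line with <br>, the other holds ordinary text.
SAMPLE_HTML = (
    "<html><body>\n"
    "<div style='float:left'>\nP<br>\nI<br>\nL<br>\nL<br>\nS<br>\n</div>\n"
    "<div>Hello Bob,<br>\nsee you on Monday.<br>\nRegards</div>\n"
    "</body></html>\n"
)

# re.S lets '.' cross newlines, which is the multi-line part of the match.
# Non-greedy, so nested <div>s are not handled (limitation of this sketch).
DIV_RE = re.compile(r"<div\b[^>]*>(.*?)</div\s*>", re.I | re.S)
BR_RE = re.compile(r"<br\s*/?>", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def stacked_runs(page, min_len=4):
    """Return the strings spelled by runs of at least min_len single
    characters separated by <br> inside one <div>...</div> section."""
    hits = []
    for div in DIV_RE.finditer(page):
        run = []
        # The trailing "--" sentinel flushes the last run of each <div>.
        for piece in BR_RE.split(div.group(1)) + ["--"]:
            # Drop inner tags, decode entities, trim whitespace and &nbsp;.
            text = html.unescape(TAG_RE.sub("", piece)).strip()
            if not text:
                continue  # blank cell between <br>s does not break a run
            if len(text) == 1 and text.isalnum():
                run.append(text)
                continue
            # Normal multi-character text ends the run.
            if len(run) >= min_len:
                hits.append("".join(run))
            run = []
    return hits


if __name__ == "__main__":
    print(stacked_runs(SAMPLE_HTML))
```

The number of runs returned can feed a tiered score, in the same spirit as the meta rule mentioned in the quoted text.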

