Anything similar to debora* out there?

mikea mikea at mikea.ath.cx
Sat Nov 18 01:08:25 GMT 2006


On Fri, Nov 17, 2006 at 03:37:13PM -0500, Alex Neuman van der Hans wrote:
> Daniel Straka wrote:
> > Just wondering...I'm sure the name will change to something else soon.
> > 
> >  
> > Dan Straka
> > Systems Coordinator
> > Casper College
> > 
> > 
> Still catching quite a bunch of these, some with greet_pause, some with 
> rbls, some with sender-address-verification, some with spf, some with 
> greylisting, some with spamassassin 
> (razor|pyzor|dcc|imageinfo|fuzzyocr), and so on.
> 
> I've been using it to (unscientifically, sort of like sticking your hand 
> out the window to see how much it's raining) see how effective each 
> method is.

Content-ID in my spambucket at home is _quite_ interesting, especially
after a sort | uniq -c | sort -r: 

 244 Content-ID: <000301c634d3$5e87f4f0$aa0fa8c0 at sanya>
  52 Content-ID: <000c01c63b06$077134e0$0403a8c0 at mlto>
  52 Content-ID: <000b01c63b06$076ec3e0$0403a8c0 at mlto>
  52 Content-ID: <000901c63b06$076ec3e0$0403a8c0 at mlto>
  52 Content-ID: <000801c63b06$0762dd00$0403a8c0 at mlto>
  34 Content-ID: <image001.jpg at 01C671DF.7F05CC90>
  31 Content-ID: <00088751267563$0762dd00$0403a8c0 at zuzu>
  28 Content-ID: <004601c66a1a$04432100$0403a8c0 at tutu>
  25 Content-ID: <000301c6430e$44668390$aa0fa8c0 at sanya>
  23 Content-ID: <000301c64a92$2fd0c6d0$aa0fa8c0 at sanya>
  22 Content-ID: <000701c62a48$e2358cd0$aa0fa8c0 at sanya>
  21 Content-ID: <001601c65631$ad9d9610$aa0fa8c0 at sanya>
  21 Content-ID: <001501c65631$ad9d9610$aa0fa8c0 at sanya>
  19 Content-ID: <000c01c63b06$077134e0$0403a8c0 at rcvd>
  19 Content-ID: <000b01c63b06$076ec3e0$0403a8c0 at rcvd>
  19 Content-ID: <000901c63b06$076ec3e0$0403a8c0 at rcvd>
  19 Content-ID: <000801c63b06$0762dd00$0403a8c0 at rcvd>
  19 Content-ID: <000501c62cfa$7b75c640$aa0fa8c0 at sanya>
  18 Content-ID: <000701c66bc0$e6666180$aa0fa8c0 at sanya>
  12 Content-ID: <image001.gif at 01C49ABA.A9A899D0>
  12 Content-ID: <004601c66a1a$04432100$0403a8c0 at pivo>
  12 Content-ID: <00088751267563$0762dd00$0403a8c0 at vino>
  12 Content-ID: <000801c62381$fd26a740$0100a8c0 at sanya>
  12 Content-ID: <000701c62381$fd26a740$0100a8c0 at sanya>
  12 Content-ID: <000601c62381$fd26a740$0100a8c0 at sanya>
  12 Content-ID: <000501c62381$fd26a740$0100a8c0 at sanya>
  12 Content-ID: <000401c62381$fd26a740$0100a8c0 at sanya>
  12 Content-ID: <000301c62381$fd26a740$0100a8c0 at sanya>
  11 Content-ID: <000b01c67e42$90d13990$aa0fa8c0 at alex>
  10 Content-ID: <pic.gif>
  10 Content-ID: <TEHLGFIC.RELRPHSD.PEQWBJGD.NFUEKLQE_csseditor>
   9 Content-ID: <image001.gif at 01C4586D.DFC5D3A0>
   9 Content-ID: <2.jpg>
   9 Content-ID: <1.jpg>
   6 Content-ID: <TSFOCOKD.SLSIBPBO.BOMJNJCS.GQFLCEEX_csseditor>
   6 Content-ID: <00088751267563$0762dd00$0403a8c0 at terv>
   5 Content-ID: <>
   5 Content-ID: <00088751267563$0762dd00$0403a8c0 at pego>
   5 Content-ID: <00088751267563$0762dd00$0403a8c0 at gopa>
   4 Content-ID: <pic1.gif>
   4 Content-ID: <photo.gif at 0231FD3E.84AB4C27>
   4 Content-ID: <image001.jpg at 01C44C33.A417E910>
   4 Content-ID: <image001.gif at 01C49B7B.FBDC7BB0>
   4 Content-ID: <000901c62e40$c12c04f0$aa0fa8c0 at sanya>
   4 Content-ID: <000601c4cdba$73ad39c0$020aa8c0 at SHARP>
   4 Content-ID: <000501c59d80$8686c0c0$0100a8c0 at sanya>
   4 Content-ID: <000301c662d1$69261c30$aa0fa8c0 at sanya>
   4 Content-ID: <000301c64237$3a6d1660$aa0fa8c0 at sanya>
   3 Content-ID: <trans.gif>
   3 Content-ID: <image001.gif at 01C49EB0.FFD29500>
   3 Content-ID: <image001.gif at 01C44767.3BA1CE80>
   3 Content-ID: <004601c66a1a$04432100$0403a8c0 at caca>
   3 Content-ID: <001901c5bda9$f8729a30$6f6e81d4 at pc>
   3 Content-ID: <000c01c63b06$077134e0$0403a8c0 at bdsm>
   3 Content-ID: <000b01c67399$2c073c20$aa0fa8c0 at alex>
   3 Content-ID: <000b01c63b06$076ec3e0$0403a8c0 at bdsm>
   3 Content-ID: <000901c63b06$076ec3e0$0403a8c0 at bdsm>

A very great deal of the spam I get appears to have a Content-ID in
the body that matches 

/^Content-ID: <.*aa0fa8c0@.*>/ ("alex" or "sanya")
or
/^Content-ID: <.*0403a8c0@.*>/ ("bdsm", "caca", "pego", "pivo", etc.)
or
/^Content-ID: <.*0100a8c0@.*>/ ("sanya")

Suitable rules should be easy to code in SA. 

I'm _very_ close to blocking anything that contains a GIF, and let the 
chips fall where they may. 

Hope this helps. 

I need to do the same sort of analysis at work, but it's more difficult 
there.

-- 
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin 
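
Added example, not part of the original post: the sort | uniq -c tally above groups by the exact Content-ID, so the recurring trailing token (aa0fa8c0, 0403a8c0, 0100a8c0) only shows up by eye. The sketch below groups raw Content-ID header lines by the 8-hex-digit token before the "@" and lists the host parts seen with each. The function names are hypothetical and the sample lines are constructed from values in the post with the archive's " at " written back as "@".

```shell
#!/bin/sh
# Constructed sample input: Content-ID lines in the shape shown in the post.
sample_ids() {
cat <<'EOF'
Content-ID: <000301c634d3$5e87f4f0$aa0fa8c0@sanya>
Content-ID: <000b01c67e42$90d13990$aa0fa8c0@alex>
Content-ID: <000c01c63b06$077134e0$0403a8c0@mlto>
Content-ID: <000c01c63b06$077134e0$0403a8c0@bdsm>
Content-ID: <000801c62381$fd26a740$0100a8c0@sanya>
Content-ID: <image001.jpg@01C671DF.7F05CC90>
Content-ID: <pic.gif>
EOF
}

# cid_suffix_tally (hypothetical helper): reads header lines on stdin and
# prints "count token host1,host2,..." for every Content-ID whose local part
# ends in "$" + 8 hex digits, most frequent token first.
cid_suffix_tally() {
  awk '
    tolower($0) ~ /^content-id:/ {
      # Leftmost match is the last "$hex" group, the one followed by "@".
      if (match($0, /\$[0-9A-Fa-f]+@[^>]*>/)) {
        s = substr($0, RSTART + 1, RLENGTH - 2)   # "token@host"
        split(s, p, "@")
        if (length(p[1]) != 8) next               # not the 8-digit form
        tok = tolower(p[1])
        count[tok]++
        # Record each host part once per token, in order of first sight.
        if (!seen[tok, p[2]]++)
          hosts[tok] = hosts[tok] (hosts[tok] ? "," : "") p[2]
      }
    }
    END { for (t in count) printf "%d %s %s\n", count[t], t, hosts[t] }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Demo run over the constructed sample.
sample_ids | cid_suffix_tally
```

Content-IDs without the "$token@" shape (image001.jpg, pic.gif) are skipped, so the output is only the tokens that would be candidates for a rule.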

