fake ASDA spam

[Randal, Phil]

Here's what I use.

header   HC_ASDA        Subject =~ /(?:\d{3} ASDA|ASDA \$\d{3} worth
of)/
describe HC_ASDA        Hundreds of bucks ASDA
score    HC_ASDA        5

In our environment false positives don't matter, as our users aren't
supposed to be doing their shopping in working hours.

Not that there have been any FPs so far.

Cheers,

Phil

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of David
Lee
Sent: 15 October 2007 16:58
To: MailScanner discussion
Subject: fake ASDA spam

(This might be a UK-only spam.)

Some of our users are getting lots of instances of a new spam allegedly
offering money off for shopping at ASDA.  The spam seems to have little
content for Bayes to get its teeth into reliably; the linked URLs seem
to
change; the set of machines from which it arrives changes.  So although
it
gets an SA spam score (DCC, RAZOR2) there is insufficient evidence for a
secure conviction, so it gets through and annoys our users.

Has anyone (probably in the UK) seen this and been able to come up with
a
means (SA rules?) of detecting its characteristics, whilst avoiding
false
positives?

Thanks.

-- 

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:  UNIX Team Leader                         Durham University     :
:                                           South Road            :
:  http://www.dur.ac.uk/t.d.lee/            Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!