Tiny text only spam (semi OT)
--[ UxBoD ]--
uxbod at splatnix.net
Sun Jul 12 15:18:38 IST 2009
----- "Bernard Lheureux" <bernard.lheureux at bbsoft4.org> wrote:
> Alessandro Bianchi wrote:
> Gosh, they found the way to bypass this rule:
>
> I received these this night (2 different messages containig this):
>
> in the 1st: Can Exercise Bodost Your sex rDive?.www .za16. com
> in the 2nd: Save oYur Relationship With These Amazing Secerts:
> www,nu26,com
>
> Has anyone a solution to avoid these kind of spams ?
body URI_OBFU_XX99_WS /\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe URI_OBFU_XX99_WS Space-obfuscated xxx999 URI
score URI_OBFU_XX99_WS 2.0
body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP /\b[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT /\b[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 2.0
I would highly recommend joining the knowledgeable people on the SpamAssassin list aswell :)
Best Regards,
--
SplatNIX IT Services :: Innovation through collaboration
More information about the MailScanner
mailing list