AW: Rechnung offline Spam

[Holger Gebhard]

Hi Johan,

this is my current anti-phishing rule for the telekom spams. If the spammers
change the messages from time to time you must tweak the regex a little bit.

header          __PHISHING_TXT_14060401 Subject =~ /RechnungOnline Monat/i
body            __PHISHING_TXT_14060402 /(?:als Anlage (?:ist|erhalten
Sie)|diese Nachricht finden Sie) die Rechnung \d+ als
PDF.{1,5}(?:Datei|Anhang)/i
body            __PHISHING_TXT_14060403
/rechnung(?:_|-)(?:januar|februar|m.rz|april|mai|juni|juli|august|september|
oktober|november|dezember)((?:_|-)201\d)?(?:_|-)(?:\d|-)+((?:_|-)sign?)?\.zi
p/i
meta            TELEKOM_PHISHING_01        (__PHISHING_TXT_14060401 &&
__PHISHING_TXT_14060402 && __PHISHING_TXT_14060403)
score           TELEKOM_PHISHING_01       5.0
describe        TELEKOM_PHISHING_01        Typical phishing message parts


Best regards

Holger

-----Ursprüngliche Nachricht-----
Von: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] Im Auftrag von Johan
Hendriks
Gesendet: Mittwoch, 11. Juni 2014 15:42
An: MailScanner List (mailscanner at lists.mailscanner.info)
Betreff: Rechnung offline Spam

Hello all.

I am trying to stop some spam but it seems MailScanner just lets them
pass...

It is about mail with the following Subject.
RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)

So i made a custum.cf  file with the following


header TELECOM_SUBJECT      Subject =~ /RechnungOnline/i
score TELECOM_SUBJECT       5.1
describe TELECOM_SUBJECT    Telekom spam


Is my rule not ok, and is it looking for a subject ONLY with RechnungOnline
??

Secondly the mail contains a Trojan and that also is getting through?

Could someone please help me.

regards
Johan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!