Re: Rechnung offline Spam

Holger Gebhard holger at
Fri Jun 13 10:06:06 IST 2014

Hi Johan,

This is my current anti-phishing rule for the Telekom spams. If the spammers
change the messages from time to time, you must tweak the regex a little bit.

header          __PHISHING_TXT_14060401 Subject =~ /RechnungOnline Monat/i
body            __PHISHING_TXT_14060402 /(?:als Anlage (?:ist|erhalten Sie)|diese Nachricht finden Sie) die Rechnung \d+ als
body            __PHISHING_TXT_14060403
meta            TELEKOM_PHISHING_01        (__PHISHING_TXT_14060401 && __PHISHING_TXT_14060402 && __PHISHING_TXT_14060403)
score           TELEKOM_PHISHING_01       5.0
describe        TELEKOM_PHISHING_01        Typical phishing message parts

Best regards


-----Original Message-----
From: mailscanner-bounces at
[mailto:mailscanner-bounces at] On Behalf Of Johan
Sent: Wednesday, 11 June 2014 15:42
To: MailScanner List (mailscanner at
Subject: Rechnung offline Spam

Hello all.

I am trying to stop some spam but it seems MailScanner just lets them

It is about mail with the following Subject.
RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)

So I made a file with the following

header TELECOM_SUBJECT      Subject =~ /RechnungOnline/i
score TELECOM_SUBJECT       5.1
describe TELECOM_SUBJECT    Telekom spam

Is my rule not ok, and is it looking for a subject ONLY with RechnungOnline

Secondly the mail contains a Trojan and that also is getting through?

Could someone please help me.
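
An added example, not part of either message and not SpamAssassin's own code: a simplified Python model of how header, body, meta and score lines combine, showing that an unanchored `/RechnungOnline/i` matches any Subject containing that text and that `__` sub-rules only count through a meta rule. The body pattern, the names `__DEMO_SUBJ`, `__DEMO_BODY` and `TELEKOM_DEMO`, and the sample messages are constructed; Python's `re` stands in for Perl regexes.

```python
import re
from email import message_from_string

# Header rules are the two Subject rules from the thread. The body pattern and
# the names __DEMO_SUBJ, __DEMO_BODY and TELEKOM_DEMO are constructed here.
RULES = r"""
header  TELECOM_SUBJECT  Subject =~ /RechnungOnline/i
score   TELECOM_SUBJECT  5.1
header  __DEMO_SUBJ      Subject =~ /RechnungOnline Monat/i
body    __DEMO_BODY      /die Rechnung \d+/i
meta    TELEKOM_DEMO     (__DEMO_SUBJ && __DEMO_BODY)
score   TELEKOM_DEMO     5.0
"""

def evaluate(rules_text, raw_message):
    """Return (sorted names of scoring rules that hit, total score)."""
    msg = message_from_string(raw_message)
    body = " ".join(msg.get_payload().split())  # collapse whitespace, simplified
    hits, scores, metas = {}, {}, []
    for line in rules_text.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind == "score":
            scores[name] = float(rest)
        elif kind == "meta":
            metas.append((name, rest))
        else:
            # "header": 'Subject =~ /re/i' is tested against that header only;
            # "body":   '/re/i' is tested against the message text.
            target, pattern, flag = re.fullmatch(
                r"(?:(\S+)\s*=~\s*)?/(.*)/(i?)", rest.strip()).groups()
            text = msg.get(target, "") if kind == "header" else body
            # re.search, not re.fullmatch: without ^ and $ the pattern may
            # match anywhere in the text, as in Perl.
            hits[name] = bool(re.search(pattern, text, re.I if flag else 0))
    for name, expr in metas:  # this sketch only handles '&&' conjunctions
        hits[name] = all(hits.get(n, False) for n in re.findall(r"\w+", expr))
    # Names starting with '__' are sub-rules: usable in meta rules, never scored.
    fired = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    return fired, round(sum(scores.get(n, 1.0) for n in fired), 2)

# Constructed messages; only the first Subject line is taken from the thread.
PHISH = ("Subject: RechnungOnline Monat Juni 2014 (Buchungskonto: 4660367728)\n\n"
         "Guten Tag,\nals Anlage erhalten Sie die Rechnung 123456 als PDF.\n")
REPLY = "Subject: Re: Frage zu rechnungonline\n\nDanke, alles erledigt.\n"

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("reply", REPLY)):
        print(label, evaluate(RULES, raw))
```

The constructed reply shows the cost of the broad single-keyword rule: it alone scores 5.1 on a legitimate message, while the meta rule needs both the subject and the body phrase before it adds anything.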

