<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<body text="#400040" bgcolor="#FFFFFF" link="#FF0000" vlink="#551A8B" alink="#FFFFFF">
I just amended spam.assassin.prefs.conf as we got some more of these through
today:
<p>header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
<br>describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
<br>score FRIEND_GREETINGS 100.0
<p>header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
<br>describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
<br>score FRIEND_GREETINGS2 100.0
<p>header FRIEND_GREETINGS3 Subject =~ /you received an e-card e-mailed/i
<br>describe FRIEND_GREETINGS3 Nasty E-card from FriendGreetings.com
<br>score FRIEND_GREETINGS3 100.0
<br>
<p>Here is most of a message that was redirected to me; I haven't seen
an actual delivered card yet:
<blockquote>Subject: Jeanie you received an e-card e-mailed by .
<br>X-MailScanner: Found to be clean
<br>
<br>
<p>Jeanie,
<p>just emailed you an ecard.
<p>Retrieve your greeting by clicking below.
<p><A HREF="http://www.FriendGreeting.com/pickup.aspx?code=Jeanie&id=0412024">http://www.FriendGreeting.com/pickup.aspx?code=Jeanie&id=0412024</A>
<p>Note;
<br>Jeanie,
<br>Read the greeting card I just sent.</blockquote>
So, I guess we are going to have to edit this every time a minor new variant
of this comes out? If so, do we have to change the identifier every time?
That is, will I soon be blocking for "FRIEND_GREETINGS99" in my system?
<p>Van
<br>
<br>
<p>Julian Field wrote:
<blockquote TYPE=CITE>At 16:28 13/11/2002, you wrote:
<br>>I am ready to just block all e-mail.
<p>Do that and I'll have to go back to collecting things (glasses, clocks,
<br>bottles of brandy...)
<br>:-)
<p>>I attached the two possibilities now according to McAfee. Does anybody
<br>>have a long term solution for these guys. I believe the rule that
<br>>Julian suggested adding to spam.assassin.prefs.conf only covers the
<br>>first one.
<p>I have only seen these two. The second one appeared last week. Updates for
<br>sendmail.cf or spam.assassin.prefs.conf are included here for everyone's
<br>benefit. If I hear any more news in this I'll let you all know.
<p>Stop them in sendmail:
<p>HSubject: $>Check_Subject
<br>D{FriendPat1}you have an E-Card from
<br>D{FriendPat2}you have a greeting card from
<br>D{FriendMsg}This message is probably a nasty E-Card.
<br>SCheck_Subject
<br>R$* ${FriendPat1} $* $#error $@ 5.7.1 $: ${FriendMsg}
<br>R$* ${FriendPat2} $* $#error $@ 5.7.1 $: ${FriendMsg}
<p>Or stop them in SpamAssassin:
<p>header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
<br>describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
<br>score FRIEND_GREETINGS 100.0
<br>header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
<br>describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
<br>score FRIEND_GREETINGS2 100.0
<p>--
<br>Julian Field
Teaching Systems Manager
<br>jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
<br>Tel. 023 8059 2817
University of Southampton
<br>
Southampton SO17 1BJ</blockquote>
<br>
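<p>Added example, not part of the original messages: a small Python harness that loads the three Subject rules quoted above and runs them over constructed sample messages before the rules go live with a score of 100.0. It only understands simple <tt>header ... =~ /.../i</tt> and <tt>score</tt> lines and treats the Perl patterns as Python regexes, an assumption that holds for these literal patterns; the function names and sample subjects are made up for illustration.

```python
import re
from email import message_from_string

# The three header rules and scores from the message above.
RULES = """\
header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
score FRIEND_GREETINGS2 100.0
header FRIEND_GREETINGS3 Subject =~ /you received an e-card e-mailed/i
score FRIEND_GREETINGS3 100.0
"""

# Constructed sample messages (not real traffic): three card notices,
# one unrelated mail, and one ordinary reply that contains a trigger phrase.
SAMPLES = [
    "Subject: Jeanie you received an e-card e-mailed by .\n\nbody\n",
    "Subject: You have an E-Card from Bob\n\nbody\n",
    "Subject: YOU HAVE A GREETING CARD FROM Alice\n\nbody\n",
    "Subject: Minutes from Tuesday\n\nbody\n",
    "Subject: Re: did you have an E-Card from Mum?\n\nbody\n",
]

HEADER_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+)\s+=~\s+/(.*)/(i?)\s*$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?[\d.]+)\s*$")

def parse_rules(text):
    """Return {name: (header, compiled regex, score)} for simple header rules."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            name, header, body, flag = m.groups()
            patterns[name] = (header, re.compile(body, re.I if flag else 0))
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    # Assumption: a rule with no score line counts 1.0.
    return {n: (h, rx, scores.get(n, 1.0)) for n, (h, rx) in patterns.items()}

def evaluate(raw_message, rules):
    """Return (total score, sorted names of the rules that hit)."""
    msg = message_from_string(raw_message)
    hits = [n for n, (h, rx, _) in rules.items() if rx.search(msg.get(h, ""))]
    return sum(rules[n][2] for n in hits), sorted(hits)

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for raw in SAMPLES:
        print(evaluate(raw, rules), raw.splitlines()[0])
```

<p>The last constructed sample shows that a plain substring match on Subject also hits an ordinary reply, which matters when the rule carries a score of 100.0.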
</body>
</html>