SpamAssassin rules

gav on 2004-01-20T14:43:59

I've added the following rules to my SpamAssassin ruleset this weekend to try to keep winning this losing battle:

score HABEAS_SWE -5.0

header SUBJECT_RE_XXX Subject =~ /^Re: [A-Z]+,(?: [a-z]+){3}$/
describe SUBJECT_RE_XXX Spammy subject RE
score SUBJECT_RE_XXX 2.0

rawbody BODY_LOTS_OF_WORDS /(?: [a-z]+){20,}/
describe BODY_LOTS_OF_WORDS Body contains a bunch of lower case words
score BODY_LOTS_OF_WORDS 1.5

header SUBJECT_CHEAP_MEDS Subject =~ /^Cheap Meds/
describe SUBJECT_CHEAP_MEDS Selling Xanax, Valium, Viagra, Soma...
score SUBJECT_CHEAP_MEDS 5.0

rawbody BODY_CONTAINS_XANAX /[Xx].?[Aa].?[Nn].?[Aa].?[Xx]/
describe BODY_CONTAINS_XANAX Body contains XANAX
score BODY_CONTAINS_XANAX 0.8

rawbody BODY_CONTAINS_VALIUM /[Vv].?[Aa].?[Ll].?[Ii].?[Uu].?[Mm]/
describe BODY_CONTAINS_VALIUM Body contains VALIUM
score BODY_CONTAINS_VALIUM 0.7

rawbody BODY_CONTAINS_VIAGRA /[Vv].?[Ii].?[Aa].?[Gg].?[Rr].?[Aa]/
describe BODY_CONTAINS_VIAGRA Body contains VIAGRA
score BODY_CONTAINS_VIAGRA 0.9

meta BODY_LOTS_OF_DRUGS (BODY_CONTAINS_XANAX && BODY_CONTAINS_VALIUM && BODY_CONTAINS_VIAGRA)
describe BODY_LOTS_OF_DRUGS Somebody is selling prescription drugs
score BODY_LOTS_OF_DRUGS 6.0

header UNLIMITED_ORGASMS Subject =~ /^Give her unlimited orgasms/i
describe UNLIMITED_ORGASMS Annoying graphic advert
score UNLIMITED_ORGASMS 10


SWEET

jbisbee on 2004-01-20T15:06:39

It was on my to do list to do the exact same thing. Stupid "RE: XXX" spams :)

Re:SWEET

vsergu on 2004-01-21T21:11:52

I'm currently using this for those spams:

# New flood of spam with subject lines like "Re: SYACZAS, you can believe"
# (The word "woland" happened to occur in a couple of the subject lines)
header __L_SUBJ_WOLAND  Subject =~ /^Re: [A-Z]{2,8},( [a-z]{2,16}[.?'!]{0,2}){3}$/
header __L_MUA_MPOP X-Mailer =~ /^mPOP Web-Mail 2\.19$/
header __L_MIME_BOUND_ALT  Content-Type =~ /boundary="--ALT--[A-Z]{4}\d{14}"/
meta L_WOLAND_SPAM  __L_SUBJ_WOLAND && __L_MUA_MPOP && __L_MIME_BOUND_ALT
describe L_WOLAND_SPAM  Subject, mailer, and MIME boundary match "Woland"-style spam
score L_WOLAND_SPAM  5

It's overly conservative (for example, there are some different MIME boundaries occasionally, and the subject sometimes has some other punctuation), but I haven't gone back to tweak it. The mailer is a pretty good enough sign on its own, but there are apparently people out there using it for real mail.
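The header rules from this thread, run over constructed sample headers, as an added example that is not part of any post here. It assumes Python's `re` stands in for SpamAssassin's Perl regex engine (these patterns behave the same in both); `evaluate`, `make_message` and the sample values are hypothetical names and constructed data.

```python
import re
from email import message_from_string

# Header rules copied from the thread: (rule name, header, pattern).
HEADER_RULES = [
    ("SUBJECT_RE_XXX", "Subject", r"^Re: [A-Z]+,(?: [a-z]+){3}$"),
    ("__L_SUBJ_WOLAND", "Subject",
     r"^Re: [A-Z]{2,8},( [a-z]{2,16}[.?'!]{0,2}){3}$"),
    ("__L_MUA_MPOP", "X-Mailer", r"^mPOP Web-Mail 2\.19$"),
    ("__L_MIME_BOUND_ALT", "Content-Type",
     r'boundary="--ALT--[A-Z]{4}\d{14}"'),
]
# meta L_WOLAND_SPAM is the AND of these three unscored "__" sub-rules.
WOLAND_PARTS = ("__L_SUBJ_WOLAND", "__L_MUA_MPOP", "__L_MIME_BOUND_ALT")
SCORES = {"SUBJECT_RE_XXX": 2.0, "L_WOLAND_SPAM": 5.0}

def evaluate(raw_message):
    """Return (set of rule names hit, total score) for one raw message."""
    msg = message_from_string(raw_message)
    hits = {name for name, header, pattern in HEADER_RULES
            if re.search(pattern, msg.get(header, ""))}
    if all(part in hits for part in WOLAND_PARTS):
        hits.add("L_WOLAND_SPAM")
    return hits, sum(SCORES.get(name, 0.0) for name in hits)

def make_message(subject, mailer, boundary):
    """Build a minimal raw message (hypothetical helper for the samples)."""
    return (f"Subject: {subject}\nX-Mailer: {mailer}\n"
            f'Content-Type: multipart/alternative; boundary="{boundary}"\n'
            "\nbody\n")

# Constructed sample headers, not captured mail.
MPOP, ALT = "mPOP Web-Mail 2.19", "--ALT--ABCD20040120144359"
OTHER = "----=_NextPart_000_0001"
SAMPLES = {
    "typical": make_message("Re: SYACZAS, you can believe", MPOP, ALT),
    "punctuated": make_message("Re: SYACZAS, you can believe!", MPOP, ALT),
    "other_boundary": make_message("Re: SYACZAS, you can believe", MPOP, OTHER),
    "real_mail": make_message("Re: lunch on Friday", MPOP, OTHER),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        hits, score = evaluate(raw)
        print(f"{label:15} score={score:4.1f} hits={sorted(hits)}")
```

The `punctuated` sample slips past `SUBJECT_RE_XXX` but is caught by the meta rule, while `other_boundary` matches the subject and mailer yet misses `L_WOLAND_SPAM` because all three sub-rules must hit.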

annoying spam

rjbs on 2004-01-21T12:24:43

also catches annoying: /^Test, yep$/

Those damned recent "Hi" spams.