I strongly suggest not doing this exact test. Scott's is more refined, however it's still not refined enough to not have false positives.

This spammer is better caught by his boundary, for example:

Content-type: multipart/alternative; boundary="_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"

You need to target the "_NextPart_" along with a long string of letters and numbers (and without underscores in between). For instance, you would search the headers for the following:

    boundary="_NextPart_[A-Za-z0-9]{20,}_"

The bad news is that this particular spammer has changed their pattern twice in the last two months after being fixed for over a year, so this detection will likely be short-lived as the spammer is figuring out how to randomize. This spammer accounts for about 7% of all E-mail that makes it to my deep scanning layer. Sniffer seems to miss a good deal of their spam, so there isn't much protection from it otherwise.

Matt
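As an added example (not code from any of the posts above), the two patterns from this thread applied to constructed header and body samples; an Outlook-style boundary is included to show that the "no underscores in between" condition keeps ordinary multipart mail from matching. The sample values and function names are my own; the boundary character class is written as [A-Za-z0-9] because the boundary quoted above contains capitals.

```python
import re

# Boundary pattern from Matt's post, as a proper character class.
BOUNDARY_RE = re.compile(r'boundary="_NextPart_[A-Za-z0-9]{20,}_"')

# Href pattern from the earlier reply: .com/.info/.net followed by
# 37-38 hex characters and then the closing quote and bracket.
HREF_RE = re.compile(r'(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)')


def boundary_hit(headers: str) -> bool:
    """True when the MIME boundary looks like this spammer's."""
    return BOUNDARY_RE.search(headers) is not None


def href_hit(body: str) -> bool:
    """True when a link ends in a long hex blob with no file extension."""
    return HREF_RE.search(body) is not None


def classify(headers: str, body: str) -> list:
    """Return the names of the tests that fired, for scoring or logging."""
    hits = []
    if boundary_hit(headers):
        hits.append("boundary")
    if href_hit(body):
        hits.append("href")
    return hits


# Constructed samples (the spam values are the ones quoted in the thread).
SPAM_HEADERS = ('Content-type: multipart/alternative; '
                'boundary="_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"')
SPAM_BODY = ('<a href="http://gcc128.blinksroads.com/'
             '5768cbbeb6bba86c3157116a6de8e54b31dab5">')

# Outlook-style boundary: "_NextPart_" is present but broken up by
# underscores, so the {20,} run of letters/digits never forms.
OUTLOOK_HEADERS = ('Content-Type: multipart/alternative; '
                   'boundary="----=_NextPart_000_0005_01CB1234.5678ABCD"')
LEGIT_BODY = '<a href="http://www.example.com/downloads/report.htm">'

if __name__ == "__main__":
    print("spam:", classify(SPAM_HEADERS, SPAM_BODY))
    print("legit:", classify(OUTLOOK_HEADERS, LEGIT_BODY))
```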



On 7/20/2010 11:42 AM, Dave Beckstrom wrote:
Thanks.   David's regex worked well.  I'll give the fine tuning a try.

Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.



I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here

(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?


I'm getting hit by one spammer who manages to get through most of my
filters.  His spam consistently uses the format of:

<a href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5"
<img src="http://gcc128.blinksroads.com/images/157286c08.jpg"....

How would I write a regex that would look for .com/ followed by a string of
garbage with no .htm or other web extension on the end?








---
[This E-mail scanned for viruses by Declude]



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.