Has anyone found a good way to block these using SpamAssassin? We tried to make some rules, but it's hard to make any with that gibberish and short subject and body.

The rule we made initially looked at the length of the body. It was good at catching these, but unfortunately it also got some false positives due to how SpamAssassin splits longer mails into smaller segments:

    All body paragraphs (double-newline-separated blocks text) are turned into a line breaks removed, whitespace normalized single line. Any lines longer than 2kB are split into shorter separate lines (from a boundary when possible), this may unexpectedly prevent pattern from matching. Patterns are matched independently against each of these lines.

That causes some long mails to get tagged as short mails with less than 20 characters, because one of the lines in the long email had less than 20 characters.

Additionally, some subjects deviate from the "3 2 1 5"-character pattern, like "Habvd l qh".

--
Martin Flygenring (maf)
Systems Engineer, One.com


On 04/06/2021 10.20, Bjoern Franke via mailop wrote:
Hi,

since several weeks we are getting several mails a day from hotmail.com
users with subjects like "fob xt k xerhc", an attached malware PDF like
[1] and addressed to ~200 recipients.

Maybe we should consider blocking all outbound servers of Microsoft
because some part of their network is sending malware. Oh, wait...


Regards
Bjoern



[1]https://www.virustotal.com/gui/file/0266273639c665b5420a08f372ec94c277d34a2a09aa3c9fd171b6473fb9d552/detection
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
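
The false positive described in the reply above, as an added example that is not part of the original thread and is not SpamAssassin code: a Python approximation of the quoted body-rendering behaviour, run against constructed sample bodies. The function names, the `^.{1,19}$` pattern and both sample messages are assumptions made for illustration.

```python
import re

MAX_LINE = 2048  # the "2kB" limit from the quoted documentation

def render_body_lines(body):
    """Approximate the quoted behaviour: each double-newline-separated
    paragraph becomes one whitespace-normalized line, and lines over 2kB
    are split at a whitespace boundary when one exists."""
    lines = []
    for para in re.split(r"\n\s*\n", body):
        line = " ".join(para.split())
        while len(line) > MAX_LINE:
            cut = line.rfind(" ", 0, MAX_LINE)
            if cut <= 0:          # no boundary available: hard split
                cut = MAX_LINE
            lines.append(line[:cut])
            line = line[cut:].lstrip()
        if line:
            lines.append(line)
    return lines

# Hypothetical "body shorter than 20 characters" pattern.
SHORT_LINE = re.compile(r"^.{1,19}$")

def per_line_short_rule(body):
    """Pattern matched independently against each rendered line, as the
    documentation describes. Fires when ANY line is short."""
    return any(SHORT_LINE.match(l) for l in render_body_lines(body))

def whole_body_short_rule(body, limit=20):
    """The property the rule was meant to test: total rendered text is short."""
    return sum(len(l) for l in render_body_lines(body)) < limit

# Constructed samples: a gibberish one-liner and an ordinary long mail.
SPAM_BODY = "qhd vkx l\n"
LONG_HAM = ("Hi Anna,\n\n"
            + "Please find the quarterly report attached. " * 30
            + "\n\nRegards,\nTom\n")

if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("long ham", LONG_HAM)):
        print(name, render_body_lines(body)[0][:30],
              per_line_short_rule(body), whole_body_short_rule(body))
```

The long mail trips the per-line pattern on its greeting and sign-off paragraphs, while the total-length check separates the two samples.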
