[SLUG] Recipe set to match stock/pharma-gif-spam:

Adam Bogacki Mon, 06 Nov 2006 00:35:30 -0800

Fyi,

Adam Bogacki.


----------------------------------------------------------------------

Message: 1
Date: Sun, 05 Nov 2006 03:52:20 +0100
From: "Ruud H.G. van Tol" <[EMAIL PROTECTED]>
Subject: stock/pharma-gif-spam
To: "[procmail]" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=iso-8859-15

Recipe set to match stock/pharma-gif-spam:

  s = '[        ]'  # a space and a tab

  h  = '[0-9A-Fa-f]'
  h2 = "$h$h"    h3  = "$h2$h"
  h4 = "$h2$h2"  h6  = "$h4$h2"
  h8 = "$h4$h4"  h12 = "$h8$h4"

  :0
  *  ^^(From |Return-Path: <)[^ @[EMAIL PROTECTED]/[^ >]+
  { DOMAIN = $MATCH }

  :0
  * 1^1 ^Received:
  { } N_RCVD = $=

  :0
  *$ ^Content-Type: multipart/related;.*\
                    boundary=(\")?\/[^\"]+
  { H_CTB = $MATCH }

  :0
  *  ^Message-ID:.*\/[^ <@[EMAIL PROTECTED]>]+
  { H_MID = $MATCH
    :0
    *  H_MID ?? ^^\/[EMAIL PROTECTED]
    {  MID1 = $MATCH }
    :0
    *  H_MID ?? @\/.+
    {  MID2 = $MATCH }
  }

  :0
  *  N_RCVD ?? ^^(1|2)^^
  *$ H_CTB  ?? ^^----=_NextPart_000_${h4}_$h8\.$h8^^
  *  MID2   ?? ^^[^.]+^^
  *  ^MIME-Version: 1\.0\
     ^Content-Type:.*\
     ^X-Priority: 3\
     ^X-MSMail-Priority: Normal\
     ^X-Mailer: Microsoft Outlook Express 6(\.[0-9]+)+\
     ^X-MimeOLE: Produced By Microsoft MimeOLE V6(\.[0-9]+)+$
  *$ B ?? ^--$\H_CTB\
          ^Content-Type: image/gif;\
          ^$s+name=\"[^\"]*\.gif\"\
         (^Content-Transfer-Encoding: base64)?\
          ^Content-ID: <[EMAIL PROTECTED]>$
  .in.suspect.stock-gif/

  :0
  *  N_RCVD ?? ^^(2|3)^^
  *$ H_CTB  ?? ^^$h+^^
  *$ MID2   ?? $\DOMAIN^^
  *$ ^From: [^\"<]+ <[EMAIL PROTECTED]@$\DOMAIN>$
  *$ B ?? ^--$\H_CTB\
          ^Content-Type: image/gif;\
          ^$s+name=\"[^\"]+\.gif\"\
         (^Content-Transfer-Encoding: base64)?\
          ^Content-ID: <[EMAIL PROTECTED]>$
  .in.suspect.pharma-gif/

Based on about 20 recent samples. These recipes can catch ham with an
attached gif too, so please report back here how you refined the
conditions to solve that.

-- 
Groet, Ruud




------------------------------

_______________________________________________
procmail mailing list
[EMAIL PROTECTED]
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail


End of procmail Digest, Vol 46, Issue 6
***************************************



----- End forwarded message -----

-- 
Adam Bogacki,

--------------------------------------------------------------------- 
email:  adam(at)bogacki.net    afb(at)paradise.net.nz
VoIP:   sip:agike(at)ekiga.net [Zfone]       
Key: 0x4E553910 -  DABB 4963 8973 7CCD 33C0  DC27 D7C5 F516 4E55 3910
---------------------------------------------------------------------

signature.asc
Description: Digital signature

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

[SLUG] Recipe set to match stock/pharma-gif-spam:

Reply via email to