Hello,
> > Hi, I've attached a very tricky SPAM mail that has been
> > scored with 0.8
> > points, what can be done with this kind of SPAM?
> > Thanks
> > German
> > 
> It is easy to write a rule for some of the better-known ones like
> /(f|ph)(o|0)t(o|0)/i
> but with all the ways of doing OBFU it would be kind of big. 
> 
> Your spam was a nice example.

Here is a nice example of replacing or cutting words:
---snip---
>From [EMAIL PROTECTED] Thu Jul 10 22:31:25 2003
X-UIDL: dTK"[EMAIL PROTECTED]"!f56!!
Return-Path: <[EMAIL PROTECTED]>
Received: from mail.fl-base.de (localhost [127.0.0.1])
        by youtwo.home.fl-base.de (8.12.3/8.12.3/SuSE Linux 0.6) with ESMTP
    id h6AK50iV002555
        for <[EMAIL PROTECTED]>; Thu, 10 Jul 2003 22:05:00 +0200
Received: from ascheberg.de ([EMAIL PROTECTED])
        by nitrogen.webpack.hosteurope.de (8.11.6/8.11.6) with ESMTP id
    h6AK3NP31400
        for <[EMAIL PROTECTED]>; Thu, 10 Jul 2003 22:03:45 +0200
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Date: Thu, 10 Jul 2003 20:05:35 +0000
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?VG9vIG1hbnkgdG8gYw==?=ount!
MIME-Version: 1.0
From: "Eugenio Samuels" <[EMAIL PROTECTED]>
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: by amavis-milter (http://amavis.org/)
X-Spam-Status: No, hits=3.8 required=5.0
        tests=HTML_60_70,HTML_IMAGE_ONLY_02,HTML_MESSAGE,MIME_HTML_ONLY,
              MSGID_GOOD_EXCHANGE,RCVD_IN_NJABL,RCVD_IN_OSIRUSOFT_COM,
              RCVD_IN_UNCONFIRMED_DSBL
        version=2.54
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 2.54 (1.174.2.17-2003-05-11-exp)

<HTML> 
 
<body> 
 
                        <p align="center"><KPFD><font face="verdana"><YLPP>
Make your balls and penís l<KF>a<XGPM>rger and get more satisfaction.<br>
<a href="http://www.32547.biz/mka/m2c.php?man=st4vp";>Find out more 
<XNH>h<CW>e<C>re<br><img src="http://www.32547.biz/p.gif";
border=0></a><br><br>
<a href=http://www.98207.biz/bek/>Remove me</a></font></p> 
        
 
</body>         </html>
---snap---
They are just putting some useless tags into the words. I think it will be
hard to detect.

Greets
Thomas
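
An added example, not part of the original post and not SpamAssassin code: one way to catch the filler-tag trick shown above is to treat every tag outside a list of real HTML elements as rendering to nothing, count how often such tags sit between two letters or digits, and run word rules such as the one quoted in the thread on the de-tagged text. The allow-list, the function name `analyse` and the sample are assumptions made for this sketch.

```python
import re

# Real HTML element names (a deliberately short allow-list, assumed for this
# example); any other tag name is treated as a filler tag.
KNOWN_TAGS = {
    "a", "b", "body", "br", "center", "div", "em", "font", "h1", "h2", "h3",
    "head", "hr", "html", "i", "img", "li", "ol", "p", "span", "strong",
    "table", "td", "th", "title", "tr", "u", "ul",
}
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")
# One or more filler tags with a letter or digit directly on both sides.
SPLIT_RE = re.compile(r"(?<=[^\W_])\x00+(?=[^\W_])")
# Word rule quoted earlier in the thread.
OBFU_RE = re.compile(r"(f|ph)(o|0)t(o|0)", re.I)


def analyse(html):
    """Return (rendered_text, filler_tag_names, split_points)."""
    fillers = []

    def mark(m):
        if m.group(1).lower() in KNOWN_TAGS:
            return " "        # real markup: treat as a word boundary
        fillers.append(m.group(1))
        return "\x00"         # unknown tag: a browser renders nothing for it

    marked = TAG_RE.sub(mark, html)
    splits = len(SPLIT_RE.findall(marked))
    text = " ".join(marked.replace("\x00", "").split())
    return text, fillers, splits


# Constructed sample: fragments modelled on the message above, plus one
# made-up line that exercises the quoted word rule.
SAMPLE = (
    '<p align="center"><KPFD><font face="verdana"><YLPP>\n'
    "get l<KF>a<XGPM>rger results.<br>\n"
    "Find out more <XNH>h<CW>e<C>re<br>\n"
    "ph<QZ>0t<JX>o</font></p>"
)

if __name__ == "__main__":
    text, fillers, splits = analyse(SAMPLE)
    print(text)                       # words rejoined as a reader sees them
    print(len(fillers), "filler tags,", splits, "inside words")
    print("rule on raw HTML:", bool(OBFU_RE.search(SAMPLE)))
    print("rule on rendered text:", bool(OBFU_RE.search(text)))
```

Legitimate HTML mail rarely contains unknown tags between the letters of a word, so the split count is a stronger signal than the number of unknown tags alone.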




_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
