Thank you Benny,
I will use this command next time.
Sergio
By the way your links are very accurate, that are the spammers that sent
the email, with my new rule they are
On Tue, Nov 22, 2011 at 3:42 AM, Benny Pedersen wrote:
> On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:
>
>>
On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:
=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
Not "eval", but encoded -- in this case even necessary, rather than
an
attempt at obfuscation, because it contains non ASCII letters.
yep its base64 enco
Spammers are using a lot of different ways of using the word "publicidad",
I had a few different rules to block them, but since now I saw that there
was a character "¡" used an "i" and at the same time an "i " followed by an
space.
So, I used the .?. and it catches the "i" and the space and just i
On Mon, 2011-11-21 at 17:49 -0600, Sergio wrote:
> Thank you Karsten for your input.
>
> I have modified the rule to the following and is working great:
>
> header ADVERTISE_RULE8Subject =~ /publ.?.c.?.dad/i
I see you wildcarded both instances of 'i', with an additional, optional
second ch
Thank you Karsten for your input.
I have modified the rule to the following and is working great:
header ADVERTISE_RULE8Subject =~ /publ.?.c.?.dad/i
describe ADVERTISE_RULE8Encripted word
scoreADVERTISE_RULE811
If I see there are a lot of false positives I will modify it a bit,
On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
> I block a lot of spam searching for strings on the subject, but
> sometimes the subject in the header comes in EVAL, like this:
> Subject:
> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
Not "eval", but encoded -- in th
That's an excellent question. My systems receive this as well
-Original Message-
From: Sergio
Date: Mon, 21 Nov 2011 14:46:35
To:
Subject: In subject how to detect a word in an EVAL string?
I block a lot of spam searching for strings on the subject, but sometimes
the subje