Re: "Pill" spams

2012-04-20 Thread John Hardin
On Fri, 20 Apr 2012, Ned Slider wrote:
> John - please could you explain the closing /sm as I'm unfamiliar with its usage?
Multiline matching.
-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key:

Re: "Pill" spams

2012-04-20 Thread John Hardin
On Fri, 20 Apr 2012, Ned Slider wrote:
> On 16/04/12 04:56, John Hardin wrote:
>> header SUBJ_ODD_CASE ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm
>> describe SUBJ_ODD_CASE Oddly mixed-case Subject: header
> I have quite a few examples of these in my archives, and I confirm your ru

Re: "Pill" spams

2012-04-20 Thread Ned Slider
On 20/04/12 23:24, Ned Slider wrote:
On 20/04/12 20:17, Ned Slider wrote:
On 16/04/12 04:56, John Hardin wrote:
On Tue, 10 Apr 2012, John Hardin wrote:
On Tue, 10 Apr 2012, Thomas Johnson wrote:
On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey wrote:
> That sounds like it might be good rule-f

Re: "Pill" spams

2012-04-20 Thread Ned Slider
On 20/04/12 20:17, Ned Slider wrote:
On 16/04/12 04:56, John Hardin wrote:
On Tue, 10 Apr 2012, John Hardin wrote:
On Tue, 10 Apr 2012, Thomas Johnson wrote:
On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey wrote:
> That sounds like it might be good rule-fodder. "subject", "Subject",
> and "SU

Re: "Pill" spams

2012-04-20 Thread Ned Slider
xample, I'd expect to see:
    Subject: Re: Some text
and not:
    Subject:Re:Some text
I have ~100 further examples of these that do not have mixed case Subject (pastebin below), mostly pill spams that look like they are sent by the same broken bot mailer, just with "Subject" in more conventional case.
http://pastebin.com/Zu0uvViQ
Regards.

Re: "Pill" spams

2012-04-15 Thread John Hardin
On Tue, 10 Apr 2012, John Hardin wrote:
On Tue, 10 Apr 2012, Thomas Johnson wrote:
On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey wrote:
> That sounds like it might be good rule-fodder.  "subject", "Subject",
> and "SUBJECT" are possibly valid, but the other funky capitalizations
> might

Re: "Pill" spams

2012-04-10 Thread Rob McEwen
On 4/10/2012 6:29 PM, RW wrote:
> On Tue, 10 Apr 2012 17:58:51 -0400
> Rob McEwen wrote:
>> Meanwhile, the snowshoe spammer's DNS server happens to be messed up,
>> overloaded, and returns answers within about 4 seconds.
> But unless I'm misunderstanding, the NS lookups would be done on the
> TLDs

Re: "Pill" spams

2012-04-10 Thread RW
On Tue, 10 Apr 2012 17:58:51 -0400 Rob McEwen wrote:
> Meanwhile, the snowshoe spammer's DNS server happens to be messed up,
> overloaded, and returns answers within about 4 seconds.
But unless I'm misunderstanding, the NS lookups would be done on the TLDs nameservers, rather than the spammer's

Re: "Pill" spams

2012-04-10 Thread Rob McEwen
On 4/10/2012 3:16 PM, Axb wrote:
> On 04/10/2012 08:07 PM, Rob McEwen wrote:
>
>> (b) If anyone programs this idea into SA, or anywhere else, then
>> this should be a separate step AFTER regular URI checking, giving
>> the message a chance to "short circuit" out of processing if it

Re: "Pill" spams

2012-04-10 Thread Axb
On 04/10/2012 08:07 PM, Rob McEwen wrote:
> (b) If anyone programs this idea into SA, or anywhere else, then this should be a separate step AFTER regular URI checking, giving the message a chance to "short circuit" out of processing if it already scored high enough after URI

Re: "Pill" spams

2012-04-10 Thread John Hardin
On Tue, 10 Apr 2012, Thomas Johnson wrote: On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey wrote: That sounds like it might be good rule-fodder.  "subject", "Subject", and "SUBJECT" are possibly valid, but the other funky capitalizations might be worth a few points. And how would one write a r

Re: "Pill" spams

2012-04-10 Thread Rob McEwen
On 4/10/2012 11:42 AM, Thomas Johnson wrote:
> Any other ideas on these pill spams? What are they scoring for anyone else?
Hi. I've been following this thread. Here are some (random) thoughts & suggestions: (1) In some of those examples Thomas provided, at least one of the assigned

Re: "Pill" spams

2012-04-10 Thread Thomas Johnson
On Mon, Apr 9, 2012 at 3:33 PM, Alex wrote:
> +1 for these. I've seen a ton of these, and the only protection I have
> is a local URIBL I've built for the many new domains that haven't yet
> been added to the public URIBLs.
>
> Yours don't have any spamassassin/amavisd headers. How are you process

Re: "Pill" spams

2012-04-10 Thread Thomas Johnson
rule for that? It's not a header rule that matches the content of the Subject header line, but the initial "SubjeCT" itself. And how to do the proper regex match? Any other ideas on these pill spams? What are they scoring for anyone else?

Re: "Pill" spams

2012-04-10 Thread Bowie Bailey
On 4/9/2012 5:39 PM, Thomas Johnson wrote:
> Getting a bunch of these, and I'm getting very low scores, using the
> latest spamassassin rules, and the most common third-party rulesets.
>
> Also using spamhaus, investment and other DNSBLs, but my users seem to
> be getting these before the urls are

Re: "Pill" spams

2012-04-09 Thread Alex
Hi,
> Getting a bunch of these, and I'm getting very low scores, using the
> latest spamassassin rules, and the most common third-party rulesets.
>
> Also using spamhaus, investment and other DNSBLs, but my users seem to
> be getting these before the urls are making their way into those
> DNSBLs.

"Pill" spams

2012-04-09 Thread Thomas Johnson
Getting a bunch of these, and I'm getting very low scores, using the latest spamassassin rules, and the most common third-party rulesets. Also using spamhaus, investment and other DNSBLs, but my users seem to be getting these before the urls are making their way into those DNSBLs. The subject is