On Sat, May 21, 2005 at 02:14:04PM +1000, James Gray wrote:
> On Sat, 21 May 2005 09:48 am, Voytek wrote:
> > <quote who="James Gray">
> >
> > > http://www.techweb.com/wire/security/163106139
> > >
> > > Hold onto your mail servers folks - looks like Monday could be ground-hog
> > >
> > > I can catch some samples in the wild to modify the spamassassin filters.
> > > Will let people know if I (or other admins I know) manage to achieve
> > > this.
> >
> > isn't it simpler to DISCARD with a header check?
> > that's what I've done with the current crop
> 
> Indeed, you are correct - discarding at the MTA level is by far the better 
> option.  However, the method for doing this varies between 
> Postfix/Sendmail/Exim/Qmail/etc.  SpamAssassin is pretty universal to all of 
> these and if there's a Perl regex available, most admins will be able to mash 
> that into a header check for their particular MTA (which is what I've done 
> for my machines).

Here's a spamassassin check that was posted on one of the rulesemporium
forums that is working well for me here, in case it's of use to anyone:

# German sober.q test
header SOBER_Q_SUBJECT Subject =~ /4,8 Mill\. Osteuropaeer durch Fischer-Volmer Erlass|Auf Streife durch den Berliner Wedding|Auslaender bevorzugt|Deutsche Buerger trauen sich nicht \.\.\.|Auslaenderpolitik|Blutige Selbstjustiz|Deutsche werden kuenftig beim Arzt ?abgezockt|Paranoider Deutschenmoerder kommt in Psychiatrie|Du wirst zum Sklaven gemacht!!!|Dresden 1945|Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer|Gegen das Vergessen|Tuerkei in die EU|Hier sind wir Lehrer die einzigen Auslaender|Multi-Kulturell = Multi-Kriminell|Verbrechen der deutschen Frau|S\.O\.S\. Kiez! Polizei schlaegt Alarm|Transparenz ist das Mindeste|Trotz Stellenabbau|Vorbildliche Aktion|Augen auf|Du wirst ausspioniert \.\.\.\.!|Volk wird nur zum zahlen gebraucht!|60 Jahre Befreiung: Wer feiert mit\?|Graeberschaendung auf bundesdeutsche Anordnung|Schily ueber Deutschland|The Whore Lived Like a German|Turkish Tabloid Enrages Germany with Nazi Comparisons|Dresden Bombing Is To Be Regretted Enormously|Armenian Genocide Plagues Ankara 90 Years On/i
describe SOBER_Q_SUBJECT        Contains a known Sober.Q subject
score SOBER_Q_SUBJECT 10.0

I believe it was derived from the Symantec analysis of the virus. 
Sorry - don't have the URL handy right now.

Cheers,
Gavin

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
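
Added example (not part of the original thread or of any poster's code): one way to turn a single-line SpamAssassin "header ... =~ /regex/flags" rule like the one above into a Postfix header_checks DISCARD line, as discussed in the thread. The function names and the shortened sample rule are assumptions made for illustration; Python's re stands in for the MTA's regex engine when checking the result.

```python
import re

# Matches a single-line SpamAssassin rule: header NAME Header =~ /regex/flags
SA_HEADER_RULE = re.compile(
    r"^header\s+(?P<name>\S+)\s+(?P<hdr>[\w-]+)\s+=~\s+/(?P<re>.*)/(?P<flags>[a-z]*)$"
)

# Constructed sample: the thread's rule cut down to three of its subjects.
SAMPLE_RULE = ("header SOBER_Q_SUBJECT Subject =~ "
               "/Dresden 1945|Auslaenderpolitik|Tuerkei in die EU/i")


def sa_rule_to_header_check(rule, action="DISCARD"):
    """Return a Postfix regexp/pcre header_checks line for a SpamAssassin rule."""
    m = SA_HEADER_RULE.match(rule.strip())
    if m is None:
        raise ValueError("expected a single-line 'header NAME Hdr =~ /re/flags' rule")
    if set(m["flags"]) - {"i"}:
        raise ValueError("only the 'i' flag is handled: " + m["flags"])
    # Postfix regexp/pcre tables match case-insensitively by default and their
    # "i" flag toggles that off, so the flag is inverted relative to Perl.
    pf_flag = "" if "i" in m["flags"] else "i"
    # header_checks sees the whole "Name: value" line, so anchor on the header
    # name and group the alternation so "|" cannot escape the prefix.
    return f"/^{m['hdr']}:.*(?:{m['re']})/{pf_flag} {action} {m['name']}"


def header_check_matches(check_line, header_line):
    """Approximate the MTA's match with Python's re (adequate for simple patterns)."""
    m = re.match(r"^/(.*)/(i?) \S+", check_line)
    if m is None:
        raise ValueError("not a '/pattern/flags ACTION' line")
    flags = 0 if m.group(2) else re.IGNORECASE
    return re.search(m.group(1), header_line, flags) is not None


if __name__ == "__main__":
    check = sa_rule_to_header_check(SAMPLE_RULE)
    print(check)
    # Constructed header lines. The last one is MIME-encoded: SpamAssassin
    # decodes it before matching (unless :raw is used), a header check does not.
    for line in ("Subject: Dresden 1945",
                 "Subject: Re: dresden 1945",
                 "Subject: Lunch on Monday",
                 "Subject: =?iso-8859-1?Q?Dresden_1945?="):
        print(header_check_matches(check, line), line)
```

Run the generated line through "postmap -q" against your own table type before relying on it, since Python's re only approximates the MTA's regex engine.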