Here's my current version -- note that the "evil" ones have a space after each
word, even the last one:

header RANDMAILER X-Mailer =~ /^([a-z]{4,15} ){1,5}$/
describe RANDMAILER random words in X-Mailer field
score RANDMAILER 2.0

Works well for me...

Pierre Thomson
BIC
-----Original Message-----
From: Bob Apthorpe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: Re: Another spammer sign to catch
Hi,
On Tue, 17 Feb 2004 09:07:34 -0500 "Pierre Thomson" <[EMAIL PROTECTED]> wrote:
> There is at least one evil mailer that uses random lowercase words in
> the X-mailer field. I have a rule to match these; it's part of an
> upcoming "randoms" ruleset...
>
> A few from my recent quarantine:
>
> >X-Mailer: efodvcvak nriadibn
> >X-Mailer: baboon divulge erato
> >X-Mailer: contributor penates bobbie
I've found low FPs looking for "/^X-Mailer: [a-z ]*/"

Ham (4):
  2 X-Mailer: nmh
  1 X-Mailer: sendhtml
  1 X-Mailer: nc

Spam (23):
  7 X-Mailer: mailer
  4 X-Mailer:
  2 X-Mailer: artemis
  1 X-Mailer: wwnjknm pwdaymrl
  1 X-Mailer: wsixm camelback
  1 X-Mailer: upgrade cider
  1 X-Mailer: qrplz trance
  1 X-Mailer: postscript salsify
  1 X-Mailer: folklore collegiate obeisant
  1 X-Mailer: bodovsky
  1 X-Mailer: boccio
  1 X-Mailer: billionaire
  1 X-Mailer: arkadiy

Would the following work?:

header T_LCASED_XMAILER X-Mailer =~ /^[a-z ]*$/
describe T_LCASED_XMAILER X-Mailer contains only lowercase words
score T_LCASED_XMAILER 0.5

-- Bob
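
Added example, not part of either poster's message: the two rules from this thread run side by side over the X-Mailer values quoted above, to show which values each pattern hits. It assumes the multi-word spam values carry the trailing space described in the first message and the single-word ones do not; the mixed-case ham value is constructed, and the helper names are hypothetical.

```python
import re

# The two header rules from the thread; both patterns are valid Python
# regexes as written. Scores are the ones each poster assigned.
RULES = {
    "RANDMAILER": (re.compile(r"^([a-z]{4,15} ){1,5}$"), 2.0),
    "T_LCASED_XMAILER": (re.compile(r"^[a-z ]*$"), 0.5),
}

# Ham X-Mailer values listed in the thread, plus one constructed
# mixed-case value to show a header that neither rule touches.
HAM = ["nmh", "sendhtml", "nc", "Example Mailer 1.0"]

# Spam values listed in the thread (one entry per distinct value).
# ASSUMPTION: multi-word values end with a space, as the first message
# describes; single-word and empty values are taken without one.
SPAM = [
    "mailer", "", "artemis", "bodovsky", "boccio", "billionaire", "arkadiy",
    "wwnjknm pwdaymrl ", "wsixm camelback ", "upgrade cider ",
    "qrplz trance ", "postscript salsify ", "folklore collegiate obeisant ",
]


def hits(rule, values):
    """Return the values that the named rule's pattern matches."""
    pattern, _score = RULES[rule]
    return [v for v in values if pattern.search(v)]


def summary():
    """Per rule: (ham hit count, spam hit count) over the sample values."""
    return {name: (len(hits(name, HAM)), len(hits(name, SPAM)))
            for name in RULES}


if __name__ == "__main__":
    for name, (ham_n, spam_n) in summary().items():
        score = RULES[name][1]
        print(f"{name:17} score {score}  "
              f"ham {ham_n}/{len(HAM)}  spam {spam_n}/{len(SPAM)}")
    # Ham values the broader rule fires on (false positives in this sample).
    print("T_LCASED_XMAILER ham hits:", hits("T_LCASED_XMAILER", HAM))
```

On these values the broad rule catches every listed spam header but also the three lowercase ham mailers, while the narrower rule fires only on the trailing-space multi-word values and on no ham.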