Thanks Justin. Do they all follow the same patterns ? Regards,
--[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED] ----- Original Message ----- From: "Justin Mason" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Cc: users@spamassassin.apache.org Sent: Thursday, October 18, 2007 8:24:35 PM (GMT) Europe/London Subject: Re: MP3 Spam UxBoD writes: > Does anybody have one of these, or different one, that you could upload > somewhere so can do some analysis ? sure: http://taint.org/x/2007/mp3spam.txt anyway, these rules catch them as far as I can tell: ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s meta JM_STORM_MP3 ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2)) --j. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.