On 2007-10-18 20:24:35, Justin Mason wrote:
>
> UxBoD writes:
> > Does anybody have one of these, or different one, that you could upload
> > somewhere so can do some analysis?
>
> sure: http://taint.org/x/2007/mp3spam.txt
> anyway, these rules catch them as far as I can tell:
>
> ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
> mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s
> mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s
> mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s
> mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s
>
> meta JM_STORM_MP3 ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2))

I have tried this in a sandbox on an archive (87 messages) of such spam
and I did not get a single hit. Maybe because it is

----( 1 )-------------------------------------------------------
<header>
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: inline
Content-Transfer-Encoding: base64
<NL>
...here the mp3...
----------------------------------------------------------------

or

----( 2 )-------------------------------------------------------
<header>
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: inline
Content-Transfer-Encoding: base64
<NL>
...here the mp3...
----------------------------------------------------------------

or

----( 3 )-------------------------------------------------------
<header>
Content-Type: multipart/mixed; boundary="J/dobhs11T7y2rNN"
<NL>
--J/dobhs11T7y2rNN
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: attachment
Content-Transfer-Encoding: base64

...here the mp3...
--J/dobhs11T7y2rNN--
----------------------------------------------------------------

Thanks, greetings and a nice day
    Michelle Konzack
    System administrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
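
Added example (not part of the original thread and not SpamAssassin code): a Python re-implementation of the four quoted sub-rules and the JM_STORM_MP3 meta rule, run over constructed MIME parts in the shape the rules expect and in the shape of the archive samples above. It assumes the :raw value is the header text after the colon with line folding preserved; raw_headers, evaluate and the sample parts are hypothetical names.

```python
import re

# The four quoted sub-rules as Python regexes (header name, pattern).
# Perl's /s only changes '.', which these patterns never use unescaped.
RULES = {
    "__CTYPE_STORM_MP3_1": ("content-type", r'^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$'),
    "__CDISP_STORM_MP3_1": ("content-disposition", r'^inline;\n filename=\"[a-z]+\.mp3\"$'),
    "__CTYPE_STORM_MP3_2": ("content-type", r'^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$'),
    "__CDISP_STORM_MP3_2": ("content-disposition", r'^attachment;\n\tfilename=\"[a-z]+\.mp3\"$'),
}

def raw_headers(part):
    """Map lowercased header names to raw values, keeping folded lines as-is."""
    headers, name = {}, None
    for line in part.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and name:
            headers[name] += "\n" + line   # continuation line, whitespace kept
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[name] = value.lstrip(" ")
    return headers

def evaluate(part):
    """Return (JM_STORM_MP3 result, {sub-rule name: hit}) for one MIME part."""
    h = raw_headers(part)
    hits = {r: bool(re.search(p, h.get(hdr, ""))) for r, (hdr, p) in RULES.items()}
    meta = (hits["__CTYPE_STORM_MP3_1"] and hits["__CDISP_STORM_MP3_1"]) or \
           (hits["__CTYPE_STORM_MP3_2"] and hits["__CDISP_STORM_MP3_2"])
    return meta, hits

# Constructed sample parts (assumptions, not real mail).
RULE_SHAPED = ('Content-Type: audio/mpeg;\n name="abc.mp3"\n'
               'Content-Disposition: inline;\n filename="abc.mp3"\n\nAAAA')
ARCHIVE_SHAPED = ('Content-Type: audio/mpeg; filename="I love mpegs.mp3"\n'
                  'Content-Disposition: inline\n'
                  'Content-Transfer-Encoding: base64\n\nAAAA')
ARCHIVE_FOLDED = ('Content-Type: audio/mpeg;\n filename="I love mpegs.mp3"\n'
                  'Content-Disposition: inline\n\nAAAA')

if __name__ == "__main__":
    for label, part in [("rule-shaped", RULE_SHAPED),
                        ("archive-shaped", ARCHIVE_SHAPED),
                        ("archive-shaped, folded", ARCHIVE_FOLDED)]:
        meta, hits = evaluate(part)
        print(f"{label}: JM_STORM_MP3={meta} hits={[r for r, v in hits.items() if v]}")
```

The archive-shaped parts fail every sub-rule whether or not the header is folded: Content-Type carries filename= rather than name=, the file name contains a capital letter and spaces outside [a-z]+, and Content-Disposition has no filename parameter.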