Justin Mason wrote:
[snip]
On 01.07.08 10:50, Justin Mason wrote:
no -- this is real spam, not a bounce in any way.
same here. not a bounce in any way.
Are you sure it's not just virus message sent by someone and cured by
intermediate relay?
Yes, seeing lots of this exact wording, in high volume, throughout our
traps.
the few ones I checked only contain the cited text followed by noise
(random text to poison bayes or whatever).
The following catches them, but JM_SOUGHT, RAZOR and Bayes should catch
them already.
body __FAKE_VIR_1 /This letter contains a virus/
body __FAKE_VIR_2 /successfully detected and cured/
header __FAKE_VIR_SUBJ Subject =~ /^\S{1,20}\s+\S{1,20}$/
header __FAKE_VIR_MUA X-Mailer =~ /^The Bat/
header __FAKE_VIR_REPLYTO Reply-To =~ /\S/
score __FAKE_VIR_1 0.01
score __FAKE_VIR_2 0.01
score __FAKE_VIR_SUBJ 0.01
score __FAKE_VIR_MUA 0.01
score __FAKE_VIR_REPLYTO 0.01
meta FAKE_VIR_LETTER (__FAKE_VIR_1 && __FAKE_VIR_2 && __FAKE_VIR_SUBJ
&& __FAKE_VIR_MUA && __FAKE_VIR_REPLYTO)
score FAKE_VIR_LETTER 5.0
describe FAKE_VIR_LETTER Fake detected and cured virus letter
