>From: fchan [mailto:fc...@molsci.org]

>Don't tempt them, I already get enough spam not 
>only from these guys. Also they will flood the 
>network with smtp useless connections and unless 
>you have good network attack mitigation system so 
>you don't have a DDoS, don't tempt them.

Pretty soon they will go on to a new scheme.  This one is getting boring.  
Might as well spur them on to give up all of their tricks.


>>On 2009-07-11 (Sat) at 00:18 +0200, Paweł Tęcza wrote:
>>
>>>  I received very similar spam too. It also includes "www.ma29. net"
>>>  domain. It's probably personal dedication from the spammers to me ;)
>>>  Thank you! I know you're watching that mailing list.
>>
>>Hey spammers! ;)
>>
>>It's after midnight here, but I've updated my rules. So you have to
>>think up something new.

They have.  They are using underscores, which are a [:punct:], but don't form a 
\b break.

New rules:
body    __MED_BEG_SP    /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
body    __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
body    __MED_BEG_DOT   /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
body    __MED_BEG_BOTH  /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body    __MED_END_SP    /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body    __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body    __MED_END_DOT   /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body    __MED_END_BOTH  /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

meta    AE_MED42        (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
describe AE_MED42       rule to catch still more spam obfuscation
score   AE_MED42        4.0
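
Added example (not part of the original message and not SpamAssassin code): a Python harness that re-expresses the eight sub-rules and the AE_MED42 meta above and runs them over sample body strings, alongside a hypothetical \b-anchored pattern to show the underscore behaviour mentioned in the message. Assumptions: the POSIX classes are spelled out as ASCII ranges because Python's re has no [[:punct:]], each sample is treated as one body paragraph, and all sample strings except "www.ma29. net" are constructed.

```python
import re

# POSIX classes written out, since Python's re has no [[:punct:]] syntax.
PUNCT = r"!-/:-@\[-`{-~"   # the 32 ASCII punctuation characters, "_" included
NAME = r"[A-Za-z]{2,6}\d{2,6}"
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b"
W = r"\bw{2,3}"

SUBRULES = {
    "__MED_BEG_SP":    W + r"\s" + NAME,
    "__MED_BEG_PUNCT": W + "[" + PUNCT + "]{1,3}" + NAME,
    "__MED_BEG_DOT":   W + r"\." + NAME,
    "__MED_BEG_BOTH":  W + "[" + PUNCT + r"\s]{2,5}" + NAME + r"\b",
    "__MED_END_SP":    NAME + r"\s" + TLD,
    "__MED_END_PUNCT": NAME + "[" + PUNCT + "]{1,3}" + TLD,
    "__MED_END_DOT":   NAME + r"\." + TLD,
    "__MED_END_BOTH":  NAME + "[" + PUNCT + r"\s]{2,5}" + TLD,
}
COMPILED = {n: re.compile(p, re.I | re.A) for n, p in SUBRULES.items()}

def evaluate(body):
    """Return (AE_MED42 fired?, sorted names of the sub-rules that hit)."""
    hit = {n: rx.search(body) is not None for n, rx in COMPILED.items()}
    beg = any(v for n, v in hit.items() if "_BEG_" in n)
    end = any(v for n, v in hit.items() if "_END_" in n)
    both_dots = hit["__MED_BEG_DOT"] and hit["__MED_END_DOT"]
    return beg and end and not both_dots, sorted(n for n, v in hit.items() if v)

def boundary_pattern_hits(body, token="ma29"):
    """Hypothetical \\b-anchored pattern: "_" is a word character, so no \\b."""
    rx = re.compile(r"\b" + re.escape(token) + r"\b", re.I | re.A)
    return rx.search(body) is not None

SAMPLES = [  # constructed, except "www.ma29. net" which is quoted in the thread
    "www.ma29. net",
    "www_ma29_net",
    "www ma29 . net",
    "www.ma29.net",        # plain dotted form: excluded by the meta's last term
    "order ab12 shipped",  # benign text
]

if __name__ == "__main__":
    for s in SAMPLES:
        fired, names = evaluate(s)
        wb = boundary_pattern_hits(s)
        print(f"{s!r:22} AE_MED42={fired!s:5} word-break={wb!s:5} {names}")
```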

