>From: fchan [mailto:fc...@molsci.org]
>Don't tempt them, I already get enough spam not >only from these guys. Also they will flood the >network with smtp useless connections and unless >you have good network attack mitigation system so >you don't have a DDoS, don't tempt them. Pretty soon they will go on to a new scheme. This one is getting boring. Might as well spur them on to give up all of their tricks. >>Dnia 2009-07-11, sob o godzinie 00:18 +0200, Pawe¸ T«cza pisze: >> >> > I received very similar spam too. It also includes "www.ma29. net" >>> domain. It's probably personal dedication from the spammers to me ;) >>> Thank you! I know you're watching that mailing list. >> >>Hey spammers! ;) >> >>It's after midnight here, but I've updated my rules. So you have to >>think up something new. They have. They are using underscores, which are a [:punct:], but don't form a \b break. New rules: body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i body __MED_END_SP /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i body __MED_END_DOT /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i body __MED_END_BOTH /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT ) describe AE_MED42 rule to catch still more spam obfuscation score AE_MED42 4.0