On Wed, 2010-05-05 at 15:39 -0700, Kelson Vibber wrote:
> We're seeing FPs on Twitter's "So-and-so is now following you on Twitter" 
> notices, pushed over by JM_SOUGHT_3's 4 points.  It appears to be 
> matching on __SEEK_O1OO80, which contains a large chunk of Twitter's 
> email footer.
> 
> If I were to guess, it's probably due to the phishing campaign that's 
> been targeting Twitter users over the last few weeks, faking a message 
> from Twitter support. I've seen several of those phish land in our own 
> spamtraps and abuse mailbox.
> 
> I can send a ham sample if that would help.

It does indeed. The sought rule-set's seek sub-rules are cross-checked
against a ham corpus. No Twitter ham in the corpus results in forged
Twitter messages being picked up in a seek, if the volume in the traps
is high enough.

Please send us a ham sample. Obfuscating identifying data is ok, but
please keep it to a minimum needed, and make it obvious. Raw message
attached preferred. Feel free to send it directly to me and/or Justin,
rather than the list. Thanks!


Quick interim fix. In your local.cf, add this to stop the FPs.
meta __SEEK_O1OO80  (0)

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
