Thank you for the answers.

@Jason Bertoch - I'll try to upgrade, although it will be a difficult task 
(many corporate mails).
@Daniel McDonald - Nice rules, I'm going to integrate it too and see what 
happens. Funny keywords :D - thanks.
@John Hardin - Your suggestion led me to a very good link: 
http://www.owlriver.com/spam/stop-spam.html



-----Original Message-----
From: Daniel McDonald []
Sent: Tuesday 07, December 12, 2010 16:46
To: spamassassin
Subject: Re: spam with different "Received" and "To" headers


On 12/7/10 8:20 AM, "Florescu, Dan Alexandru"
<> wrote:

> Hi,
>
> In the last few days some spam messages have been able to elude the filters I
> use. Upon checking the headers, it seems to be following the same pattern.

>
> I just earned $31 in a few hours at home on the computer! I went to - Business
> Week Journal* You will thank me
> -----
> * this is a <a href=virus_link>Business Week Journal</a> link
>
> My question is: shouldn't there be a rule to verify that the mail specified at
> "To:" header actually corresponds to the one at "Received: [...] for <>"?
> This would be a very effective spam catching rule.

No, it would be a really bad rule, for lots of reasons.

I am trying to catch these by looking for the body pattern:
I {verbed} {money} {verbing} {uri} {salutation}

Here is my current rule.  I'd love to get more verbs to add to it, based on
more examples.  They seem to have a pretty good thesaurus...

body    __SOME_MONEY_HUNDREDS   /\$\d{2,3}\b/
describe __SOME_MONEY_HUNDREDS  Has a dollar amount up to $one thousand

body    __EASY_MONEY            /\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)/
describe __EASY_MONEY           talks about making easy money

body    __EASY_WORK             /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home|on the computer)/
describe __EASY_WORK            talks about the work being simple

meta    AE_WORKFROM_HOME        __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
describe AE_WORKFROM_HOME       work from home spam
score   AE_WORKFROM_HOME        1.00

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
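
An added example, not part of the original thread: a small Python harness that runs the three body sub-rules above against constructed sample bodies and reports which sub-rule kept the AE_WORKFROM_HOME meta from firing. The __DOS_HAS_ANY_URI pattern and the whitespace normalization are assumptions standing in for SpamAssassin's own URI rule and body rendering; the sample texts are constructed.

```python
import re

# Sub-rule regexes transcribed from the rules in the message above.
SUBRULES = {
    "__SOME_MONEY_HUNDREDS": re.compile(r"\$\d{2,3}\b"),
    "__EASY_MONEY": re.compile(
        r"\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)"),
    "__EASY_WORK": re.compile(
        r"(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)"
        r"|working at home|on the computer)"),
    # Assumption: stand-in for SpamAssassin's __DOS_HAS_ANY_URI, which is
    # defined outside this thread; here any http(s) URI counts.
    "__DOS_HAS_ANY_URI": re.compile(r"https?://\S+", re.I),
}
META = "AE_WORKFROM_HOME"


def normalize(body):
    """Assumption: approximate body rendering by collapsing whitespace runs."""
    return re.sub(r"\s+", " ", body).strip()


def evaluate(body):
    """Return (meta_hit, {subrule: bool}); the meta is the AND of all sub-rules."""
    text = normalize(body)
    hits = {name: bool(rx.search(text)) for name, rx in SUBRULES.items()}
    return all(hits.values()), hits


def missing(body):
    """Sub-rules that did not match, useful when extending the verb list."""
    return sorted(name for name, hit in evaluate(body)[1].items() if not hit)


# Constructed samples; "thread_spam" follows the wording quoted in the thread.
SAMPLES = {
    "thread_spam": "I just earned $31 in a few hours at home on the computer! "
                   "I went to http://example.invalid/bwj You will thank me",
    "new_verb": "I just banked $450 in a day doing simple tasks! "
                "See http://example.invalid/x",
    "ham_invoice": "I made the $120 payment on the computer yesterday, "
                   "receipt attached.",
    "wrapped": "I\nscored $99 being\nonline http://example.invalid/y cheers",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        fired, _ = evaluate(body)
        print(f"{name:12} {META}={fired} missing={missing(body)}")
```

The "ham_invoice" sample matches every body sub-rule and is held back only by the URI condition, which is consistent with the low 1.00 score on the meta.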

