Re: Help with blocking Chinese Spam

Tue, 13 Mar 2012 06:06:10 -0700 

13.3.2012 14:40, Jenny Lee kirjoitti:
>> Date: Tue, 13 Mar 2012 08:25:21 -0400
>> From: d...@roaringpenguin.com
>> To: users@spamassassin.apache.org
>> Subject: Re: Help with blocking Chinese Spam
>>
>> On Tue, 13 Mar 2012 09:48:37 +0000
>> Jenny Lee <bodycar...@live.com> wrote:
>>
>> > I am getting this chinese spam every hour. I tried, ok_locales,
>> > ok_languages with texcat plugin... I tried matching the subject...
>> > but these people are always getting through.
>> > http://www.pastebin.ca/2127622
>> > What rules/modifications do I need to do to get rid of this?
>>
>> We use this rule, but it's aggressive. It will block any Chinese message
>> with a Word or Excel attachment. For our user-base, that's fine, but YMMV.
>>
>> Regards,
>>
>> David.
>>
>> # Chinese spams
>> header __RP_SUBJ_UTF8 Subject:raw =~/=\?utf-8\?B/i
>> header __RP_SUBJ_GB2312 Subject:raw =~ /=\?gb2312\?B/i
>> header __RP_SUBJ_CJK Subject =~ /[\xe4-\xe9]/
>> full __RP_8BIT_FNAME /name=.{0,30}[\x80-\xff]/
>> full __RP_EXCEL /application\/vnd.ms-excel/i
>> full __RP_DOC /application\/msword/i
>> full __RP_GB2312_FNAME /name=.?=\?gb2312\?/i
>> meta RP_D_00032 (__RP_SUBJ_UTF8 && __RP_SUBJ_CJK && (__RP_EXCEL ||
> __RP_DOC || __RP_8BIT_FNAME)) || (__RP_SUBJ_GB2312 && (__RP_GB2312_FNAME
> || __RP_EXCEL || __RP_DOC || __RP_8BIT_FNAME))
>> describe RP_D_00032 Looks like a Chinese spam
>> score RP_D_00032 5.0
>>
> 
> Thank you David.
>  
> Will give this a go. What I don't understand is that... Why is this not
> catching this 'utf' which is on the subject?
>  
> I used this for testing purposes. It catches other botnet headers like
> 'Experian', etc.
>  
> header XX_CUSTOM_HEADER Subject =~ /Experian|\$1500|to your account on
> file today|into your account today|video|clip|movie| vid|episode|utf/i
> score XX_CUSTOM_HEADER 8.0
> describe XX_CUSTOM_HEADER XX Custom Rules - Header
>  
> J

Subject:raw catches the UTF format, Subject catches a subject containing
text "utf".



-- 

Today's weirdness is tomorrow's reason why.
                -- Hunter S. Thompson

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to