On Wed, 12 Feb 2014, Joe Quinn wrote:

On 2/12/2014 3:15 PM, John Hardin wrote:
 On Wed, 12 Feb 2014, Joe Quinn wrote:

> This pattern has been showing up in a good 80% of spam I have looked at
> in the past month.
>
> Spammers take a few paragraphs out of a large body of text and put it at
> the end of their email. My favorite is one that had the scene where
> Daisy first meets Jay Gatsby.
>
> Sometimes they add some munging, or like in this example they insert
> base64-encoded hashes. We have a rule for the plaintext hashes, but does
> anyone on the list have a good way of detecting this?

 Bayes.

Any ideas outside of Bayes? We don't currently have it configured, and the setup involved is more than we would like to do for just one rule, if at all possible.

Bayes is very useful, you should reconsider.

Perhaps something like this:

body      __HEXHASHWORD   /\b[0-9a-f]{30,}\s[a-z]{1,10}\b/
tflags    __HEXHASHWORD   multiple maxhits=5
meta      HEXHASH_WORD    __HEXHASHWORD > 4
describe  HEXHASH_WORD    Hexadecimal hash followed by a word

Added to my sandbox, just in case.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Mine eyes have seen the horror of the voting of the horde;
  They've looted the fromagerie where guv'ment cheese is stored;
  If war's not won before the break they grow so quickly bored;
  Their vote counts as much as yours.                          -- Tam
-----------------------------------------------------------------------
 Today: Abraham Lincoln's and Charles Darwin's 205th Birthdays
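
The rule logic from the message above, as an added example that is not part of the original thread: a simplified Python model of how the `multiple maxhits=5` sub-rule and the `> 4` meta combine. The sample bodies, `fake_hash` and the function names are constructed for illustration, and treating the body as a list of paragraphs is an assumption.

```python
import hashlib
import re

# Same pattern as the __HEXHASHWORD body rule (the syntax is valid in Python too).
HEXHASHWORD = re.compile(r"\b[0-9a-f]{30,}\s[a-z]{1,10}\b")
MAXHITS = 5    # tflags __HEXHASHWORD multiple maxhits=5
THRESHOLD = 4  # meta HEXHASH_WORD __HEXHASHWORD > 4


def count_hits(paragraphs):
    """Count sub-rule hits across body paragraphs, stopping at MAXHITS."""
    hits = 0
    for para in paragraphs:
        for _ in HEXHASHWORD.finditer(para):
            hits += 1
            if hits >= MAXHITS:
                return hits
    return hits


def hexhash_word(paragraphs):
    """Evaluate the meta rule: True when more than THRESHOLD hits were seen."""
    return count_hits(paragraphs) > THRESHOLD


def fake_hash(seed, length=32):
    """Constructed lowercase hex string standing in for a spammer's hash."""
    return hashlib.sha256(seed.encode()).hexdigest()[:length]


# Constructed sample bodies: filler text with a hash in front of each line,
# and a legitimate message that mentions a single commit hash.
FILLER = [
    "the afternoon light fell across the lawn",
    "she turned her head as the door opened",
    "for a moment nobody in the room spoke",
    "then the rain began again outside",
    "he set the cup down with a trembling hand",
    "and the clock on the mantel ticked on",
]
SPAM = [f"{fake_hash(str(i))} {text}" for i, text in enumerate(FILLER)]
HAM = [f"This was fixed in commit {fake_hash('c', 40)} yesterday, please pull.",
       "Thanks for the quick review."]

if __name__ == "__main__":
    for name, body in (("spam", SPAM), ("ham", HAM)):
        print(name, count_hits(body), hexhash_word(body))
```

The pattern has no `/i` flag, so hashes written in uppercase hex do not count toward the threshold.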
