On Tue, 5 Aug 2014, Andy Balholm wrote:

The last few days, I’ve been getting a lot of spams that have a similar
pattern. They are plain-text messages, and each one ends with a paragraph from
a restaurant review (apparently to confuse Bayesian filters), with some numbers
inserted. There is an 8-digit decimal number and a 32-digit hex one. Each
number appears two or three times. This is a consistent enough pattern that I
wrote a rule to match it:

body REPEATED_TRACKING_NUMBERS / (\d{8}) .* ([0-9a-f]{32}) .*\g1.*\g2/
score REPEATED_TRACKING_NUMBERS 1
describe REPEATED_TRACKING_NUMBERS A large number and a hex hash, each showing up at least twice.

The spaces in the regex are necessary to avoid matching notification emails
from eBay.

There's already a rule for this sort of thing in the sandbox.
http://ruleqa.spamassassin.org/20140804-r1615505-n/HEXHASH_WORD/detail
Technically speaking, unless they appear in a URI they aren't "tracking"
information, as there's nothing done with them that a third party can
observe. They're just there to interfere with known-text pattern matching
and things like Razor checksums.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
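
Added example, not part of the original thread: a Python port of the posted rule run over constructed sample bodies, showing that it fires on two messages whose exact-content digests differ, and that the literal spaces keep it from firing when the repeated identifiers sit inside longer tokens. The sample texts, the whitespace normalization and the SHA-256 stand-in for a checksum are assumptions made for illustration.

```python
import hashlib
import re

# Python port of the posted rule; Perl's \g1 and \g2 become \1 and \2.
RULE = re.compile(r" (\d{8}) .* ([0-9a-f]{32}) .*\1.*\2")
# Same pattern with the literal spaces removed, for comparison only.
RULE_NO_SPACES = re.compile(r"(\d{8}).*([0-9a-f]{32}).*\1.*\2")


def normalize(body):
    """Collapse whitespace runs so a wrapped paragraph is matched as one line."""
    return " ".join(body.split())


def rule_hits(body, rule=RULE):
    """True if the rule matches anywhere in the normalized body."""
    return rule.search(normalize(body)) is not None


def exact_digest(body):
    """Stand-in for an exact-content checksum (not Razor's actual algorithm)."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()


def make_spam(number, hexhash):
    # Constructed sample: identical filler text, only the inserted tokens vary.
    return (
        f"The soup was warm and the service friendly. {number} We came back\n"
        f"twice that week. {hexhash} The dessert menu is short\n"
        f"but good. {number} Parking is easy. {hexhash}\n"
    )


SPAM_A = make_spam("48213907", "9f86d081884c7d659a2feaa0c55ad015")
SPAM_B = make_spam("73019465", "3c59dc048e8850243be8079a5c74d079")

# Constructed notification-style text: the identifiers repeat, but they sit
# inside longer tokens instead of being delimited by spaces.
NOTIFICATION = (
    "Your order ref=48213907&t=9f86d081884c7d659a2feaa0c55ad015 has shipped. "
    "Track it at ref=48213907&t=9f86d081884c7d659a2feaa0c55ad015."
)

if __name__ == "__main__":
    for name, text in [("A", SPAM_A), ("B", SPAM_B), ("notif", NOTIFICATION)]:
        print(name, rule_hits(text), rule_hits(text, RULE_NO_SPACES),
              exact_digest(text)[:16])
```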