Hi,

>> I've been receiving a handful of spam claiming to be from whatsapp,
>> and I can't figure out how to block it.
>>
>> http://pastebin.com/8E66QRkn
>> http://pastebin.com/KrTgKGh1
>>
>> What does a legitimate whatsapp email look like? I've searched their
>> site, and their DNS entry doesn't even have an MX record, let alone
>> any indication of SPF, etc.
>>
>> Bayes is obviously a problem, but my bayes db generally performs well.
>> I'm sure the domains in the body would be listed now, and probably the
>> source addresses too.
>>
>> Ideas greatly appreciated.
>
>
> It looks like they are doing unicode obfuscation of text in the body:
>
> WhatsApp W=C3=A8b You h=C3=A4ve a new message D=C3=A8tails:
>
> Not sure if the Unicode replace stuff will catch it, but you might try this:
>
> body FUZZY_DETAILS /<D>(?:etails)<E><T><A><I><L><S>/i
> replace_rules FUZZY_DETAILS

It doesn't catch it, and I don't know enough about replace_rules to figure it out. Is there supposed to be an existing FUZZY_DETAILS rule? It appears to lint okay. It's also interesting that the domains listed in both samples aren't already blacklisted.
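
Added example (not part of the thread, and not SpamAssassin code): a standalone Python check for the obfuscation visible in the quoted sample line. It decodes the quoted-printable body, folds accented letters to plain ASCII, and reports words that match a watchlist only after folding. The watchlist contents and all function names are assumptions made for illustration.

```python
import quopri
import re
import unicodedata

# Assumed watchlist of plain-ASCII words; pick ones relevant to your own spam.
WATCHLIST = {"web", "have", "details"}


def fold(text):
    """Strip diacritics: decompose to NFKD, then drop the combining marks."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def decode_body(raw, charset="utf-8"):
    """Undo the quoted-printable transfer encoding, then decode the charset."""
    return quopri.decodestring(raw).decode(charset, errors="replace")


def obfuscated_words(raw, watchlist=WATCHLIST):
    """Return (seen, folded) pairs for words that hit the watchlist only after folding."""
    hits = []
    for word in re.findall(r"\w+", decode_body(raw)):
        folded = fold(word).lower()
        # A plain-ASCII "Details" is normal text; only flag the disguised form.
        if folded in watchlist and not word.isascii():
            hits.append((word, folded))
    return hits


# Body line quoted in the thread, still quoted-printable encoded.
SAMPLE = b"WhatsApp W=C3=A8b You h=C3=A4ve a new message D=C3=A8tails:"

if __name__ == "__main__":
    for seen, folded in obfuscated_words(SAMPLE):
        print(f"{seen!r} folds to {folded!r}")
```

Run against a saved message body, this shows which words a regex would have to match in their accented form, and it leaves ordinary ASCII spellings unflagged.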