On 09/19/2017 07:23 AM, Kevin A. McGrail wrote:
Is it purposeful extra space though that might indicate spaminess? Spample?
Regards,
KAM

On September 19, 2017 8:13:09 AM EDT, RW <rwmailli...@googlemail.com> wrote:

    On Tue, 19 Sep 2017 09:27:13 +0100
    Sebastian Arcus wrote:

        I've had a number of emails with no subject not triggering the
        MISSING_SUBJECT rule - only to discover that the spammers have added
        a white space after 'Subject:' - which appears to fool the code into
        thinking that there is an actual subject. Would it be possible to
        'smarten up' the code a bit to recognise this?


    The space doesn't make a difference.

    The test is for a missing subject not an empty subject. Some people
    send emails without setting a subject but the client will normally
    still add the header.


I have had these in place for years. Maybe Kevin can consolidate and integrate this into his KAM.cf so I could remove them or we could eventually get them into the default SA ruleset after some testing.

header          ENA_SUBJ_IS_SPACE       Subject =~ /^ $/
describe        ENA_SUBJ_IS_SPACE       Subject is a space
score           ENA_SUBJ_IS_SPACE       3.2

header          ENA_SUBJ_ONLY_SPACES    Subject =~ /^\s+$/
describe        ENA_SUBJ_ONLY_SPACES    Subject is empty or only spaces commonly used by spammers to get around subject checks
score           ENA_SUBJ_ONLY_SPACES    2.2

header          ENA_SUBJ_ONLY_FWD       Subject =~ /(^Fw:\s+$|^Fw\s+$|^Fwd:\s+$|^Fwd\s+$|^Fwd: \(\d\)$|^Fwd: \[\d\]$)/i
describe        ENA_SUBJ_ONLY_FWD       Subject is only "Fwd:"
score           ENA_SUBJ_ONLY_FWD       2.2

header          ENA_SUBJ_ONLY_RE        Subject =~ /(^Re:\s+$|^Re\s+$|^Re: \(\d\)$|^Re: \[\d\]$)/i
describe        ENA_SUBJ_ONLY_RE        Subject is only "Re:"
score           ENA_SUBJ_ONLY_RE        2.2

header          ENA_SUBJ_LONG_WORD      Subject =~ /\b[^[:space:][:punct:]]{30}/
describe        ENA_SUBJ_LONG_WORD      Subject has a very long word
score           ENA_SUBJ_LONG_WORD      2.2

header          ENA_SUBJ_ODD_CASE       Subject =~ /(?:[[:lower:]][[:upper:]].{0,15}){3}/
describe        ENA_SUBJ_ODD_CASE       Subject has odd case
score           ENA_SUBJ_ODD_CASE       3.2


--
David Jones
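
A small harness for trying the rule patterns above on sample subjects before deploying them, added here as an example and not part of David Jones's message. The sample subjects are constructed, and the script applies the regexes to raw strings with plain Perl, which is an assumption: SpamAssassin's own header decoding and whitespace handling are not modelled.

```perl
#!/usr/bin/perl
# Added example: runs the ENA_SUBJ_* patterns quoted in the message above
# against constructed subject strings and lists which rule names match.
# Plain Perl matching on raw strings only (assumption); it does not go
# through SpamAssassin's header parsing.
use strict;
use warnings;

# Rule name => pattern, copied from the rules in the message.
my @rules = (
    [ ENA_SUBJ_IS_SPACE    => qr/^ $/ ],
    [ ENA_SUBJ_ONLY_SPACES => qr/^\s+$/ ],
    [ ENA_SUBJ_ONLY_FWD    => qr/(^Fw:\s+$|^Fw\s+$|^Fwd:\s+$|^Fwd\s+$|^Fwd: \(\d\)$|^Fwd: \[\d\]$)/i ],
    [ ENA_SUBJ_ONLY_RE     => qr/(^Re:\s+$|^Re\s+$|^Re: \(\d\)$|^Re: \[\d\]$)/i ],
    [ ENA_SUBJ_LONG_WORD   => qr/\b[^[:space:][:punct:]]{30}/ ],
    [ ENA_SUBJ_ODD_CASE    => qr/(?:[[:lower:]][[:upper:]].{0,15}){3}/ ],
);

# Return the names of all rules whose pattern matches the given subject.
sub hits {
    my ($subject) = @_;
    return map { $_->[0] } grep { $subject =~ $_->[1] } @rules;
}

# Constructed samples: whitespace-only and empty subjects, bare reply and
# forward prefixes with and without trailing whitespace, ordinary subjects,
# a long unbroken token, and mixed-case strings (brand names and spam-style).
my @samples = (
    ' ',
    '   ',
    '',
    'Fwd: ',
    'Fwd:',
    'Re: (2)',
    'Re: quarterly report',
    'Invoice 0123456789abcdef0123456789abcdef01234567',
    'PayPal iPhone MacBook',
    'hElLo fRiEnD',
);

for my $s (@samples) {
    my @h = hits($s);
    # Brackets make leading and trailing whitespace visible in the output.
    printf "%-52s %s\n", "[$s]", @h ? join(',', @h) : '-';
}
```

Once the patterns behave as intended on the samples, `spamassassin --lint` checks the rule file syntax, and running real ham and spam through SpamAssassin shows how the rules fire on actual headers.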
