classiccmp list (sort of) help requested

Philip Pemberton classiccmp at philpem.me.uk
Wed Dec 13 17:45:28 CST 2006


Jay West wrote:
> What concerns me is that 99% of the new spam making it through is 
> vaguely sensible English phrases (apparently automatically pulled from 
> online books, or from usenet post archives, etc.). If there was also an 
> advertisement text, Spamassassin could catch that. However, the text is 
> all just English phrases (I've noted them to be targeted phrases, like 
> having to do with computers, sometimes old ones) BUT... the 
> advertisement is a graphic attachment. Since SpamAssassin can't do OCR 
> on the small gif or jpg attachment that says "buy viagra here"... I am 
> not sure what to do about this. It comes from all over, not just a few 
> servers, etc.

I've been trying to deal with that crap for months. It's sent out by the 
Warezov and Sdbot viruses, which explains why it's coming from all over the place.

I wrote a spam filter to deal with it - HAMster - but every few days the spam 
signatures change and I have to play catch-up. So far the only constant I've 
found is that the messages all have subject lines of the form:

Subject: something <from_firstname>
Subject: <from_firstname> something
Subject: something <from_lastname>
Subject: <from_lastname> something

Like I said - as soon as I add a new "ScoreRegexpSubjectField X Y" (add X to 
the score if regexp Y matches, replacing fields like $FIRSTNAME$ in the regexp 
with values from the headers) rule, the spam changes. My inbox is being 
stuffed full by this crap, and nothing seems to be able to stop it. I've 
counted nearly 1400MB of it in the past month, over six email accounts!

So far the only way I've found to deal with it is to spend a few hours 
analysing each message, then find something unique about it that will allow me 
to create a filter to block it. Then the spam changes again and it's "go 
directly to jail, do not pass Go, do not collect £200" once more...

-- 
Phil.                         |  (\_/)  This is Bunny. Copy and paste Bunny
classiccmp at philpem.me.uk      | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/     | (")_(") world domination.
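
The kind of rule described in the message above (add a score when a regexp matches the subject, with $FIRSTNAME$/$LASTNAME$ filled in from the headers), as an added example that is not part of the original post and is not HAMster's code. The rule table, scores, function names and sample messages are assumptions; the sender-supplied name is escaped before substitution because it is attacker-controlled.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical rules: (score, regexp template), one per subject form in the post.
RULES = [
    (2.0, r".+ $FIRSTNAME$"),
    (2.0, r"$FIRSTNAME$ .+"),
    (2.0, r".+ $LASTNAME$"),
    (2.0, r"$LASTNAME$ .+"),
]

def sender_fields(msg):
    """Derive $FIRSTNAME$/$LASTNAME$ from the From: display name."""
    display, _addr = parseaddr(msg.get("From", ""))
    parts = display.split()
    if not parts:
        return {}                      # no display name: nothing to substitute
    fields = {"$FIRSTNAME$": parts[0]}
    if len(parts) > 1:
        fields["$LASTNAME$"] = parts[-1]
    return fields

def score_subject(raw_message, rules=RULES):
    """Sum the scores of all rules whose expanded regexp matches the subject."""
    msg = message_from_string(raw_message)
    subject = " ".join(msg.get("Subject", "").split())  # normalise whitespace
    fields = sender_fields(msg)
    total = 0.0
    for score, template in rules:
        pattern = template
        for name, value in fields.items():
            # Escape the header value so regex metacharacters in a forged
            # display name cannot widen the match.
            pattern = pattern.replace(name, re.escape(value))
        if "$FIRSTNAME$" in pattern or "$LASTNAME$" in pattern:
            continue                   # placeholder unresolved: rule cannot apply
        if re.fullmatch(pattern, subject, re.IGNORECASE):
            total += score
    return total

# Constructed sample messages (not taken from real mail).
SPAM = "From: Alice Carter <a@example.com>\nSubject: thermostat Alice\n\nx\n"
HAM = "From: Alice Carter <a@example.com>\nSubject: PDP-11 boot ROM question\n\nx\n"
FORGED = 'From: ".* Carter" <b@example.net>\nSubject: hello world\n\nx\n'
NONAME = "From: c@example.org\nSubject: hi there\n\nx\n"
```

A legitimate message whose subject happens to contain the sender's name also scores, so a rule like this belongs in a weighted total rather than as a sole reject criterion.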


