dansroka
12-23-2003, 12:04 PM
Hi everyone,
I have been getting swamped lately with this specific spam, offering free Cable. It is a simple email, so it slips right by SpamAssassin, so I want to create a procmail recipe to target it specifically.
THE SPAM: The spam subject is usually "Re:" followed by 6-8 all capital letters (random) and three random words. The body of the email always has a specific pattern of words spelling "free cable tv", followed by an image, and a series of random words. The text is strewn with HTML comment tags filled with random words.
I have noticed two predictable patterns in the body of the mail. First, the text describing free cable always looks something like:
Fr</abate>ee Ca</doldrums>ble& TV
The actual fake HTML always changes, but the pattern is always: "Fr" + fake HTML tag + "ee Ca" + fake HTML tag + "ble" + 1 or 2 characters + "TV".
So I made the following script.
:0B:
* Fr.+ee Ca.+ble.+TV
/var/spool/mail/bulk
(/var/spool/mail/bulk is my bulk mail account). This script seems to work for every pattern I received, although I am still testing it.
Second, I also noticed that the link always goes to a URL that is "www" + a number + a word + ".com/cable/". I haven't tried to make a recipe for this, but maybe this would be "safer" to filter for.
Anyone see anything wrong with my logic? Any suggestions? I am also curious if using procmail to filter the body of an email is wise. My procmail only serves me and a couple family members for email, so I am not too worried about taxing the system.
Thanks for your thoughts,
Dan
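An added example, not part of the original post: a shell check that runs the post's body pattern, a stricter variant that requires the fake tags, and a pattern for the URL shape described above against sample lines. The HAM and LINK samples, the optional dot in the URL pattern and the `matches` helper are assumptions; `grep -E -i` stands in for procmail's matching.

```shell
#!/bin/sh
# Added example. SPAM is the line quoted in the post; HAM and LINK are constructed.

# Pattern from the post's recipe: any run of characters may sit between the pieces.
LOOSE='Fr.+ee Ca.+ble.+TV'
# Stricter: each gap must be one <...> tag, then 1 or 2 characters before "TV".
# Uses only operators procmail's regex also has (no {m,n} intervals).
TIGHT='Fr<[^>]*>ee Ca<[^>]*>ble..?TV'
# "www" + number + word + ".com/cable/"; the optional dot after the number is a guess.
URL='www[0-9]+\.?[a-z]+\.com/cable/'

# matches PATTERN TEXT -> exit status 0 if a line of TEXT matches PATTERN.
# -i mirrors procmail, which ignores case unless the recipe carries the D flag.
matches() {
    printf '%s\n' "$2" | grep -Eiq -e "$1"
}

SPAM='Fr</abate>ee Ca</doldrums>ble& TV'
HAM='Friday: see Carol about the table near the TV'
LINK='<a href="http://www12.example.com/cable/">'

# Print, for every sample, which of the three patterns fire.
for sample in "$SPAM" "$HAM" "$LINK"; do
    printf '%s\n' "$sample"
    for pat in "$LOOSE" "$TIGHT" "$URL"; do
        if matches "$pat" "$sample"; then r='match'; else r='no match'; fi
        printf '    %-9s %s\n' "$r" "$pat"
    done
done
```

The HAM line shows the risk in the loose pattern: "see Carol" and "table" supply "ee Ca" and "ble", so an ordinary sentence is filed as bulk, while the stricter pattern still catches the quoted spam line.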