PDA

View Full Version : procmail recipe to fight the "Free Cable TV" spam



dansroka
12-23-2003, 11:04 AM
Hi everyone,
I have been getting swamped lately with this specific spam, offering free Cable. It is a simple email, so it slips right by Spam Assassin, so I want to create a procmail recipe to target it specifically.

THE SPAM: The spam subject is usually "Re:" followed by 6-8 all capital letters (random) and three random words. The body of the email always has a specific pattern of works spelling "free cable tv", followed by an image, and a series of random words. The text is strewn with HTML comment tags filled with random words.

I have noticed two predictable patterns in the body of the mail. First, the text describing free cable aways looks something like:

Fr</abate>ee Ca</doldrums>ble& TV
The actual fake HTML always changes, but the pattern is always: "Fr" + fake HTML tag + "ee Ca" + fake HTML tag + "ble" + 1 or 2 characters + "TV".

So I made the following script.


:0B:
* Fr.+ee Ca.+ble.+TV
/var/spool/mail/bulk


(/var/spool/mail/bulk is my bulk mail account). This script seems to work for every pattern I received, although I am still testing it.

Second, I also noticed that the link always goes to a URL that is "www" + a number + a word + ".com/cable/". I haven't tried to make a recipe for this, but maybe this would be "safer" to filter for"

Anyone see anything wrong with my logic? Any suggestions? I am also curious if using procmail to filter the body of an email is wise. My procmail only serves me and a couple family members for email, so I am not too worried about taxing the system.

Thanks for your thoughts,
Dan

jalal
12-24-2003, 02:23 AM
I have the following in my ~/.spamassassin/user_prefs

body 5300000X_SITE /530000x\.com/
describe 530000X_SITE Links to 530000x.com cable site.
score 530000X_SITE 0.0

because most of them reference an image on the 530000.com servers.

dansroka
12-24-2003, 09:52 AM
Interesting - I didn't think of adding it to the spamassassin scores. I'll have to read up on that. Do you know if SA process regular expressions?

jalal
12-24-2003, 09:59 AM
Well, yes... its a Perl script so its very, very good at parsing RegEx's.

I've had to add 2004hosting.net as well....

dansroka
12-24-2003, 10:04 AM
Of course it does RE, you're right... (it's early here and I haven't had my coffee yet).

I just checked a backlog of spam and those two servers seem to be responsible for most of this type of spam. Thanks for the help.

jalal
12-24-2003, 10:19 AM
Whoops, update... the above doesn't work correctly.

the correct lines should read something like:


body A5300000X_SITE /530000x\.com/
describe A530000X_SITE Links to 530000x.com cable site.
score A530000X_SITE 3.0


The lables need to start with an alphabetic character... and a higher score
8)

dansroka
12-24-2003, 10:53 AM
Thanks! And I assume a score higher than 0? :-)