spamassassin-users mailing list archives

From "Kevin A. McGrail" <KMcGr...@PCCC.com>
Subject Re: Yahoo single-link spam common elements
Date Fri, 01 Mar 2013 17:49:36 GMT
On 3/1/2013 12:43 PM, David F. Skoll wrote:
> These are the common elements as far as I can see in the text/plain part
> of the spam:
>
> 1) The URL always matches this regex:
>
>     http://\S+/\S+\.\s+\?
>
> In other words, there's always a dot in the URL (not counting the dots
> in the domain name itself) and a question mark.
>
> 2) The URL is then followed by possible whitespace and the name or address
> of the sender.
>
> 3) This is followed by more possible whitespace and then the date and
> time in a format that matches this regex:
>
>        \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M
>
> Can others confirm this pattern?
I can confirm this is ONE of the patterns we've seen but we have seen 
other variations.

For example, here's one from yesterday that you'll note forges my 
brother as the sender:

Return-Path: <rasiel_mongado29@yahoo.com>
Received: from nm7.bullet.mail.gq1.yahoo.com (nm7.bullet.mail.gq1.yahoo.com [98.136.218.72])
	by intel1.peregrinehw.com (8.14.5/8.14.5) with SMTP id r1SI2WHg008621
	for <kmcgrail@peregrinehw.com>; Thu, 28 Feb 2013 13:02:33 -0500
Received: from [98.137.12.61] by nm7.bullet.mail.gq1.yahoo.com with NNFMP; 28 Feb 2013 18:02:31 -0000
Received: from [208.71.42.212] by tm6.bullet.mail.gq1.yahoo.com with NNFMP; 28 Feb 2013 18:02:31 -0000
Received: from [127.0.0.1] by smtp223.mail.gq1.yahoo.com with NNFMP; 28 Feb 2013 18:02:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1362074551;
bh=O2aFzcTOvDvCQALZoONOlZmCJiqlFu6WnhUAJG1clGI=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:Reply-To:Subject:Date:To;
b=5sIC6wpAChfKFdhlWmr4OhjWCpNoMhTdxsbWPAIXYyD3f+O4QKMatwXxL7uvHeFc5TD//q4hW0HQDVJ+f/XJq71XHuBeWLySuYceP9ZP5gMRMnAR8uM9o9rWw0vnwSd7+3H3ff1rCd2FunGswYwlNAG5yz79uYE7xe+sXw5qs3c=
X-Yahoo-Newman-Id: 533489.47072.bm@smtp223.mail.gq1.yahoo.com
Message-ID: <533489.47072.bm@smtp223.mail.gq1.yahoo.com>
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: bHYtILuswBDzs9L.FhYpFEHr7NQ0kndD9GjKbx8-
Received: from localhost (rasiel_mongado29@200.121.59.161 with login)
         by smtp223.mail.gq1.yahoo.com with SMTP; 28 Feb 2013 10:02:31 -0800 PST
From: TOBY MCGRAIL <rasiel_mongado29@yahoo.com>
Reply-To: TOBY MCGRAIL <tvfdkmnumh@yahoo.com>
Subject: KEVIN
Date: Thu, 28 Feb 2013 10:05:47 -0800 (PST)
To: Kevin <kmcgrail@peregrinehw.com>

kevin, hey. look what I found!            http://www.deguciumd-munged.lt/answerbabykevingreen/


regards,
KAM
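
An added example, not part of the original message: a Python check of the three elements described in the quoted text, run against a constructed body that fits the pattern and against the body of the sample above, which does not. The URL test follows the prose description (a dot in the path plus a question mark) rather than the regex as posted; the function names and the constructed sample are assumptions.

```python
import re

# Element 1, read from the prose description: an http URL whose path
# (after the host) contains a dot, followed later by a question mark.
# This is an interpretation of the description, not the regex as posted.
URL_RE = re.compile(r"http://[^\s/]+/\S*\.\S*\?\S*")

# Element 3: the date/time regex exactly as given in the quoted message.
DATE_RE = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M")

# Constructed body that fits the described pattern (not a real message).
CONSTRUCTED_MATCH = (
    "http://example.test/news/item.php?id=42\n"
    "  Jane Doe\n"
    "  2/28/2013 10:05:47 AM\n"
)

# Body of the sample quoted in the reply above (URL already munged there).
PAGE_SAMPLE = (
    "kevin, hey. look what I found!            "
    "http://www.deguciumd-munged.lt/answerbabykevingreen/"
)


def check_body(body):
    """Report which of the three described elements a text/plain body has."""
    result = {"url": False, "sender_gap": False, "date": False}
    url = URL_RE.search(body)
    if not url:
        return result
    result["url"] = True
    # The date must come after the URL, so search from the URL's end.
    date = DATE_RE.search(body, url.end())
    if not date:
        return result
    result["date"] = True
    # Element 2: a sender name or address sits between the URL and the date.
    result["sender_gap"] = bool(body[url.end():date.start()].strip())
    return result


def matches_pattern(body):
    """True only when all three elements appear in the described order."""
    return all(check_body(body).values())


if __name__ == "__main__":
    for name, body in (("constructed", CONSTRUCTED_MATCH), ("page sample", PAGE_SAMPLE)):
        print(name, check_body(body), matches_pattern(body))
```

The sample from the reply fails all three checks, which is the variation the reply reports: a rule keyed only on this pattern would not fire on it.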
