spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Yahoo single-link spam common elements
Date Sun, 03 Mar 2013 20:02:14 GMT
On Sun, 3 Mar 2013, Alex wrote:

> Hi,
>
>> My latest attempt is this:
>>
>> header   __RP_D_00040_1 From:addr =~ /yahoo/i
>> header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
>> body     __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
>> meta     RP_D_00040 __RP_D_00040_1 &&__RP_D_00040_2 &&__RP_D_00040_3
>> describe RP_D_00040 Yahoo single-line URL spam
>
> I'm seeing variations on this that aren't being caught, and I hoped
> someone could help. I've pasted my example here:
>
> http://pastebin.com/ijb0PSep
>
> There are more than five recipients, and despite changing it higher,
> it still doesn't work. The URL in my example is:
>
> http-://www.mahmut64.com/nkewyzvy/3yvbqe0s7nab8dyg7udx5k.ki?fq98xcccm
>
> (remove the initial dash)
>
> I can't figure out how the above URL differs from some of the others
> that have been caught, such as:
> http-://www.misbusquedas.com/armn/sac2c9s6ar1azb1hij1r8a.zyy?x1sy9d9zj06u

The number in the domain name?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Failure to plan ahead on someone else's part does not constitute
   an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
  7 days until Daylight Saving Time begins in U.S. - Spring Forward
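
A way to see which of the three quoted sub-rules keeps the meta from firing on a given message, as an added example that is not part of the thread or of SpamAssassin. Python's `re` stands in for SpamAssassin's Perl regexes, `evaluate` and `paragraphs` are hypothetical helpers, the sample messages are constructed, and the per-paragraph body handling is an assumption that approximates how SpamAssassin renders the body.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The three sub-rules from the quoted rule set, patterns copied as posted.
RULES = {
    "__RP_D_00040_1": ("from_addr", re.compile(r"yahoo", re.I)),
    "__RP_D_00040_2": ("to", re.compile(r"(:?@.*?){5}")),
    "__RP_D_00040_3": ("body", re.compile(r"http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}")),
}

def paragraphs(text):
    # Assumption: approximates SpamAssassin body rendering, one string per
    # paragraph with line breaks collapsed to single spaces.
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", text) if p.strip()]

def evaluate(raw):
    """Return {sub-rule name: hit?} plus the meta result for one raw message."""
    msg = message_from_string(raw)
    fields = {
        "from_addr": [parseaddr(msg.get("From", ""))[1]],   # like From:addr
        "to": [" ".join(msg.get("To", "").split())],        # unfolded To header
        "body": paragraphs(msg.get_payload()),
    }
    hits = {name: any(rx.search(s) for s in fields[field])
            for name, (field, rx) in RULES.items()}
    hits["RP_D_00040"] = all(hits.values())  # the meta: all three must hit
    return hits

# Constructed sample messages (not taken from the pastebin in the thread).
HEAD = ("From: Some One <someone@yahoo.com>\n"
        "To: a@example.com, b@example.com, c@example.com, "
        "d@example.com, e@example.com, f@example.com\n"
        "Subject: hi\n\n")
URL = "http://www.example.com/abcd/efgh.xyz?q1"
SAME_PARA = HEAD + URL + "\n3/3/2013 10:02:14 AM\n"     # time string in the URL's paragraph
SPLIT_PARA = HEAD + URL + "\n\n3/3/2013 10:02:14 AM\n"  # blank line separates them
NO_TIME = HEAD + URL + "\n"                             # URL only, no h:m:s string

if __name__ == "__main__":
    for label, raw in [("same", SAME_PARA), ("split", SPLIT_PARA), ("none", NO_TIME)]:
        print(label, evaluate(raw))
```

On a real installation, the debug output of `spamassassin -D rules` reports sub-rule hits for the actual message, which is the authoritative check.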
