spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Can't keep up with spam from SolarVPS sites
Date Sat, 07 Jun 2014 02:02:49 GMT
On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

> On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:
>> On Jun 6, 2014, at 3:50 PM, Axb <axb.lists@gmail.com> wrote:
>>
>>> If you have to post a spam sample, pls use pastebin and post the full msg
>>
>> Here’s a prototype:
>> http://ur1.ca/hgxkx
>
> That Return-Path really sticks out. It's basically the From: address
> with embedded To: address.
>
> The following rule (beware, entirely untested) would match that pattern.
> A camel-cased string, hyphen, email address with equal sign substituted
> for "@", followed by @ (and an arbitrary domain).
>
>  header  CAMEL_CASE  Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/
>
> You will of course have to substitute your address. If there are
> multiple valid user names, you could use something like /[a-z]+/ instead
> of an actual user name.

It would be possible to do a multiple-header rule with captures and 
backreferences to capture the camel-case, destination email and source 
domain parts and verify that the Return-Path+From+To header triplet 
matches this pattern.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When I say "I don't want the government to do X", do not
   automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
  Today: the 70th anniversary of D-Day
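
The triplet check described in the reply above, written out in Python as an added example (not code from the thread, and not a SpamAssassin rule). It assumes the From: local part equals the camel-case token and the From: domain equals the Return-Path domain; the sample messages and the .example domains are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Return-Path shape from the thread: camel-cased string, hyphen, recipient
# address with "=" in place of "@", then "@" and the sending domain.
RP_RE = re.compile(r"^((?:[A-Z][a-z]+){3,})-([^=@\s]+)=([^=@\s]+)@([^@\s]+)$")

def triplet_matches(raw):
    """True when Return-Path, From and To agree with the captured parts."""
    msg = message_from_string(raw)
    rp = parseaddr(msg.get("Return-Path", ""))[1]
    frm = parseaddr(msg.get("From", ""))[1]
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    m = RP_RE.match(rp)
    if not m or "@" not in frm:
        return False
    camel, rcpt_user, rcpt_domain, src_domain = m.groups()
    from_local, from_domain = frm.rsplit("@", 1)
    return (from_local == camel  # assumption: From local part is the camel-case token
            and from_domain.lower() == src_domain.lower()
            and f"{rcpt_user}@{rcpt_domain}".lower() in rcpts)

def make_msg(rp, frm, to):
    """Build a minimal constructed message with the three headers under test."""
    return f"Return-Path: <{rp}>\nFrom: {frm}\nTo: {to}\nSubject: test\n\nbody\n"

# Constructed samples (not taken from the pastebin in the thread).
SPAM = make_msg("GreatDealsToday-user=recipient.net@sender.example",
                "Great Deals <GreatDealsToday@sender.example>", "user@recipient.net")
# Bounce-style address that embeds the recipient but has no camel-case token.
LIST_BOUNCE = make_msg("bounces-user=recipient.net@lists.example",
                       "Some List <list@lists.example>", "user@recipient.net")
# Return-Path has the shape, but From: does not agree with it.
MISMATCH = make_msg("GreatDealsToday-user=recipient.net@sender.example",
                    "Great Deals <other@elsewhere.example>", "user@recipient.net")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LIST_BOUNCE", LIST_BOUNCE), ("MISMATCH", MISMATCH)):
        print(name, triplet_matches(raw))
```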