spamassassin-users mailing list archives

From Alex <>
Subject Re: Whatsapp spam
Date Thu, 02 Jul 2015 02:23:37 GMT

>> I've been receiving a handful of spam claiming to be from whatsapp,
>> and I can't figure out how to block it.
>> What does a legitimate whatsapp email look like? I've searched their
>> site, and their DNS entry doesn't even have an MX record, let alone
>> any indication of SPF, etc.
>> Bayes is obviously a problem, but my bayes db generally performs well.
>> I'm sure the domains in the body would be listed now, and probably the
>> source addresses too.
>> Ideas greatly appreciated.
> It looks like they are doing unicode obfuscation of text in the body:
> WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:
> Not sure if the Unicode replace stuff will catch it, but you might try this:
>   body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>   replace_rules FUZZY_DETAILS

It doesn't catch it, and I don't know enough about replace_rules to
figure it out. Is there supposed to be an existing FUZZY_DETAILS rule?
It appears to lint okay.

It's also interesting that the domains listed in both samples aren't
already blacklisted.

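Added example, not part of the original thread and not SpamAssassin code: a Python sketch that decodes the quoted-printable sample line from the message above, folds accented letters to their ASCII base, and reports the tokens that only match a watch list after folding. The watch list and the function names are assumptions made for illustration.

```python
import quopri
import re
import unicodedata

# Body line quoted in the thread above, still quoted-printable encoded.
SAMPLE_QP = b"WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:"

# Assumption: a small watch list of plain-ASCII words a filter cares about.
WATCH_WORDS = {"web", "have", "details", "message", "whatsapp"}


def fold(text):
    """Strip combining marks so that e.g. U+00E8 (e with grave) becomes 'e'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def obfuscated_words(qp_bytes, watch=WATCH_WORDS):
    """Return (as_seen, folded) pairs for tokens that match the watch list
    only after their diacritics are removed."""
    text = quopri.decodestring(qp_bytes).decode("utf-8", errors="replace")
    hits = []
    for token in re.findall(r"\w+", text):
        folded = fold(token).lower()
        # A plain-ASCII token is an ordinary match, not an obfuscated one.
        if folded in watch and not token.isascii():
            hits.append((token, folded))
    return hits


def looks_obfuscated(qp_bytes, threshold=2):
    """Flag a body when at least `threshold` watched words are accented."""
    return len(obfuscated_words(qp_bytes)) >= threshold


if __name__ == "__main__":
    for seen, folded in obfuscated_words(SAMPLE_QP):
        print(f"{seen!r} folds to {folded!r}")
    print("flagged:", looks_obfuscated(SAMPLE_QP))
```

Accented words outside the watch list are ignored, so ordinary non-English text is not flagged by this check.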