spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex <mysqlstud...@gmail.com>
Subject Re: Whatsapp spam
Date Thu, 02 Jul 2015 02:23:37 GMT
Hi,

>> I've been receiving a handful of spam claiming to be from whatsapp,
>> and I can't figure out how to block it.
>>
>> http://pastebin.com/8E66QRkn
>> http://pastebin.com/KrTgKGh1
>>
>> What does a legitimate whatsapp email look like? I've searched their
>> site, and their DNS entry doesn't even have an MX record, let alone
>> any indication of SPF, etc.
>>
>> Bayes is obviously a problem, but my bayes db generally performs well.
>> I'm sure the domains in the body would be listed now, and probably the
>> source addresses too.
>>
>> Ideas greatly appreciated.
>
>
> It looks like they are doing unicode obfuscation of text in the body:
>
> WhatsApp W=C3=A8b     You h=C3=A4ve a new message   D=C3=A8tails:
>
> Not sure if the Unicode replace stuff will catch it, but you might try this:
>
>   body          FUZZY_DETAILS  /<D>(?:etails)<E><T><A><I><L><S>/i
>   replace_rules FUZZY_DETAILS

It doesn't catch it, and I don't know enough about replace_rules to
figure it out. Is there supposed to be an existing FUZZY_DETAILS rule?
It appears to lint okay.

It's also interesting that the domains listed in both samples aren't
already blacklisted.

Mime
View raw message