spamassassin-users mailing list archives

From John Hardin <>
Subject Re: No longer just embedded =9D characters in blackmail emails.
Date Wed, 05 Dec 2018 21:45:07 GMT
On Wed, 5 Dec 2018, Mark London wrote:

> No longer just embedded =9D characters.
> From: =?utf-8?B?bmlnaHRt0LByZQ==?= <>
> To: <>
> Subject: You are my  victim.
> Date: Tue, 4 Dec 2018 15:56:36 -0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="a0d0993ce53319101c19af03d5311b0976b26b"
> X-Scanned-By: MIMEDefang 2.79 on
> --a0d0993ce53319101c19af03d5311b0976b26b
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: quoted-printable
> Hi, my pr=D0=B5y.
> This is my last warning.
> I write you inasmuch as I put a virus on the web page with porno which yo=
> u have viewed.
> My tr=D0=BEjan c=D0=B0=D1=80tured all y=D0=BEur =D1=80rivat=D0=B5 dat=D0=B0=
> =D0=B0nd switched on your c=D0=B0mer=D0=B0 which r=D0=B5=D1=81=D0=BErded=


Those aren't zero-width, those are just standard Unicode obfuscations of 
regular ASCII text. The _ZW rule isn't intended to catch that.

I've added a "too many [ascii][unicode][ascii]" rule based on that but I 
suspect it will be pretty FP-prone and will be pretty large if we want to 
avoid whack-a-mole syndrome. For this, normalize + bayes is probably the 
best bet.

I've added some of the new phrases from that to the bitcoin extort 

  John Hardin KA7OHZ              FALaholic #11174     pgpk -a
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
   The call to let 16-year-olds vote is a call to amplify the votes
   of teachers' unions. If you think political indoctrination in the
   schools is bad now, wait until it has the direct power to tip
   election results.                               -- Robert Tracinski
  2 days until The 77th anniversary of Pearl Harbor
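
The trade-off discussed in the message above, as an added illustration (not part of the original post and not SpamAssassin rule code): a literal `[ascii][unicode][ascii]` pattern is compared with a per-word mixed-script check, followed by homoglyph folding before tokens would reach Bayes. The function names, the small homoglyph map and the sample (built from fragments of the quoted body) are assumptions made for this example.

```python
import quopri
import re
import unicodedata

# Constructed sample built from fragments of the quoted message body above.
SAMPLE_QP = (b"Hi, my pr=D0=B5y.\n"
             b"My tr=D0=BEjan c=D0=B0=D1=80tured all y=D0=BEur "
             b"=D1=80rivat=D0=B5 dat=D0=B0\n")

# Hand-built homoglyph map (assumption): only the Cyrillic letters seen in
# the sample. A production map would come from Unicode confusables data.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c"})

NAIVE = re.compile(r"[A-Za-z][^\x00-\x7f][A-Za-z]")  # [ascii][unicode][ascii]


def decode_body(raw_qp, charset="utf-8"):
    """Decode a quoted-printable body part to text."""
    return quopri.decodestring(raw_qp).decode(charset)


def scripts(word):
    """Scripts of the letters in word (first word of each Unicode name)."""
    return {unicodedata.name(ch).split()[0] for ch in word if ch.isalpha()}


def mixed_script_words(text):
    """Words that mix Latin letters with letters of another script."""
    return [w for w in re.findall(r"\w+", text)
            if "LATIN" in scripts(w) and len(scripts(w)) > 1]


def naive_hits(text):
    """Words matched by the literal [ascii][unicode][ascii] pattern."""
    return [w for w in re.findall(r"\w+", text) if NAIVE.search(w)]


def normalize(text):
    """Fold known homoglyphs to ASCII so Bayes sees the plain tokens."""
    return unicodedata.normalize("NFKC", text).translate(HOMOGLYPHS)


if __name__ == "__main__":
    body = decode_body(SAMPLE_QP)
    print("naive pattern:", naive_hits(body))
    print("mixed script :", mixed_script_words(body))
    print("normalized   :", normalize(body))
```

On this sample the literal pattern misses words where the substituted letter is first, last, or doubled, and it also fires on an ordinary accented Latin word such as "naïve", which the mixed-script check leaves alone.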
