[PLUG] Procmail Recipe Ideas for New Spammer Trick?

Derek Loree drl at drloree.com
Sat Oct 18 18:33:01 UTC 2003


On Sat, 2003-10-18 at 14:42, B. Thoen wrote:
> On Sat, 18 Oct 2003, Jeme A Brelin wrote:
> > On Sat, 18 Oct 2003, B. Thoen wrote:
> > > Trying to pick off spam messages, I'm seeing more of this sort of trick:
> > >
> > >  Vicod<klr5ed73hnt>in
> > >  Prescri<kxd1l6sdjir451>pti<knkm2xp3d8skk>on
> > >
> > > Does anyone have any ideas how or if one can deal with this new spammer
> > > trick with Procmail?
> > 
> > There's usually enough other stuff going on in those messages to trigger
> > spamassassin.  Are you finding otherwise?
> 
> Can't say; I'm not using SA yet. Before I get into that though I thought
> I'd explore what could be done with just Procmail first.
> 
> > One option, I suppose, would be just to s/<[^>]*>//g the whole message
> > before your filter sees it.  But that's pretty destructive.
> 
> Yes, I still get a lot of legitimate mail that's HTML formatted; don't 
> want to destroy that before I read it.

spamprobe ignores HTML tags for scoring purposes, to quote the man page:


Ignores HTML tags in emails for scoring purposes unless the -h command
line option is used.  Many spams use HTML and few humans do so HTML
tends to become a powerful recognizer of spams.  However in the
author's opinion this also substantially increases the likelihood of
false positives if someone does send a non-spam email containing HTML
tags.  SpamProbe does pull urls from inside of html tags however since
those tend to be spammer specific.

> 
> Fortunately, I haven't seen a lot of these yet, so it's not a desperate
> situation at this point. The trick seemed hard to counter with what I know
> about Procmail egrep filtering (which ain't much) so I'm hoping there's a 
> simple solution before I get swamped with the buggers. 
> 
> I imagine this could be tough for SpamAssassin, filling its database with
> lots of nonsense garbage. Or can it keep track of legitimate words vs. 
> randomly-generated strings?

I've been very impressed with spamprobe, it consistently filters around
98%, the other 1 or 2 percent are always the latest spam; I only ever
see them once.  After more than a couple thousand spams, I have gotten
no false positives.

Just a PLUG.

Derek Loree
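
Added example, not part of the original thread or any poster's code: a Python sketch of the approach discussed above, stripping tags only in a scoring copy so HTML mail stays readable, and treating an unknown tag wedged between two letters as a signal of its own. The keyword list, the set of known tag names and the function names are assumptions made for illustration, and the input is assumed to be already-decoded message text.

```python
import re
import sys

# Constructed keyword list for illustration; a real filter would use its own.
KEYWORDS = ("vicodin", "prescription")
# Small, deliberately incomplete set of real HTML element names (assumption).
KNOWN_TAGS = {"a", "b", "i", "u", "p", "br", "hr", "em", "strong", "font",
              "span", "div", "img", "table", "tr", "td", "th", "html", "head",
              "body", "title", "center", "ul", "ol", "li", "h1", "h2", "h3"}
# "<", optional "/", a name starting with a letter or "!", anything up to ">".
TAG = re.compile(r"<(/?)([A-Za-z!][^\s>/]*)[^>]*>")


def analyse(body):
    """Return (keywords found in a tag-stripped copy, bogus word-splitting tags)."""
    splitters = []
    for m in TAG.finditer(body):
        name = m.group(2).lower()
        before = body[m.start() - 1:m.start()]   # "" at start of text
        after = body[m.end():m.end() + 1]        # "" at end of text
        # An unknown tag name sitting between two letters is the trick itself.
        if name not in KNOWN_TAGS and before.isalpha() and after.isalpha():
            splitters.append(m.group(0))
    stripped = TAG.sub("", body).lower()  # scoring copy; the message is untouched
    hits = [k for k in KEYWORDS if k in stripped]
    return hits, splitters


def is_suspect(body):
    """True if a keyword only appears after stripping, or a bogus tag splits a word."""
    hits, splitters = analyse(body)
    hidden = [k for k in hits if k not in body.lower()]
    return bool(hidden or splitters)


if __name__ == "__main__":
    # Exit status 0 means "suspect", so the script can back an exit-code test.
    sys.exit(0 if is_suspect(sys.stdin.read()) else 1)
```

Exit status 0 for a suspect message suits a Procmail exit-code condition (`* ?`). The word-splitting check is a heuristic and will also fire on plain text such as "x<y and z>w".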





