[PLUG] Procmail Recipe Ideas for New Spammer Trick?
Derek Loree
drl at drloree.com
Sat Oct 18 18:33:01 UTC 2003
On Sat, 2003-10-18 at 14:42, B. Thoen wrote:
> On Sat, 18 Oct 2003, Jeme A Brelin wrote:
> > On Sat, 18 Oct 2003, B. Thoen wrote:
> > > Trying to pick off spam messages, I'm seeing more of this sort of trick:
> > >
> > > Vicod<klr5ed73hnt>in
> > > Prescri<kxd1l6sdjir451>pti<knkm2xp3d8skk>on
> > >
> > > Does anyone have any ideas how or if one can deal with this new spammer
> > > trick with Procmail?
> >
> > There's usually enough other stuff going on in those messages to trigger
> > spamassassin. Are you finding otherwise?
>
> Can't say; I'm not using SA yet. Before I get into that though I thought
> I'd explore what could be done with just Procmail first.
>
> > One option, I suppose, would be just to s/<[^>]*>//g the whole message
> > before your filter sees it. But that's pretty destructive.
>
> Yes, I still get a lot of legitimate mail that's HTML formatted; don't
> want to destroy that before I read it.
spamprobe ignores HTML tags for scoring purposes, to quote the man page:

    Ignores HTML tags in emails for scoring purposes unless the -h
    command line option is used. Many spams use HTML and few humans
    do so HTML tends to become a powerful recognizer of spams. However
    in the author's opinion this also substantially increases
    the likelihood of false positives if someone does send a non-spam
    email containing HTML tags. SpamProbe does pull urls from
    inside of html tags however since those tend to be spammer
    specific.

>
> Fortunately, I haven't seen a lot of these yet, so it's not a desperate
> situation at this point. The trick seemed hard to counter with what I know
> about Procmail egrep filtering (which ain't much) so I'm hoping there's a
> simple solution before I get swamped with the buggers.
>
> I imagine this could be tough for SpamAssassin, filling its database with
> lots of nonsense garbage. Or can it keep track of legitimate words vs.
> randomly-generated strings?
I've been very impressed with spamprobe; it consistently filters around
98%. The other 1 or 2 percent are always the latest spam; I only ever
see them once. After more than a couple thousand spams, I have gotten
no false positives.
Just a PLUG.
Derek Loree
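
One way to handle the split-word trick from the original question without stripping HTML from the delivered message, as an added example that is not from any poster in this thread: score a normalized copy and count tags that sit inside a word but are not real HTML elements. The function names, the `KNOWN` allow-list, the `THRESHOLD` value and the `--check` switch are assumptions made for this sketch; procmail can test such a script's exit status with a `* ?` condition.

```shell
#!/bin/sh
# Added example (not from the thread): detect words split by junk tags
# without modifying the message that gets delivered.

# Assumption: a short allow-list of real HTML element names; extend as needed.
KNOWN='a|b|i|u|p|br|hr|em|strong|font|span|div|img|table|tr|td|th|ul|ol|li|center|html|head|body|title|meta|h[1-6]'

# drop_known_tags: lower-case stdin and remove tags whose name is on the
# allow-list, so legitimate markup such as wor<b>d</b> is never counted below.
drop_known_tags() {
    tr 'A-Z' 'a-z' | sed -E "s#</?($KNOWN)([[:space:]][^>]*)?/?>##g"
}

# count_split_words: number of letter<unknown-tag>letter sequences on stdin.
count_split_words() {
    drop_known_tags | grep -oE '[a-z]<[a-z0-9]+>[a-z]' | wc -l | tr -d ' '
}

# normalize_for_scoring: copy of stdin with attribute-less tags that sit
# between two letters removed, for feeding to keyword rules. Only the copy
# is changed; the original message is left untouched.
normalize_for_scoring() {
    sed -E ':a
s#([A-Za-z])<[A-Za-z0-9]+>([A-Za-z])#\1\2#
ta'
}

# is_obfuscated: exit 0 when stdin has at least THRESHOLD split words.
THRESHOLD=2   # assumption: tune against your own mail
is_obfuscated() {
    [ "$(count_split_words)" -ge "$THRESHOLD" ]
}

# Stand-alone use: script --check < message ; exit status 0 means suspicious.
if [ "${1:-}" = "--check" ]; then
    is_obfuscated
    exit $?
fi
```

Ordinary HTML mail passes because allow-listed tags are dropped before counting, so only unknown tag names wedged between letters raise the score.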