spamassassin-users October 2010 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: Help! Filter spam with "less than&q

Re: Help! Filter spam with "less than" symbol in recipient

From: Martin Gregorie <martin_at_nospam>
Date: Fri Oct 15 2010 - 13:34:24 GMT
To: Spamassassin users list <users@spamassassin.apache.org>

On Fri, 2010-10-15 at 05:18 -0700, Niente0 wrote:
>
> Yet Another Ninja wrote:
> >
> > On 2010-10-15 12:58, Niente0 wrote:
> > pls post a spam sample on pastebin.com and send the link to the list
> >
>
> Hi, I tried with 3 different browsers but pastebin.com shows only a blank
> page after submitting text. So I posted it here:
>
> http://snipt.org/koRn/
>
That gets a score of 10.0 here:

 0.0 HAS_SHORT_URL Message contains one or more shortened URLs
 3.4 RCVD_ILLEGAL_IP Received: contains illegal IP address
 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
                            [115.240.47.73 listed in zen.spamhaus.org]
 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
                            [115.240.47.73 listed in
bb.barracudacentral.org]
 0.1 MG_OPTOUT BODY: Opting out required
 0.0 HTML_MESSAGE BODY: HTML included in message
 1.3 RDNS_NONE Delivered to internal network by a host with
no rDNS
 0.0 MG_WRONG_DOMAIN Message not received via example.com

HAS_SHORT_URL is a rule related to the DecodeShortURLs 3rd party plugin

My private rules (MG_OPTOUT, MG_WRONG_DOMAIN) have little effect on it
because their scores are low (they are used as part of meta rules):

body MG_OPTOUT /(if you do not want to receive|se
non.{1,20}ricevere|not interested anymore.{1,60}unsubscribe)/i

header __MG_WDD1 To !~ /example\.com/
header __MG_WDD2 List-id =~ /<\S{1,40}>/
meta MG_WRONG_DOMAIN (__MG_WDD1 && !__MG_WDD2)

I tested a slight variant, which allows whitespace after "<", on Yet
Another Ninja's suggested rule, mainly because I'd previously guessed
that the same regex would do the job and wanted to see if my guess was
right:

describe MG_MUNGE_TOUT 'To:' header contains "<"
header MG_MUNGE_TOUT To =~ /^\"\<\"\s*\</
score MG_MUNGE_TOUT 2.0

and this works as advertised.

Martin