  • It was on my to do list to do the exact same thing. Stupid "RE: XXX" spams :)
    --

    -biz-

    • by vsergu (505) on 2004.01.21 16:11 (#27605) Journal

      I'm currently using this for those spams:

      # New flood of spam with subject lines like "Re: SYACZAS, you can believe"
      # (The word "woland" happened to occur in a couple of the subject lines)
      header __L_SUBJ_WOLAND  Subject =~ /^Re: [A-Z]{2,8},( [a-z]{2,16}[.?'!]{0,2}){3}$/
      header __L_MUA_MPOP X-Mailer =~ /^mPOP Web-Mail 2\.19$/
      header __L_MIME_BOUND_ALT  Content-Type =~ /boundary="--ALT--[A-Z]{4}\d{14}"/
      meta L_WOLAND_SPAM  __L_SUBJ_WOLAND && __L_MUA_MPOP && __L_MIME_BOUND_ALT
      describe L_WOLAND_SPAM  Subject, mailer, and MIME boundary match "Woland"-style spam
      score L_WOLAND_SPAM  5

      It's overly conservative (for example, there are some different MIME boundaries occasionally, and the subject sometimes has some other punctuation), but I haven't gone back to tweak it. The mailer is a pretty good enough sign on its own, but there are apparently people out there using it for real mail.
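
A way to check the three sub-rules and the meta rule against sample headers before loading them into SpamAssassin, as an added example that is not part of the original comment. It reuses the comment's regexes in Python's `re` module, which only approximates SpamAssassin's header matching; the function name `evaluate` and all sample header values are constructed for illustration.

```python
import re
from email import message_from_string

# Regexes copied from the rule set above; Python's re accepts them unchanged.
SUB_RULES = {
    "__L_SUBJ_WOLAND": ("Subject",
        re.compile(r"^Re: [A-Z]{2,8},( [a-z]{2,16}[.?'!]{0,2}){3}$")),
    "__L_MUA_MPOP": ("X-Mailer",
        re.compile(r"^mPOP Web-Mail 2\.19$")),
    "__L_MIME_BOUND_ALT": ("Content-Type",
        re.compile(r'boundary="--ALT--[A-Z]{4}\d{14}"')),
}
SCORE = 5  # from "score L_WOLAND_SPAM 5"

def evaluate(raw_headers):
    """Return (per-sub-rule hits, meta hit, score) for one header block."""
    msg = message_from_string(raw_headers)
    hits = {name: bool(rx.search(msg.get(header, "")))
            for name, (header, rx) in SUB_RULES.items()}
    meta = all(hits.values())  # the meta rule ANDs the three sub-rules
    return hits, meta, SCORE if meta else 0

# Constructed samples (not real mail).
BOUNDARY = 'multipart/alternative; boundary="--ALT--ABCD12345678901234"'
SPAM = ("Subject: Re: SYACZAS, you can believe\n"
        "X-Mailer: mPOP Web-Mail 2.19\n"
        f"Content-Type: {BOUNDARY}\n\n")
# Same campaign shape, but punctuation outside [.?'!]: the subject rule misses.
VARIANT = ("Subject: Re: QWERT, look at this:\n"
           "X-Mailer: mPOP Web-Mail 2.19\n"
           f"Content-Type: {BOUNDARY}\n\n")
# Ordinary mail from the same mailer: only the mailer sub-rule fires.
LEGIT = ("Subject: Lunch on Friday?\n"
         "X-Mailer: mPOP Web-Mail 2.19\n"
         "Content-Type: text/plain; charset=us-ascii\n\n")

if __name__ == "__main__":
    for label, sample in (("spam", SPAM), ("variant", VARIANT), ("legit", LEGIT)):
        hits, meta, score = evaluate(sample)
        fired = [name for name, hit in hits.items() if hit]
        print(f"{label:8} meta={meta!s:5} score={score} fired={fired}")
```

The variant and legit samples show both sides of the trade-off described in the comment: the meta rule misses a subject with other punctuation, and the mailer sub-rule alone would hit ordinary mail.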