You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by NFN Smith <wo...@sacbeemail.com> on 2007/10/26 02:00:46 UTC

mailmerged spam

On the male enhancement spam that's hitting my spamtraps, I'm noticing 
that nearly all the messages (presumably a single spammer), are 
following a fairly regular pattern -- in particular, where either the 
first or second line of text shows some sort of colloquial greeting 
(e.g., "hi there" or "wazzup", or "good morning", etc.) followed by the 
the user portion of the target address.  This is the spammer that's 
doing subject lines with a single "word", made up of random alpha 
characters.

Is there a way of constructing one or more SA rules that can extract the 
user portion of the address, and then check the message body for a 
repeat of that string (without the domain portion of the address)?

Smith

Re: mailmerged spam

Posted by Matt Kettler <mk...@verizon.net>.

NFN Smith wrote:
> On the male enhancement spam that's hitting my spamtraps, I'm noticing
> that nearly all the messages (presumably a single spammer), are
> following a fairly regular pattern -- in particular, where either the
> first or second line of text shows some sort of colloquial greeting
> (e.g., "hi there" or "wazzup", or "good morning", etc.) followed by
> the the user portion of the target address.  This is the spammer
> that's doing subject lines with a single "word", made up of random
> alpha characters.
>
> Is there a way of constructing one or more SA rules that can extract
> the user portion of the address, and then check the message body for a
> repeat of that string (without the domain portion of the address)?
Not with any simple combination of normal SA rules. You'd have to write
a plugin.