You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by NFN Smith <wo...@sacbeemail.com> on 2007/10/26 02:00:46 UTC
mailmerged spam
On the male enhancement spam that's hitting my spamtraps, I'm noticing
that nearly all the messages (presumably a single spammer), are
following a fairly regular pattern -- in particular, where either the
first or second line of text shows some sort of colloquial greeting
(e.g., "hi there" or "wazzup", or "good morning", etc.) followed by the
the user portion of the target address. This is the spammer that's
doing subject lines with a single "word", made up of random alpha
characters.
Is there a way of constructing one or more SA rules that can extract the
user portion of the address, and then check the message body for a
repeat of that string (without the domain portion of the address)?
Smith
Re: mailmerged spam
Posted by Matt Kettler <mk...@verizon.net>.
NFN Smith wrote:
> On the male enhancement spam that's hitting my spamtraps, I'm noticing
> that nearly all the messages (presumably a single spammer), are
> following a fairly regular pattern -- in particular, where either the
> first or second line of text shows some sort of colloquial greeting
> (e.g., "hi there" or "wazzup", or "good morning", etc.) followed by
> the the user portion of the target address. This is the spammer
> that's doing subject lines with a single "word", made up of random
> alpha characters.
>
> Is there a way of constructing one or more SA rules that can extract
> the user portion of the address, and then check the message body for a
> repeat of that string (without the domain portion of the address)?
Not with any simple combination of normal SA rules. You'd have to write
a plugin.