Posted to users@spamassassin.apache.org by Clifton Royston <cl...@lava.net> on 2006/10/17 22:15:45 UTC

Matching drug spam, etc. with meta rules

Justin:

  Here are a few samples of the rules I was telling you about to catch
drug spam.  The idea behind all of these, as I was mentioning, is to
match the intentionally obscured or misspelled forms of common drug
names used in spam, but only if the real word is *not* used in the
context of the same email.  This has worked quite well in practice for
several years in my installation, though I'm sure they can be improved
on.

  I developed these while I was working for Tiki Technologies, thus the
"TT_" prefix; the company is now disbanded, and I do not believe there
is any issue with my sharing them.  Feel free to experiment, improve,
and reimplement them.  (In particular, if you come up with an easy way
to implement a string match against a prototype string allowing for
these sets of letter substitutions, it would save a lot of cut-n-paste
and careful checking in rule writing.)

  The versions here are all implemented as header rules (which makes
them "cheap" computationally) but they can be applied to the body too.

  -- Clifton

## Subpatterns for obscured subject content, based on observations of actual
## spam which was bypassing "drug" tests.
# A = (a|A|\(a\)|4|@) V = (v|V|\\/) I = (i|I|1|\xef|\|) note: \xef = umlaut i
# O = (o|O|0)  G = (g|G)  M = (m|M|rn)  R = (r|R)  X = (x|X|><)  N = (n|N)
# S = (s|S|$|5)  L = (l|L|\|) U = (u|U|\(u\)) E = (e|E|3)  T=(t|T|7)
# Y = (y|Y)  C=(c|C)
# obscuring punctuation = [:^."%()*\[\\]

header __TT_VIAGRA              Subject =~ /VIAGRA/i
header __TT_OBSCURED_VIAGRA     Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
header __TT_BROKEN_VIAGRA       Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
meta TT_OBSCURED_VIAGRA         ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
describe TT_OBSCURED_VIAGRA     Scora: obscured "VIAGRA" in subject

header __TT_XANAX               Subject =~ /XANAX/i
header __TT_OBSCURED_XANAX      Subject =~ /(x|X|><)(a|A|\(a\)|4|@)(n|N)(a|A|\(a\)|4|@)(x|X|><)/
header __TT_BROKEN_XANAX        Subject =~ /X[:^."%()*\[\\]?A[:^."%()*\[\\]?N[:^."%()*\[\\]?A[:^."%()*\[\\]?X/i
meta TT_OBSCURED_XANAX          ( __TT_BROKEN_XANAX || __TT_OBSCURED_XANAX ) && ! __TT_XANAX
describe TT_OBSCURED_XANAX      Scora: obscured "XANAX" in subject

header __TT_VALIUM              Subject =~ /VALIUM/i
header __TT_OBSCURED_VALIUM     Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
header __TT_BROKEN_VALIUM       Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
meta TT_OBSCURED_VALIUM         ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
describe TT_OBSCURED_VALIUM     Scora: obscured "VALIUM" in subject

  etc.

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
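
One way to get the prototype-string matching asked for in the message above, as an added example that is not part of the original post: a Python generator that expands a word through the posted substitution table into the same five rule lines, plus a local check of the meta logic. The function names are hypothetical, the case-pair fallback for letters missing from the table is an assumption, and the table's M entry includes "rn", which the posted VALIUM rule leaves out.

```python
import re

# Substitution table from the comment block in the post. "/" and "$" are
# escaped here so each entry is a valid fragment inside a /.../ regex.
SUBS = {
    "A": r"(a|A|\(a\)|4|@)", "V": r"(v|V|\\\/)", "I": r"(i|I|1|\xef|\|)",
    "O": r"(o|O|0)", "G": r"(g|G)", "M": r"(m|M|rn)", "R": r"(r|R)",
    "X": r"(x|X|><)", "N": r"(n|N)", "S": r"(s|S|\$|5)", "L": r"(l|L|\|)",
    "U": r"(u|U|\(u\))", "E": r"(e|E|3)", "T": r"(t|T|7)", "Y": r"(y|Y)",
    "C": r"(c|C)",
}
PUNCT = r'[:^."%()*\[\\]?'  # one optional obscuring character between letters


def obscured_re(word):
    # Letters missing from the table fall back to a case pair (assumption).
    return "".join(SUBS.get(c, f"({c.lower()}|{c})") for c in word.upper())


def broken_re(word):
    return PUNCT.join(word.upper())


def build_rules(word):
    """Return the five SpamAssassin config lines for one prototype word."""
    w = word.upper()
    return [
        f"header __TT_{w} Subject =~ /{w}/i",
        f"header __TT_OBSCURED_{w} Subject =~ /{obscured_re(w)}/",
        f"header __TT_BROKEN_{w} Subject =~ /{broken_re(w)}/i",
        f"meta TT_OBSCURED_{w} ( __TT_BROKEN_{w} || __TT_OBSCURED_{w} ) && ! __TT_{w}",
        f'describe TT_OBSCURED_{w} Scora: obscured "{w}" in subject',
    ]


def meta_hits(word, subject):
    """Evaluate the meta rule locally against one Subject string."""
    plain = re.search(word, subject, re.I)
    obscured = re.search(obscured_re(word), subject)
    broken = re.search(broken_re(word), subject, re.I)
    return bool((broken or obscured) and not plain)


if __name__ == "__main__":
    print("\n".join(build_rules("VIAGRA")))
    # Constructed sample subjects, not taken from real mail.
    for s in ["Cheap V1AGRA now", "V.I.A.G.R.A here", "Viagra vs V1agra", "Meeting notes"]:
        print(meta_hits("VIAGRA", s), s)
```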