Posted to users@spamassassin.apache.org by UxBoD <ux...@splatnix.net> on 2007/10/18 19:45:06 UTC

MP3 Spam

Does anybody have one of these, or a different one, that you could upload somewhere so I can do some analysis?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net




Re: MP3 Spam

Posted by Michelle Konzack <li...@freenet.de>.
On 2007-10-18 20:24:35, Justin Mason wrote:
> 
> UxBoD writes:
> > Does anybody have one of these, or a different one, that you could upload somewhere so I can do some analysis?
> 
> sure: http://taint.org/x/2007/mp3spam.txt
> anyway, these rules catch them as far as I can tell:
> 
>   ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
>   mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s
>   mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s
>   mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s
>   mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s
> 
>   meta JM_STORM_MP3      ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2))

I have tried this in a sandbox on an archive (87 messages) of such
spam and I did not get a single hit.

Maybe because it is

----( 1 )-------------------------------------------------------
<header>
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: inline
Content-Transfer-Encoding: base64
<NL>
...here the mp3...
----------------------------------------------------------------

or

----( 2 )-------------------------------------------------------
<header>
Content-Type: audio/mpeg;
	filename="I love mpegs.mp3"
Content-Disposition: inline
Content-Transfer-Encoding: base64
<NL>
...here the mp3...
----------------------------------------------------------------

or

----( 3 )-------------------------------------------------------
<header>
Content-Type: multipart/mixed; boundary="J/dobhs11T7y2rNN"
<NL>

--J/dobhs11T7y2rNN
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: attachment
Content-Transfer-Encoding: base64

...here the mp3...

--J/dobhs11T7y2rNN--
----------------------------------------------------------------


Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
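
The comparison raised in this reply, as an added example that is not part of either poster's message: the four posted patterns are transcribed into Python and run against constructed headers in the posted layout and in the three layouts quoted above. It assumes the `:raw` value is the header body with its folding kept and leading whitespace dropped; `parsed_check_hits` is a hypothetical layout-independent check for comparison, not a SpamAssassin rule.

```python
import re
from email import message_from_string

# The four posted patterns, transcribed for Python's re module.
CTYPE_1 = re.compile(r'^audio/mpeg;\n name="[a-z]+\.mp3"$', re.S)
CDISP_1 = re.compile(r'^inline;\n filename="[a-z]+\.mp3"$', re.S)
CTYPE_2 = re.compile(r'^audio/mpeg;\n\tname="[a-z]+\.mp3"$', re.S)
CDISP_2 = re.compile(r'^attachment;\n\tfilename="[a-z]+\.mp3"$', re.S)

def posted_rule_hits(ctype, cdisp):
    """Same logic as the JM_STORM_MP3 meta rule, on raw (still folded) values."""
    return bool((CTYPE_1.search(ctype) and CDISP_1.search(cdisp)) or
                (CTYPE_2.search(ctype) and CDISP_2.search(cdisp)))

def parsed_check_hits(part):
    """Hypothetical layout-independent check: audio/mpeg part with a *.mp3 name."""
    if part.get_content_type() != "audio/mpeg":
        return False
    names = [part.get_param(p, header=h)
             for h in ("content-type", "content-disposition")
             for p in ("name", "filename")]
    return any(isinstance(n, str) and n.lower().endswith(".mp3") for n in names)

def evaluate(raw_message):
    """Return (posted_rule_hit, parsed_check_hit) over all MIME parts."""
    posted = parsed = False
    for part in message_from_string(raw_message).walk():
        # The default compat32 policy keeps the fold ("\n" + whitespace) in the value.
        posted |= posted_rule_hits(part.get("Content-Type", ""),
                                   part.get("Content-Disposition", ""))
        parsed |= parsed_check_hits(part)
    return posted, parsed

TAIL = "Content-Transfer-Encoding: base64\n\nAAAA\n"  # constructed stand-in body
SAMPLES = {  # constructed headers; layouts 1-3 follow the ones quoted in the reply
    "posted layout": 'Content-Type: audio/mpeg;\n name="abc.mp3"\n'
                     'Content-Disposition: inline;\n filename="abc.mp3"\n' + TAIL,
    "layout 1": 'Content-Type: audio/mpeg; filename="I love mpegs.mp3"\n'
                'Content-Disposition: inline\n' + TAIL,
    "layout 2": 'Content-Type: audio/mpeg;\n\tfilename="I love mpegs.mp3"\n'
                'Content-Disposition: inline\n' + TAIL,
    "layout 3": 'Content-Type: multipart/mixed; boundary="J/dobhs11T7y2rNN"\n\n'
                '--J/dobhs11T7y2rNN\n'
                'Content-Type: audio/mpeg; filename="I love mpegs.mp3"\n'
                'Content-Disposition: attachment\n' + TAIL + '\n--J/dobhs11T7y2rNN--\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw))
```

In this transcription the posted patterns need the parameter on a folded line, spelled `name=` in Content-Type, with a lowercase-only file name and a `filename=` parameter in Content-Disposition, so none of the three quoted layouts satisfies them.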