Posted to users@spamassassin.apache.org by UxBoD <ux...@splatnix.net> on 2007/10/18 19:45:06 UTC
MP3 Spam
Does anybody have one of these, or a different one, that you could upload somewhere so I can do some analysis?
Regards,
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
Re: MP3 Spam
Posted by Michelle Konzack <li...@freenet.de>.
On 2007-10-18 20:24:35, Justin Mason wrote:
>
> UxBoD writes:
> > Does anybody have one of these, or a different one, that you could upload somewhere so I can do some analysis?
>
> sure: http://taint.org/x/2007/mp3spam.txt
> anyway, these rules catch them as far as I can tell:
>
> ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
> mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s
> mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s
> mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s
> mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s
>
> meta JM_STORM_MP3 ((__CTYPE_STORM_MP3_1&&__CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2&&__CDISP_STORM_MP3_2))
I have tried this in a sandbox on an archive (87 messages) of such
spam and I had not a single hit.
Maybe because it is
----( 1 )-------------------------------------------------------
<header>
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: inline
Content-Transfer-Encoding: base64
<NL>
...here the mp3...
----------------------------------------------------------------
or
----( 2 )-------------------------------------------------------
<header>
Content-Type: audio/mpeg;
filename="I love mpegs.mp3"
Content-Disposition: inline
Content-Transfer-Encoding: base64
<NL>
...here the mp3...
----------------------------------------------------------------
or
----( 3 )-------------------------------------------------------
<header>
Content-Type: multipart/mixed; boundary="J/dobhs11T7y2rNN"
<NL>
--J/dobhs11T7y2rNN
Content-Type: audio/mpeg; filename="I love mpegs.mp3"
Content-Disposition: attachment
Content-Transfer-Encoding: base64
...here the mp3...
--J/dobhs11T7y2rNN--
----------------------------------------------------------------
Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
50, rue de Soultz MSN LinuxMichi
0033/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
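Added example (not part of either post, and not SpamAssassin code): a Python re-check of the four quoted patterns against the three header layouts listed in the reply, reporting which conditions each layout fails. The raw header strings and the `abc.mp3` part are constructed, and a space is assumed as the fold character in layout 2.

```python
import re

# The four sub-rule patterns quoted in the thread; Perl's /s becomes re.DOTALL.
RULES = {
    "__CTYPE_STORM_MP3_1": ("Content-Type", r'^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$'),
    "__CDISP_STORM_MP3_1": ("Content-Disposition", r'^inline;\n filename=\"[a-z]+\.mp3\"$'),
    "__CTYPE_STORM_MP3_2": ("Content-Type", r'^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$'),
    "__CDISP_STORM_MP3_2": ("Content-Disposition", r'^attachment;\n\tfilename=\"[a-z]+\.mp3\"$'),
}

# Constructed raw header values (assumption: this is what the :raw match sees).
# "expected" is a made-up part in the shape the rules target; layout_1..3 are from the reply.
SAMPLES = {
    "expected": {"Content-Type": 'audio/mpeg;\n name="abc.mp3"',
                 "Content-Disposition": 'inline;\n filename="abc.mp3"'},
    "layout_1": {"Content-Type": 'audio/mpeg; filename="I love mpegs.mp3"',
                 "Content-Disposition": 'inline'},
    "layout_2": {"Content-Type": 'audio/mpeg;\n filename="I love mpegs.mp3"',
                 "Content-Disposition": 'inline'},
    "layout_3": {"Content-Type": 'audio/mpeg; filename="I love mpegs.mp3"',
                 "Content-Disposition": 'attachment'},
}

def fired(headers):
    """Names of the sub-rules whose pattern matches the part's headers."""
    return {name for name, (hdr, pat) in RULES.items()
            if re.search(pat, headers.get(hdr, ""), re.DOTALL)}

def jm_storm_mp3(headers):
    """The meta rule: both _1 sub-rules or both _2 sub-rules must fire."""
    hits = fired(headers)
    return any({f"__CTYPE_STORM_MP3_{n}", f"__CDISP_STORM_MP3_{n}"} <= hits for n in "12")

def why_missed(headers):
    """List the ways a part differs from what the patterns require."""
    ct, cd = headers.get("Content-Type", ""), headers.get("Content-Disposition", "")
    reasons = []
    if not re.search(r';\n[ \t]', ct):
        reasons.append("Content-Type not folded after the media type")
    if not re.search(r'(?<![a-z])name=', ct):
        reasons.append("Content-Type has no name= parameter")
    if not re.search(r'filename="[a-z]+\.mp3"', cd):
        reasons.append("Content-Disposition has no lowercase-only filename=")
    if re.search(r'name="(?![a-z]+\.mp3")', ct + cd):
        reasons.append("file name has characters outside [a-z]")
    return reasons

if __name__ == "__main__":
    for label, part in SAMPLES.items():
        print(label, jm_storm_mp3(part), why_missed(part))
```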