Re: TVD_SILLY_URI_OBFU

[Justin Mason <jm...@jmason.org>]

Chris Santerre writes:
> I'm with Theo on this one. The obfuscation is a red herring. And its working
> for them. Don't even bother to look at. I honestly haven't put much effort
> into these spams yet. Been too buys with $dayjob. I'll start looking into
> these. But I won't waste my time directly attacking their OBFU. Its
> pointless. 
> 
> Find other spam flags. 

yep, exactly.

--j.

Re: TVD_SILLY_URI_OBFU

[Richard Bollinger <ra...@gmail.com>]

My 2p.  YMMV and of course the spammers will continue to make minor
changes to avoid it and some ham will no doubt be hit as well:

/etc/mail/spamassassin/important_remove.cf

body     __IR_IMPO /\bimpor*tant/i
body     __IR_REMO /\bremove/i
body     __IR_LINK /\blink/i
body     __IR_REPL /\breplace/i
body     __IR_WITH /\bwith/i
body    __BANG_URI m!https?://[a-z0-9-.]*[\!\@\#\$\%\^\&\*\(\)\_\+\=\,][a-z0-9-.
]*(\s|/)!i
body    __DASH_URI m!https?://[a-z0-9-.]*[,-][a-z0-9]*(\s|/)!i

meta    IMPO_REMO_LINK ((__IR_IMPO && __IR_REMO) || (__IR_REMO &&
__IR_LINK)) && TVD_SILLY_URI_OBFU
describe IMPO_REMO_LINK Contains "important remove" or "remove link"
and silly URI obfuscation
score   IMPO_REMO_LINK 3

meta    IMPO_REPL_WITH ((__IR_IMPO && __IR_REPL) || (__IR_REPL &&
__IR_WITH)) && (__BANG_URI || __DASH_URI)
describe IMPO_REPL_WITH Contains "important replace" or "replace with"
and bang or dash URI
score   IMPO_REPL_WITH 5