Posted to users@spamassassin.apache.org by Martin Gregorie <ma...@gregorie.org> on 2010/01/26 17:20:41 UTC

New medspam format

I just received medspam with a new approach I've not seen before. Both
the subject and the plaintext body contain gibberish with the payload
(an advertising phrase and web URL) travelling as the personal name part
of the sender's address. I have no idea whether the sender's address was
forged. Fortunately this stuff is trivial to spot and flag as spam by a
simple extension of existing private rules.

Has anybody else seen this format yet?


Martin



Re: New medspam format

Posted by RW <rw...@googlemail.com>.
On Tue, 26 Jan 2010 16:20:41 +0000
Martin Gregorie <ma...@gregorie.org> wrote:

> I just received medspam with a new approach I've not seen before. Both
> the subject and the plaintext body contain gibberish with the payload
> (an advertising phrase and web URL) travelling as the personal name
> part of the sender's address. I have no idea whether the sender's
> address was forged. Fortunately this stuff is trivial to spot and
> flag as spam by a simple extension of existing private rules.
> 
> Has anybody else seen this format yet?


I've not seen one with a URL, but spammers have been using the from
name as an alternate subject for a long time.

IMO it should be included as a body paragraph, as the subject
currently is, and subject tests should be migrated over to a new
combined subject/from pseudo-header. 

Re: New medspam format

Posted by Adam Katz <an...@khopis.com>.
Martin Gregorie wrote:
> I just received medspam with a new approach I've not seen before.
> Both the subject and the plaintext body contain gibberish with the
> payload (an advertising phrase and web URL) travelling as the
> personal name part of the sender's address. I have no idea whether
> the sender's address was forged. Fortunately this stuff is trivial
> to spot and flag as spam by a simple extension of existing private
> rules.
> 
> Has anybody else seen this format yet?

Yes.  I reported it to SpamCop, Razor, et al. and wrote two rules for
it for my sandbox last night.

http://ruleqa.spamassassin.org/20100126/?rule=/FROM_W&srcpath=khop

Either it's too new or it's just not worthwhile to check for.  We'll see.
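
Added example (not part of any poster's message, and not the rules referred to in the thread): a Python sketch of the check the first post describes, pulling the personal-name part out of the From: header, decoding any RFC 2047 encoded-words, and reporting URL-like text found there. The function names, the short TLD list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Explicit scheme or www. prefix, or a bare host under a few TLDs.
# The TLD list is illustrative, not exhaustive.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz)\b",
    re.IGNORECASE,
)

def display_name(from_value):
    """Return the decoded personal-name part of one From: header value."""
    value = " ".join(str(from_value).split())      # unfold continuation lines
    name, sep, _addr = value.rpartition("<")       # text before the final <addr>
    if not sep:
        return ""                                  # bare address, no personal name
    name = name.strip().strip('"')
    try:
        # Decode RFC 2047 encoded-words so an encoded URL is matched too.
        return str(make_header(decode_header(name)))
    except (HeaderParseError, LookupError, UnicodeError):
        return name                                # undecodable: test the raw text

def urls_in_from_name(raw_message):
    """List URL-like strings found in the From: personal name of a message."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("From", []):
        hits += [m.group(0) for m in URL_RE.finditer(display_name(value))]
    return hits

# Constructed samples (not taken from the thread).
SPAM_PLAIN = ('From: "Cheap meds 80% off www.pills.example.com" <bob@mail.example.net>\n'
              "Subject: xkq zzrpt wvu\n\nqwpo zmxn lkjh\n")
SPAM_ENCODED = ("From: =?utf-8?q?Best_pills_http=3A=2F=2Fshop=2Eexample=2Eorg?= <x@mail.example.net>\n"
                "Subject: plo mnbv\n\nasdf ghjk\n")
HAM = "From: Martin Example <martin@example.org>\nSubject: hello\n\nhi\n"
BARE = "From: someone@example.com\nSubject: hello\n\nhi\n"

if __name__ == "__main__":
    for sample in (SPAM_PLAIN, SPAM_ENCODED, HAM, BARE):
        print(urls_in_from_name(sample))
```

A bare address is never matched because only the text before the final <addr> is examined; a legitimate sender whose display name contains a domain would still match, so a hit is better treated as one scoring signal than as a verdict.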