procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Body content filter work on html alt content?

2003-01-15 11:38:28
from [dman] [Permanent Link] 
fleet(_at_)teachout(_dot_)org wrote:


For that bunch, this works for me:



:0 HB
* ()\/(360cn\.com|\
       3dpageturningebook|\
       ......)



I tend toward a "brute strength and ignorance" approach.  When these
clowns switched from .com to .net, I just removed the domain extention.


Uh.  I get tons of those -- four or five so far today -- and I have 
never even *looked* in the body.  As Ruud says, there is plenty in the
heads on those to get them there.  Here's from my last 100 spam messages
(I've massaged the output for readable line-length):

 6:53pm [~/Mail/.myspam] 223[0]> grep -l 3dpage * | xargs grep -h ^X-Recipe-ID:

X-Recipe-ID: UBE.TRUST<LOWEST, UBE.RC.<=MIN+TO.!ME+ID.!FOGGY,
        UBE.ID.FAKE, UBE.FR.4+NUMS, UBE.FR.HOTHOO+(RC|ID).!HOTHOO,
        UBE.RP.3+NUMS+TO.!ME, UBE.OH.RETROFIT-MUA

X-Recipe-ID: UBE.RC.<=MIN+TO.!ME+ID.!FOGGY, UBE.ID.FAKE,
        UBE.FR.4+NUMS, UBE.FR.HOTHOO+(RC|ID).!HOTHOO, UBE.RP.3+NUMS+TO.!ME,
        UBE.OH.RETROFIT-MUA, UBE.VH.TOO_SHORT|LONG

X-Recipe-ID: UBE.RC.<=MIN+TO.!ME+ID.!FOGGY, UBE.ID.FAKE, UBE.FR.4+NUMS,
        UBE.FR.HOTHOO+(RC|ID).!HOTHOO, UBE.RP.3+NUMS+TO.!ME, UBE.OH.RETROFIT-MUA

X-Recipe-ID: UBE.RC.<=MIN+TO.!ME+ID.!FOGGY, UBE.ID.FAKE, UBE.FR.4+NUMS,
        UBE.FR.HOTHOO+(RC|ID).!HOTHOO, UBE.RP.3+NUMS+TO.!ME

X-Recipe-ID: UBE.RC.<=MIN+TO.!ME+ID.!FOGGY, UBE.ID.FAKE, UBE.FR.4+NUMS,
        UBE.FR.HOTHOO+(RC|ID).!HOTHOO, UBE.RP.3+NUMS+TO.!ME, UBE.OH.RETROFIT-MUA

Every one of those is a different header-only recipe that snagged that
crap.  Each one today includes a spoofed hotmail or yahoo source -- that
looks like a good bet for catching these only with headers.  I'll post
more samples of recipes I use as time goes on; but right now, I've got
to run off and teach a class.



"dman" helped me set up a filter for those "encrypted" URLs:


I did?  Oh, well, glad to hear it.  :-)  I didn't remember.


I'm sure this message will wind up in everyone's spam folder - and maybe
even in dman's "edupage" folder. :)


Nope.  Just in procmail . . .  :-)

-- 
dman


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Body content filter work on html alt content?, Jefferis Peterson
Next by Date:  Re: strlen() in procmail, Bart Schaefer
Previous by Thread:  Re: Body content filter work on html alt content?, Professional Software Engineering
Next by Thread:  Similar question on hidden text, Jefferis Peterson
Indexes:  [Date] [Thread] [Top] [All Lists]