I've discovered (or perhaps, rediscovered?) a potentially useful anomaly
in the Message-ID: field.
The following form seems only to be used by spammers:
Message-ID: <001301e2ab43$adc35361$07670866@cbgjevg.xca>
The form is always:
6 digits
1 character
1 digit
2 characters
2 digits
dollar sign
3 characters
5 digits
dollar sign
8 digits
@ symbol
7 characters (one instance of 12 characters)
dot
3 characters (multiple instances of 1, 2, 3 and 4 characters)
So far I've only seen it used where ID is capitalized (for whatever that's
worth).
Running the following grep against over a thousand known spam messages and over
several thousand personal messages resulted in hits ONLY on spam messages.
[~/]$ grep "[0-9][0-9][0-9][0-9][0-9][0-9]\
[a-z][0-9][a-z][a-z][0-9][0-9]\$\
[a-z][a-z][a-z][0-9][0-9][0-9][0-9][0-9]\$\
[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" *
This gets kind of lengthy as a procmail recipe - is there a way to say
something like
[0-9]x5 etc.? (where x="times")
The spam messages tested against were collected over the past 15 days and there
are about 40 hits on this form. Is it possible this is the work of one individual?
- fleet -
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
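
The grep from the post, rewritten with `grep -E` interval expressions and anchored to the Message-ID: header line, as an added example that is not part of the original post. The function names and the sample messages are constructed for illustration; the check looks only at the header block, so the same string quoted in a message body does not count as a hit.

```shell
#!/bin/sh
# Added example: the Message-ID shape described in the post, as one ERE.
# Function names and sample messages are constructed, not from the post.

# 6 digits, letter, digit, 2 letters, 2 digits, "$",
# 3 letters, 5 digits, "$", 8 digits, then "@".
# Case-sensitive, like the original grep ("ID" capitalized).
MSGID_SHAPE='^Message-ID: <[0-9]{6}[a-z][0-9][a-z]{2}[0-9]{2}\$[a-z]{3}[0-9]{5}\$[0-9]{8}@'

# Pass through only the header block of a message read on stdin
# (everything up to the first empty line).
headers_only() {
    sed '/^$/q'
}

# Exit status 0 if the message on stdin has a Message-ID of that shape.
has_suspect_msgid() {
    headers_only | grep -Eq "$MSGID_SHAPE"
}

# Constructed sample: header uses the form quoted in the post.
sample_hit() {
    printf '%s\n' 'From: a@example.com' \
        'Message-ID: <001301e2ab43$adc35361$07670866@cbgjevg.xca>' \
        'Subject: test' '' 'body text'
}

# Constructed sample: an unrelated Message-ID.
sample_miss() {
    printf '%s\n' 'From: b@example.org' \
        'Message-ID: <20030115123456.GA1234@mail.example.org>' \
        'Subject: test' '' 'body text'
}

# Constructed sample: the form appears only in the body (a pasted header).
sample_body_only() {
    printf '%s\n' 'From: c@example.net' \
        'Message-ID: <20030115123456.GA1234@mail.example.org>' '' \
        'Message-ID: <001301e2ab43$adc35361$07670866@cbgjevg.xca>'
}

for s in sample_hit sample_miss sample_body_only; do
    if "$s" | has_suspect_msgid; then echo "$s: match"; else echo "$s: no match"; fi
done
```
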