procmail

restricted form

2003-01-30 21:17:38
I've discovered (or perhaps, rediscovered?) a potentially useful anomaly
in the Message-ID: field.

The following form seems only to be used by spammers:

Message-ID: <001301e2ab43$adc35361$07670866@cbgjevg.xca>

The form is always:
 6 digits
 1 character
 1 digit
 2 characters
 2 digits
 dollar sign
 3 characters
 5 digits
 dollar sign
 8 digits
 @ symbol
 7 characters (one instance of 12 characters)
 dot
 3 characters (multiple instances of 1, 2, 3 and 4 characters)

So far I've only seen it used where ID is capitalized (for whatever that's
worth).

Running the following grep against over a thousand known spam messages and
over several thousand personal messages resulted in hits ONLY on spam
messages.

[~/]$ grep "[0-9][0-9][0-9][0-9][0-9][0-9]\
[a-z][0-9][a-z][a-z][0-9][0-9]\$\
[a-z][a-z][a-z][0-9][0-9][0-9][0-9][0-9]\$\
[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" *

This gets kind of lengthy as a procmail recipe - is there a way to say
something like [0-9]x5 etc.?  (where x="times")

The spam messages tested against were collected over the past 15 days and
there are about 40 hits on this form.  Is it possible this is the work of one
individual?

                                - fleet -
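
On the "[0-9]x5" question, as an added example that is not part of fleet's post: under grep -E, interval counts give that shorthand, and the helper below expands them back into repeated classes for a regex dialect without an interval operator (assumed here to be the case for procmail recipes). FORM, expand_intervals, count_hits, sample_headers and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the target regex
# dialect (e.g. a procmail recipe) has no {n} interval operator.

# The post's form in ERE shorthand: 6 digits, letter, digit, 2 letters,
# 2 digits, $, 3 letters, 5 digits, $, 8 digits, then the @ sign.
FORM='[0-9]{6}[a-z][0-9][a-z]{2}[0-9]{2}\$[a-z]{3}[0-9]{5}\$[0-9]{8}@'

# expand_intervals PATTERN: rewrite every "[class]{n}" as n copies of "[class]".
expand_intervals() {
    printf '%s\n' "$1" | awk '{
        s = $0; out = ""
        while (match(s, /\[[^]]+\][{][0-9]+[}]/)) {
            tok   = substr(s, RSTART, RLENGTH)
            brace = index(tok, "{")
            atom  = substr(tok, 1, brace - 1)
            n     = substr(tok, brace + 1, length(tok) - brace - 1) + 0
            out   = out substr(s, 1, RSTART - 1)
            for (i = 0; i < n; i++) out = out atom
            s = substr(s, RSTART + RLENGTH)
        }
        print out s
    }'
}

# count_hits FILE: count Message-ID header lines that match the form.
# Case-sensitive on purpose, since the post only saw it with "ID" capitalized.
count_hits() {
    grep -E -c "^Message-ID: <${FORM}" "$1" || true
}

# sample_headers: constructed test input, one header per line. The second
# line has the same layout but digits where the form requires letters.
sample_headers() {
    cat <<'EOF'
Message-ID: <000401c2bd71$abc12345$01234567@example.invalid>
Message-ID: <000401c2c8a1$1b2c3d40$0a01a8c0@example.invalid>
Message-ID: <20030130211738.GA1234@example.invalid>
EOF
}

tmp=$(mktemp)
sample_headers > "$tmp"
echo "expanded: $(expand_intervals "$FORM")"
echo "hits:     $(count_hits "$tmp")"
rm -f "$tmp"
```

The expanded output is the same run of classes as the grep in the post, with the trailing @ added so the match is tied to the local part of the Message-ID.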

