Jay West wrote:
What concerns me is that 99% of the new spam making it
through is
vaguely sensible english phrases (apparently automatically pulled from
online books, or from usenet post archives, etc.). If there was also an
advertisement text, Spamassassin could catch that. However, the text is
all just english phrases (I've noted them to be targeted phrases, like
having to do with computers, sometimes old ones) BUT... the
advertisement is a graphic attachment. Since SpamAssassin can't do OCR
on the small gif or jpg attachment that says "buy viagra here"... I am
not sure what to do about this. It comes from all over, not just a few
servers, etc.
I've been trying to deal with that crap for months. It's sent out by the
Warezov and Sdbot viruses, which explains why it's coming from all over the place.
I wrote a spam filter to deal with it - HAMster - but every few days the spam
signatures change and I have to play catchup. So far the only constant I've
found is that the messages all have subject lines of the form:
Subject: something <from_firstname>
Subject: <from_firstname> something
Subject: something <from_lastname>
Subject: <from_lastname> something
Like I said - as soon as I add a new "ScoreRegexpSubjectField X Y" (add X to
the score if regexp Y matches, replacing fields like $FIRSTNAME$ in the regexp
with values from the headers) rule, the spam changes. My inbox is being
stuffed full by this crap, and nothing seems to be able to stop it. I've
counted nearly 1400MB of it in the past month, over six email accounts!
So far the only way I've found to deal with it is to spend a few hours
analysing each message, then find something unique about it that will allow me
to create a filter to block it. Then the spam changes again and it's "go
directly to jail, do not pass Go, do not collect ?200" once more...
--
Phil. | (\_/) This is Bunny. Copy and paste Bunny
classiccmp at philpem.me.uk | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/ | (")_(") world domination.