Tag Archives: rules

Catching spam with repeated phrases

This is more of a ‘for future reference’ post than anything else.

Recently my mailing lists have been getting hit with stupid spam (what spam isn’t?) of the bible-related conspiracy variety. The messages reference bible verses multiple times.

To catch the spam, I put in a rule that matches bible references.

It’s a pretty simple rule … it looks for one of a handful of bible book names followed by a chapter:verse reference (a number, a colon, a number).

body LM_BIBLE_MULTI /\s(matthew|revelation|john|corinthians|thessalonians|luke|romans|ezekiel|mark)\s+\d+:\d+/i
describe LM_BIBLE_MULTI Contains bible verses
score LM_BIBLE_MULTI 0.5

The thing about the spam I’m trying to catch is that it references bible verses multiple times. The above rule, however, fires only once per message no matter how many references the body contains, so it adds its score once.

To increase the score for each individual hit of the rule, you need to add the following to the rule:

tflags LM_BIBLE_MULTI multiple

This way, every match of the LM_BIBLE_MULTI pattern in the body adds another 0.5. The more bible references in the email, the higher the spam score.

The multiple modifier for tflags is available in SpamAssassin 3.2 & higher.
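To make the difference concrete, here is a small Python emulation of how SpamAssassin scores the rule above with and without `tflags multiple`. This is an added example, not code from the post or from SpamAssassin itself; the two message bodies are constructed for illustration, and the optional cap emulates the real `maxhits=N` tflag (SpamAssassin 3.4.0 and later), which is worth setting so that one rule cannot push a long, legitimate scripture discussion over the spam threshold on its own.

```python
import re

# The post's SpamAssassin body rule as a Python regex; re.I mirrors the /i flag.
LM_BIBLE_MULTI = re.compile(
    r"\s(matthew|revelation|john|corinthians|thessalonians|luke|romans|ezekiel|mark)\s+\d+:\d+",
    re.I,
)
RULE_SCORE = 0.5

# Constructed sample bodies (not real messages).
SPAM_BODY = """Wake up! The truth is in Revelation 13:16 and Matthew 24:7.
Read Ezekiel 38:2, then Romans 13:1 and Luke 21:11 before it is too late."""

HAM_BODY = "Our reading for Sunday is John 3:16; coffee afterwards in the hall."


def rule_score(body, multiple=False, maxhits=None):
    """Score LM_BIBLE_MULTI contributes to one message body.

    Without `tflags multiple`, SpamAssassin adds RULE_SCORE once if the
    pattern matches anywhere.  With it, every non-overlapping match adds
    RULE_SCORE again.  `maxhits` emulates `tflags ... multiple maxhits=N`
    (3.4.0+), which caps how many hits are counted.
    """
    hits = len(LM_BIBLE_MULTI.findall(body))
    if hits == 0:
        return 0.0
    if not multiple:
        return RULE_SCORE
    if maxhits is not None:
        hits = min(hits, maxhits)
    return RULE_SCORE * hits


if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(label,
              "once:", rule_score(body),
              "multiple:", rule_score(body, multiple=True),
              "multiple maxhits=3:", rule_score(body, multiple=True, maxhits=3))
```

Running it shows the spam body scoring 0.5 as a plain rule but 2.5 with `multiple` (five references), while the single-reference ham body stays at 0.5 either way; that gap is exactly what the tflag buys you.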

DKIM Rule – SpamAssassin

I put together a new SpamAssassin rule that will help identify spam from spoofed email addresses.

Some email providers always sign their outbound email with DKIM or DomainKeys … based on that, if you get a message claiming to be from one of those domains and it isn’t signed, you can assume it’s more likely to be spam.

This particular rule operates on the assumption that all mail from Yahoo & Gmail will be signed. It does not, however, raise the score a huge amount … because it’s just more LIKELY to be spam if it’s not signed … it’s not guaranteed to be spam. Some people may use a Yahoo or Gmail address in the From header but not actually send through that service.
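The post’s actual rule is not reproduced here, so the following Python sketch of the same idea is an added example, not the author’s code or SpamAssassin’s DKIM plugin. It assumes only what the post states (yahoo.com and gmail.com always sign) plus two things of my own: a small hypothetical score of 0.8, and a check that the `d=` domain in a DKIM-Signature header matches the From domain, which goes a step beyond “signed at all”. The messages are constructed for illustration. Note the main caveat: this inspects the header’s presence only; in production the verdict must come from a real DKIM verifier (in SpamAssassin, the DKIM plugin’s rules), because a header can be forged but a signature cannot be.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the post assumes always DKIM-sign outbound mail.
ALWAYS_SIGNED = {"yahoo.com", "gmail.com"}
# Deliberately small, hypothetical score: an unsigned From: at one of these
# domains is only *more likely* to be spam (people do send with a Gmail or
# Yahoo address through other hosts).
UNSIGNED_SCORE = 0.8

# Constructed sample messages (hashes and signatures are placeholders).
SIGNED_MSG = """From: Alice <alice@gmail.com>
To: list@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601;
 h=from:to:subject; bh=constructedbodyhash=; b=constructedsignature=
Subject: Hello

Hi all.
"""

UNSIGNED_MSG = """From: "Support" <support@yahoo.com>
To: list@example.org
Subject: Account notice

Your account needs verification.
"""

OTHER_DOMAIN_MSG = """From: Bob <bob@example.net>
To: list@example.org
Subject: Minutes

Attached.
"""

MISALIGNED_MSG = """From: Carol <carol@gmail.com>
To: list@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel; h=from; bh=x=; b=y=
Subject: Newsletter

Sent via a third-party mailer, signed by it rather than by Gmail.
"""


def from_domain(msg):
    """Lower-cased domain part of the From: address, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def dkim_signing_domains(msg):
    """d= domains from every DKIM-Signature: header (parsed, NOT verified)."""
    domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            domains.add(m.group(1).lower())
    return domains


def unsigned_from_signing_provider(raw_message):
    """Score to add: UNSIGNED_SCORE when From: is at an always-signing domain
    but no DKIM-Signature with a matching d= is present; otherwise 0.0."""
    msg = message_from_string(raw_message)
    domain = from_domain(msg)
    if domain not in ALWAYS_SIGNED:
        return 0.0
    if domain in dkim_signing_domains(msg):
        return 0.0
    return UNSIGNED_SCORE


if __name__ == "__main__":
    for name, raw in (("signed", SIGNED_MSG), ("unsigned", UNSIGNED_MSG),
                      ("other domain", OTHER_DOMAIN_MSG), ("misaligned", MISALIGNED_MSG)):
        print(f"{name:13s} -> +{unsigned_from_signing_provider(raw)}")
```

Only the unsigned Yahoo message and the Gmail message signed by an unrelated domain pick up the score; mail from domains outside the list is left alone, which keeps the rule as narrow as the post intends.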

Confidential Information

I saw a very interesting mail reject message today on one of my mailing lists …

You are receiving this message because you have attempted to send an e-mail containing confidential information. Examples of confidential information include, but are not limited to social security numbers, birth dates, account numbers, policy numbers, medical history, financial history, personal phone numbers and user IDs. Another example of sending confidential information would be combining any two or more of the following: name, address, identification numbers (employee number, phone number), organizational affiliation (place of employment). This information may be contained in the body of the message or any attachments.

I looked at the body of the message it was rejecting (which was included in its entirety), and noticed that the message referenced dummy social security numbers (the message discusses SQL techniques).

Of course, based on the warning message, it would probably reject ANY numeric text that was included in a message at all.
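The rejecting server’s rules are not shown, so as an added example of my own (not that company’s filter) here is what a less blunt social security number check looks like in Python: it insists on the dashed shape and drops numbers the SSA documents as never issued (area 000, 666 or 900 and up, group 00, serial 0000, and the two numbers once used in advertising), so obvious placeholders in a SQL example do not trip it. The sample texts are constructed. Even this cannot tell a real number from a plausible placeholder like 123-45-6789, which is why a match is better treated as a reason to quarantine or flag than to reject outright.

```python
import re

# Dashed SSN shape only; bare 9-digit runs (order numbers, SQL sample keys,
# phone numbers) are deliberately not treated as SSNs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Numbers the SSA has publicly listed as never issued (used in old advertising).
KNOWN_DUMMY = {"078-05-1120", "219-09-9999"}

# Constructed sample messages.
SQL_MAIL = """Try this:
INSERT INTO employees (id, ssn) VALUES (1001, '000-00-0000'), (1002, '666-12-3456');
SELECT * FROM employees WHERE ssn = '999-99-9999' OR id = 123456789;
"""

REAL_SHAPE_MAIL = "Please update my record, SSN 123-45-6789, phone 555-0100."


def is_possible_ssn(area, group, serial):
    """Structural rules the SSA documents: area 000, 666 and 900-999 are never
    issued, nor group 00 or serial 0000; also exclude the advertised dummies."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return f"{area}-{group}-{serial}" not in KNOWN_DUMMY


def find_ssns(text):
    """Return the dashed numbers in `text` that could be real SSNs."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_possible_ssn(*m.groups())]


if __name__ == "__main__":
    print("SQL example mail:", find_ssns(SQL_MAIL))          # nothing flagged
    print("real-shaped mail:", find_ssns(REAL_SHAPE_MAIL))   # one candidate
```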

I suspect that the company whose server rejected the message does not have a problem with email volume … since the majority of email sent to them is probably rejected.

I really wonder about companies that have such incredibly draconian content rules. How do they stay in business?