Re: [Exim] Exim Spam Filter Example

Author: Tabor J. Wells
Date:  
To: Marc Perkel
CC: exim-users
Subject: Re: [Exim] Exim Spam Filter Example
On Sun, Oct 07, 2001 at 09:46:43PM -0700,
Marc Perkel <marc@???> is thought to have said:

> OK - beginning to get this regular expression stuff figured out enough
> to do a spam filter. Here's what I have so far. It's crude - but it
> catches a lot of spam. I'm in the process of adding to it and cleaning
> it up.
>
> I'm posting this for ideas and I encourage all of you to give me spam
> word phrases and combinations to catch as spam.
>
> Who wants to help?


My most effective spam filter entries are the ones that filter on various
signatures from the spamware products. A few examples:

Bad spamware timestamps:

$h_received matches "(400 ${rxquote:(EST)}|600 ${rxquote:(EST)}|600 ${rxquote:(EDT)}|700 ${rxquote:(EST)}|700 ${rxquote:(EDT)}|6000 ${rxquote:(})" or

Spamware x-mailers (note the OE and Mozilla entries are for nonexistent
versions):

$h_x-mailer matches "(diffondi|Prospect Mailer|Aureate Group Mail|Microsoft Outlook Express 4.72.1712.3|CyberCreek Avalanche|Super-Duper-FastMail|commercialmail|Mozilla 4.55|Sparc12|Dynamic Opt-In Emailer|Floodgate|Extractor|Aristotle|MassE-Mail|e-Merge|Inet_Mail_Out|MailKing|PLAUZIUM|DMailer|jfmailer|Opt-In Lightning|E-mail sender|Power CGI Bulk System|MultiMailer|Copia emailFacts)" or

Some of the attributes of Pegasus without all of them:

($h_comments contains "authenticated sender" and not $h_x-mailer
contains "pegasus") or

I also have quite a bit of success with those spamware products that add a
string at the end of a subject with a bunch of spaces, using a subject
match on "\\\\s{10,}\\\\[?\\\\w{3,}\\\\]?"

Other successful spamfilter entries for me are body-based, looking for
specific phone numbers, URLs, variations on the Murkowski text, and other
specific strings.

HTH

Tabor

-- 
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
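
The header checks from the message above, ported to Python so they can be tried against sample messages before going into a filter file. This is an added example, not part of the original post; case-insensitive matching, the shortened X-Mailer list with escaped dots, the rule names and both sample messages are assumptions or constructed here.

```python
import re
from email import message_from_string

# Patterns from the post; case-insensitive matching is an assumption here.
BAD_TZ = re.compile(r"(400 \(EST\)|600 \(EST\)|600 \(EDT\)|700 \(EST\)"
                    r"|700 \(EDT\)|6000 \()", re.I)
# Shortened subset of the post's X-Mailer list, with the dots escaped.
BAD_MAILER = re.compile(r"(Prospect Mailer|Aureate Group Mail|Floodgate|MailKing"
                        r"|Microsoft Outlook Express 4\.72\.1712\.3|Mozilla 4\.55)", re.I)
# The post's subject pattern with the filter-file backslash doubling removed.
PADDED_SUBJECT = re.compile(r"\s{10,}\[?\w{3,}\]?")

def spam_signatures(raw):
    """Return the names of the heuristics that fire on one raw message."""
    msg = message_from_string(raw)
    received = " ".join(msg.get_all("Received", []))
    comments = " ".join(msg.get_all("Comments", [])).lower()
    mailer = msg.get("X-Mailer", "")
    hits = []
    if BAD_TZ.search(received):
        hits.append("bad-timestamp")
    if BAD_MAILER.search(mailer):
        hits.append("spamware-x-mailer")
    # Pegasus-style Comments header without a Pegasus X-Mailer
    if "authenticated sender" in comments and "pegasus" not in mailer.lower():
        hits.append("partial-pegasus")
    if PADDED_SUBJECT.search(msg.get("Subject", "")):
        hits.append("padded-subject")
    return hits

# Constructed sample messages (not real mail).
SPAM = "\n".join([
    "Received: from mail.example.net (mail.example.net [192.0.2.10])",
    "\tby mx.example.org; Sun, 7 Oct 2001 21:46:43 -0400 (EST)",
    "X-Mailer: Floodgate",
    "Comments: Authenticated sender is <user@example.net>",
    "Subject: Make money fast" + " " * 12 + "[xk3]",
    "", "body"])
HAM = "\n".join([
    "Received: from mail.example.org (mail.example.org [192.0.2.20])",
    "\tby mx.example.org; Sun, 7 Oct 2001 21:46:43 -0400 (EDT)",
    "X-Mailer: Pegasus Mail for Win32 (v3.12c)",
    "Comments: Authenticated sender is <user@example.org>",
    "Subject: Re: [Exim] Exim Spam Filter Example",
    "", "body"])

if __name__ == "__main__":
    print(spam_signatures(SPAM))
    print(spam_signatures(HAM))
```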