On 2004-01-12 03:09:30 -0800 Rory Campbell-Lange
<rory@???> wrote:
> I am using exim4 and exiscan.
>
> I have seen a large increase in emails with subjects like "annoy idea
> handsome" and bodies such as "peace euphorbia lillian scout b
> centerline cleat scapular citron pacify centigrade icicle eh imperate
> cupid fireplace gentlemen cocaine". Presumably the sender is trying to
> generate a response?
>
> Many of these spam senders have the following X-Mailer listed:
> X-Mailer: mPOP Web-Mail 2.19
>
> Is it possible to generate an SMTP-time rejection of a message based
> on its X-Mailer? Is this sensible?

I've been getting many of these messages recently as well. Hadn't
noticed the X-Mailer.

These mails have a few other distinctive features as well. One is the
structure of the subject line:

    Subject: Re: QCQCWLZ, the procurator began
    Subject: Re: RPJBIMP, i don't even
    Subject: Re: IFOYTBHE, throwing a wave
    Subject: Re: NMRFNK, dressinggown a completely
    Subject: Re: WXMQDEQ, of haze before
    Subject: Re: UTSPZNR, asphalt path under

or occasionally

    Subject: Re: %RND_UC_CHAR[2-8], then the slain

You could add a condition like

    condition = ${if or{ \
        {match{$header_subject:}{\N(?s)[Rr][Ee]\:\s*([A-Z]{2,8})\,(\s+[a-z]+){3}\N}} \
        {match{$header_subject:}{\N^(?s).*\%RND_UC_CHAR\N}} \
      } {yes} {no}}

to your deny block in addition to your X-Mailer check to increase
confidence that you're actually rejecting spam. Or add something
similar to SpamAssassin if you're going that route.

Also these multipart mails contain a plain text part that contains
only a list of random words. Haven't come up with a reasonable test
for this yet, but Tom Kistner, the author of exiscan, is apparently
working on an acl_smtp_mime addition that will make this easier.

Best Regards,
Brad
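
An added example, not part of the original post: a Python port of the two subject-line patterns, run over the subjects quoted in the message plus a few constructed legitimate ones, to show what the subject test catches on its own and what changes when it is paired with the X-Mailer check. Python's `re` stands in for Exim's PCRE, and the function names, the exact-match X-Mailer comparison and the `ExampleMailer 1.0` value are assumptions.

```python
import re

# Ports of the two patterns in the Exim condition quoted in the post.
# Exim's match is an unanchored search, so re.search is used; the inline
# (?s) becomes re.DOTALL because Python only accepts a global inline flag
# at the very start of a pattern.
RANDOM_TOKEN = re.compile(r"[Rr][Ee]:\s*([A-Z]{2,8}),(\s+[a-z]+){3}", re.DOTALL)
UNFILLED_TEMPLATE = re.compile(r"^.*%RND_UC_CHAR", re.DOTALL)

SPAM_X_MAILER = "mPOP Web-Mail 2.19"  # value quoted in the thread


def subject_matches(subject: str) -> bool:
    """Mirror the or{...} condition: either pattern is enough."""
    return bool(RANDOM_TOKEN.search(subject) or UNFILLED_TEMPLATE.search(subject))


def should_deny(subject: str, x_mailer: str) -> bool:
    """Subject test AND X-Mailer test (exact comparison is an assumption)."""
    return x_mailer.strip() == SPAM_X_MAILER and subject_matches(subject)


# (subject, X-Mailer, origin). "post" subjects are quoted in the message;
# "constructed" rows are made up here to probe the patterns.
SAMPLES = [
    ("Re: QCQCWLZ, the procurator began", SPAM_X_MAILER, "post"),
    ("Re: RPJBIMP, i don't even", SPAM_X_MAILER, "post"),
    ("Re: %RND_UC_CHAR[2-8], then the slain", SPAM_X_MAILER, "post"),
    ("Re: NMRFNK,\n dressinggown a completely", SPAM_X_MAILER, "constructed"),
    ("Re: FYI, see the attached notes", "ExampleMailer 1.0", "constructed"),
    ("Re: exim4 and exiscan", "ExampleMailer 1.0", "constructed"),
]


def evaluate(samples):
    """Return (subject, origin, subject_hit, deny) for each sample row."""
    return [(s, o, subject_matches(s), should_deny(s, m)) for s, m, o in samples]


if __name__ == "__main__":
    for subject, origin, hit, deny in evaluate(SAMPLES):
        print(f"{origin:11} subject_hit={hit!s:5} deny={deny!s:5} {subject!r}")
```

The apostrophe in "i don't even" falls outside `[a-z]+`, so that quoted subject is not matched, while an ordinary reply such as "Re: FYI, see the attached notes" is matched by the subject test alone and is only spared by the X-Mailer comparison.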