Re: [exim] bank spam

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] bank spam
Russell King wrote:
> Has anyone generated a regexp to detect this bank-based stuff, such as:
>
> c_support.id2213153140119NOF@???
> mailing.id09177-3682385694NOF@???
> onlinesecurity@???
> generatednotify.id6846-7793428NOF@???
> generator.id3785384784762NOF@???
> clientcareservice.id6468433113BIB@???
>
> etc?
>
> I'm currently using:
>
> ^(?:auto|c(?:are|lient(?:care)?|ustomer)?|generated|(?:gen|e)?mail(?:system)?|mailings|message|post|service|system|tech)[-._]?(?:re)?(?:center|id|mail|message|notify|post|reminder|robot|serv(?:er|ice)|support|team).*@(?:citi(?:bank)?|hsbc|if|natwest)\.co(?:m|\.uk)
>
> which detects quite a bit, but is less than perfect.
>


We haven't seen much of that.

Hard to scan what we don't even accept..

Are you checking for valid rDNS, PTR RR, proper FQDN in HELO, not in
dynamic-IP RBLs, not trying to pipeline when it should not, valid
addressee on your server, not forged, proper format, encoding, MIME
usage ... and so on....?

Bill
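
Added example, not part of either poster's message: the local-part half of the quoted pattern run against the six sample local parts, to show which ones it misses. The domain half is left out because the archive elides the sample domains as `???`; `ID_TAIL` is a hypothetical alternative pattern assumed here for comparison, not something proposed in the thread.

```python
import re

# Local-part half of the pattern quoted in the thread (everything before ".*@").
QUOTED_LOCAL = re.compile(
    r"^(?:auto|c(?:are|lient(?:care)?|ustomer)?|generated|(?:gen|e)?mail(?:system)?"
    r"|mailings|message|post|service|system|tech)[-._]?(?:re)?"
    r"(?:center|id|mail|message|notify|post|reminder|robot|serv(?:er|ice)|support|team)"
)

# Hypothetical alternative (an assumption): key on the
# ".id<digits or hyphens><three capitals>" tail most of the samples share.
# Not validated against legitimate mail; score it rather than reject on it.
ID_TAIL = re.compile(r"\.id[0-9-]+[A-Z]{3}$")

# Local parts copied from the quoted message.
SAMPLES = [
    "c_support.id2213153140119NOF",
    "mailing.id09177-3682385694NOF",
    "onlinesecurity",
    "generatednotify.id6846-7793428NOF",
    "generator.id3785384784762NOF",
    "clientcareservice.id6468433113BIB",
]


def missed(pattern, samples=SAMPLES):
    """Return the sample local parts that the pattern does not match."""
    return [s for s in samples if not pattern.search(s)]


def report(samples=SAMPLES):
    """Return one (local_part, quoted_hit, id_tail_hit) row per sample."""
    return [
        (s, bool(QUOTED_LOCAL.search(s)), bool(ID_TAIL.search(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for local, quoted_hit, tail_hit in report():
        print(f"{local:40} quoted={quoted_hit!s:5} id_tail={tail_hit}")
```

The quoted pattern misses `mailing.` and `generator.` because its first group only lists `mailings` and `generated`; neither pattern catches `onlinesecurity`, which has no structural marker in the local part.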