Author: Russell King
Date:
To: W B Hacker
CC: exim users
Subject: Re: [exim] bank spam
On Sat, Feb 23, 2008 at 10:49:08AM +0000, W B Hacker wrote:
> Russell King wrote:
> > Has anyone generated a regexp to detect this bank-based stuff, such as:
> >
> > c_support.id2213153140119NOF@???
> > mailing.id09177-3682385694NOF@???
> > onlinesecurity@???
> > generatednotify.id6846-7793428NOF@???
> > generator.id3785384784762NOF@???
> > clientcareservice.id6468433113BIB@???
> >
> > etc?
> >
> > I'm currently using:
> >
> > ^(?:auto|c(?:are|lient(?:care)?|ustomer)?|generated|(?:gen|e)?mail(?:system)?|mailings|message|post|service|system|tech)[-._]?(?:re)?(?:center|id|mail|message|notify|post|reminder|robot|serv(?:er|ice)|support|team).*@(?:citi(?:bank)?|hsbc|if|natwest)\.co(?:m|\.uk)
> >
> > which detects quite a bit, but is less than perfect.
> >
>
> We haven't seen much of that.
>
> Hard to scan what we don't even accept..
>
> Are you checking for valid rDNS, PTR RR, proper FQDN in HELO, not in
> dynamic-IP RBL's, not trying to pipeline when it should not, valid
> addressee on your server, not forged, proper format, encoding, mime
> usage ... and so on....?
Most of that - but I'm trying to detect these earlier than the DATA
phase so I can avoid some of the more expensive checks.
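As an added example, not part of the thread, the following Python runs the regexp quoted above over the six local parts from the post so the "less than perfect" can be seen concretely. The post elides the domains as "@???", so the domains below are constructed to fall inside the regexp's own domain list; the seventh address is a constructed control with a non-bank domain. A broadened variant of the pattern is also included; it is my own adjustment, not the poster's, and only adds the three local-part tokens the original misses.

```python
import re

# The regexp exactly as posted in the thread. It is case-sensitive as
# written; Exim applies it to the envelope sender via
#   condition = ${if match{$sender_address}{...}}
# in acl_smtp_mail / acl_smtp_rcpt, i.e. before DATA.
POSTED_PATTERN = re.compile(
    r"^(?:auto|c(?:are|lient(?:care)?|ustomer)?|generated|(?:gen|e)?mail(?:system)?"
    r"|mailings|message|post|service|system|tech)[-._]?(?:re)?"
    r"(?:center|id|mail|message|notify|post|reminder|robot|serv(?:er|ice)|support|team)"
    r".*@(?:citi(?:bank)?|hsbc|if|natwest)\.co(?:m|\.uk)"
)

# Assumed broadening (mine, not from the thread): "generated" -> "generat(?:ed|or)",
# "mailings" -> "mailings?", and "online" / "security" added to the two groups.
BROADENED_PATTERN = re.compile(
    r"^(?:auto|c(?:are|lient(?:care)?|ustomer)?|generat(?:ed|or)|(?:gen|e)?mail(?:system)?"
    r"|mailings?|message|online|post|service|system|tech)[-._]?(?:re)?"
    r"(?:center|id|mail|message|notify|post|reminder|robot|security|serv(?:er|ice)|support|team)"
    r".*@(?:citi(?:bank)?|hsbc|if|natwest)\.co(?:m|\.uk)"
)

# Local parts as posted; domains are constructed (the post shows them as "@???").
SAMPLES = [
    "c_support.id2213153140119NOF@hsbc.co.uk",
    "mailing.id09177-3682385694NOF@natwest.com",
    "onlinesecurity@hsbc.com",
    "generatednotify.id6846-7793428NOF@citibank.com",
    "generator.id3785384784762NOF@hsbc.com",
    "clientcareservice.id6468433113BIB@natwest.co.uk",
    # constructed control: right local-part shape, domain outside the list
    "c_support.id2213153140119NOF@example.com",
]


def matches(pattern, addresses):
    """Addresses (in input order) that the pattern would reject at MAIL FROM."""
    return [a for a in addresses if pattern.search(a)]


def misses(pattern, addresses):
    """Addresses the pattern lets through, i.e. candidates for tightening."""
    return [a for a in addresses if not pattern.search(a)]


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_PATTERN), ("broadened", BROADENED_PATTERN)):
        print(f"{name}: caught {len(matches(pat, SAMPLES))}, missed {len(misses(pat, SAMPLES))}")
        for addr in misses(pat, SAMPLES):
            print("  miss:", addr)
```

Run as is, the posted pattern catches three of the six posted addresses and misses "mailing.", "onlinesecurity" and "generator." (the first because "mail" is followed by "ing" rather than one of the second-group words, the other two because neither "online" nor "generator" appears in the first group); the broadened pattern catches all six and still lets the non-bank control through, since the domain list is what anchors the rule.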