[Mimedefang] got my mojo working

Dave Helton dave at kd0yu.com
Mon Feb 23 14:49:18 EST 2004 

Hi,

  I've had the same problems not being able to filter Xanax, Valium, and
other drug obfuscations.  And.... this junk is getting a little long in
the tooth.

  I've had the following code running for the last couple days.  It's
stable and has caught a few more bad emails than I expected.  I would
think this script would be a real performance hit on larger systems
although I can't confirm it.

  There are certainly better ways of doing this. There is probably a
better place to call this than in sub filter... Please feel free to
mangle and post your modifications or suggestions.

  Works for me... YMMV


#***********************************************************************
# %PROCEDURE: subject_obfuscation
# %ARGUMENTS: None
# %RETURNS:   1 - subject line has words we key on, 0 - pass
# %DESCRIPTION: Called last in "sub filter"
#***********************************************************************
sub subject_obfuscation {
   my ($subj, $line, $subscore, $local_debug);

   if (open (INF, "./HEADERS")) {
        $line = 0;
        $local_debug = 1;

        while ($line = <INF>) {
                if ($line =~ /^Subject:/) {
                        $subj = $line;
                        last;
                }
        } ## end while

        close(INF);

	# blank subject line ?
	if(chop($subj) eq "") {$subj = "No Subject"};

	# decode the "=?ISO-8859-1?blah blah blah line?=
        $line = decode_mimewords($subj); ## thank ya David
        $subscore = 0;

        if ($line =~ /^FWD:/) {$subscore = 3};
        if ($line =~ /[Mm][Ee][Dd][Ss]/) {$subscore += 6};
        if ($line =~ /[Pp][Ii][Ll][Ll][Ss]/) {$subscore += 6};
        $line =~ s/@/a/g; 
        $line =~ s/1/i/g;
        $line =~ s/[[:punct:]]//g; ## remove punctuations
        if ($line =~ /[Vv][Ii][Aa][Gg][Rr][Aa]/) {$subscore += 3};
        if ($line =~ /[Vv][Aa][Ll][Ii][Uu][Mm]/) {$subscore += 3};
        if ($line =~ /[Xx][Aa][Nn][Aa][Xx]/) {$subscore += 6};

        if($local_debug) {
		if($subscore) {
			md_graphdefang_log('subject_obfuscation_before', $subj, $subscore);
			md_graphdefang_log('subject_obfuscation_after', $line, $subscore);
        	}
	}

        if ($subscore > 5) {
                # 5 seems to be a good score... two test hits
                action_change_header('Subject', "[SPAM] $subj");
                return 1;  ## hit!
        } else {
                return 0;  ## no hit
        }

   } else {
        md_graphdefang_log('subject_obfuscation: can\'t open HEADER
file.');
        return 0;
   } ## end if

}


#####################
at the end of "sub filter"

    # always accept the email, client can filter on the subject now
    # that it's marked as "[SPAM] $Subject".
    if (subject_obfuscation()) { return action_accept(); };

    return action_accept();
}


-- 
Dave Helton, KD0YU <dave at kd0yu.com>
Real World Computing
Davenport, IA, US
563-386-4041
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20040223/f0466fd7/attachment.sig>

More information about the MIMEDefang mailing list