[Mimedefang] German spam (related to new worm Sober.q)

Jan Pieter Cornet johnpc at xs4all.nl
Sun May 15 19:30:22 EDT 2005


On Sun, May 15, 2005 at 06:00:33PM -0400, Joseph Brennan wrote:
> I wish I had time to implement greylisting right now.  What are you
> folks using on large systems?  Can you point me to a web page?

We operate a largish system, handling around 5 to 10 million emails/day,
for around a million unique email addresses. I've added a bunch of
custom spamassassin rulesets, since we use spamassassin anyway.

Most other folks I've seen block on only the subjects, but I find that
scary, especially for a large ISP such as ourselves, where a number of
our customers likely routinely receive emails in German. Some of
the subjects look like they are general enough to also appear in
legitimate mails.

There are several other properties of the virus that are usable for
blocking. The number of different body texts is also fairly limited,
so I'm using that too. And the header structure is quite unique,
definitely unlike anything most clients use.

So I've created my own SA ruleset, available here:
http://www.xs4all.nl/~johnpc/soberq.cf

This scores 1.0 point for each individual element (subject, body,
and header structure) (that score should probably be lower), but the
combination of those three scores 20 points.

For bounces, I'm only testing the subject (in the body of the bounce)
and the body text, not the header structure. It is this bounce bit that
I suspect might in rare circumstances trigger a false positive...

This currently only marks the mails and moves them to a "spambox", where
they will be deleted in time. If this onslaught continues, I'll likely
add sober.q spewing sites to a blacklist or add them to the local access.db
temporarily...

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
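The rule layout described above (three 1.0-point element rules, a heavily weighted combination, and a separate bounce test), written out as an added SpamAssassin ruleset example. This is not the author's soberq.cf: every pattern is a constructed placeholder, and the rule names and the MAILER-DAEMON gate on the bounce rule are assumptions.

```spamassassin
# Added example, not the soberq.cf linked above. Patterns are constructed
# placeholders (EXAMPLE_*); replace them with the worm's real strings.

# 1. Subject taken from the worm's fixed set of subject lines.
header   SOBERQ_SUBJ    Subject =~ /^(?:EXAMPLE_SUBJECT_A|EXAMPLE_SUBJECT_B)$/
describe SOBERQ_SUBJ    Subject line from Sober.q set (placeholder)
score    SOBERQ_SUBJ    1.0

# 2. Body text from the worm's limited set of body texts.
body     SOBERQ_BODY    /EXAMPLE_BODY_PHRASE/
describe SOBERQ_BODY    Body text from Sober.q set (placeholder)
score    SOBERQ_BODY    1.0

# 3. Header structure: the ALL pseudo-header exposes every header in order,
#    so a multi-line regex can pin down an unusual header sequence.
header   SOBERQ_HDR     ALL =~ /^X-Mailer: EXAMPLE_MAILER\nMIME-Version: 1\.0\n/m
describe SOBERQ_HDR     Header sequence typical of Sober.q (placeholder)
score    SOBERQ_HDR     1.0

# Combination: the three element scores still add up, so 17.0 here gives
# the 20 points the post describes for a mail matching all three.
meta     SOBERQ_WORM    (SOBERQ_SUBJ && SOBERQ_BODY && SOBERQ_HDR)
describe SOBERQ_WORM    Subject, body and header structure all match
score    SOBERQ_WORM    17.0

# Bounces: the original Subject sits inside the bounce body, so test it
# with rawbody (keeps line breaks) and skip the header-structure check.
rawbody  __SOBERQ_BNC_SUBJ  /^Subject: (?:EXAMPLE_SUBJECT_A|EXAMPLE_SUBJECT_B)$/m
# Assumed extra gate: only fire on mail from a bounce address, which
# narrows the false-positive window the post mentions for this case.
header   __SOBERQ_BNC_FROM  From =~ /^(?:MAILER-DAEMON|postmaster)@/i
meta     SOBERQ_BOUNCE  (__SOBERQ_BNC_FROM && __SOBERQ_BNC_SUBJ && SOBERQ_BODY)
describe SOBERQ_BOUNCE  Bounce carrying a Sober.q subject and body
score    SOBERQ_BOUNCE  10.0
```

Drop the file into the site rules directory (for example /etc/mail/spamassassin/) and run `spamassassin --lint` to confirm it parses before restarting the daemon.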
