[wellylug] Recipe set to match stock/pharma-gif-spam:

Adam Bogacki afb at paradise.net.nz
Mon Nov 6 21:35:20 NZDT 2006 

Fyi,

Adam Bogacki.

----------------------------------------------------------------------

Message: 1
Date: Sun, 05 Nov 2006 03:52:20 +0100
From: "Ruud H.G. van Tol" <rvtol at isolution.nl>
Subject: stock/pharma-gif-spam
To: "[procmail]" <procmail at lists.RWTH-Aachen.DE>
Message-ID: <030c01c70085$6ba16c60$0b01a8c0 at isolution.nl>
Content-Type: text/plain; charset=iso-8859-15

Recipe set to match stock/pharma-gif-spam:

  s = '[        ]'  # a space and a tab

  h  = '[0-9A-Fa-f]'
  h2 = "$h$h"    h3  = "$h2$h"
  h4 = "$h2$h2"  h6  = "$h4$h2"
  h8 = "$h4$h4"  h12 = "$h8$h4"

  :0
  *  ^^(From |Return-Path: <)[^ @]+@\/[^ >]+
  { DOMAIN = $MATCH }

  :0
  * 1^1 ^Received:
  { } N_RCVD = $=

  :0
  *$ ^Content-Type: multipart/related;.*\
                    boundary=(\")?\/[^\"]+
  { H_CTB = $MATCH }

  :0
  *  ^Message-ID:.*\/[^ <@]+@[^>]+
  { H_MID = $MATCH
    :0
    *  H_MID ?? ^^\/[^@]+
    {  MID1 = $MATCH }
    :0
    *  H_MID ?? @\/.+
    {  MID2 = $MATCH }
  }

  :0
  *  N_RCVD ?? ^^(1|2)^^
  *$ H_CTB  ?? ^^----=_NextPart_000_${h4}_$h8\.$h8^^
  *  MID2   ?? ^^[^.]+^^
  *  ^MIME-Version: 1\.0\
     ^Content-Type:.*\
     ^X-Priority: 3\
     ^X-MSMail-Priority: Normal\
     ^X-Mailer: Microsoft Outlook Express 6(\.[0-9]+)+\
     ^X-MimeOLE: Produced By Microsoft MimeOLE V6(\.[0-9]+)+$
  *$ B ?? ^--$\H_CTB\
          ^Content-Type: image/gif;\
          ^$s+name=\"[^\"]*\.gif\"\
         (^Content-Transfer-Encoding: base64)?\
          ^Content-ID: <$h12[$]$h8[$]$h8@$MID2>$
  .in.suspect.stock-gif/

  :0
  *  N_RCVD ?? ^^(2|3)^^
  *$ H_CTB  ?? ^^$h+^^
  *$ MID2   ?? $\DOMAIN^^
  *$ ^From: [^\"<]+ <[^@]+@$\DOMAIN>$
  *$ B ?? ^--$\H_CTB\
          ^Content-Type: image/gif;\
          ^$s+name=\"[^\"]+\.gif\"\
         (^Content-Transfer-Encoding: base64)?\
          ^Content-ID: <$h+@$\DOMAIN>$
  .in.suspect.pharma-gif/

Based on about 20 recent samples. These recipes can catch ham with an
attached gif too, so please report back here how you refined the
conditions to solve that.

-- 
Groet, Ruud




------------------------------

_______________________________________________
procmail mailing list
procmail at lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail


End of procmail Digest, Vol 46, Issue 6
***************************************



----- End forwarded message -----

-- 
Adam Bogacki,

--------------------------------------------------------------------- 
email:  adam(at)bogacki.net    afb(at)paradise.net.nz
VoIP:   sip:agike(at)ekiga.net [Zfone]       
Key: 0x4E553910 -  DABB 4963 8973 7CCD 33C0  DC27 D7C5 F516 4E55 3910
---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.wellylug.org.nz/pipermail/wellylug/attachments/20061106/4593a6fa/attachment.pgp

More information about the wellylug mailing list