Mailing List Archive

Re: Detect Emoticons in Subject: CHAOS
Clive Jacques wrote:
> Hi,
>
> I've been using SA a long time.  Lately, I'm getting more and more
> spam with emoticons in the subject line.  I'd say about 90% of my
> emails with emoticons in the subject are spam.  I'd like to create a
> local rule which scores email with emoticons in the subject.  I saw a
> previous discussion on this in the archive, but it was focused on
> whether such emails were /always/ spam.  I think an emoticon rule, in
> combination with other rules, will help my installation.  I've tried
> to match as follows, but it won't lint.  I'm not really a perl
> programmer.  I've written several other more conventional local rules,
> but here I'm a bit out of my depth.  I'd appreciate some guidance.
>
> # Local Rule for Emoticons in subject
> subject        EMOTICON_IN_SUBJECT      Subject =~ /\p{Emoticons}/
> score          EMOTICON_IN_SUBJECT      3.0
> describe        EMOTICON_IN_SUBJECT     Subject Line Has Emoticons
>
> -CJ

The following regex will detect a good amount of Emojis:

/[\u{1f300}-\u{1f5ff}\u{1f900}-\u{1f9ff}\u{1f600}-\u{1f64f}\u{1f680}-\u{1f6ff}\u{2600}-\u{26ff}\u{2700}-\u{27bf}\u{1f1e6}-\u{1f1ff}\u{1f191}-\u{1f251}\u{1f004}\u{1f0cf}\u{1f170}-\u{1f171}\u{1f17e}-\u{1f17f}\u{1f18e}\u{3030}\u{2b50}\u{2b55}\u{2934}-\u{2935}\u{2b05}-\u{2b07}\u{2b1b}-\u{2b1c}\u{3297}\u{3299}\u{303d}\u{00a9}\u{00ae}\u{2122}\u{23f3}\u{24c2}\u{23e9}-\u{23ef}\u{25b6}\u{23f8}-\u{23fa}]/ug


Ref:
https://stackoverflow.com/questions/43242440/javascript-unicode-emoji-regular-expressions/45138005#45138005

But it is not the greatest thing if you want to get a count out of that.

<toot>
However, I may have a solution for you with the CHAOS plugin:

https://github.com/telecom2k3/CHAOS

You can get (but shouldn't) Emojis even in From names, like this actual one:

DHL?com

CHAOS will also help you with Unicode Character spoofs, via its
UniBabble rulesets:

???z?? ??????????????
???????????????????????? ???????????????????????????????? ????????????????????????????
Am?zo? Pri?ë
???????????????????????? ????????????????????????????
???????????????????????? ????????????????????????
...
...

CHAOS will run on Perl 5.18 and later.

</toot>


-- Jared Hall
Re: Detect Emoticons in Subject: CHAOS
On Thu, 20 May 2021 15:35:21 -0400
Jared Hall wrote:

> Clive Jacques wrote:

> > # Local Rule for Emoticons in subject
> > subject        EMOTICON_IN_SUBJECT      Subject =~ /\p{Emoticons}/

>
> The following regex will detect a good amount of Emojis:
>
> /[\u{1f300}-\u{1f5ff}\u{1f900}-\u{1f9ff}\u{1f600}-\u{1f64f}\u{1f680}-\u{1f6ff}\u{2600}-\u{26ff}\u{2700}-\u{27bf}\u{1f1e6}-\u{1f1ff}\u{1f191}-\u{1f251}\u{1f004}\u{1f0cf}\u{1f170}-\u{1f171}\u{1f17e}-\u{1f17f}\u{1f18e}\u{3030}\u{2b50}\u{2b55}\u{2934}-\u{2935}\u{2b05}-\u{2b07}\u{2b1b}-\u{2b1c}\u{3297}\u{3299}\u{303d}\u{00a9}\u{00ae}\u{2122}\u{23f3}\u{24c2}\u{23e9}-\u{23ef}\u{25b6}\u{23f8}-\u{23fa}]/ug

That doesn't work in SA for the same reason that \p{Emoticons}
doesn't work.
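
An added example, not from any poster in this thread: the `\u{...}` escapes and `/ug` flags quoted above are JavaScript syntax, so one alternative is to expand the code point ranges into UTF-8 byte sequences and match those octets directly. It assumes SpamAssassin hands the decoded Subject to the rule as UTF-8 bytes (not stated in the thread); the helper names are hypothetical and the ranges are a subset of the quoted character class.

```python
import re

# Subset of the code point ranges from the character class quoted above
# (pictograph and symbol blocks only); trim or extend for your own mail.
EMOJI_RANGES = [(0x1F300, 0x1F5FF), (0x1F900, 0x1F9FF), (0x1F600, 0x1F64F),
                (0x1F680, 0x1F6FF), (0x2600, 0x26FF), (0x2700, 0x27BF)]

def utf8_ranges(lo, hi):
    """Split code points lo..hi into sequences of per-byte (min, max) pairs."""
    if hi <= 0x7F:
        return [[(lo, hi)]]
    for limit in (0x7F, 0x7FF, 0xFFFF):      # UTF-8 length boundaries
        if lo <= limit < hi:
            return utf8_ranges(lo, limit) + utf8_ranges(limit + 1, hi)
    for i in (1, 2, 3):                       # align on continuation bytes
        m = (1 << (6 * i)) - 1
        if (lo & ~m) != (hi & ~m):
            if lo & m:
                return utf8_ranges(lo, lo | m) + utf8_ranges((lo | m) + 1, hi)
            if (hi & m) != m:
                return utf8_ranges(lo, (hi & ~m) - 1) + utf8_ranges(hi & ~m, hi)
    # Surrogates (U+D800..U+DFFF) are not handled; none of the ranges use them.
    return [list(zip(chr(lo).encode("utf-8"), chr(hi).encode("utf-8")))]

def byte_regex(ranges):
    """Build an octet-level alternation usable by Perl and by Python's re."""
    alts = []
    for lo, hi in ranges:
        for seq in utf8_ranges(lo, hi):
            alts.append("".join(f"\\x{a:02x}" if a == b
                                else f"[\\x{a:02x}-\\x{b:02x}]" for a, b in seq))
    return "(?:" + "|".join(alts) + ")"

def sa_rule(name, ranges=EMOJI_RANGES):
    """Render a SpamAssassin header rule line; score and describe are separate."""
    return f"header   {name}   Subject =~ /{byte_regex(ranges)}/"

_PATTERN = re.compile(byte_regex(EMOJI_RANGES).encode("ascii"))

def has_emoji(subject):
    """Match the way a byte-oriented rule would: against UTF-8 octets."""
    return _PATTERN.search(subject.encode("utf-8")) is not None

if __name__ == "__main__":
    print(sa_rule("EMOTICON_IN_SUBJECT"))
    # Constructed sample subjects, not taken from real mail.
    for s in ("You won \U0001F381 claim now", "Meeting notes for Tuesday"):
        print(has_emoji(s), s)
```

Run the generated rule through `spamassassin --lint` before deploying it, and check it against your own ham, since several of these blocks also contain symbols used in legitimate mail.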
Re: Detect Emoticons in Subject: CHAOS
Here is a good example of such an email (attached, stripped of identifying
info).

On Thu, May 20, 2021 at 4:03 PM RW <rwmaillists@googlemail.com> wrote:

> On Thu, 20 May 2021 15:35:21 -0400
> Jared Hall wrote:
>
> > Clive Jacques wrote:
>
> > > # Local Rule for Emoticons in subject
> > > subject EMOTICON_IN_SUBJECT Subject =~ /\p{Emoticons}/
>
> >
> > The following regex will detect a good amount of Emojis:
> >
> > /[\u{1f300}-\u{1f5ff}\u{1f900}-\u{1f9ff}\u{1f600}-\u{1f64f}\u{1f680}-\u{1f6ff}\u{2600}-\u{26ff}\u{2700}-\u{27bf}\u{1f1e6}-\u{1f1ff}\u{1f191}-\u{1f251}\u{1f004}\u{1f0cf}\u{1f170}-\u{1f171}\u{1f17e}-\u{1f17f}\u{1f18e}\u{3030}\u{2b50}\u{2b55}\u{2934}-\u{2935}\u{2b05}-\u{2b07}\u{2b1b}-\u{2b1c}\u{3297}\u{3299}\u{303d}\u{00a9}\u{00ae}\u{2122}\u{23f3}\u{24c2}\u{23e9}-\u{23ef}\u{25b6}\u{23f8}-\u{23fa}]/ug
>
> That doesn't work in SA for the same reason that \p{Emoticons}
> doesn't work.
>
Re: Detect Emoticons in Subject: CHAOS
On 2021-05-20 22:33, Clive Jacques wrote:
> Here is a good example of such an email (attached, stripped of
> identifying info).

This attachment is suspicious because its type doesn't match the type
declared in the message. If you do not trust the sender, you shouldn't
open it in the browser because it may contain malicious contents.

Expected: text/plain (.txt); found: message/rfc822 (.eml)

Should I ignore Roundcube warnings? :)