
Maybe it's time to revive EvilNumbers?

No, not the same meaning as an arithmetic, binary, "Evil Number" :)

Loren Wilton wrote:
> A number of the rules I passed along are generic "order" rules rather
> than Amazon specific. I had to go back to last month's spam to find an
> Amazon order spam, but I've gotten a dozen or so fake orders for other
> things this month, all of which hit on the LW_BOGUS_ORDER rule.
>         Loren
>
> ----- Original Message -----
> *From:* Mark London <mailto:mrl@psfc.mit.edu>
> *To:* users@spamassassin.apache.org
> <mailto:users@spamassassin.apache.org>
> *Sent:* Thursday, June 17, 2021 8:52 AM
> *Subject:* Re: Maybe it's time to revive EvilNumbers?
>
> Loren - Unfortunately, the fake amazon shipment email that we
> received, doesn't contain the word Amazon in its From or Subject
> headers.
>
> Or even the word amazon in the text of the message! Just the
> Amazon logo.
>
> And they've removed all the URLs, so the links don't work at the
> bottom. And they left the postal address of amazon, without the
> word amazon.
>
> I hate bogus spam that is so obviously bogus that it avoids filter
> rules. :) - Mark
>
> On 6/17/2021 10:52 AM, users-digest-help@spamassassin.apache.org
> wrote:
>> Subject:
>> Re: Maybe it's time to revive EvilNumbers?
>> From:
>> "Loren Wilton" <lwilton@earthlink.net>
>> Date:
>> 6/16/2021, 8:18 PM
>>
>> To:
>> <users@spamassassin.apache.org>
>>
>>
>> Here are a handful of rules that work for me. Feel free to try them.
>> If you do, please let me know how they work for you.
>>
>> (Apologies for my mail client trashing the formatting.
>> Be sure to check for possible line wrap on some of the rules!)
>
Well, EvilNumbers sounds good. I saw a post pop up on my phone yesterday
from ThreatPost citing that "no security professionals track phone
numbers". Pissed me right off, those morons. I love it because for
these spammers, their biggest cost probably IS the phone number. Go
ahead and waste it. The only thing that could be better would be to
have some sort of "Perkelator Dialer" (RIP, thank you) that
automatically dials these numbers and hangs up!

Here's a couple of rules with phone numbers. This is what I've tracked
mid-2019 to present. NOTE: Many, but not all, are associated with
Amazon-type order schemes. Some are just persistent junk mailers.

# Leading \b swapped for (?<!\w): \b cannot match before "+" or "(" unless a word character precedes it.
body __JR_BODY_GEN_PHONE11 /(?<!\w)(1\-718\-989\-5740|1\-877\-482\.4956|1\-877\-482\-4956|1\-682\-626\-0008|877\-208\-5661|8772085661|1\-877\-208\.5661|877\.208\-5661|\+12063090336|\+44\-703\-590\-3232|1\-309\-401\-0721|\+1\(206\)309\-0336|1\~877\~767\~9308|\+18777679308|1\~877\~767\~9308|877\.767\-9308|\+12063090336|1\-415\-738\-5373|1\-718\-989\-5740|TEL\:00447024064951|Assured1\-682\-626\-00082|1\-832\-550\-3161|800\.481\.2979|1\.718\.989\.5746|1\-206\-350\-2402|1\.845\.709\.8044|\+1\s757\s5853620|919\-529\-5373|\+6912751776|1\-833\-945\-1505|\(d61rfo808\)\s53v3as201\s9473|\+1\s\(808\)\s201\s9473)\b/i

body __JR_BODY_GEN_PHONE12 /(?<!\w)(800\.481\.2979|1\-718\-989\-5740|\+356\s72986291|\+225\-54189599|415\-508\-4161|\+44\-\(7\)\s4\s5639\s1361|\(230\)\s216\s4865|\+2347041941368|\+1\-866\-879\-1354|\+380\s48\s7932609|\+380\s68\s8220267|\+1\s\(803\)\s692\-1706|\+1\s\(903\)\s403\-1710|\+17247693888|\+12819079195|\+1\-800\-803\-7592|\+1\-866\-879\-1354|\+31\s635250814|\+1\s346\s273\s1937|\+1\-800\-803\-7592|\+9368170104|\+1184571790|\+6244488968|1\s\(201\)\s578\-4239|1\s\(855\)\s518\-7430|\+\s1\-833\-220\-4052|\+1\s661\s280\s8730|\+1\s\(570\)\s500\-8391|\+1\-866\-785\-0325)\b/i


As per Loren and Martin, these rules are best used in a meta rule.
Loren's rule is solid. I had one message that did not contain the word
"order" in the subject and one other that had "Order Status" in the
From:Name field.

I also use these in conjunction with FreeMail rules. Good Luck.

My $0.02,

-- Jared Hall
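
The rules above list the same number once per separator style (877-208-5661, 8772085661, 877.208-5661). As an added example, not code from the post or from SpamAssassin, this Python goes a step further and reduces every phone-like token in a body to digits before comparing it with a tracked set. TRACKED holds four numbers taken from the rules, the sample bodies are constructed, and the function names are hypothetical.

```python
import re

# Digits-only forms of four numbers from the rules in the post (leading "1" dropped).
TRACKED = {"8772085661", "8777679308", "2063090336", "7189895740"}

# One phone-like token: optional "+", optional "(", then 10 to 15 digits with up
# to three separator characters between neighbouring digits.
CANDIDATE = re.compile(r"(?<![\w+])\+?\(?\d(?:[\s().~-]{0,3}\d){9,14}(?!\w)")


def normalize(token):
    """Strip everything but digits and drop a North American leading 1."""
    digits = re.sub(r"\D", "", token)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def tracked_numbers(body):
    """Return tracked numbers found in body, in order of first appearance."""
    hits = []
    for match in CANDIDATE.finditer(body):
        # Compare the whole normalized token, so a longer digit run that merely
        # contains a tracked number (sample 4) does not hit.
        number = normalize(match.group())
        if number in TRACKED and number not in hits:
            hits.append(number)
    return hits


# Constructed sample bodies, not real messages.
SAMPLES = [
    "Your order has shipped. Questions? Call 1~877~767~9308 today.",
    "Billing support: +1(206)309-0336",
    "Reach us at (877) 208-5661 or 877.208-5661.",
    "Tracking id 8772085661234 will update within 24 hours.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(tracked_numbers(body), "<-", body)
```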