Mailing List Archive

new SPAM encoded completely in quoted-printable
Hi,

just saw this:

...
X-Kaspersky-Antivirus: passed
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
kiste.hitchhikers.de
X-Spam-Status: No, hits=0.0 required=5.0 tests= autolearn=no version=2.63
X-Spam-Level:

=dd=f4=f4=e5=ea=f2=e8=e2=ed=e0=ff =f0=e0=f1=ea=f0=f3=f2=ea=e0 =e8 =e4=e5=
=e9=f1=f2=e2=e5=ed=ed=e0=ff =f0=e5=ea=eb=e0=ec=ed=e0=ff =ef=ee=e4=e4=e5=f0=
=e6=ea=e0 =c2=e0=f8=e5=e3=ee =e1=e8=e7=ed=e5=f1=e0: =c1=fb=f1=f2=f0=ee =e8=
=ef=f0=ee=f1=f2=ee!

=cc=fb =e1=fb =f5=ee=f2=e5=eb=e8 =ef=f0=e5=e4=eb=ee=e6=e8=f2=fc =c2=e0=ec=
=e4=e5=e9=f1=f2=e2=e5=ed=ed=fb=e9 =e8 =ed=e5=e4=ee=f0=ee=e3=ee=e9 =f1=ef=
=ee=f1=ee=e1 =ef=f0=ee=e4=e2=e8=e6=e5=ed=e8=ff =f2=ee=e2=e0=f0=ee=e2 =e8=eb=
=e8 =f3=f1=eb=f3=e3 =c2=e0=f8=e5=e9 =ea=ee=ec=ef=e0=ed=e8=e8 =f7=e5=f0=e5=
=e7 RuNet=2e =dd=f2=ee - =e5=e4=e8=ed=ee=e2=f0=e5=ec=e5=ed=ed=e0=ff =f0=e0=
=f1=f1=fb=eb=ea=e0 =e8=ed=f4=ee=f0=ec=e0=f6=e8=e8 =ee =c2=e0=f8=e5=e9 =f4=
=e8=f0=ec=e5 =ef=ee =e2=fb=e1=f0=e0=ed=ed=ee=e9 =c2=e0=ec=e8 =e1=e0=e7=e5=
=fd=eb=e5=ea=f2=f0=ee=ed=ed=fb=f5 =e0=e4=f0=e5=f1=ee=e2=2e=20

(etc etc)

does a new rule for that kind of trash make sense?



--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europe-wide free ride-sharing service
http://www.spamfreemail.de - 100% clean mailboxes - guaranteed!
http://www.rb-hosting.de - PHP from 9€ - SSH from 19€ - low-cost traffic
Re: new SPAM encoded completely in quoted-printable
On Saturday 07 February 2004 19:02, Jens Benecke wrote:
> Hi,
>
> just saw this:
>
> ...
> X-Kaspersky-Antivirus: passed
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
> kiste.hitchhikers.de
> X-Spam-Status: No, hits=0.0 required=5.0 tests= autolearn=no
> version=2.63 X-Spam-Level:
>
> =dd=f4=f4=e5=ea=f2=e8=e2=ed=e0=ff =f0=e0=f1=ea=f0=f3=f2=ea=e0 =e8
> =e4=e5= =e9=f1=f2=e2=e5=ed=ed=e0=ff =f0=e5=ea=eb=e0=ec=ed=e0=ff
> =ef=ee=e4=e4=e5=f0= =e6=ea=e0 =c2=e0=f8=e5=e3=ee
> =e1=e8=e7=ed=e5=f1=e0: =c1=fb=f1=f2=f0=ee =e8= =ef=f0=ee=f1=f2=ee!
>
> does a new rule for that kind of trash make sense?

Try:

rawbody ALL_QUOTES /(=[a-f0-9]{2}){5,}/i
describe ALL_QUOTES Five or more quotes in a row.
score ALL_QUOTES 1.0

Tweak the {5,} to be more or less to suit you, and obviously the score.

Is the "correct" way 'body' or 'rawbody'? Anybody have any ham that
matches this?

--
Berend De Schouwer
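
Added example, not part of either post and not SpamAssassin code: a Python check of the posted ALL_QUOTES pattern against constructed sample bodies, showing which kinds of legitimate mail reach the {5,} threshold and that the pattern only fires on text that is still quoted-printable encoded. The helper names, charsets and sample sentences are assumptions made for the illustration.

```python
import quopri
import re

# The pattern from the rule posted above: five or more =XX escapes in a row.
ALL_QUOTES = re.compile(r"(=[a-f0-9]{2}){5,}", re.I)
# Helper pattern (added here) to measure the longest unbroken run of escapes.
RUN = re.compile(r"(?:=[a-f0-9]{2})+", re.I)


def qp(text, charset):
    """Quoted-printable encode text in the given charset, as a mailer would."""
    return quopri.encodestring(text.encode(charset)).decode("ascii")


def longest_run(raw):
    """Length, in escapes, of the longest run of consecutive =XX sequences."""
    return max((len(m.group(0)) // 3 for m in RUN.finditer(raw)), default=0)


def rule_hits(raw):
    """True if the posted pattern matches the text as given."""
    return ALL_QUOTES.search(raw) is not None


# Constructed sample bodies (written for this example, not taken from real mail).
SAMPLES = {
    "cyrillic_advert": qp("Быстро и просто! Реклама вашего бизнеса.", "cp1251"),
    "cyrillic_ham": qp("Привет, встреча завтра в десять.", "koi8-r"),
    "german_ham": qp("Schöne Grüße aus München, bis später!", "iso-8859-1"),
    "cjk_utf8_ham": qp("会議は明日です", "utf-8"),
    "ascii_ham": "See http://example.com/?a=3D1&b=3D2 for details.\n",
}


def report():
    """name -> (hit on encoded text, longest escape run, hit after QP decoding)."""
    out = {}
    for name, raw in SAMPLES.items():
        decoded = quopri.decodestring(raw.encode("ascii")).decode("latin-1")
        out[name] = (rule_hits(raw), longest_run(raw), rule_hits(decoded))
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:16} hit={row[0]!s:5} longest_run={row[1]:2} hit_decoded={row[2]}")
```

On these samples no value of {N,} separates the advert from ordinary Cyrillic or CJK mail: Latin-script ham stays at one or two escapes in a row, while any text in a non-Latin script produces long runs regardless of content.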