SpamAssassin rules for unlikely email addresses



OliverScott
09-20-2008, 11:50 AM
I have been getting a lot of spam from addresses ending with @aim.com and with the first part of the address being a random collection of letters and numbers such as ole12367otwzxyv@aim.com

I have written the following rules to help up-score these emails. The first bunch look for email addresses with mixtures of letters and numbers which are unlikely to appear in a genuine email address. This is then combined into one meta rule which looks for any of these variants and adds a small score to emails like this (this rule may FP on a few genuine emails, so keep the score small!).

This meta rule can then be combined with other rules (to minimise the chances of getting false positives) and can then have a reasonable score added to it. In my case we get almost no genuine email from @aim.com addresses, so I was happy to use this as my second condition. Alternatively, it could be well combined with BAYES_99 or a URIBL.


header ODDADDRESS1 FROM =~ /[a-zA-Z]{3,10}[0-9]{3,10}[a-zA-Z]{3,10}/i
score ODDADDRESS1 0.001
describe ODDADDRESS1 Unlikely strings in email address

header ODDADDRESS2 FROM =~ /[0-9]{3,10}[a-zA-Z]{3,10}[0-9]{3,10}/i
score ODDADDRESS2 0.001
describe ODDADDRESS2 Unlikely strings in email address

header ODDADDRESS3 FROM =~ /[a-zA-Z]{2,10}[0-9]{2,10}[a-zA-Z]{2,10}[0-9]{2,10}/i
score ODDADDRESS3 0.001
describe ODDADDRESS3 Unlikely strings in email address

header ODDADDRESS4 FROM =~ /[0-9]{2,10}[a-zA-Z]{2,10}[0-9]{2,10}[a-zA-Z]{2,10}/i
score ODDADDRESS4 0.001
describe ODDADDRESS4 Unlikely strings in email address

header ODDADDRESS5 FROM =~ /[0-9]{1,10}[a-zA-Z]{1,10}[0-9]{1,10}[a-zA-Z]{1,10}[0-9]{1,10}/i
score ODDADDRESS5 0.001
describe ODDADDRESS5 Unlikely strings in email address

header ODDADDRESS6 FROM =~ /[a-zA-Z]{1,10}[0-9]{1,10}[a-zA-Z]{1,10}[0-9]{1,10}[a-zA-Z]{1,10}/i
score ODDADDRESS6 0.001
describe ODDADDRESS6 Unlikely strings in email address

meta ODDADDRESS (ODDADDRESS1 || ODDADDRESS2 || ODDADDRESS3 || ODDADDRESS4 || ODDADDRESS5 || ODDADDRESS6)
score ODDADDRESS 0.200

header FROM_AIM FROM =~ /\@aim\.com/i
score FROM_AIM 0.001
describe FROM_AIM Sent from aim.com address

meta FROM_AIM_SPAM (FROM_AIM && ODDADDRESS)
score FROM_AIM_SPAM 1.000
describe FROM_AIM_SPAM Sent from an aim.com address and address contains unlikely strings of numbers and letters
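
An added example, not part of the original post: a Python harness that replays the rules above against sample From headers so the false-positive rate can be checked before the rules go live. Every address except the one quoted in the post is constructed, and `addr_only` is a hypothetical switch that approximates scoping the match to the address part (what SpamAssassin's `From:addr` selector does) instead of the whole header.

```python
import re
from email.utils import parseaddr

# Patterns copied from the ODDADDRESS1-6 rules in the post (all use /i).
ODD = {
    "ODDADDRESS1": r"[a-zA-Z]{3,10}[0-9]{3,10}[a-zA-Z]{3,10}",
    "ODDADDRESS2": r"[0-9]{3,10}[a-zA-Z]{3,10}[0-9]{3,10}",
    "ODDADDRESS3": r"[a-zA-Z]{2,10}[0-9]{2,10}[a-zA-Z]{2,10}[0-9]{2,10}",
    "ODDADDRESS4": r"[0-9]{2,10}[a-zA-Z]{2,10}[0-9]{2,10}[a-zA-Z]{2,10}",
    "ODDADDRESS5": r"[0-9]{1,10}[a-zA-Z]{1,10}[0-9]{1,10}[a-zA-Z]{1,10}[0-9]{1,10}",
    "ODDADDRESS6": r"[a-zA-Z]{1,10}[0-9]{1,10}[a-zA-Z]{1,10}[0-9]{1,10}[a-zA-Z]{1,10}",
}
ODD = {name: re.compile(rx, re.I) for name, rx in ODD.items()}
FROM_AIM = re.compile(r"@aim\.com", re.I)


def evaluate(from_header, addr_only=False):
    """Return (rules hit, summed score) for one From header value."""
    # addr_only=True drops the display name before matching (assumption:
    # this mirrors a rule written against the address part only).
    text = parseaddr(from_header)[1] if addr_only else from_header
    hits = {name for name, rx in ODD.items() if rx.search(text)}
    score = 0.001 * len(hits)              # each sub-rule scores 0.001
    if hits:                               # meta ODDADDRESS: any sub-rule
        hits.add("ODDADDRESS")
        score += 0.200
    if FROM_AIM.search(text):
        hits.add("FROM_AIM")
        score += 0.001
    if {"FROM_AIM", "ODDADDRESS"} <= hits:  # meta FROM_AIM_SPAM
        hits.add("FROM_AIM_SPAM")
        score += 1.000
    return hits, round(score, 3)


SAMPLES = [
    "ole12367otwzxyv@aim.com",            # address quoted in the post
    "john123smith@aim.com",               # constructed: plausible real user
    "alice@aim.com",                      # constructed: clean address
    '"Bob abc123def" <bob@aim.com>',      # constructed: odd display name only
]

if __name__ == "__main__":
    for header in SAMPLES:
        for addr_only in (False, True):
            hits, score = evaluate(header, addr_only)
            print(f"{header!r:36} addr_only={addr_only!s:5} {score:5.3f} {sorted(hits)}")
```

The second and fourth samples show where the false positives come from: a name-plus-digits address trips ODDADDRESS1, and a whole-header match also fires on the display name.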