Clever Spam

Spam gets more clever all the time. Yesterday, this appeared on the debian-mentors list:

 Date: Wed, 7 Apr 2004 22:36:41 -0700 (PDT)
 From: rasheed badmus
 Subject: free game boy
 To: debian-mentors@lists.debian.org

 Hello: I'd like to request for someone to sponsor the following unofficial packages I have: snes9express (1.39-beta) - a GUI frontend for SNES9x (as far as I know this is still an orphaned package); and visualboy advance (a gameboy/gameboy color/gameboy advance emulator for Linux). The said packages can be obtained in this apt source location: anything that u want to send,send it by this below. P.O box 1103 agodi Ibadan, Oyo state, Nigeria.

Although list members quickly figured out that this was actually spam, someone made a good point: if spammers start using text from a typical posting to a list in the body of their message, it’s going to be very hard to use content-based filters reliably. I can’t see how, for example, a Bayesian filter would be able to drop the above message in the right bin.

Also, see this fairly technical but fascinating description of how an Internet cafe technician in Dublin caught a spammer red-handed. The best part is where the spammer tries to eat his USB memory stick so the police won’t get it. (Sorry, this is one instance where my civil liberties instincts are overcome by my harsh justice instincts.)

(This is another case where this post would ideally be filed under two categories—“Debian” and perhaps “spam”—which is not yet a category.)

Virus Filter

I’ve written before about one of the various forms of Internet pestilence: messages bounced back from virus filters that claim you emailed them a virus, when in fact the mail header was forged and the virus originated elsewhere. It’s particularly frustrating to those of us who use GNU/Linux and thus are practically immune from viruses, at least those that propagate through email.

Here’s my latest attempt at an omnibus virus bounce procmail filter. Put this in ~/.procmailrc and most if not all of these messages should go away. Note that you need to increase LINEBUF from its default length to pack this all into one expression:

# The whole condition must stay on one line; LINEBUF has to be large enough to hold it.
# -+ matches the run of ASCII hyphens that scanners put in these subject lines.
LINEBUF=3000
:0
* ((^Subject: (Virus infection notice|New Network Security Upgrade|Newest Net Update|Newest Internet Upgrade|Newest Internet Security Patch|Internet Security Pack|New Internet Security Patch|Latest Critical Pack|Latest Net Upgrade|Latest Network Critical Update|(Latest|Current|Newest|New) (Microsoft|Net(work)?|Internet) (Security|Critical) (Update|Patch|Pack)|Current Microsoft Critical Pack|Newest Critical Pack|Latest Net Security Pack|Current Net Critical (Pack|Patch)|Latest Network Critical Pack|Abort Report|A virus has been detected in a document you authored.|RAV Antivirus:|BitDefender found an infected object|Virus Detected by Network Associates, Inc. Webshield|-+ Virus Detected -+|Virus detected|Virus Alert|InterScan NT Alert|Virus found in the message|Message quarantined|VIRUS ALERT!|MDaemon Warning -+ Virus Found|Warning: E-mail viruses detected|ScanMail Message: To Sender virus found|VIRUS IN YOUR MAIL|Norton AntiVirus detected|VIRUS .* IN YOUR MAIL|Antigen found VIRUS|Filter incident|V.rus figyelmeztetés! Virus warning!|Symantec AVF detected|Returned due to virus;|Anti-Virus Notification|BANNED FILENAME|File blocked -+ ScanMail for Lotus|NAV detected a virus|RAV AntiVirus scan|VIRUS .+ IN MAIL FROM YOU|Virus Notification:|Virus found in a message you sent|Virus found in sent message|VIRUS EN SU CORREO|Warning: antivirus system report|M..Daemon Notification -+ Attachment Removed|Information -+ Antivirus|Symantec AntiVirus detected a violation|WARNING: YOU WERE SENT A VIRUS|SAV detected a violation in a document|MailMarshal has detected a suspect attachment|A virus was detected in your mail|Recipient Virus-alert|Virus Found in message|E-?mail viruses detected|Undelivered mail: VIRUS FOUND|Quarantined Mail: virus from|Failed to clean virus|Virusveszely! Virus warning!|Virus in mail from you.|Possible virus found in mess..age you sent|AntiVir ALERT|Centrale Anti-Virus melding|Vexira ALERT|You sent potentially unsafe content|ID.*thanks ScanMail has detected a virus!|\{Virus\?\}))|(^X-BLTSYMAVREINSERT|^X-Virus-Scan-Result: Repaired|^X-AtHome-MailScanner: Found to be infected|^X-Scanned: Symantec Antivirus Scan -+ Virus found|^X-Sender: NetMail AntiVirus Agent|^X-yoursite-MailScanner: Found to be infected|^X-ELTE-VirusStatus: was_infected)|(^To:.*MS Network Security))
virus

Suggestions for additional filter strings are welcome. This is an obvious case where there should be some standard for this kind of message, but of course each proprietary virus scanner company wants to have its own distinct announcement so as to advertise its product in the bounce message. The best thing would be something in the mail header other than the subject line.

I’ve also found the following recipe useful for filtering out a very common viral email that appears to be going around:

:0 BH
* ^Content-Type:.*(audio/x-wav|application/x-msdownload)
* > 100000
virus

You could probably substitute virus with /dev/null without any ill effects in both of these recipes.
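As an added example (not part of the original post), this Python harness mirrors a subset of the two recipes above and runs them over constructed messages, so you can see what the anchored Subject match and the size test catch and miss before the filter handles real mail. The names `classify`, `msg`, `run` and every sample message are assumptions made for the example; the attachment pattern uses the full MIME type application/x-msdownload.

```python
import re

# Subset of the Subject alternatives from the recipe above, plus two of its
# header checks. procmail matches case-insensitively by default (re.I), and
# re.M lets ^ anchor at the start of every header line.
BOUNCE = re.compile(
    r"^Subject: (Virus Alert|Virus detected|Norton AntiVirus detected"
    r"|VIRUS .* IN YOUR MAIL|BANNED FILENAME"
    r"|(Latest|Current|Newest|New) (Microsoft|Net(work)?|Internet)"
    r" (Security|Critical) (Update|Patch|Pack))"
    r"|^X-Virus-Scan-Result: Repaired"
    r"|^To:.*MS Network Security",
    re.I | re.M)
ATTACH = re.compile(
    r"^Content-Type:.*(audio/x-wav|application/x-msdownload)", re.I | re.M)

def classify(raw):
    """Return 'bounce', 'attachment' or None for a raw message string."""
    head = raw.split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)   # unfold wrapped header lines
    if BOUNCE.search(head):
        return "bounce"
    # Second recipe: pattern searched in header and body (BH), and the
    # whole message must exceed 100000 bytes.
    if ATTACH.search(raw) and len(raw.encode()) > 100000:
        return "attachment"
    return None

def msg(headers, body="hello\n"):
    return "From: a@example.org\n" + headers + "\n\n" + body

WAV = "--b\nContent-Type: audio/x-wav\n\n"
# Constructed sample messages, not real traffic.
SAMPLES = {
    "scanner bounce":  msg("Subject: Virus Alert"),
    "lowercase":       msg("subject: virus detected"),
    "x-header only":   msg("Subject: hi\nX-Virus-Scan-Result: Repaired"),
    "folded subject":  msg("Subject: VIRUS (worm)\n IN YOUR MAIL"),
    "reply (missed)":  msg("Subject: Re: Virus Alert"),
    "false positive":  msg("Subject: Virus detected in lab sample 12"),
    "big attachment":  msg("Subject: hi", WAV + "A" * 120000),
    "small wav":       msg("Subject: hi", WAV + "A" * 500),
}

def run():
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:16} {verdict}")
```

The "reply (missed)" and "false positive" rows are the ones to watch: the pattern is anchored directly after "Subject: ", so a "Re:" prefix slips past it, while ordinary mail whose subject happens to begin with one of the phrases is filed as a bounce.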

Finally, a neat trick if you use SpamAssassin. This is covered in the documentation, but I only recently discovered it. Here’s a way to filter very certain spam into one folder, and pretty certain spam into another:

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
verycertainspam

:0
* ^Subject:.*\*\*\*\*SPAM\*\*\*\*
probablyspam

Set the number of stars in the first recipe to be the SpamAssassin score you’d like to count as “very certain.”

Realtors is not generic

The U.S. Trademark Trial and Appeal Board announced on Tuesday that the term “realtor” is not generic, but instead a protectable mark. In other words, “realtor” isn’t just anyone who sells real estate, but attaches only to a member of the National Association of Realtors.