Viaxxgra Spam

I’ve been seeing a lot of obfuscated spam over the last week or so. It’s led me to write and test my first SpamAssassin rules:


body ACKME_OBFDRUGS9a m/\bVi([_a-zA-Z]{2}a|a[_a-zA-Z]{2})gra\b/i
describe ACKME_OBFDRUGS9a obfuscated drug names ViaXXgra or ViXXagra
score ACKME_OBFDRUGS9a 1.0

body ACKME_OBFDRUGS9b m/\bV([_a-zA-Z]{2}a|a[_a-zA-Z]{2})lium\b/i
describe ACKME_OBFDRUGS9b obfuscated drug names VaXXlium or VXXalium
score ACKME_OBFDRUGS9b 1.0

body ACKME_OBFDRUGS9c m/\bCi([_a-zA-Z]{2}a|a[_a-zA-Z]{2})lis\b/i
describe ACKME_OBFDRUGS9c obfuscated drug names CiXXalis or CiaXXlis
score ACKME_OBFDRUGS9c 1.0

body ACKME_OBFDRUGS9d m/\bAm([_a-zA-Z]{2}b|b[_a-zA-Z]{2})ien\b/i
describe ACKME_OBFDRUGS9d obfuscated drug names AmXXbien or AmbXXien
score ACKME_OBFDRUGS9d 1.0

body ACKME_OBFDRUGS9e m/\bX([_a-zA-Z]{2}a|a[_a-zA-Z]{2})nax\b/i
describe ACKME_OBFDRUGS9e obfuscated drug names XXXanax or XaXXnax
score ACKME_OBFDRUGS9e 1.0

body ACKME_OBFDRUGS9f m/\bLev([_a-zA-Z]{2}i|i[_a-zA-Z]{2})tra\b/i
describe ACKME_OBFDRUGS9f obfuscated drug names LeviXXtra or LevXXitra
score ACKME_OBFDRUGS9f 1.0

meta ACKME_OBFDRUGS9 (ACKME_OBFDRUGS9a + ACKME_OBFDRUGS9b + ACKME_OBFDRUGS9c + ACKME_OBFDRUGS9d + ACKME_OBFDRUGS9e + ACKME_OBFDRUGS9f > 1)
describe ACKME_OBFDRUGS9 multiple obfuscated drug names
score ACKME_OBFDRUGS9 2.0
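
A quick way to regression-test these patterns before loading them, as an added example that is not part of the original post: the six body regexes are transcribed into Python's `re` and run over constructed sample lines. The helper names (`hits`, `meta_fires`, `score`) and all sample strings are assumptions made for the illustration.

```python
import re

# The six body patterns from the rules above. These constructs (\b, character
# classes, {2}, alternation, /i) behave the same in Perl and Python.
GAP = r"[_a-zA-Z]{2}"
RULES = {
    "ACKME_OBFDRUGS9a": rf"\bVi({GAP}a|a{GAP})gra\b",
    "ACKME_OBFDRUGS9b": rf"\bV({GAP}a|a{GAP})lium\b",
    "ACKME_OBFDRUGS9c": rf"\bCi({GAP}a|a{GAP})lis\b",
    "ACKME_OBFDRUGS9d": rf"\bAm({GAP}b|b{GAP})ien\b",
    "ACKME_OBFDRUGS9e": rf"\bX({GAP}a|a{GAP})nax\b",
    "ACKME_OBFDRUGS9f": rf"\bLev({GAP}i|i{GAP})tra\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def hits(text):
    """Sub-rules that match. Each rule counts once per message, however often
    its pattern appears (the rules above do not set 'tflags multiple')."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))

def meta_fires(text):
    """Mirror of the meta rule: the sum of sub-rule hits must exceed 1."""
    return len(hits(text)) > 1

def score(text):
    """Points contributed by this rule set: 1.0 per sub-rule, plus 2.0 for the meta."""
    n = len(hits(text))
    return 1.0 * n + (2.0 if n > 1 else 0.0)

# Constructed sample lines, not taken from real mail.
SAMPLES = [
    "Cheap Viaxxgra and Ciaqzlis here",              # two different names: meta fires
    "Viaxxgra Vizzagra Via__gra",                    # one name three times: meta does not fire
    "Ask your doctor about Viagra, Valium or Xanax", # plain spellings must not match
    "Via12gra",                                      # digits are outside [_a-zA-Z]: not covered
    "LEVXYITRA ambqqien",                            # case-insensitive match
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{score(line):4.1f}  meta={meta_fires(line)!s:5}  {hits(line)}  <- {line!r}")
```

The third and fourth samples are the ones to watch when changing the character class: the plain spellings must stay unmatched, and anything outside `[_a-zA-Z]` in the two-character gap is not covered by these rules.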

garan
