SPAM and procmail
Brian
lists at karas.net
Wed Jan 14 06:41:49 EST 2004
For anyone interested... It seems that a lot of spam is starting to slip
through Spam Assassin again. The majority of the messages seem to
either have "obvious" subject lines, or have ----ALT-- in the message
body to try to hide dummy words to throw off the weighting. I came up
with these two procmail recipes the other day that have done a good job
of catching what SA doesn't. The first looks for various forms of drug
keywords in the subject line, and the second just dumps any message with
the ALT stuff in the body to an altinmessage mailbox (I have yet to see
a valid use of the ALT stuff in the message body (for that matter I've
yet to see a valid use of HTML in an email message, but that is another
story)).
Anyway, I thought I would share in case anyone else found these useful,
or wanted to build off of them.
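
# Subject-line drug keywords; the alternatives are grouped so each one is anchored to ^Subject:
:0:
* ^Subject:.*(([Vv].?[iI1!].?[aA@].?[gG].?[Rr].?[aA@])|([Ss5].?[oO0].?[mM].?[aA@])|([Xx].?[Aa@].?[nN].?[Aa@].?[xX]))
meds

# B flag: match against the body; file anything containing the ----ALT-- marker
:0B:
* ^----ALT--*
altinmessage
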
Another common technique that is foiling SA is hiding bogus tags in
words (i.e. "vi</house>agra"). They always seem to be closing tags in the
messages I've looked at. If I get the time, I want to pre-parse all
email before it gets sent to SA and remove all non-real HTML tags, which
should allow SA to better read and score the message. This is more of a
job for piping the message to an external script/program (much like
filtering it through SA).
And for those that are wondering, yes this *can* get a little processor
intensive on a busy mailserver with a lot of users, but for the price of
hardware these days, it's been affordable to provide effective spam
scanning.
--
Brian <lists at karas.net>
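
Added example, not part of the original post: a sketch of the pre-parsing step described above, which removes tags that are not real HTML elements from a message's text/html parts so a scorer sees the rejoined words. The REAL_TAGS allowlist, the function names and the sample body are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Procmail filter sketch: drop tags that are not real HTML elements."""
import re
import sys
from email import message_from_bytes, policy

# Element names treated as real HTML (assumed allowlist, extend as needed).
REAL_TAGS = frozenset("""
a abbr address b big blockquote body br center code dd div dl dt em font
h1 h2 h3 h4 h5 h6 head hr html i img li link meta ol p pre small span strong
style sub sup table tbody td tfoot th thead title tr tt u ul
""".split())

# An opening or closing tag; the name must directly follow '<' or '</'.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\b[^<>]*>")


def strip_bogus_tags(html):
    """Delete tags whose element name is not in REAL_TAGS; keep all else."""
    def keep_or_drop(match):
        return match.group(0) if match.group(1).lower() in REAL_TAGS else ""
    return TAG_RE.sub(keep_or_drop, html)


def clean_message(raw):
    """Return the message as bytes with each inline text/html part cleaned."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html" or part.is_attachment():
            continue
        try:
            body = part.get_content()
        except LookupError:  # unknown charset label: leave the part alone
            continue
        # set_content() rewrites the part's Content-* headers (UTF-8 body).
        part.set_content(strip_bogus_tags(body), subtype="html")
    return msg.as_bytes()


# Constructed sample using the closing-tag trick described in the post.
SAMPLE = "<p>Cheap vi</house>agra and x</zq>anax, <b>today</b> only</p>"

if __name__ == "__main__":
    # Filter mode: one message on stdin, cleaned message on stdout.
    sys.stdout.buffer.write(clean_message(sys.stdin.buffer.read()))
```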