Chronophage.net Blog

So, some of my users are avid World of Warcraft players. They’ve been complaining that they keep getting phishing schemes in their email accounts. Since Bayesian Filtering isn’t catching on, I think it’s time for custom SpamAssassin rules.

First, a quick scan of SARE rulesets to see if one fits the bill. I picked the the “Forged” rules simply because they are logical and simple. I like logical and simple

Then some quick adapting…

and this is what I came up with:


header __RCVD_WOW Received =~ /worldofwarcraft\.com/i
header __FROM_WOW From =~ /worldofwarcraft\.com/i
uri __URI_WOW /worldofwarcraft\.com/i
meta CUSTOM_FORGED_WOW (__FROM_WOW && __URI_WOW && !__RCVD_WOW)
score CUSTOM_FORGED_WOW 1.4


I have similar rules for blizzard.com and battle.net. What I’m looking for is the domain in the “From” field in the headers, and the domain in the body of the message but the domain NOT in the “Received” field. Most phishing schemes have a hotmail/yahoo/gmail address in the “Received” (and the “Reply To” field)

The only caveat I see with this, is that the base64 encoding of the message may screw up the body check, but I’m almost positive Spam Assassin decodes the message first.

I assigned a relatively small score of 1.4 to the messages, just to see if they show up in the “X-SpamScore” header. Remember, only one should hit at a time.

We’ll see if that works.

• Share
• Tweet
• "&title=""">