Chronophage.net Blog

Author Archive

Is consumed by Technolust. Iom…

by Nick on Mar.10, 2010, under Twitter

Is consumed by Technolust. Iomega’s new RAID mini-nas is hawt.


Server, heal thyself!

by Nick on Mar.09, 2010, under Twitter

Server, heal thyself!


Why do flashlights need tripod…

by Nick on Mar.09, 2010, under Twitter

Why do flashlights need tripods? #weirdwoots


84c MoPic MPR. 84, not 86…

by Nick on Mar.08, 2010, under Twitter

84c MoPic MPR. 84, not 86…


DRUPAL, Drupal, burning right …

by Nick on Mar.03, 2010, under Twitter

DRUPAL, Drupal, burning right
through cpu cycles of the ’site ,
What incompetent web designer
Could defy thy dreadful performance?


Well, you’re the administrator…

by Nick on Mar.02, 2010, under Twitter

Well, you’re the administrator… It says so right here on CallerID: <EDMINISTRATOR> 555-709-6331.”


“So you want my Social Securit…

by Nick on Mar.02, 2010, under Twitter

“So you want my Social Security Number, an annotated floor plan of my house, a voided check, and a list of my worst fears?


“a career move” effing iPhone.

by Nick on Feb.27, 2010, under Twitter

“a career move” effing iPhone.


Is it me, or does Chris Cornel…

by Nick on Feb.27, 2010, under Twitter

Is it me, or does Chris Cornell get more and more ridiculous every time he makes a career nice?


Let’s Try This.

by Nick on Feb.26, 2010, under Administration, E-Mail, UNIX 101

So, some of my users are avid World of Warcraft players. They’ve been complaining that they keep getting phishing schemes in their email accounts. Since Bayesian Filtering isn’t catching on, I think it’s time for custom SpamAssassin rules.

First, a quick scan of SARE rulesets to see if one fits the bill. I picked the “Forged” rules simply because they are logical and simple. I like logical and simple ;)

Then some quick adapting…

and this is what I came up with:

header __RCVD_WOW Received =~ /worldofwarcraft\.com/i
header __FROM_WOW From =~ /worldofwarcraft\.com/i
uri __URI_WOW /worldofwarcraft\.com/i
meta CUSTOM_FORGED_WOW (__FROM_WOW && __URI_WOW && !__RCVD_WOW)
score CUSTOM_FORGED_WOW 1.4

I have similar rules for blizzard.com and battle.net. What I’m looking for is the domain in the “From” field in the headers and in the body of the message, but NOT in the “Received” field. Most phishing schemes have a hotmail/yahoo/gmail address in the “Received” (and the “Reply To”) field.

The only caveat I see with this is that the base64 encoding of the message may screw up the body check, but I’m almost positive SpamAssassin decodes the message first.

I assigned a relatively small score of 1.4 to the messages, just to see if they show up in the “X-SpamScore” header. Remember, only one should hit at a time.

We’ll see if that works.
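The meta rule's logic, replayed in Python over three constructed messages, one of them with a base64-encoded body (an added example, not code from the original post and not SpamAssassin itself). The helper names `subtests`, `custom_forged_wow` and `build`, the simplified URI regex, and every sample host and address are assumptions made for the illustration.

```python
import base64
import re
from email import message_from_string

DOMAIN = re.compile(r"worldofwarcraft\.com", re.I)   # same pattern as the rules
URI = re.compile(r"https?://[^\s\"'<>]+", re.I)      # simplified URI extractor (assumption)

def subtests(raw):
    # Evaluate the three sub-rules against one raw message.
    msg = message_from_string(raw)
    hits = {
        "__RCVD_WOW": any(DOMAIN.search(h) for h in msg.get_all("Received", [])),
        "__FROM_WOW": any(DOMAIN.search(h) for h in msg.get_all("From", [])),
        "__URI_WOW": False}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable before URIs are searched
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        if any(DOMAIN.search(u) for u in URI.findall(text)):
            hits["__URI_WOW"] = True
    return hits

def custom_forged_wow(raw):
    # meta CUSTOM_FORGED_WOW (__FROM_WOW && __URI_WOW && !__RCVD_WOW)
    t = subtests(raw)
    return t["__FROM_WOW"] and t["__URI_WOW"] and not t["__RCVD_WOW"]

def build(received, sender, body, b64=False):
    # Constructed sample message; all hosts and addresses are made up.
    if b64:
        body = base64.b64encode(body.encode()).decode()
    return "\n".join([f"Received: {received}", f"From: {sender}",
        "Content-Type: text/plain; charset=utf-8",
        f"Content-Transfer-Encoding: {'base64' if b64 else '7bit'}", "", body, ""])

FORGED = build("from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org",
               "Account Team <support@worldofwarcraft.com>",
               "Verify at http://www.worldofwarcraft.com.example/verify", b64=True)
GENUINE = build("from mail.worldofwarcraft.com ([198.51.100.7]) by mx.example.org",
                "noreply@worldofwarcraft.com",
                "Patch notes: http://www.worldofwarcraft.com/patchnotes")
CHATTER = build("from mail.example.net ([192.0.2.10]) by mx.example.org",
                "friend@example.net", "See http://www.worldofwarcraft.com/")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE), ("chatter", CHATTER)):
        print(name, subtests(raw), "->", custom_forged_wow(raw))
```

Only the forged sample trips the meta rule. Its raw base64 body never contains the domain string, so the URI sub-test hits only because the body is decoded before matching.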
