04 Jul 2008

Killfiling "MI5 Persecution" Spam With slrn

I do most of my Usenet reading through an SSH session using the slrn newsreader, which in my opinion is one of the best around (better than gnus even, although I still use Emacs as an editor). One of the better things about it is its very flexible killfile system. In reality slrn doesn’t have a “killfile” per se; instead it has a “scorefile”, which lets you apply numeric scores to articles based on regular expressions and kills them when their score drops below a threshold.

Anyway, since it allows the use of regular expressions, it’s useful for filtering out “sporgery” and spam designed to defeat less-flexible filtering, like the MI5 Persecution nonsense.

Here’s a set of rules I set up for killing the latest batch of crap:

% Kill "MI-5 Persecution" crap
Score:: =-9999
   Subject: [A-Z][',-`. ]I[',-`. ]5[',-`. ]P
   From: MI5Victim

The first rule (the Subject: one) is designed for the latest batch, which has varied subject lines and randomly-generated From-addresses. The second rule (the From: one) is for catching the older batch of messages, which all used the same From-address and didn’t vary their headers as much. I keep the old rule around because I sometimes like to read groups where there isn’t much activity, and thus end up seeing the old messages almost as often as I do the new ones.

It’s almost a certainty that the rules will have to be tweaked, or a new rule added, the next time a bunch of messages come out, if the spammer continues to ‘enhance’ the headers to defeat filtering. That is, of course, unless MI5 gets him first. But somehow I doubt we’re all that lucky.

The regexp used to catch the newer messages was taken from Wikipedia, and it seems to work fine, although I’ve been thinking of tweaking it a little more. Ideally I’d like to broaden it until there are no possible permutations of the subject that wouldn’t get caught, regardless of letters placed in-between the message characters, or any similar-character replacements (e.g. replacing the letter “I” with “|”, or other similar L33T-type stuff).
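Before broadening the rule it helps to see what the current one accepts. The following is an added example, not part of the original post: it runs the Subject: pattern over constructed subject lines and lists what the separator class really contains. It assumes Python's `re` behaves like slrn's matcher for this pattern (unanchored, case-sensitive search); the function names and sample subjects are made up for illustration.

```python
import re

# Subject pattern copied verbatim from the scorefile rule above.
# Assumption: Python's re stands in for slrn's matcher (unanchored,
# case-sensitive search); the pattern uses only literals and bracket classes.
SUBJECT_RULE = re.compile(r"[A-Z][',-`. ]I[',-`. ]5[',-`. ]P")
SEPARATOR = re.compile(r"[',-`. ]")


def separator_members():
    """Return the printable ASCII characters the separator class accepts."""
    return "".join(c for c in map(chr, range(0x20, 0x7F)) if SEPARATOR.fullmatch(c))


def killed(subject):
    """True if the Subject: rule would match this subject line."""
    return SUBJECT_RULE.search(subject) is not None


# Constructed subject lines (not taken from real articles).
SAMPLES = [
    "M.I.5'Persecution",          # punctuation separators
    "M I-5,Persecution",          # space, hyphen, comma separators
    "MXIX5XPersecution",          # uppercase letters in between
    "MxIx5xPersecution",          # lowercase letters in between
    "M.|.5.Persecution",          # "|" in place of "I"
    "AXIS5 Pro firmware update",  # unrelated subject
]


def report():
    """Map each constructed subject to whether the rule kills it."""
    return {subject: killed(subject) for subject in SAMPLES}


if __name__ == "__main__":
    print("separator class accepts:", repr(separator_members()))
    for subject, hit in report().items():
        print(f"{'KILL' if hit else 'keep'}  {subject}")
```

Inside the brackets, the sequence from the comma to the backtick is a range covering ASCII 0x2C through 0x60, so digits and uppercase letters count as separators while lowercase letters and “|” do not. That is why the unrelated “AXIS5 Pro” subject is killed and the last two spam-style variants are kept.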

I’ve only begun playing more seriously with slrn and its scoring features, so as I get a decent scorefile worked out, I’ll probably post some occasional updates, just in case somebody wants to use it as a starting point.
