04 Jul 2008
Killfiling "MI5 Persecution" Spam With slrn
I do most of my Usenet reading through an SSH session using the slrn newsreader, which in my opinion is one of the best around (better than gnus even, although I still use Emacs as an editor). One of the better things about it is its very flexible killfile system. In reality slrn doesn’t have a “killfile” per se; instead it has a “scorefile”, which allows you to apply numeric scores to articles based on regular expressions, killing them when they drop below a threshold.
Anyway, since it allows the use of regular expressions, it’s useful for filtering out “sporgery” and spam designed to defeat less-flexible filtering, like the MI5 Persecution nonsense.
Here’s a set of rules I set up for killing the latest batch of crap:
    [*]
    % Kill "MI-5 Persecution" crap
    Score:: =-9999
    Subject: [A-Z][',-`. ]I[',-`. ]5[',-`. ]P
    From: MI5Victim
The first rule (the Subject: one) is designed for the latest batch, which have varied subject lines and randomly-generated From-addresses. The second rule (the From: one) is for catching the older batch of messages, which all used the same From-address and didn’t vary their headers as much. I keep the old rule around because I sometimes like to read groups where there isn’t much activity, and thus end up seeing them almost as often as I do the new ones.
It’s almost a certainty that the rules will have to be tweaked, or a new rule added, the next time a bunch of messages come out, if the spammer continues to ‘enhance’ the headers to defeat filtering. That is, of course, unless MI5 gets him first. But somehow I doubt we’re all that lucky.
The regexp used to catch the newer messages was taken from Wikipedia, and it seems to work fine, although I’ve been thinking of tweaking it a little more. Ideally I’d like to broaden it until there are no possible permutations of the subject that wouldn’t get caught, regardless of letters placed in between the message characters, or any similar-character replacements (e.g. replacing the letter “I” with “|”, or other similar L33T-type stuff).
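To see what the Subject: pattern does and does not catch before broadening it, here is an added example (not part of the original post) that runs it next to one hypothetical broadened pattern. It uses Python's re module as a stand-in for slrn's regex engine, whose syntax may differ; BROAD_SUBJECT, the helper names and all sample headers are constructed for illustration.

```python
import re

# The Subject: pattern from the scorefile above, unchanged.
PAGE_SUBJECT = re.compile(r"[A-Z][',-`. ]I[',-`. ]5[',-`. ]P")

# Hypothetical broadened pattern (an assumption, not from the post): any run
# of non-alphanumerics, including none, between the characters, plus a few
# common stand-ins for the letter "I".
SEP = r"[^A-Za-z0-9]*"
BROAD_SUBJECT = re.compile(r"[A-Z]" + SEP + r"[I|1l!]" + SEP + "5" + SEP + "P")

# The From: rule for the older batch.
OLD_FROM = re.compile(r"MI5Victim")


def killed(subject, sender, subject_re=PAGE_SUBJECT):
    """Mimic the 'Score::' (OR) entry: kill if either header rule matches."""
    return bool(subject_re.search(subject) or OLD_FROM.search(sender))


# Constructed sample headers, not taken from real articles.
RAND = "x7f3@example.invalid"
SAMPLES = [
    ("M.I.5.Persecution", RAND),
    ("M-I-5 Persecution", RAND),
    ("MI5 Persecution", "MI5Victim@example.invalid"),  # old batch: From rule
    ("MI5 Persecution", RAND),      # no separators: page pattern needs one each
    ("M.|.5.Persecution", RAND),    # "I" replaced by "|"
    # In Python's re, ,-` inside the brackets is a range (0x2C to 0x60), so the
    # page's separator slot also accepts a single digit or uppercase letter.
    ("MXIY5ZPersecution", RAND),
    ("Re: slrn scorefile syntax", "reader@example.invalid"),  # ordinary post
]


def compare():
    """Return (subject, killed by page rules, killed by broadened rules)."""
    return [(s, killed(s, f), killed(s, f, BROAD_SUBJECT)) for s, f in SAMPLES]


if __name__ == "__main__":
    for subject, page, broad in compare():
        print(f"{subject!r:32} page={page!s:5} broad={broad}")
```

The two patterns are not supersets of each other: the broadened one catches the unseparated and "|" variants, but drops the uppercase-letter separators the original class happens to allow, so both Subject: lines would need to stay in the entry.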
I’ve only begun playing more seriously with slrn and its scoring features, so as I get a decent scorefile worked out, I’ll probably post some occasional updates, just in case somebody wants to use it as a starting point.