Procmail and obfusticated spam

As a result of the torrent of spam I've been receiving from the Sobig.F virus, my tolerance for spam is at an all-time low. Like most people I get my share of 'medical' spam, offering products to increase, decrease or otherwise modify various parts of my anatomy. In the past most of these went to an email address I have kept for web use and were therefore easy to catch, but I'm now starting to get them on my primary email address as well. I therefore decided to whip up a procmail recipe to deal with them, using a list of keywords and procmail scoring. However, as I soon learned, the spammers have tried to prevent you doing this by obfuscating the contents of the spam. They do this by sending HTML-format emails and obfuscating the HTML (for example by spelling words with numeric character entities, or splitting them across comments and tags) so that a simple keyword match on the raw message won't work. However, with a small perl script that flattens the HTML back into plain words and a little bit of procmail magic to run it before the scoring recipes, this is easily circumvented. I've written this up because I think it shows some useful and underused features of both perl and procmail. If you are interested, read on.
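The deobfuscation step described above, as an added example rather than the script from the post: a perl filter that passes the headers through and flattens the body (quoted-printable soft breaks, HTML comments, tags and character entities), followed in its POD by the procmail recipes that run it ahead of keyword scoring. The script name, the paths and the keyword list are assumptions for this example, and the sample input in the comments is constructed.

```perl
#!/usr/bin/perl
# deobfuscate.pl -- flatten an HTML-obfuscated mail body so that plain
# keyword matching (for example procmail scoring) sees the real words.
# Added example; not the script from the original post.
#
# Reads a message on STDIN and writes it to STDOUT.  Headers pass through
# untouched; the body is decoded in this order:
#   1. quoted-printable soft line breaks ("=" at end of line) are joined
#      and "=XX" escapes decoded, since entities are often split by them
#   2. HTML comments used to split words (vi<!-- x -->agra) are removed
#   3. <style>/<script> blocks are dropped, block-level tags become a
#      space and inline tags (<b>, <span>, <font>) vanish, so words split
#      across tags rejoin while table cells and paragraphs stay separate
#   4. numeric (&#118; &#x76;) and common named entities are decoded;
#      soft hyphens and zero-width characters used as filler are dropped
# Constructed input "<p>Buy <b>vi</b><!-- x -->agra =\nnow &#x61;nd
# S&shy;oft&#173;ware</p>" comes out as "Buy viagra now and Software".
use strict;
use warnings;

my %NAMED = (amp => '&', lt => '<', gt => '>', quot => '"', apos => "'",
             nbsp => ' ', shy => '', zwnj => '', zwj => '');

my $BLOCK = qr{br|p|div|table|tr|td|th|ul|ol|li|h[1-6]|blockquote|hr}i;

# Step 1: quoted-printable.  Heuristic: applied whether or not the top
# headers say so, because the part headers of a multipart message are
# inside the body.  Base64-encoded parts are not handled here.
sub decode_qp {
    my ($text) = @_;
    $text =~ s/=\r?\n//g;                          # soft line break
    $text =~ s/=([0-9A-Fa-f]{2})/chr(hex($1))/ge;  # =XX escape
    return $text;
}

# Map a decoded code point back to an output byte.  Output stays bytes
# (no wide characters); anything outside Latin-1 becomes '?'.
sub cp_to_byte {
    my ($code) = @_;
    return '' if $code == 0xAD                          # soft hyphen
              || ($code >= 0x200B && $code <= 0x200D)   # zero-width space/joiners
              || $code == 0xFEFF;                       # BOM used as filler
    return $code < 256 ? chr($code) : '?';
}

# Step 4: entities.  The ';' is optional because browsers accept its
# absence and spammers know it; unknown named entities are left alone.
sub decode_entities {
    my ($text) = @_;
    $text =~ s/&#[xX]([0-9A-Fa-f]+);?/cp_to_byte(hex($1))/ge;
    $text =~ s/&#([0-9]+);?/cp_to_byte($1)/ge;
    $text =~ s/&([A-Za-z]+);/exists $NAMED{lc $1} ? $NAMED{lc $1} : "&$1;"/ge;
    return $text;
}

sub deobfuscate {
    my ($html) = @_;
    my $text = decode_qp($html);
    $text =~ s/<!--.*?-->//gs;                              # step 2
    $text =~ s{<(style|script)\b[^>]*>.*?</\1\s*>}{}gis;    # step 3
    $text =~ s{</?(?:$BLOCK)\b[^>]*>}{ }g;                  # block tags -> space
    $text =~ s/<[^>]*>//gs;                                 # inline tags -> nothing
    $text = decode_entities($text);                         # step 4
    $text =~ s/[ \t]+/ /g;                                  # tidy whitespace
    $text =~ s/^ | $//mg;
    $text =~ s/\n(?:[ \t]*\n)+/\n/g;
    return $text;
}

# Filter mode when run as a program; 'require'-able for testing.
unless (caller) {
    my ($in_body, $body) = (0, '');
    while (my $line = <STDIN>) {
        if ($in_body) { $body .= $line; next; }
        print $line;                          # headers untouched
        $in_body = 1 if $line =~ /^\r?$/;     # blank line ends the headers
    }
    print deobfuscate($body) if $in_body;
}

__END__

=head1 USAGE

Invoked from .procmailrc as a filter before the scoring recipes run
(paths and keywords are assumptions for this example):

    # Flatten HTML mail.  The condition looks for the markers of an
    # obfuscated body: a tag, a numeric entity or a QP soft line break.
    :0 fw
    * B ?? (</?[a-z]|&#x?[0-9a-f]+;?|=$)
    | /usr/bin/perl /usr/local/bin/deobfuscate.pl

    # Keyword scoring on the flattened body; one hit is enough here.
    :0 B:
    * 1^0 \<viagra\>
    * 1^0 \<cialis\>
    spam

=cut
```

The `f` flag makes the recipe a filter and `w` makes procmail wait for the script and keep the original message if it exits non-zero, so a broken script costs you nothing but the deobfuscation. Calling perl explicitly means the recipe does not depend on the script's `#!` line or execute bit. What the filter does not undo: letter spacing ("v i a g r a"), look-alike characters ("v1agra"), text carried only in images, and base64-encoded HTML parts; the first two are best met with tolerant scoring regexes, the last with a real MIME parser such as MIME::Parser rather than the line-oriented loop above.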

Categories : Tech, Perl


Re: Procmail and obfusticated spam

Thanks Alan, the Perl deobfuscation module is GREAT! Enjoy your Peak District things too.

Re: Procmail and obfusticated spam

Hello Alan. Thank you for the deobfuscation script but... I am having problems with it and, not being a perl guru, I can't fix it. Here is the output of my procmail log when the script is called on my system (Mandrake 10.0, kernel-2.6.5, perl-5.8.3):

    procmail: Assigning "Deobfusticate"
    procmail: Assigning "HTML"
    procmail: Skipped "emails"
    procmail: Skipped "."
    procmail: Match on "(|&#x?[0-9a-f]+;|(=$))"
    procmail: Executing "/usr/bin/deobfuscate.pl"
    /usr/bin/deobfuscate.pl: line 7: use: command not found
    /usr/bin/deobfuscate.pl: line 11: sub: command not found
    /usr/bin/deobfuscate.pl: line 13: syntax error near unexpected token `;'
    /usr/bin/deobfuscate.pl: line 13: ` my $line = <>;'
    procmail: Program failure (2) of "/usr/bin/deobfuscate.pl"

I simply did a copy-paste of your script and saved it (w/chmod 755 on it too). What is going wrong here and how can I fix it?

Re: Procmail and obfusticated spam

I eliminated the same error messages as described by Praedor Atrebates (procmail running under Solaris 5.8) by changing the action line in the ".procmailrc" file from

    | deobfuscate

to

    | perl deobfuscate.pl

Thank you, Alan, for this script.