This Time Self-Hosted

W32.Sober… spamassassin?

Okay, seems like new variants of Sober are really hitting the mail servers badly. The problem is that, while they don’t really do anything to non-Windows users as a virus, they are a great bore for everyone. I receive daily ten or more Sober.* mails (and I just kill the Paris Hilton thing using maildrop), and some of them are able to get around SpamAssassin’s detection.

Last time I had something like this was with Sober.P, and Dirk’s rule did its job right that time.

Update: I was able to get it working, don’t ask me what I did wrong before; the code for the rule follows:


# Sub-rules: header traits shared by Sober-generated mail
header __SOBER_P_MSGID Message-ID =~ /<[0-9a-f.]{15,22}@/
header __SOBER_P_CTYPE Content-Type =~ /text\/plain.*charset="us-ascii"/
header __SOBER_P_PRIO X-Priority =~ /^3 /
header __SOBER_P_IMP Importance =~ /^Normal/

# Plain-text Sober.P mail ("Rassistische Mail" is German for "racist mail")
meta SOBER_P_SPAM (__SOBER_P_MSGID && __SOBER_P_CTYPE && __SOBER_P_PRIO && __SOBER_P_IMP )
score SOBER_P_SPAM 18.0
describe SOBER_P_SPAM Rassistische Mail Sober-P

# Other variants: multipart/mixed with a boundary of "=" signs followed by hex digits and dots
header __SOBER_OTH_CTYPE Content-Type =~ /multipart\/mixed.*boundary="=+[0-9a-f.]+"$/

meta SOBER_OTH_VIRUS (__SOBER_P_MSGID && __SOBER_OTH_CTYPE && __SOBER_P_PRIO && __SOBER_P_IMP )
score SOBER_OTH_VIRUS 6.0
describe SOBER_OTH_VIRUS Some W32-Sober virus

Thanks slarti for helping me on -dev 🙂
Finally, no more Sobers! 😀
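
To see how the meta rules combine the header sub-rules, here is an added example (not part of the original post and not SpamAssassin code) that replays the same patterns in Python over constructed headers. The `evaluate` and `sample` helpers, the `example.test` Message-IDs and the header-unfolding step are assumptions that only approximate how SpamAssassin presents header values to a rule.

```python
import re
from email.parser import HeaderParser

# Sub-rules from the post as (header, pattern). Python's re takes the
# patterns unchanged; "/" only needs escaping inside Perl's /.../.
SUBRULES = {
    "__SOBER_P_MSGID": ("Message-ID", r"<[0-9a-f.]{15,22}@"),
    "__SOBER_P_CTYPE": ("Content-Type", r'text/plain.*charset="us-ascii"'),
    "__SOBER_P_PRIO": ("X-Priority", r"^3 "),
    "__SOBER_P_IMP": ("Importance", r"^Normal"),
    "__SOBER_OTH_CTYPE": ("Content-Type",
                          r'multipart/mixed.*boundary="=+[0-9a-f.]+"$'),
}
COMMON = ["__SOBER_P_MSGID", "__SOBER_P_PRIO", "__SOBER_P_IMP"]
METAS = {  # meta name -> (required sub-rules, score)
    "SOBER_P_SPAM": (COMMON + ["__SOBER_P_CTYPE"], 18.0),
    "SOBER_OTH_VIRUS": (COMMON + ["__SOBER_OTH_CTYPE"], 6.0),
}

def evaluate(raw):
    """Return ({meta: score} for metas that fire, {sub-rule: matched})."""
    msg = HeaderParser().parsestr(raw)
    hits = {}
    for name, (header, pattern) in SUBRULES.items():
        # Assumed unfolding step: join continuation lines so ".*" can
        # span a folded header value.
        values = [re.sub(r"\r?\n[ \t]+", " ", v).strip()
                  for v in msg.get_all(header, [])]
        hits[name] = any(re.search(pattern, v) for v in values)
    fired = {meta: score for meta, (needs, score) in METAS.items()
             if all(hits[n] for n in needs)}
    return fired, hits

def sample(msgid, ctype):
    """Build constructed test headers (not captured traffic)."""
    return (f"Message-ID: {msgid}\nContent-Type: {ctype}\n"
            "X-Priority: 3 (Normal)\nImportance: Normal\n\nbody\n")

HEX_ID = "<3f2a.9c01b7d4e.55a0@example.test>"  # constructed value
SAMPLES = {
    "text-variant": sample(HEX_ID, 'text/plain;\n\tcharset="us-ascii"'),
    "attachment-variant": sample(
        HEX_ID, 'multipart/mixed;\n\tboundary="====0a1b2c3d.4e5f"'),
    "ordinary": sample("<CAKx7Zq+Hello.World_2005@example.test>",
                       'text/plain; charset="us-ascii"'),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw)[0])
```

In the "ordinary" sample three of the four sub-rules still match, so the Message-ID shape is what keeps the 18-point meta from firing on legitimate plain-text mail.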
