For what it's worth it looks like they may have "moved"... just got the first batch of...
http://spaces.msn.com/members/GuadalupeSzekula/?H5=Best_offerings.coming!_T So everybody may want to get a jump on adding a regex for that to your rulesets :-) Based on the general format of these URLs, how could you craft a regex that would catch these specific ones, without penalizing people who legitimately are emailing a uk.geocities or spaces.msn.com URL to someone. they would seem to be in the format of http://spaces.msn.com/members/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^ ^ http://uk.geocities.com/<RANDOM NAME>/?<2 or 3 CHARACTERS>=<MORE CHARACTERS> ^^^^^^^^^^^^^^^^^^^^^^^^ ^^ ^ So it would seem that regex to match the "caret'ed" bits above would be the most likely means to that end? Any regex geniuses out there? :) Cheers, >>>>> Mike <<<<< > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gary V > Sent: Monday, August 15, 2005 11:57 AM > To: Matt Juszczak > Cc: amavis-user@lists.sourceforge.net > Subject: Re: [AMaViS-user] User complaints of spam > > Matt wrote: > > > Hi all, > > > We're getting some user complaints of spam and they all > seem to follow > > the same general template. > > > Something like this: > > > ---snip--- > > nicky > > > > http://uk.geocities.com/Hyman_Barrientos/?Wn=Seek_quick.and_effective. > > cures > > ---snip--- > > > After which they have some random words at the end (random english > > dictionary words). Some of them don't. > > > A lot of these are making it to the quarantine but some of > them aren't > > even getting a positive score. Is there a rule out there I > can find, > > or possibly an additional blacklist I can add on top of the > default (razor)? > > I'm not a big fan of blacklists but as long as we're only > just "tagging" > > spam (and not deleting it) and the blacklist is fairly > conservative, I > > wouldn't mind allowing it to add some points to messages. > > > Thanks, > > Matt > > Make sure you set: > $sa_local_tests_only = 0; in amavisd.conf. Otherwise > SpamAssassin will not perform network tests (Razor included). > I think you are using FreeBSD, so there should be a > /usr/local/etc/mail/spamassassin/init.pre > file. This file normally will contain: > loadplugin Mail::SpamAssassin::Plugin::URIDNSBL > loadplugin Mail::SpamAssassin::Plugin::Hashcash > loadplugin Mail::SpamAssassin::Plugin::SPF > > If you did not install from ports, then it might be in > /etc/mail/spamassassin > > Verify that init.pre exists in the same place you have > local.cf and at the very least 'loadplugin > Mail::SpamAssassin::Plugin::URIDNSBL' is there. > > You might consider using Pyzor. It is slower than some of the > other tests (only one server) and it has made a bit of a mess > on some machines when the Pyzor server was unavailable. The > author will change the server on occasion, so it may be a > good idea to make sure the server is up by maybe doing a > 'pyzor ping' in a cron job, with the result mailed to you. > > If you use ports, it should be there: /usr/ports/mail/pyzor > > install, then run both: > pyzor discover > and > su vscan -c 'pyzor discover' > (pyzor discover provides pyzor the IP address of the Pyzor server) > > then 'pyzor ping' to see if the Pyzor server is up > > run > su vscan -c 'spamassassin --lint -D' > and you should see > debug: Pyzor: got response: 66.250.40.33:24441 (200, 'OK') > 0 0 > if all is working well. > I don't think you even need to reload amavisd-new. > > DCC is very good, but as an ISP, and due to the volume of > mail you receive, and due to the license, I believe you would > need to run the DCC server (dccd I think) on one of your > machines and then provide your data (flood your data) to the > main servers. At least something to that effect, I think. You > would have to study how to set this up. > > If you don't have $sa_local_tests_only = 0; set, then this > would be the main problem. An email like this should hit on a > couple of the networks tests, with URIDNSBL the most likely > to help. There is not much for SpamAssassin to key on if > network test are not performed. > > Gary V > > > > ------------------------------------------------------- > SF.Net email is Sponsored by the Better Software Conference & > EXPO September 19-22, 2005 * San Francisco, CA * Development > Lifecycle Practices Agile & Plan-Driven Development * > Managing Projects & Teams * Testing & QA Security * Process > Improvement & Measurement * http://www.sqe.com/bsce5sf > _______________________________________________ > AMaViS-user mailing list > AMaViS-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/amavis-user > AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 > AMaViS-HowTos:http://www.amavis.org/howto/ > ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/