Two other tactics against these:

1. Spamdomain test. A verizon.com From address is unlikely to come from a wanadoo.fr reverse DNS.
   Spamdomains will have some false-positive consequences...

2. Reverse DNS filters. I'd consider a reverse DNS with "cable" or "-dsl-" in it to be suspicious and worthy of some points. There are definitely some good servers in DUL-type space, so there are some false positives here.

I've attached a filter I use that is specific to interbusiness.it.


----- Original Message ----- From: "John Carter" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Tuesday, February 28, 2006 10:20 AM
Subject: RE: [Declude.JunkMail] Spam out of 86.* & 87.*


Thanks, will look at blackholes.us.

My real problem is time.  I've written a program and spreadsheet that
extracts the domains and IPs of delivered messages and shows the unique
IPs and how many messages came from them.  But when I spend time
cross-checking with SenderBase and ARIN, I can spend hours updating my IP
filters. The cost/benefit isn't there.

Agree; have to be careful about blocking. The plan was to add points on /8 IPs,
something below my subject-tag score. Hopefully legit messages would come
through OK, but the "kinky" ones, with the new scoring added, would be
enough to at least trip the tag weight.

John


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Tuesday, February 28, 2006 9:22 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Spam out of 86.* & 87.*

Hi John,

> What is my best bet - jack up the score a number of points for any mail
> coming from 86 & 87?  Many of the messages hardly trip any of the regular
> tests.


Wouldn't hurt - use blackholes.us and maybe score 40% of your hold weight? I
would say, though, that blocking a /8 is not a good idea.  Way too many false
positives.

My first question is why the leakage? My guess would be a new spam campaign
that eventually will leak from other blocks. So first maybe figure out how
to score these on header/body content, etc. Next examine the IPs that
they are coming from and selectively block accordingly.

Here are 2 blocks I have tagged in that range:

86.59.128.0   255.255.252.0   esnet.com ROKSO 20-May-2005 01:27 GMT
86.111.128.0  255.255.240.0   ROKSO Boris Mizhen

Don't be discouraged. There will be a new campaign tomorrow  :)

-Nick
---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



# ================================================================================
#   REVDNS-interbusiness.it        REVDNS of interbusiness.it addresses
# ================================================================================

SKIPIFWEIGHT    440

#
#  Bypasses for all filters
#
TESTSFAILED     END     CONTAINS        FILTER-BYPASS
TESTSFAILED     END     CONTAINS        RBL-BYPASS
#
#  exclude the big emails and those with good attachments
#
TESTSFAILED     END     CONTAINS        SIZE-BT-100KB-200KB
TESTSFAILED     END     CONTAINS        SIZE-BT-200KB-500KB
TESTSFAILED     END     CONTAINS        SIZE-BT-500KB-1MB
TESTSFAILED     END     CONTAINS        SIZE-BT-1MB-10MB
TESTSFAILED     END     CONTAINS        SIZE-GT-10MB
TESTSFAILED     END     CONTAINS        ATTACHMENT-GOOD
#
#  Fairly successful whitelist tests
#
TESTSFAILED     END     CONTAINS        SUBJECT-AGTERMS-WL
TESTSFAILED     END     CONTAINS        SUBJECT-MAGNAMES-WL
TESTSFAILED     END     CONTAINS        SUBJECT-PUBTERMS-WL
TESTSFAILED     END     CONTAINS        BODY-MAGNAMES-WL
#
# If Mailpure's tests say it comes from bulk or an email server...
#
#TESTSFAILED    END     CONTAINS        MPPT-BULKEMAIL
TESTSFAILED     END     CONTAINS        MPM-EMAILSERVER

#
#  Reverse DNS names that look like real mail servers: stop here (no weight)
#
REVDNS          END     CONTAINS        SMTP
REVDNS          END     CONTAINS        STATIC
REVDNS          END     CONTAINS        MAIL
REVDNS          END     CONTAINS        .DED.
REVDNS          END     CONTAINS        .SIP.
REVDNS          END     CONTAINS        .MX.
REVDNS          END     STARTSWITH      MX.
REVDNS          END     STARTSWITH      MTA
REVDNS          END     CONTAINS        -mx-
REVDNS          END     CONTAINS        exchange
REVDNS          END     CONTAINS        mx01
REVDNS          END     CONTAINS        mx02
REVDNS          END     CONTAINS        mx03
REVDNS          END     CONTAINS        mx04
REVDNS          END     CONTAINS        mx05
REVDNS          END     CONTAINS        mx06
REVDNS          END     CONTAINS        mx07
REVDNS          END     CONTAINS        mx08
REVDNS          END     CONTAINS        mx09

#
#   Must get at least a weight of 2 to be awarded weight from global.cfg
#
MINWEIGHTTOFAIL 2

REVDNS          1       ENDSWITH        .interbusiness.it
REVDNS          1       CONTAINS        .pool
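To see how a filter like the one above actually scores a message, here is a small evaluator written for this thread. It is an added example, not Declude's code and not the attached filter itself. It assumes the Declude filter semantics as I understand them: lines are processed top to bottom, an END weight stops the filter with whatever weight has accumulated so far (zero here, since every weighted line comes after the END lines), MINWEIGHTTOFAIL is the weight the filter must reach before it counts as failed, SKIPIFWEIGHT skips the filter entirely for messages already at or above that weight, and matching is case-insensitive. The names parse_filter, evaluate, score, Rule and Message are my own, the embedded filter text is a condensed copy of the attachment, and the two "cable" / "-dsl-" lines at the end are constructed to show the reverse-DNS tactic from the top of the message.

```python
"""Evaluate a Declude-style REVDNS/TESTSFAILED filter (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed filter text: condensed from the interbusiness.it filter posted in
# the thread, plus two extra weighted lines for the "cable" / "-dsl-" tactic.
FILTER_TEXT = """
SKIPIFWEIGHT    440
#
#  Bypasses: an END line stops the filter, so the weight stays at whatever
#  has accumulated so far (zero, because all weighted lines come later).
#
TESTSFAILED     END     CONTAINS        FILTER-BYPASS
TESTSFAILED     END     CONTAINS        ATTACHMENT-GOOD
REVDNS          END     CONTAINS        SMTP
REVDNS          END     CONTAINS        MAIL
REVDNS          END     STARTSWITH      MX.
#
#  Must reach a weight of 2 before the filter counts as failed
#
MINWEIGHTTOFAIL 2
REVDNS          1       ENDSWITH        .interbusiness.it
REVDNS          1       CONTAINS        .pool
REVDNS          1       CONTAINS        cable
REVDNS          1       CONTAINS        -dsl-
"""


@dataclass
class Rule:
    test: str              # REVDNS or TESTSFAILED
    weight: Optional[int]  # None means END
    op: str                # CONTAINS, STARTSWITH or ENDSWITH
    value: str


@dataclass
class Message:
    revdns: str                                   # reverse DNS of the connecting IP
    tests_failed: list = field(default_factory=list)  # names of tests already failed
    weight: int = 0                               # weight assigned by earlier tests


def parse_filter(text):
    """Split a filter file into directives (name -> int) and ordered rules."""
    directives, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 3)
        name = parts[0].upper()
        if name in ("SKIPIFWEIGHT", "MINWEIGHTTOFAIL"):
            directives[name] = int(parts[1])
            continue
        if len(parts) != 4:
            raise ValueError(f"malformed filter line: {raw!r}")
        test, weight, op, value = parts
        rules.append(Rule(test.upper(),
                          None if weight.upper() == "END" else int(weight),
                          op.upper(), value))
    return directives, rules


def _match(op, haystack, needle):
    h, n = haystack.lower(), needle.lower()       # case-insensitive (assumption)
    if op == "CONTAINS":
        return n in h
    if op == "STARTSWITH":
        return h.startswith(n)
    if op == "ENDSWITH":
        return h.endswith(n)
    raise ValueError(f"unsupported operator {op}")


def evaluate(directives, rules, msg):
    """Return the weight this filter adds to msg (0 when it does not fail)."""
    if msg.weight >= directives.get("SKIPIFWEIGHT", float("inf")):
        return 0                                  # already past the skip weight
    total = 0
    for rule in rules:
        subject = msg.revdns if rule.test == "REVDNS" else " ".join(msg.tests_failed)
        if not _match(rule.op, subject, rule.value):
            continue
        if rule.weight is None:                   # END: stop processing this filter
            break
        total += rule.weight
    return total if total >= directives.get("MINWEIGHTTOFAIL", 1) else 0


def score(msg, filter_text=FILTER_TEXT):
    directives, rules = parse_filter(filter_text)
    return evaluate(directives, rules, msg)


if __name__ == "__main__":
    # Constructed sample reverse DNS names; none are real hosts.
    for m in (Message("host12-34.pool8018.interbusiness.it"),
              Message("mail.example.interbusiness.it"),
              Message("host1.pool.interbusiness.it", ["FILTER-BYPASS"]),
              Message("adsl-1-2-3-4.cable.example.net"),
              Message("cpe-12.cable-dsl-pool.example.net"),
              Message("host1.pool.interbusiness.it", weight=500)):
        print(f"{m.revdns:40} -> weight {score(m)}")
```

The samples cover the cases that matter when tuning a filter like this: a pool host under interbusiness.it collects both points and fails; a host whose reverse DNS contains "mail" hits an END line and gets nothing regardless of what follows; a message that already failed FILTER-BYPASS is bypassed before any REVDNS line is looked at; a "cable" host with no second hit stays below MINWEIGHTTOFAIL and scores zero; a host matching both "cable" and "-dsl-" reaches 2 and fails; and a message already at weight 500 is skipped by SKIPIFWEIGHT 440.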
