2 other tactics against these:
1. Spamdomain test. A verizon.com from address is unlikely to come from a wanadoo.fr reverse DNS. Spamdomains will have some false positive consequences...
2. Reverse DNS filters. I'd consider a reverse DNS with "cable" or "-dsl-" in it to be suspicious and worthy of some points. There are definitely some good servers in DUL-type space, so there are some false positives here.
I've attached a filter I use specific to interbusiness.it.
----- Original Message -----
From: "John Carter" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Tuesday, February 28, 2006 10:20 AM
Subject: RE: [Declude.JunkMail] Spam out of 86.* & 87.*
Thanks, will look at blackholes.us.
My real problem is time. I've written a program and spreadsheet that extracts the domains and IPs of delivered messages and shows the unique IPs and how many messages came from them. But when I spend time cross-checking with SenderBase and ARIN, I can spend hours updating my IP filters. Cost/benefit isn't there.
Agree; have to be careful about blocking. Plan was to add points on /8 IPs, something below my subject tag score. Hopefully legit messages would come through OK, but the "kinky" ones, with the new scoring added, would be enough to at least trip the tag weight.
John
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Tuesday, February 28, 2006 9:22 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Spam out of 86.* & 87.*
Hi John,
What is my best bet - jack up the score a number of points for any mail coming from 86 & 87? Many of the messages hardly trip any of the regular tests.
Wouldn't hurt - use blackholes.us and maybe score 40% of your hold weight? I would say though blocking a /8 is not a good idea. Way too many false positives.
My first question is why the leakage? My guess would be a new spam campaign that eventually will leak from other blocks. So first maybe figure out how to score these on header / body content, etc. Next examine the IPs that they are coming from and selectively block accordingly.
Here are 2 blocks I have tagged in that range:
86.59.128.0 255.255.252.0 esnet.com ROKSO 20-May-2005 01:27 GMT
86.111.128.0 255.255.240.0 ROKSO Boris Mizhen
Don't be discouraged. There will be a new campaign tomorrow :)
-Nick
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
#
================================================================================================
#
# REVDNS-interbusiness.it: REVDNS filter for known interbusiness.it addresses
#
#
#
================================================================================================
#
# Skip this filter entirely if the message already has a weight of 440 or more
#
SKIPIFWEIGHT 440
#
# Bypasses for all filters
#
TESTSFAILED END CONTAINS FILTER-BYPASS
TESTSFAILED END CONTAINS RBL-BYPASS
#
# exclude the big emails and those with good attachments
#
TESTSFAILED END CONTAINS SIZE-BT-100KB-200KB
TESTSFAILED END CONTAINS SIZE-BT-200KB-500KB
TESTSFAILED END CONTAINS SIZE-BT-500KB-1MB
TESTSFAILED END CONTAINS SIZE-BT-1MB-10MB
TESTSFAILED END CONTAINS SIZE-GT-10MB
TESTSFAILED END CONTAINS ATTACHMENT-GOOD
#
# Fairly successful whitelist tests
#
TESTSFAILED END CONTAINS SUBJECT-AGTERMS-WL
TESTSFAILED END CONTAINS SUBJECT-MAGNAMES-WL
TESTSFAILED END CONTAINS SUBJECT-PUBTERMS-WL
TESTSFAILED END CONTAINS BODY-MAGNAMES-WL
#
# If Mailpure's tests say it comes from bulk or an email server...
#
#TESTSFAILED END CONTAINS MPPT-BULKEMAIL
TESTSFAILED END CONTAINS MPM-EMAILSERVER
#
# Reverse DNS that looks like a real mail server: end the filter with no weight
#
REVDNS END CONTAINS SMTP
REVDNS END CONTAINS STATIC
REVDNS END CONTAINS MAIL
REVDNS END CONTAINS .DED.
REVDNS END CONTAINS .SIP.
REVDNS END CONTAINS .MX.
REVDNS END STARTSWITH MX.
REVDNS END STARTSWITH MTA
REVDNS END CONTAINS -mx-
REVDNS END CONTAINS exchange
REVDNS END CONTAINS mx01
REVDNS END CONTAINS mx02
REVDNS END CONTAINS mx03
REVDNS END CONTAINS mx04
REVDNS END CONTAINS mx05
REVDNS END CONTAINS mx06
REVDNS END CONTAINS mx07
REVDNS END CONTAINS mx08
REVDNS END CONTAINS mx09
#
# Must get at least a weight of 2 (i.e. both rules below must match) to be awarded weight from global.cfg
#
MINWEIGHTTOFAIL 2
REVDNS 1 ENDSWITH .interbusiness.it
REVDNS 1 CONTAINS .pool
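The scoring discussed in this thread, as one worked example in Python: the "spamdomain" mismatch between the From domain and the reverse DNS, points for dynamic-looking reverse DNS (cable, -dsl-, pool) with a bypass for names that look like mail servers, and an emulation of the attached Declude-style filter with its END bypasses, SKIPIFWEIGHT and MINWEIGHTTOFAIL. This is added illustration code, not Declude and not the poster's filter; the filter semantics are my reading of the attached file (END lines stop the filter with no weight, weighted lines add up, the filter only scores when the total reaches MINWEIGHTTOFAIL, matching is case-insensitive), and the domain table, point values, reverse DNS hints and sample messages are constructed.

```python
"""Constructed example: emulate a Declude-style REVDNS filter plus the
spamdomain and dynamic-rDNS heuristics from the thread.  Not Declude code;
the semantics below are my reading of the attached filter file."""
from dataclasses import dataclass

# Trimmed copy of the attached REVDNS-interbusiness.it filter (same syntax).
FILTER_TEXT = """
SKIPIFWEIGHT 440
TESTSFAILED END CONTAINS FILTER-BYPASS
TESTSFAILED END CONTAINS ATTACHMENT-GOOD
REVDNS END CONTAINS SMTP
REVDNS END CONTAINS STATIC
REVDNS END CONTAINS MAIL
REVDNS END STARTSWITH MX.
REVDNS END CONTAINS mx01
MINWEIGHTTOFAIL 2
REVDNS 1 ENDSWITH .interbusiness.it
REVDNS 1 CONTAINS .pool
"""

# Spamdomain test: From domains expected only from their own network, with the
# reverse DNS suffixes they may legitimately arrive from.  Constructed table.
EXPECTED_RDNS = {"verizon.com": ("verizon.com", "verizon.net")}
DYNAMIC_HINTS = ("cable", "-dsl-", ".pool", "dyn")      # DUL-looking rDNS
SERVER_HINTS = ("smtp", "mail", "mx", "static")          # mirrors the END bypasses


@dataclass
class Message:
    from_addr: str
    revdns: str
    tests_failed: tuple = ()   # names of Declude tests that already failed
    weight: int = 0            # weight accumulated before this filter runs


def _match(action: str, haystack: str, needle: str) -> bool:
    """Declude string actions; assumed case-insensitive (the attached file
    mixes SMTP, exchange and mx01 on equal footing)."""
    h, n = haystack.lower(), needle.lower()
    return {"CONTAINS": n in h,
            "STARTSWITH": h.startswith(n),
            "ENDSWITH": h.endswith(n)}[action]


def run_filter(text: str, msg: Message) -> int:
    """Weight this filter awards.  A matching END line returns 0 at once;
    otherwise matching lines add up and the filter fails (awards its total)
    only when the total reaches MINWEIGHTTOFAIL."""
    min_to_fail, total = 1, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        kw = parts[0].upper()
        if kw == "SKIPIFWEIGHT":
            if msg.weight >= int(parts[1]):
                return 0                   # already at/over the skip line
            continue
        if kw == "MINWEIGHTTOFAIL":
            min_to_fail = int(parts[1])
            continue
        _test, weight, action, value = parts
        subject = {"REVDNS": msg.revdns,
                   "TESTSFAILED": " ".join(msg.tests_failed)}[kw]
        if _match(action.upper(), subject, value):
            if weight.upper() == "END":
                return 0
            total += int(weight)
    return total if total >= min_to_fail else 0


def spamdomain_points(msg: Message, points: int = 5) -> int:
    """Points when a From domain in EXPECTED_RDNS arrives from foreign rDNS."""
    dom = msg.from_addr.rsplit("@", 1)[-1].lower()
    suffixes = EXPECTED_RDNS.get(dom)
    if suffixes is None:
        return 0
    rd = msg.revdns.lower()
    return 0 if any(rd == s or rd.endswith("." + s) for s in suffixes) else points


def dynamic_rdns_points(msg: Message, points: int = 3) -> int:
    """Points for cable/dsl/pool-style rDNS, unless it looks like a mail server
    (the thread's caveat about good servers living in DUL-type space)."""
    rd = msg.revdns.lower()
    if any(h in rd for h in SERVER_HINTS):
        return 0
    return points if any(h in rd for h in DYNAMIC_HINTS) else 0


def score(msg: Message) -> int:
    """Total weight: prior weight plus the filter and the two heuristics."""
    return (msg.weight + run_filter(FILTER_TEXT, msg)
            + spamdomain_points(msg) + dynamic_rdns_points(msg))


if __name__ == "__main__":
    for m in (Message("joe@verizon.com", "host-86-100-1-2.pool.interbusiness.it"),
              Message("joe@verizon.com", "mx01.interbusiness.it"),
              Message("ann@example.org", "adsl-pool.interbusiness.it", weight=440)):
        print(m.revdns, "->", score(m))
```

Run it as a script to see the three sample messages scored; the point values are arbitrary and, as the thread says, would normally sit below the tag or hold weight so that a single heuristic cannot block mail on its own.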