Here's a filter I use:
# attack Yahoo spammers
SKIPIFWEIGHT 315
MAXWEIGHT 150
#
# exclude the big emails and those with good attachments
TESTSFAILED END CONTAINS MPPT-SIZE-L
TESTSFAILED END CONTAINS MPPT-SIZE-XL
TESTSFAILED END CONTAINS MPPT-SIZE-XXL
TESTSFAILED END CONTAINS ATTACHMENT-GOOD
#
MAILFROM END NOTCONTAINS @YAHOO.
REVDNS END NOTCONTAINS .YAHOO.
# Reverse Good tests
TESTSFAILED 15 CONTAINS MXRATE-WHITE-LAST
TESTSFAILED 30 CONTAINS BONDEDSENDER-DYNA
TESTSFAILED 15 CONTAINS MPPT-SIZE-L
TESTSFAILED 15 CONTAINS BODY-STATE-WL
TESTSFAILED 10 CONTAINS DNSWL-ISP-LOW
TESTSFAILED 20 CONTAINS DNSWL-ISP-MEDIUM
TESTSFAILED 40 CONTAINS DNSWL-ISP-HIGH
TESTSFAILED 10 CONTAINS DNSWL-NEWSLETTERS-LOW
TESTSFAILED 20 CONTAINS DNSWL-NEWSLETTERS-MEDIUM
TESTSFAILED 40 CONTAINS DNSWL-NEWSLETTERS-HIGH
# Common spam items
TESTSFAILED 50 CONTAINS BODY-BLOGS
TESTSFAILED 50 CONTAINS BODY-FREEHOSTS
TESTSFAILED 50 CONTAINS BODY-URL-SHORTENER
TESTSFAILED 50 CONTAINS LANGUAGE-CYRILLIC
TESTSFAILED 50 CONTAINS LANGUAGE-EASTERNEUROPEAN
# Punish these tests more
TESTSFAILED 25 CONTAINS SNIFFER-SNAKEOIL
TESTSFAILED 25 CONTAINS SNIFFER-PORN
SUBJECT 25 CONTAINS erotic
SUBJECT 25 CONTAINS naughty
SUBJECT 25 CONTAINS pretty
SUBJECT 25 CONTAINS whore
SUBJECT 25 CONTAINS girlfriend
SUBJECT 25 CONTAINS schoolgirl
SUBJECT 25 CONTAINS sexual
SUBJECT 25 CONTAINS cuties
SUBJECT 25 CONTAINS virgin
SUBJECT 25 CONTAINS bitch
SUBJECT 25 CONTAINS drugstore
SUBJECT 50 CONTAINS M e d
SUBJECT 25 CONTAINS Pian
SUBJECT 50 CONTAINS P I A N
SUBJECT 25 CONTAINS Viagra
SUBJECT 25 CONTAINS Yahoo! Groups: You're invited!
SUBJECT 25 IS hey
SUBJECT 25 CONTAINS porn
MAILFROM 25 PCRE
(?i:[a-z]{5,[EMAIL PROTECTED])
MAILFROM 25 PCRE
(?i:[a-z]{5,[EMAIL PROTECTED])
BODY 25 CONTAINS Girlfriend
BODY 25 CONTAINS Schoolgirl
BODY 25 CONTAINS whore
BODY 25 CONTAINS Porn
BODY 50 CONTAINS . c o m
BODY 75 PCRE (www\.[a-z]{8,20}\.cn)
BODY 100 PCRE (www\.[A-Za-z]+ dot com)
BODY 100 PCRE (www\.[A-Za-z]+ dot com)
BODY 50 CONTAINS dot com
BODY 25 CONTAINS w
BODY 25 CONTAINS w
BODY 25 CONTAINS w
BODY 25 CONTAINS w
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
Grosshandler
Sent: Tuesday, April 08, 2008 11:27 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Need strategy to up score.
Hi
We're getting spam that comes via Yahoo, looks good (but it isn't). We'd
like to up the score it receives, so it won't get passed through. We use
Sniffer/Declude/Inviurbl.
We're almost always Bcc'd.
Sometimes fails Sniffer, sometimes not (we've got a query into them, too.)
Doesn't always fail zerohour.
Always seems to be complete gobbledygook, plus a URL that looks like it is
well formed (and doesn't fail inviurbl test.)
Always seem to come via mud.yahoo.com (but so does legit email.)
Headers follow, thanks for any advice.
Received: from n26.bullet.mail.mud.yahoo.com [68.142.206.221] by
smtp.igive.com
(SMTPD-9.23) id AD5302B4; Mon, 07 Apr 2008 19:33:23 -0500
Received: from [68.142.200.227] by n26.bullet.mail.mud.yahoo.com with NNFMP;
08 Apr 2008 00:33:22 -0000
Received: from [68.142.201.245] by t8.bullet.mud.yahoo.com with NNFMP; 08
Apr 2008 00:33:23 -0000
Received: from [127.0.0.1] by omp406.mail.mud.yahoo.com with NNFMP; 08 Apr
2008 00:33:23 -0000
X-Yahoo-Newman-Id: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Received: (qmail 56970 invoked from network); 8 Apr 2008 00:33:22 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.co.uk;
h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:From:To:Reply-To:Subject:Date
:MIME-Version:Content-type:Content-transfer-encoding;
b=56tfwh/ZgrQDDqdn753U/L6m1fWJcABbNVM/kWWVUnmtRb34zE7SUdPbuBl5pBR+vKu5gWQj0Y
4ZtqBDqA8eMMjB4wpIbGBcQLmMo2hvNECaSWG09steODkIiCbItU7nHLtbutkTV2FATYUQ/g6lib
rf/QtD3tsRFNT+zLMDRKw= ;
Received: from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED]
with login)
by smtp123.plus.mail.sp1.yahoo.com with SMTP; 8 Apr 2008 00:33:21 -0000
X-YMail-OSG:
UiyvW00VM1mV4yv6F.yyGe9FOC19nRnWakaxr0hVWy6Fq3yeWcq0ZG5OVF1d_dJSaphQ.y8ESkN5
jdHbfvx7.sxsAQ--
X-Yahoo-Newman-Property: ymail-3
From: RileyJones10 <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: [PS - 14]-hot r zy Woman food quality can.
Date: Tue, 08 Apr 2008 02:50:28 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=windows-1251
Content-transfer-encoding: 8bit
X-RBL-Warning: SPAMCANNIBAL: "blocked, See:
http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=68.142.206.221";
X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER"
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-Declude-Sender: [EMAIL PROTECTED] [68.142.206.221]
X-Declude-Spoolname: Dbd5200e100005530.smd
X-Declude-RefID: str=0001.0A010205.47FABD5C.000E,ss=1,pt=47146,fgs=0
X-Declude-Scan: Incoming Score [14] at 19:33:38 on 07 Apr 2008
X-Declude-Fail: SPAMCANNIBAL [2], MXRATE-ALLOW [-5], NOABUSE [2],
NOPOSTMASTER [1], WEIGHT9 [9], WEIGHTMID [10], ZEROHOUR [14]
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: `
X-UIDL: 462333283
X-IMail-ThreadID: bd5200e100005530
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
