Re: RE: New type of SPAM aggression
On Thu, 7 Feb 2019, Rupert Gallagher wrote:

> full __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( __HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0

Be aware, if the mail has properly-formed HTML and plain-text alternate versions, that will double-count every URI.

Also, if you only care about more than ten hits, add

    tflags __HAS_URI maxhits=11

...to avoid matching ones you don't care about.

> On Thu, Feb 7, 2019 at 09:12, MAYER Hans wrote:
>
>>> … All emails were spam with links. …
>>
>> We receive such spam mails with a lot of links too.
>>
>> Is there a rule which detects a certain amount of links inside an e-mail ?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference between ignorance and stupidity is that the stupid
  desire to remain ignorant.                             -- Jim Bacon
---
 5 days until Abraham Lincoln's and Charles Darwin's 210th Birthdays
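The double-counting and the maxhits cap described in the message above, as an added example that is not part of the original thread and is not SpamAssassin code. It approximates the rule's counting in Python over a constructed multipart/alternative message; the function names and the sample hosts are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

SCHEME = re.compile(r"https?://")            # what the rule in the thread matches
URI = re.compile(r"https?://[^\s\"'<>]+")    # whole URI, used for de-duplication


def build_sample(n=6):
    """Constructed sample: the same n links in a plain-text and an HTML part."""
    links = [f"http://site{i}.example/offer" for i in range(n)]
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("\n".join(links))
    html = "".join(f'<a href="{u}">x</a><br>\n' for u in links)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()


def raw_hits(raw, maxhits=None):
    """Count scheme matches over the raw message, as a `full` rule with
    `tflags multiple` would; stop early once maxhits is reached."""
    n = 0
    for _ in SCHEME.finditer(raw):
        n += 1
        if maxhits is not None and n >= maxhits:
            break
    return n


def distinct_uris(raw):
    """Collect each URI once across all text parts, so alternate
    renderings of the same body do not inflate the count."""
    seen = set()
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            seen.update(URI.findall(part.get_payload()))
    return seen


if __name__ == "__main__":
    sample = build_sample()
    print("raw hits:", raw_hits(sample))
    print("raw hits, maxhits=11:", raw_hits(sample, maxhits=11))
    print("distinct URIs:", len(distinct_uris(sample)))
```

With six links in each alternative the raw count passes the rule's threshold of 10 although the message carries only six distinct URIs, and the capped count stops at 11, which is all the `> 10` comparison needs.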
Re: New type of SPAM aggression
Rupert Gallagher wrote on 2019-02-07 19:37:

> full __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( __HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0

mixed http and https, real spam browsers would not like it
Re: RE: New type of SPAM aggression
full __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0

On Thu, Feb 7, 2019 at 09:12, MAYER Hans wrote:
>
>> … All emails were spam with links. …
>
> We receive such spam mails with a lot of links too.
>
> Is there a rule which detects a certain amount of links inside an e-mail ?
RE: New type of SPAM aggression
> … All emails were spam with links. …

We receive such spam mails with a lot of links too.

Is there a rule which detects a certain amount of links inside an e-mail ?

// Hans

--
From: Rupert Gallagher
Sent: Wednesday, February 6, 2019 12:55 PM
To: SA
Subject: New type of SPAM aggression

This is to inform about a new type of SPAM aggression.

We received from Russia, for months, and redirected them automatically to an administrative address for manual inspection. All emails were spam with links. From the standpoint of the attacker(s), all emails were delivered, but none turned into exploits.

Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We followed the address to de-list, but gremlin.ru does not exist.

So, if you are successful against Russian spam, you will be ... blacklisted by an unknown gremlin.