Re: Detecting short-TTL domains?
Jim Maul wrote:
>
> Stream Service || Mark Scholten wrote:
>> As far as I know it isn't possible to have a TTL that is too low (if I
>> may believe the RFC files). It is also impossible to have [too] many
>> A-records. With both facts in mind I would suggest that you find
>> another method of detecting SPAM.
>>
>
> Most SA rules look for spam signs, not RFC violations. Now whether or
> not these are good spam signs I do not know...
>
> -Jim
>

It seems to me there are two legitimate reasons for short TTL.

You're running a "hobby" server on consumer broadband, and using something like DynDNS.org for its name service.

You're planning on moving soon.

In both of those cases, it would be pretty strange to have more than two or three A records. So one or the other of short-TTL and many-As is legit, but together they're good enough spam-sign that a lot of folks might use the rule. I sure would.

Cameron
--
View this message in context: http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12095972
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Detecting short-TTL domains?
We're seeing URIs in spam whose domains have between a dozen and three dozen Address records, with time-to-live TTLs less than ten minutes.

Is there a test for too many Address records? What's its name?

Is there a test for too-short TTLs?
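An added example, not part of either post and not SpamAssassin code: the combined test argued for in the reply above (short TTL and many A records together, neither alone), run over constructed dig-style answer lines. The thresholds are assumptions taken from the figures in the question; `parse_answers`, `classify` and the sample domains are hypothetical.

```python
from collections import defaultdict

# Assumed thresholds, taken from the figures quoted in the question.
MAX_TTL = 600        # "less than ten minutes", in seconds
MIN_A_RECORDS = 12   # "between a dozen and three dozen Address records"

# Constructed sample input: answer lines in "name TTL class type rdata" form.
SAMPLE_ANSWERS = "\n".join(
    [f"flux.example. 180 IN A 192.0.2.{i}" for i in range(1, 15)]      # 14 As, 3 min
    + [f"big.example. 3600 IN A 203.0.113.{i}" for i in range(1, 13)]  # 12 As, 1 hour
    + ["hobby.example. 60 IN A 198.51.100.7",       # dynamic-DNS style host
       "hobby.example. 60 IN AAAA 2001:db8::7",     # not an A record, ignored
       "; comment line",                            # ignored
       "static.example. 86400 IN A 198.51.100.20"]
)

def parse_answers(text):
    """Return {domain: [(ttl, address), ...]} for IN A records only."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue
        name, ttl, rclass, rtype, rdata = fields
        if rclass.upper() != "IN" or rtype.upper() != "A" or not ttl.isdigit():
            continue
        records[name.rstrip(".").lower()].append((int(ttl), rdata))
    return records

def classify(records):
    """Label each domain; only short TTL *and* many A records is 'suspect'."""
    verdicts = {}
    for name, rrs in records.items():
        short_ttl = min(ttl for ttl, _ in rrs) < MAX_TTL
        many_a = len({addr for _, addr in rrs}) >= MIN_A_RECORDS
        if short_ttl and many_a:
            verdicts[name] = "suspect"
        elif short_ttl:
            verdicts[name] = "short-ttl-only"   # e.g. dynamic DNS, pending move
        elif many_a:
            verdicts[name] = "many-a-only"
        else:
            verdicts[name] = "ok"
    return verdicts

if __name__ == "__main__":
    for domain, verdict in classify(parse_answers(SAMPLE_ANSWERS)).items():
        print(f"{domain}: {verdict}")
```

TTLs returned by a caching resolver count down toward zero, so the TTL input should come from the domain's authoritative servers; otherwise a long-TTL record seen late in its cache life looks short.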
rule for empty text + GIF or PDF ?
I'm seeing a huge spam run from well-distributed bots. Multipart MIME messages with an empty (three blank lines) text/plain part, *no* text/html part, and an attachment in GIF or PDF format.

I want to give those a really high score. False positives when there is no text in the message are acceptable. Hoping someone has a rule to do it.

I looked through all the rules in share/spamassassin/*.cf. There are some tests like MPART_ALT_DIFF (eval:multipart_alternative_difference('99', '100')) which seem to be looking for a text/html part, so they don't apply. I looked up that rule and the explanation is "" not exactly helpful, and it's not obvious what the arguments to multipart_alternative_difference mean or do.

I've searched on every combination of "spamassassin rule text no html" I could think of. No useful hits.