Re: Detecting short-TTL domains?

2007-08-10 Thread clsgis


Jim Maul wrote:
> 
> Stream Service || Mark Scholten wrote:
>> As far as I know it isn't possible to have a TTL that is too low (if I 
>> may believe the RFC files). It is also impossible to have [too] many 
>> A-records. With both facts in mind I would suggest that you find 
>> another method of detecting SPAM.
>> 
> 
> Most SA rules look for spam signs, not RFC violations.  Now whether or 
> not these are good spam signs I do not know...
> 
> -Jim
> 
> 

It seems to me there are two legitimate reasons for short TTL.
You're running a "hobby" server on consumer broadband, and using
something like DynDNS.org for its name service.
You're planning on moving soon.

In both of those cases, it would be pretty strange to have more than
two or three A records.
So one or the other of short-TTL and many-As is legit,
but together they're good enough spam-sign that a lot of folks
might use the rule.  I sure would.

Cameron

-- 
View this message in context: 
http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12095972
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
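
The combined test discussed in this thread (short TTL and many A records together, neither alone), as an added example that is not part of the original posts and is not SpamAssassin code. It reads answer lines in the format printed by `dig +noall +answer`; the thresholds, function names and sample records are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumed thresholds, taken from the thread: TTLs "less than ten minutes",
# and more than the "two or three" A records a legitimate short-TTL host has.
MAX_TTL = 600
MAX_A_RECORDS = 3

# One resource record per line, as printed by `dig +noall +answer`.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def summarize(answer_text):
    """Return {name: (distinct_A_count, min_ttl)} for the A records seen."""
    addrs, ttls = defaultdict(set), {}
    for line in answer_text.splitlines():
        m = RR.match(line.strip())
        if not m or m.group(3).upper() != "A":
            continue  # skip comments, blank lines, CNAME/NS and other types
        name, ttl = m.group(1).rstrip(".").lower(), int(m.group(2))
        addrs[name].add(m.group(4))
        ttls[name] = min(ttl, ttls.get(name, ttl))
    return {n: (len(a), ttls[n]) for n, a in addrs.items()}

def classify(count, ttl):
    """Only the combination of both signs is treated as a spam sign."""
    short, many = ttl < MAX_TTL, count > MAX_A_RECORDS
    if short and many:
        return "short-ttl+many-a"
    if short:
        return "short-ttl-only"
    if many:
        return "many-a-only"
    return "ordinary"

def verdicts(answer_text):
    return {n: classify(c, t) for n, (c, t) in summarize(answer_text).items()}

# Constructed sample data (reserved .test names, documentation addresses).
SAMPLE = "\n".join(
    [f"rotating.test. 180 IN A 192.0.2.{i}" for i in range(1, 15)]
    + ["hobby.test. 60 IN A 198.51.100.7",
       "cdn.test. 86400 IN A 203.0.113.1", "cdn.test. 86400 IN A 203.0.113.2",
       "cdn.test. 86400 IN A 203.0.113.3", "cdn.test. 86400 IN A 203.0.113.4",
       "www.moving.test. 300 IN CNAME moving.test.",
       "moving.test. 300 IN A 198.51.100.9"])

if __name__ == "__main__":
    for name, verdict in sorted(verdicts(SAMPLE).items()):
        print(f"{name:16} {verdict}")
```

A caching resolver reports the remaining cache lifetime rather than the zone's configured TTL, so answers taken from the authoritative server give the stable value to compare against the threshold.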



Detecting short-TTL domains?

2007-08-10 Thread clsgis

We're seeing URIs in spam whose domains have between
a dozen and three dozen Address records, with time-to-live TTLs less than
ten minutes.
Is there a test for too many Address records?  What's its name?
Is there a test for too-short TTLs?

-- 
View this message in context: 
http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12092425



rule for empty text + GIF or PDF ?

2007-08-08 Thread clsgis

I'm seeing a huge spam run from well distributed bots.  Multi part MIME messages
with an empty (three blank lines) text/plain part, *no* text/html part, and an
attachment in GIF or PDF format.

I want to give those a really high score.  False positives when there is no text in
the message are acceptable.  Hoping someone has a rule to do it.

I looked through all the rules in share/spamassassin/*.cf.  There are some tests
like MPART_ALT_DIFF (eval:multipart_alternative_difference('99', '100'))
which seem to be looking for a text/html part, so they don't apply.

I looked up that rule and the explanation is  ""
not exactly helpful, and it's not obvious what the arguments to
multipart_alternative_difference mean or do.

I've searched on every combination of "spamassassin rule text no html" I could think of.
No useful hits.



-- 
View this message in context: 
http://www.nabble.com/rule-for-empty-text-%2B-GIF-or-PDF---tf4238805.html#a12061080