A lot of spams go through, see example
http://igor.chudov.com/tmp/spam005.txt

I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?

i
Re: A lot of spams go through, see example
On Fri, December 26, 2008 20:06, Igor Chudov wrote:
> http://igor.chudov.com/tmp/spam005.txt
> I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?

Add the domain to http://uribl.com/ (you need a login there). Currently http://newyearonline.info/ is not URIBL listed; please do if this is spam for you and you are sure you did not sign up on that site.

Your SpamAssassin learned it as ham :(

Can you run

    spamassassin -D -t < msg > spamtest.log 2>&1

and paste spamtest.log to http://igor.chudov.com/tmp/ ?

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: A lot of spams go through, see example
Igor Chudov wrote:
> http://igor.chudov.com/tmp/spam005.txt
> I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?

The sending IP is currently blacklisted on FiveTenSig and ivmSIP/24. Both of these are best used as scoring lists and not for outright blocking (though ivmSIP/24 could generally be scored rather high... probably just below threshold). Even when not used for outright blocking, using either or both of these might have put the spam over the top in combination with other things.

(Note that some consider FiveTenSig too risky to even score on. I personally find FiveTenSig effective when adding about a point to the spam score. But it may be that I'm somewhat insulated from FiveTenSig FPs due to my vast IP whitelist?)

The domain name used by the spammer (newyearonline DOT info) is NOT listed on either surbl or uribl (at the time that I type this), but was blacklisted on ivmURI almost exactly two minutes *before* the spam sample you provided reached your server. However, propagation issues would have probably made this a just-barely-missed spam in terms of ivmURI's ability to block this. Still, that ivmURI caught it so early is noteworthy. It may be that ivmURI might be helpful for others of this series of spams.

One thing is for sure, you are getting the tip edge of some hard-to-catch snowshoe spam. You probably have some addresses at the very beginning of some snowshoe spammer's distribution list.

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Re: A lot of spams go through, see example
At 11:06 26-12-2008, Igor Chudov wrote:
> http://igor.chudov.com/tmp/spam005.txt
> I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?

Autolearning is categorizing that email as ham because of the zero score. Turn off autolearning or reduce the score for autolearning ham until you fix this problem.

As a quick fix, add a header rule to catch the FreeCreditReports360.com in the From header.

Regards,
-sm
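The two suggestions in the message above, written out as a SpamAssassin local.cf fragment. This is an added example, not configuration posted by anyone in the thread; the rule name LOCAL_FROM_FCR360, the score of 3.0 and the threshold of -1.0 are assumed values to adjust for your own site.

```conf
# local.cf fragment (added example; rule name and numeric values are assumptions)

# Quick fix: match the sender string seen in the sample's From header.
header   LOCAL_FROM_FCR360   From =~ /FreeCreditReports360\.com/i
describe LOCAL_FROM_FCR360   From header mentions FreeCreditReports360.com
score    LOCAL_FROM_FCR360   3.0

# Option A: turn Bayes autolearning off until the misses are fixed.
bayes_auto_learn 0

# Option B (instead of A): keep autolearning, but only learn ham from
# messages that score clearly below zero. The stock default is 0.1, so a
# message that hits no rules at all (score 0) is autolearned as ham.
# bayes_auto_learn 1
# bayes_auto_learn_threshold_nonspam -1.0
```

Run `spamassassin --lint` after editing to confirm the file parses before restarting spamd.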
Re: A lot of spams go through, see example
Igor Chudov wrote:
> http://igor.chudov.com/tmp/spam005.txt
> I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?
> i

Perhaps you can check it with http://www.openrbl.org and then you can modify your config on your mail server.
Re: A lot of spams go through, see example
SM wrote:
> At 11:06 26-12-2008, Igor Chudov wrote:
>> http://igor.chudov.com/tmp/spam005.txt
>> I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?
>
> Autolearning is categorizing that email as ham because of the zero score. Turn off autolearning or reduce the score for autolearning ham until you fix this problem.

Yes, and manually train Bayes with them so that Bayes will catch them in future. I manually train Bayes on ALL spam passing through the system (as well as any misclassified ham) as autolearning misses many of the more difficult to catch spam examples.

On my system this example fails SPF and I see URIBL_BLACK is now catching it too.