On Fri, 29 Jan 2010 11:28:31 -0500 Robert Fitzpatrick <li...@webtent.net> wrote:
> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> > On Fri, 29 Jan 2010 11:09:49 -0500
> > Robert Fitzpatrick <li...@webtent.net> wrote:
> >
> > > Could I get someone to run an example of smut spam I cannot seem
> > > to block in SA 3.2.5? This is a typical message that has been
> > > hammering one or two customers and despite learning many of these
> > > messages with bayes, still they continue...
> > >
> > > http://mx1.webtent.net/test.msg
> > >
> > > I am using Sanesecurity as well as the saupdates.
> > >
> > > --Robert
> > >
> >
> > Do the links always point to: globalnamesgroup.com or do they vary?
>
> All different, even the content, here is another example...
>
> http://mx1.webtent.net/test2.msg
>

About the best I can come up with:

In both cases the originating IP header leads to a bad/listed IP:

X-Originating-IP: [78.175.50.246]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT TYPE: single IP 78.175.50.246
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
78.175.50.246 listed in b.barracudacentral.org.
78.175.50.246 listed in PBL (ISP)

X-Originating-IP: [109.75.193.116]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT TYPE: single IP 109.75.193.116
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
109.75.193.116 listed in PBL (SPAMHAUS)
109.75.193.116 listed in dnsbl-2.uceprotect.net.
109.75.193.116 listed in dnsbl-3.uceprotect.net.

BUT! AFAIK SA would not block on these and I guess that is because Hotmail
users tend to connect with a web browser from dynamic connections.
Therefore blocking them on a dynamic space policy list (PBL) could result
in shed loads of FPs.

I'm not sure if the RelayCountry module would pick these up ???? One is in
Turkey, the other gives me an Unknown AS number or IP network error (I
have an old whois client).

This is good spam that defeats SpamAssassin pretty easily as the sender
(hotmail) is mostly globally trusted.
I agree with the other poster that the amount of spam from Hotmail is a
royal pain in the backside, but this is a spam filter and there needs to
be a way to block this kind of stuff. Perhaps there needs to be some meta
rules such as: 'comes from hotmail, has a single link, originating IP is
in a country that is often seen sending spam, lots of broken encoded
characters before the HTML section'. But I am to the world of writing
rules what Myra Hindley was to child care.
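The lookup in the report above and the meta rule sketched at the end of this reply, as an added example that is not part of the thread and not SpamAssassin's own code. It is a small Python script that pulls X-Originating-IP out of a message, builds the reversed-octet DNSBL query name, decodes the Spamhaus ZEN return codes (the PBL codes correspond to the "PBL (ISP)" and "PBL (SPAMHAUS)" lines in the report), and only scores heavily when the listing coincides with the other three signals (Hotmail sender, a single link, a run of mis-encoded characters before the HTML), which is the point made above about PBL alone producing false positives for webmail users. The "country often seen sending spam" condition is replaced by the DNSBL listing because no GeoIP data is available offline. The message, the 192.0.2.77 address, the listing table and the thresholds are constructed for the example; `dns_resolve` does a real lookup if you pass it instead of the constructed resolver.

```python
import email
import ipaddress
import re
import socket

# Constructed sample message (not one of the messages from the thread): a
# Hotmail-style sender, one link, a run of 8-bit bytes before the HTML section,
# and an X-Originating-IP in the 192.0.2.0/24 documentation range.
SAMPLE_MSG = (
    b"From: Someone <someone@hotmail.com>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: hi\r\n"
    b"X-Originating-IP: [192.0.2.77]\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    b"\xe2\x80\x8b\xc3\x83\xc2\xa2\xe2\x80\xa0\xc2\xa0\r\n"
    b"<html><body>see <a href=\"http://example.net/x\">this</a></body></html>\r\n"
)

# Zones queried; a listed address answers with an A record inside 127.0.0.0/8.
ZONES = ("zen.spamhaus.org", "b.barracudacentral.org")

# Spamhaus ZEN return codes (the two PBL codes are the ISP-maintained and
# Spamhaus-maintained halves of the PBL seen in the report above).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)", "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Constructed stand-in for DNS so the example runs offline: query name -> A records.
CONSTRUCTED_LISTINGS = {
    "77.2.0.192.zen.spamhaus.org": ["127.0.0.10"],
    "77.2.0.192.b.barracudacentral.org": ["127.0.0.2"],
}


def constructed_resolve(name):
    return CONSTRUCTED_LISTINGS.get(name, [])


def dns_resolve(name):
    """Real lookup; NXDOMAIN (raised as gaierror) means the address is not listed."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by the reversed dotted quad under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


def originating_ip(msg):
    """Return the X-Originating-IP address, or None when absent or malformed."""
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", msg.get("X-Originating-IP", ""))
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def dnsbl_hits(ip, resolve):
    hits = []
    for zone in ZONES:
        for code in resolve(dnsbl_query_name(ip, zone)):
            label = ZEN_CODES.get(code, code) if zone == "zen.spamhaus.org" else code
            hits.append(f"{zone}:{label}")
    return hits


def classify(raw, resolve=constructed_resolve):
    msg = email.message_from_bytes(raw)
    payload = msg.get_payload(decode=True) or b""
    # Bytes that do not decode under the declared charset become U+FFFD;
    # count those plus any C1/Latin-1 range characters before the first <html.
    text = payload.decode(msg.get_content_charset() or "us-ascii", errors="replace")
    html_at = text.lower().find("<html")
    preamble = text if html_at < 0 else text[:html_at]
    garbled = sum(1 for ch in preamble if ch == "\ufffd" or 0x80 <= ord(ch) <= 0xFF)
    links = set(re.findall(r"https?://[^\s\"'<>]+", text, re.I))
    ip = originating_ip(msg)
    listed = dnsbl_hits(ip, resolve) if ip else []
    hits = {
        "FROM_HOTMAIL": bool(re.search(r"@hotmail\.com>?\s*$", msg.get("From", ""), re.I)),
        "SINGLE_LINK": len(links) == 1,
        "GARBLED_PREAMBLE": garbled >= 8,   # constructed threshold
        "ORIG_IP_LISTED": bool(listed),
    }
    score = 0.0
    if hits["ORIG_IP_LISTED"]:
        score += 1.0   # alone only a hint: webmail users legitimately sit on PBL space
    if all(hits.values()):
        score += 4.0   # the meta rule: all four signals together
    return {"originating_ip": ip, "listed": listed, "hits": hits, "score": score}


if __name__ == "__main__":
    print(classify(SAMPLE_MSG))
```

Run as-is it uses the constructed listing table; `classify(SAMPLE_MSG, resolve=dns_resolve)` performs the live queries instead. Keeping the listing worth only one point on its own and reserving the real weight for the conjunction is what keeps dynamic-space (PBL) listings from becoming a blanket block on webmail traffic.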