On Sun, 2005-08-21 at 20:05 -0400, Eric A. Hall wrote:
What's the benefit of using this instead of the uridnsbl plugin? The code
below will look for the IP address behind a URI and then query the
cn-kr.blackholes.us RBL to see if that addr is in China:
This one doesn't require a DNS lookup
On 8/22/2005 3:34 PM, Derek Harding wrote:
On Sun, 2005-08-21 at 20:05 -0400, Eric A. Hall wrote:
What's the benefit of using this instead of the uridnsbl plugin? The code
below will look for the IP address behind a URI and then query the
cn-kr.blackholes.us RBL to see if that addr is in
-Original Message-
From: Eric A. Hall [mailto:[EMAIL PROTECTED]
Sent: Monday, August 22, 2005 2:50 PM
To: Derek Harding
Cc: users@spamassassin.apache.org
Subject: Re: [SPAM] RE: GeoCities Link-only spam
On 8/22/2005 3:34 PM, Derek Harding wrote:
On Sun, 2005-08-21 at 20:05
On 8/22/2005 3:50 PM, Eric A. Hall wrote:
IP::Country use Whois lookups instead though, and UDP/DNS lookups are
going to be faster than chained TCP/Whois queries.
I'll play with the plugin and see what kind of times and load I get
Some poking around, IP::Country::Fast uses a pre-built
On 8/22/2005 4:14 PM, Dallas L. Engelken wrote:
IP::Country use Whois lookups instead though
Hrmm? Where does it say it uses Real-Time Whois lookups?
The docu for IP::Country::Fast is empty and refers to IP::Country, which
describes the use of whois.
See my follow-up post though
--
Eric
On 8/8/2005 5:05 PM, Derek Harding wrote:
It allows rules such as:
uricountry URICOUNTRY_CN CN
header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describeURICOUNTRY_CN Contains a URI hosted in China
tflags URICOUNTRY_CN net
score URICOUNTRY_CN 2.0
Jonathan Nichols wrote:
uri GEOCITIES /uk.geocities.com/i
describe GEOCITIESHigh amounts of spam from Geocities.
score GEOCITIES 4.0
... spamassassin --lint came out ok.
Will this work, or have I accomplished something that I wasn't actually
trying to do? ;)
A better
Of course, if you want to match *any* Geocities URL (which I think is a
bit much for a 4-point score), you'd want something like this:
uri GEOCITIES /\.geocities\.com\b/i
or if you want to make sure it matches the domain name,
uri GEOCITIES
[58.33.99.179 listed in china.blackholes.us]
-Original Message-
From: Jonathan Nichols [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 2:36 PM
To: Kelson
Cc: SpamAssassin Users
Subject: Re: GeoCities Link-only spam
Of course, if you want to match *any* Geocities URL
On Sun, 2005-08-07 at 12:27 -0400, Greg Allen wrote:
They are also using non-Geocities addresses now. Most of the IPs they
use seem to been from China, so you could RBL china at the front end,
if you are allowed to block China that is... (my users won't let me
block China...uggh)
On Mon, 2005-08-08 at 15:53 -0500, [EMAIL PROTECTED] wrote:
It allows rules such as:
uricountry URICOUNTRY_CN CN
header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describeURICOUNTRY_CN Contains a URI hosted in China
tflags URICOUNTRY_CN
From: [EMAIL PROTECTED]
On Sun, 2005-08-07 at 12:27 -0400, Greg Allen wrote:
They are also using non-Geocities addresses now. Most of the IPs they
use seem to been from China, so you could RBL china at the front end,
if you are allowed to block China that is... (my users won't let me
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
awesome! any chance you could put this on the wiki, linked from
CustomPlugins?
- --j.
Derek Harding writes:
On Mon, 2005-08-08 at 15:53 -0500, [EMAIL PROTECTED] wrote:
It allows rules such as:
uricountry URICOUNTRY_CN CN
header
Yes, all the nasty countries could be added. Great idea going here.
-Original Message-
From: jdow [mailto:[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 5:07 PM
To: users@spamassassin.apache.org
Subject: Re: GeoCities Link-only spam
From: [EMAIL PROTECTED]
On Sun, 2005-08-07 at 12
Hi jdow,
In an older episode (Monday, 8. August 2005 23:07), jdow wrote:
Those guys are annoying. The ro folks are just plain not nice people.
If it comes from Romania it's a phish, keylogger, or worse.
I'd like to state that I deeply feel that this statement, just like any
generalization
in and test
them. I am just not sure yet. :-)
-Original Message-
From: Derek Harding [mailto:[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 5:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] Apache. Org
Subject: Re: [SPAM] RE: GeoCities Link-only spam
On Mon, 2005-08-08 at 15:53 -0500
Yes, all the nasty countries could be added. Great idea going here.
Based on my server logs, if I block mail coming from Earth, I'll take
care of 100% of incoming spam!
Now all I need to do is look up the subnet for the International Space
Station so I can whitelist it...
--
Kelson Vibber
From: wolfgang [EMAIL PROTECTED]
Hi jdow,
In an older episode (Monday, 8. August 2005 23:07), jdow wrote:
Those guys are annoying. The ro folks are just plain not nice people.
If it comes from Romania it's a phish, keylogger, or worse.
I'd like to state that I deeply feel that this
From: Kelson [EMAIL PROTECTED]
Yes, all the nasty countries could be added. Great idea going here.
Based on my server logs, if I block mail coming from Earth, I'll take
care of 100% of incoming spam!
Now all I need to do is look up the subnet for the International Space
Station so I
To: SpamAssassin Users
Subject: Re: GeoCities Link-only spam
Yes, all the nasty countries could be added. Great idea going here.
Based on my server logs, if I block mail coming from Earth, I'll take
care of 100% of incoming spam!
Now all I need to do is look up the subnet for the International
Back on topic..
Since Geocities has done exactly *nothing* to delete the spamvertized
sites, I have no objection to adding 3 points to anything with
*.geocities.com in the URL.
I tried this:
uri GEOCITIES /uk.geocities.com/i
describe GEOCITIESHigh amounts of spam from
: Re: GeoCities Link-only spam
Back on topic..
Since Geocities has done exactly *nothing* to delete the spamvertized
sites, I have no objection to adding 3 points to anything with
*.geocities.com in the URL.
I tried this:
uri GEOCITIES /uk.geocities.com/i
describe GEOCITIES
-Original Message-
From: Greg Allen [mailto:[EMAIL PROTECTED]
If it wasn't for a handful of users I would block everything
outside the continental US, and certain companies can still
do that if they do not do business outside the US.
RBLs in SA with judicious use of:
Hi!
Yea...here is an example. They are getting through here to and I have
everything turned on except dcc and razor. Here is an example. Hopefully
they will use up all their spam IPs and start getting blocked by RBLs. These
type break-throughs usually don't last too long.
This is going on for
We're also seeing general geocities references, such as:
Welcome to College Fuck Tour the most unique web site dedicated to the
beauty (and naivety) of young college girl. We’re a group of horny guys
who cruise campuses around the US to find the hottest chicks, take them
for a ride and talk
=nNSn7m
---end example---
-Original Message-
From: Rakesh [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 07, 2005 10:51 AM
To: Michele Neylon
Cc: Raymond Dijkxhoorn; Greg Allen; Kelson; [EMAIL PROTECTED] Apache.
Org
Subject: Re: GeoCities Link-only spam
On Sun
: GeoCities Link-only spam
Over the last few days, we've been seeing a lot of spam that contains
nothing but a pair of names and a link to a URL at uk.geocities.com. No
image, no obfuscation, only a small percent has any bayes poison. Just
the link and two names. Most of it is pill spam, some mortgage
Over the last few days, we've been seeing a lot of spam that contains
nothing but a pair of names and a link to a URL at uk.geocities.com. No
image, no obfuscation, only a small percent has any bayes poison. Just
the link and two names. Most of it is pill spam, some mortgage.
SURBL can't
Kelson wrote:
Over the last few days, we've been seeing a lot of spam that contains
nothing but a pair of names and a link to a URL at uk.geocities.com. No
image, no obfuscation, only a small percent has any bayes poison. Just
the link and two names. Most of it is pill spam, some mortgage.
29 matches
Mail list logo