On Mon, 2004-07-12 at 20:17, Dan Kohn wrote:
> I believe the rule SB_NEW_BULK in 3.0 already does what you want, in
> terms of identifying new IP addresses sending large amounts of mail.
>
> # S23 = domain daily magnitude
> # S25 = date of first message from this domain
> header SB_NEW_BULK eval:check_rbl_sub('sb', 'sb:S23 > 6.2 && (time - S25 < 120*86400)')
> describe SB_NEW_BULK Sender domain is new and very high volume
> tflags SB_NEW_BULK net

How is the "high volume" determined? Is it determined by watching an
aggregated message feed at (e.g.) MessageLabs?

What I was thinking was to be more proactive. Also, I'm thinking of
SURBL, not DNSBL. Emails with URLs for domains less than a month old
should be suspect. If a URL for a newly-registered domain scores a
point, then "throwaway" domains may get tagged as spam *before* they
have a chance to generate a large stream of messages that brings them to
someone's (possibly automated) notice.

--
John Hardin KA7OHZ <[EMAIL PROTECTED]>
Internal Systems Administrator voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Tomorrow: Apropos Forum 2004
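
The two checks discussed in this message, side by side, as an added example that is not part of the original thread and is not SpamAssassin code. It assumes a per-domain record with a registration date (from whatever source, e.g. WHOIS, a deployment would query) plus stand-ins for the S23 and S25 fields; all names and sample values are constructed, and the quoted condition is applied to URL domains here only for comparison.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real measurements). "first_seen" and "magnitude"
# stand in for the S25 and S23 fields of the quoted rule; "registered" stands in
# for whatever registration-date source a deployment would query.
NOW = datetime(2004, 7, 12, tzinfo=timezone.utc)
DOMAINS = {
    "fresh-pills.example": {"registered": NOW - timedelta(days=3),
                            "first_seen": NOW - timedelta(days=1), "magnitude": 2.1},
    "bulk-blast.example":  {"registered": NOW - timedelta(days=20),
                            "first_seen": NOW - timedelta(days=15), "magnitude": 6.8},
    "old-shop.example":    {"registered": NOW - timedelta(days=2000),
                            "first_seen": NOW - timedelta(days=900), "magnitude": 6.5},
}

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def url_domains(body):
    """Return the registered domain of every http(s) URL in the body.
    Simplification: the last two labels are taken as the registered domain."""
    hosts = (h.lower().rstrip(".") for h in URL_HOST.findall(body))
    return sorted({".".join(h.split(".")[-2:]) for h in hosts})

def new_bulk(rec, now=NOW):
    """The condition from the quoted rule: S23 > 6.2 && (time - S25 < 120*86400)."""
    age = (now - rec["first_seen"]).total_seconds()
    return rec["magnitude"] > 6.2 and age < 120 * 86400

def new_url_domain(rec, now=NOW, max_age_days=30):
    """The proposal: a URL domain registered less than a month ago scores a point."""
    return (now - rec["registered"]) < timedelta(days=max_age_days)

def score(body):
    """Map each known URL domain in the body to (new_bulk hit, new-domain hit)."""
    return {d: (new_bulk(DOMAINS[d]), new_url_domain(DOMAINS[d]))
            for d in url_domains(body) if d in DOMAINS}

# Constructed message body with mixed-case hosts and subdomains.
MESSAGE = """Order now at http://www.fresh-pills.example/buy or
http://Mail.Bulk-Blast.example/offer - as seen on https://old-shop.example/"""

if __name__ == "__main__":
    for domain, (bulk, fresh) in score(MESSAGE).items():
        print(f"{domain:22} new_bulk={bulk!s:5} new_url_domain={fresh}")
```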