martin smith wrote:

> Trouble with the SURBL is that you can receive a lot of these spams
> before they get listed, they also seem to change domain name twice a day or
> more to keep ahead of the listing, that's why I wanted something to block
> them if they don't hit any black lists.
> 
> Martin
> 

True, which is part of why I use some greylisting. It helps the blacklist hit
rates.


I really don't know of any good static rule that works consistently for these
that won't just nail every email with embedded images.

One thing you might look at is this part:

8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m

Note that after the first 3 numbers, it's an alternating sequence of random
lower-case letters and numbers. The repeating part is 140 characters long, or 70
repeats.

You could probably pick out 50 or so of these with low FP rate:

body L_STRANGE_ID       /(?:\d[a-z]){50}/
score L_STRANGE_ID      0.1


Another tool to try here, which has the same drawbacks as surbl, is razor.

Razor can pick up on the hash of the embedded image, text, or URI so this way
you're forcing them to change three things: domains, images and body text.
(Razor hashes each mime part and each URI separately, so spam can be identified
by any one of these, not just the combined whole of the message.)

While not perfect, at least this gets you 3 shots at the message based on 
content.
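
An added example, not part of the original message: a small Python harness for checking the L_STRANGE_ID pattern against the token quoted above and against a few benign strings, and for reporting the longest digit+letter run so the repeat count can be tuned. The benign samples and helper names are constructed for illustration; SpamAssassin itself evaluates the rule as a Perl regex.

```python
import re

# Same pattern as the L_STRANGE_ID rule; re.ASCII keeps \d and [a-z] to ASCII.
RULE = re.compile(r"(?:\d[a-z]){50}", re.ASCII)
PAIR_RUN = re.compile(r"(?:\d[a-z])+", re.ASCII)

# Token quoted in the message above.
SPAM_TOKEN = (
    "8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k"
    "1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i"
    "7m7c5m"
)

# Constructed samples (not from the page): strings legitimate mail may carry.
NEAR_MISS = "".join(f"{i % 10}{chr(97 + i % 26)}" for i in range(49))
BENIGN = {
    "sha256 hex": "3f9a0c1e7b2d4a6f8091a2b3c4d5e6f70a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "base64 image": "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7",
    "order id": "Your order ref is 7k2m9x4p1q, tracking 1z999aa10123456784",
    "49 pairs": "id " + NEAR_MISS + " end",
}


def longest_pair_run(text):
    """Length, in digit+letter pairs, of the longest alternating run."""
    return max((len(m.group(0)) // 2 for m in PAIR_RUN.finditer(text)), default=0)


def rule_hits(text, pairs=50):
    """True if a run of at least `pairs` pairs exists (pairs=50 is the rule)."""
    return longest_pair_run(text) >= pairs


def report(samples, pairs=50):
    """Return {name: (longest_run, hit)} so the repeat count can be tuned."""
    return {n: (longest_pair_run(t), rule_hits(t, pairs)) for n, t in samples.items()}


if __name__ == "__main__":
    corpus = {**BENIGN, "spam token": SPAM_TOKEN}
    for name, (run, hit) in report(corpus).items():
        print(f"{name:14} longest run={run:3} hit={hit}")
```

Running the same report over a sample of your own ham shows how far the repeat count could be lowered before legitimate identifiers start to hit.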
