Hi,

I am running Spamassassin (spamd) with Exim 4.50.

When the Geocities spams picked up a couple of months ago, I added
these rules after searching the Internet as to how to check for
specific URIs in message-bodies.

uri GEOCITIES_CHECK1 /^http:\/\/..\.geocities\.com\//
score GEOCITIES_CHECK1  8.0
describe GEOCITIES_CHECK1 GEOCITIES_CHECK1, Body

uri GEOCITIES_CHECK2 /^http:\/\/geocities\.yahoo\.com\...\//
score GEOCITIES_CHECK2  8.0
describe GEOCITIES_CHECK2 GEOCITIES_CHECK2, Body

I also added country-rules like this to mark mails that come from, say
China:

header RCVD_FROM_CHINA eval:check_rbl_txt('country_cn','cn.countries.blackholes.us.')
describe RCVD_FROM_CHINA Received from China
tflags RCVD_FROM_CHINA net
score RCVD_FROM_CHINA 5.0

Since most Geocities mails came from China, these rules combined worked
really well. Unfortunately, now we are at the point where they are no
longer using simple Geocities links. Now it seems to be sites hosted
somewhere in China, with arbitrary domain-names. I have been getting
more and more of those lately. They slip right through Spamassassin
with very low spam-scores.

What I would like to do now is to somewhat combine the two approaches:
parse mail-bodies for URIs (just as it's done with the Geocities
example), then use the IP the link resolves to with the countries
blackhole-list to find out if the site is in China, Korea or any of the
other well-known spammer-countries (as done in the blackhole rules
above) and assign a spam-score based on that.

Is there a way to do that and is it a reasonable thing to do? The
mail-volume is fairly low, so the overhead involved should not be too
bad.

Many thanks.

-Markus
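Added example, not part of Markus's post: a stand-alone Python sketch of the approach he describes, extracting URI hostnames from a body, resolving each to an address, and testing the reversed address against per-country DNS blackhole zones in the same way the `check_rbl_txt` header rule does. The cn zone is the one the post uses; the Korea zone, the rule names and scores, and the sample body, hosts and addresses are constructed assumptions, and the stub resolver and stub lookup exist only so the example runs offline.

```python
import re
import socket
from urllib.parse import urlsplit

# Rough URI matcher for plain-text bodies; trailing punctuation is stripped below.
URI_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Hypothetical rule table: zone -> (rule name, score). The cn zone is the one
# the post's header rule queries; the kr zone, names and scores are assumptions.
COUNTRY_ZONES = {
    "cn.countries.blackholes.us.": ("URI_HOST_IN_CHINA", 5.0),
    "kr.countries.blackholes.us.": ("URI_HOST_IN_KOREA", 5.0),
}


def extract_hosts(body):
    """Return the distinct URI hostnames in a body, in order of first appearance."""
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri.rstrip(".,;:!?")).hostname
        if host:
            host = host.lower()
            if host not in hosts:
                hosts.append(host)
    return hosts


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def score_uri_hosts(body, resolve=socket.gethostbyname, lookup=socket.gethostbyname):
    """Resolve each URI host and test its address against every country zone.

    `resolve` maps a hostname to an IPv4 string; `lookup` queries a DNSBL name
    and raises OSError (socket.gaierror) on NXDOMAIN, which is how DNS-based
    lists say "not listed". Both default to real DNS; stubs are injected below
    so the example runs offline. Each rule fires at most once per message, as
    a SpamAssassin rule would. Returns (total score, sorted list of rule names).
    """
    fired = {}
    for host in extract_hosts(body):
        try:
            ip = resolve(host)
        except OSError:
            continue  # unresolvable host: nothing to check
        for zone, (rule, score) in COUNTRY_ZONES.items():
            try:
                lookup(dnsbl_name(ip, zone))
            except OSError:
                continue  # not listed in this country's zone
            fired[rule] = score
    return round(sum(fired.values()), 1), sorted(fired)


# --- constructed sample data for a stand-alone run (not real hosts or addresses) ---
SAMPLE_BODY = """Dear friend,

Great offer at http://www.example-shop.test/offer, or see http://192.0.2.10/x.
Questions? Write to http://mail.example.org/contact

Thanks"""

STUB_ADDRESSES = {
    "www.example-shop.test": "192.0.2.10",
    "mail.example.org": "198.51.100.7",
}
STUB_LISTED = {"10.2.0.192.cn.countries.blackholes.us."}


def stub_resolve(host):
    """Stand-in for socket.gethostbyname using the constructed table above."""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        return host  # IP literal in the URI
    if host in STUB_ADDRESSES:
        return STUB_ADDRESSES[host]
    raise socket.gaierror("stub: no such host")


def stub_lookup(name):
    """Stand-in for a DNSBL query: any answer means listed, NXDOMAIN means not."""
    if name in STUB_LISTED:
        return "127.0.0.2"
    raise socket.gaierror("stub: not listed")


if __name__ == "__main__":
    print(score_uri_hosts(SAMPLE_BODY, resolve=stub_resolve, lookup=stub_lookup))
```

Two points worth keeping in mind when using this at scan time: every URI in every message turns into at least one DNS resolution plus one query per zone, so results should be cached and the number of hosts looked up per message bounded, and a host's country is only one signal, since legitimate mail links to sites hosted anywhere, so the score should stay well below the spam threshold on its own.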
