...

Bart Schaefer wrote:
>The largest number of spam messages currently getting through SA at my
>site are short text-only spams with subject "Re: good " followed by an
>obfuscated drug name (so badly mangled as to be unrecognizable in many
>cases).  The body contains a gappy-text list of several other kinds of
>equally unreadable pharmaceuticals, a single URL which changes daily
>if not more often, and then several random words and a short excerpt
>from a novel.
>
>They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone
>aren't scored high enough to classify as spam, and I'm reluctant to
>crank them up just for this.  However, the number of spams getting
>through SA has tripled in the last four days or so, from around 14 for
>every thousand trapped, to around 40.
>
>I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far
>they aren't having any useful effect.  Other suggestions?
>

        These few rules can help a lot (potentially with some possible FPs
though).  And as always, train your BAYES with the ones that get through
and enable the digest tests (i.e. DCC, Pyzor and Razor).

uridnsbl        URI_COMPLETEWHOIS       combined-HIB.dnsiplists.completewhois.com.      A
body            URI_COMPLETEWHOIS       eval:check_uridnsbl('URI_COMPLETEWHOIS')
describe        URI_COMPLETEWHOIS       URI in combined-HIB.dnsiplists.completewhois.com
tflags          URI_COMPLETEWHOIS       net
score           URI_COMPLETEWHOIS       1.25

uridnsbl        URI_IN_SORBS_DNS_SPAM   spam.dnsbl.sorbs.net.   A
body            URI_IN_SORBS_DNS_SPAM   eval:check_uridnsbl('URI_IN_SORBS_DNS_SPAM')
describe        URI_IN_SORBS_DNS_SPAM   URI in spam.dnsbl.sorbs.net
tflags          URI_IN_SORBS_DNS_SPAM   net
score           URI_IN_SORBS_DNS_SPAM   1.125

meta URI_M_SBL_COMWHOIS         (URI_COMPLETEWHOIS && URIBL_SBL)
describe URI_M_SBL_COMWHOIS     Both SBL and COMPLETEWHOIS
score URI_M_SBL_COMWHOIS        1.375

meta URI_M_SORBS_SPAM_SBL       (URI_IN_SORBS_DNS_SPAM && URIBL_SBL)
describe URI_M_SORBS_SPAM_SBL   Both SORBS SPAM and SBL
score URI_M_SORBS_SPAM_SBL      0.5

meta URI_M_SORBS_SPAM_CWHO      (URI_IN_SORBS_DNS_SPAM && URI_COMPLETEWHOIS)
describe URI_M_SORBS_SPAM_CWHO  Both SORBS SPAM and CompleteWhois
score URI_M_SORBS_SPAM_CWHO     0.833

        These rules help to catch brand new domains at the same IP as
previous spam domains (i.e. they are IP based BLs).  If you have any
"religious" problems with SORBS, leave those out.  About 92% of what I
see hit the completewhois rule, also hits the meta-rule, and over 9 months,
I've never had an FP from the meta rule (which means my scoring is likely
out of whack - too high for the BL tests, and too low for the meta rules).

        Also, as always, watch out for line-wrap and be sure to lint after
adding them to any local configuration files.

        These add two DNS lookups, but will catch about half of Leo's pill
spam (adding several points for most of them).

        Paul Shupak
        [EMAIL PROTECTED]
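As an added illustration (not code from the post or from SpamAssassin itself), the Python stand-in below walks through what the uridnsbl and meta rules above do: hostnames are pulled from URIs in the body, the IPs behind each host are queried in the IP-based zones with their octets reversed, and a '&&' meta rule adds its score only when both lookups hit. The DNS and DNSBL steps are replaced by constructed lookup tables so it runs offline; the sample body, hostname, IP and listing data are all made up.

```python
import re
from ipaddress import IPv4Address

# Rules from the post: name -> (DNSBL zone, score).
URIDNSBL_RULES = {
    "URI_COMPLETEWHOIS": ("combined-HIB.dnsiplists.completewhois.com", 1.25),
    "URI_IN_SORBS_DNS_SPAM": ("spam.dnsbl.sorbs.net", 1.125),
}
# One of the post's meta rules: fires only when both lookups hit.
META_RULES = {"URI_M_SORBS_SPAM_CWHO": (("URI_IN_SORBS_DNS_SPAM", "URI_COMPLETEWHOIS"), 0.833)}
URI_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def dnsbl_query_name(ip, zone):
    """IP-based lists are queried with the octets reversed: 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + zone

def check_uridnsbl(body, host_ips, is_listed):
    """Set of uridnsbl rules hit by the URIs in body.
    host_ips(host) stands in for DNS (the real plugin resolves the domain's nameserver
    IPs); is_listed(query_name) stands in for the DNSBL A-record query."""
    hits = set()
    for host in {m.group(1).lower() for m in URI_RE.finditer(body)}:
        for ip in host_ips(host):
            for rule, (zone, _score) in URIDNSBL_RULES.items():
                if is_listed(dnsbl_query_name(ip, zone)):
                    hits.add(rule)
    return hits

def apply_meta(hits):
    """Add each meta rule whose '&&' sub-rules all fired."""
    hits = set(hits)
    for rule, (deps, _score) in META_RULES.items():
        if all(d in hits for d in deps):
            hits.add(rule)
    return hits

def total_score(hits):
    scores = {r: s for r, (_z, s) in URIDNSBL_RULES.items()}
    scores.update({r: s for r, (_d, s) in META_RULES.items()})
    return round(sum(scores[r] for r in hits if r in scores), 3)

# Constructed sample: pill-spam style body with one URL, plus stand-in DNS data.
SAMPLE_BODY = "Re: good V.i.a.g.r.a\nC.i.a.l.i.s http://pills-example.invalid/x we eight\n"
SAMPLE_IPS = {"pills-example.invalid": ["192.0.2.10"]}
SAMPLE_LISTED = {"10.2.0.192.combined-HIB.dnsiplists.completewhois.com",
                 "10.2.0.192.spam.dnsbl.sorbs.net"}

def score_sample():
    hits = apply_meta(check_uridnsbl(SAMPLE_BODY, lambda h: SAMPLE_IPS.get(h, []), SAMPLE_LISTED.__contains__))
    return hits, total_score(hits)  # -> 3.208 with both lookups and the meta rule
```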
