... Bart Schaefer wrote:
>The largest number of spam messages currently getting through SA at my
>site are short text-only spams with subject "Re: good " followed by an
>obfuscated drug name (so badly mangled as to be unrecognizable in many
>cases). The body contains a gappy-text list of several other kinds of
>equally unreadable pharmaceuticals, a single URL which changes daily
>if not more often, and then several random words and a short excerpt
>from a novel.
>
>They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone
>aren't scored high enough to classify as spam, and I'm reluctant to
>crank them up just for this. However, the number of spams getting
>through SA has tripled in the last four days or so, from around 14 for
>every thousand trapped, to around 40.
>
>I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far
>they aren't having any useful effect. Other suggestions?
>
These few rules can help a lot (potentially with some possible FPs though). And as always, train your BAYES with the ones that get through and enable the digest tests (i.e. DCC, Pyzor and Razor).

uridnsbl URI_COMPLETEWHOIS combined-HIB.dnsiplists.completewhois.com. A
body URI_COMPLETEWHOIS eval:check_uridnsbl('URI_COMPLETEWHOIS')
describe URI_COMPLETEWHOIS URI in combined-HIB.dnsiplists.completewhois.com
tflags URI_COMPLETEWHOIS net
score URI_COMPLETEWHOIS 1.25

uridnsbl URI_IN_SORBS_DNS_SPAM spam.dnsbl.sorbs.net. A
body URI_IN_SORBS_DNS_SPAM eval:check_uridnsbl('URI_IN_SORBS_DNS_SPAM')
describe URI_IN_SORBS_DNS_SPAM URI in spam.dnsbl.sorbs.net
tflags URI_IN_SORBS_DNS_SPAM net
score URI_IN_SORBS_DNS_SPAM 1.125

meta URI_M_SBL_COMWHOIS (URI_COMPLETEWHOIS && URIBL_SBL)
describe URI_M_SBL_COMWHOIS Both SBL and COMPLETEWHOIS
score URI_M_SBL_COMWHOIS 1.375

meta URI_M_SORBS_SPAM_SBL (URI_IN_SORBS_DNS_SPAM && URIBL_SBL)
describe URI_M_SORBS_SPAM_SBL Both SORBS SPAM and SBL
score URI_M_SORBS_SPAM_SBL 0.5

meta URI_M_SORBS_SPAM_CWHO (URI_IN_SORBS_DNS_SPAM && URI_COMPLETEWHOIS)
describe URI_M_SORBS_SPAM_CWHO Both SORBS SPAM and CompleteWhois
score URI_M_SORBS_SPAM_CWHO 0.833

These rules help to catch brand new domains at the same IP as previous spam domains (i.e. they are IP based BLs). If you have any "religious" problems with SORBS, leave those out.

About 92% of what I see hit the completewhois rule also hits the meta-rule, and over 9 months I've never had an FP from the meta rule (which means my scoring is likely out of whack - too high for the BL tests, and too low for the meta rules).

Also, as always, watch out for line-wrap and be sure to lint after adding them to any local configuration files.

These add two DNS lookups, but will catch about half of Leo's pill spam (adding several points for most of them).

Paul Shupak [EMAIL PROTECTED]
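The following is an added example, not code from either poster or from SpamAssassin itself. It shows what the rules in the reply above actually do: each URI in the body is resolved to an IPv4 address, the address is reversed octet by octet and queried under the list zone (that is what "IP based BLs" means), and the meta rules then add extra points only when two independent lists agree. The stock URIBL_SBL rule that the metas reference is included with an assumed score of 1.5 (not a value from any SpamAssassin release); the resolver table, the DNSBL answers and the message body are all constructed so the script runs offline with no real lookups.

```python
import ast
import ipaddress
import re

# Rule snippet from the reply above, plus the stock URIBL_SBL rule the metas
# reference. The URIBL_SBL score is an assumed placeholder (not SA's real value).
RULES = """
uridnsbl URI_COMPLETEWHOIS combined-HIB.dnsiplists.completewhois.com. A
body URI_COMPLETEWHOIS eval:check_uridnsbl('URI_COMPLETEWHOIS')
tflags URI_COMPLETEWHOIS net
score URI_COMPLETEWHOIS 1.25

uridnsbl URI_IN_SORBS_DNS_SPAM spam.dnsbl.sorbs.net. A
body URI_IN_SORBS_DNS_SPAM eval:check_uridnsbl('URI_IN_SORBS_DNS_SPAM')
tflags URI_IN_SORBS_DNS_SPAM net
score URI_IN_SORBS_DNS_SPAM 1.125

uridnsbl URIBL_SBL sbl.spamhaus.org. A
body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
tflags URIBL_SBL net
score URIBL_SBL 1.5

meta URI_M_SBL_COMWHOIS (URI_COMPLETEWHOIS && URIBL_SBL)
score URI_M_SBL_COMWHOIS 1.375
meta URI_M_SORBS_SPAM_SBL (URI_IN_SORBS_DNS_SPAM && URIBL_SBL)
score URI_M_SORBS_SPAM_SBL 0.5
meta URI_M_SORBS_SPAM_CWHO (URI_IN_SORBS_DNS_SPAM && URI_COMPLETEWHOIS)
score URI_M_SORBS_SPAM_CWHO 0.833
"""


def parse_rules(text):
    """Return (uridnsbl zones, meta expressions, scores), each keyed by rule name."""
    zones, metas, scores = {}, {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "uridnsbl":
            zones[parts[1]] = parts[2].rstrip(".")   # drop the trailing FQDN dot
        elif parts[0] == "meta":
            metas[parts[1]] = " ".join(parts[2:])
        elif parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return zones, metas, scores


def dnsbl_query_name(ip, zone):
    """IP-based list lookup: reverse the octets and append the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def uri_hosts(body):
    """Hostnames of the http(s) URIs found in a message body."""
    return set(re.findall(r"https?://([A-Za-z0-9.-]+)", body))


# Only boolean logic may appear in a meta expression; anything else is rejected.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or,
            ast.UnaryOp, ast.Not, ast.Name, ast.Load)


def eval_meta(expr, hits):
    """Evaluate a SpamAssassin meta expression against the set of rules that hit.
    The expression is rewritten into Python boolean syntax and its AST is
    whitelisted before evaluation, so a config line cannot run arbitrary code."""
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    tree = ast.parse(py, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("unsupported token in meta rule: %r" % expr)
    names = {n.id: (n.id in hits) for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return bool(eval(compile(tree, "<meta>", "eval"), {"__builtins__": {}}, names))


def score_message(body, resolve, listed, rules=RULES):
    """Run the URI DNSBL rules, then the metas; return (hit rule names, total score).
    `resolve` maps hostname -> IPv4 (stands in for the A lookup);
    `listed` is the set of DNSBL query names that would receive an answer."""
    zones, metas, scores = parse_rules(rules)
    hits = set()
    for host in uri_hosts(body):
        ip = resolve.get(host.lower())
        if ip is None:
            continue
        for rule, zone in zones.items():
            if dnsbl_query_name(ip, zone) in listed:
                hits.add(rule)
    for rule, expr in metas.items():
        if eval_meta(expr, hits):
            hits.add(rule)
    return hits, sum(scores.get(r, 0.0) for r in hits)


# Constructed sample data: one pill-spam style body, a fake resolver table and the
# DNSBL answers a listed IP would produce. Nothing here touches the network.
SAMPLE_BODY = "Re: good xxxxx\n\nhttp://pills-example.test/buy\n\nsome random words"
RESOLVER = {"pills-example.test": "192.0.2.10"}
LISTED = {
    dnsbl_query_name("192.0.2.10", "combined-HIB.dnsiplists.completewhois.com"),
    dnsbl_query_name("192.0.2.10", "sbl.spamhaus.org"),
}

if __name__ == "__main__":
    hits, total = score_message(SAMPLE_BODY, RESOLVER, LISTED)
    print(sorted(hits), total)
```

With the constructed data the message hits URI_COMPLETEWHOIS and URIBL_SBL, so URI_M_SBL_COMWHOIS fires as well and the three together contribute 4.125 points; a host listed only on one of the zones gets the single BL score and no meta bonus, which is the point of the reply's "both lists agree" metas.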