> > I think that a SA plugin which resolves URIs would be enough: > I received > some of these spams, everyone containing a URI pointing to > the very same web
No direct plugin, but URIBL will catch most of these fairly quickly. Its not a new tactic, but has recently picked up on the spam runs. Throw away domain names are on the rise this month. > host (124.0.208.235) also, the DNS server is: > > a) defined with two different names, but only one (again > 124.0.208.235); > > b) the same of the web host in your case (in mines, it was a > different one). Pretty common. The whois info seems to match a pattern as well. > > By "black-listing" URI's host IPs, one could easily score > high this kind of > e-mails. Maybe there is also some RBL regarding web hosts, by > the way. Is > it? > > Such a plugin doesn't yet exists, anyway (or, at least, I > don't know about > it). Again, no direct plugin for host IPs. You have to use URIBL and SURBL lookups. But the time from initial spam run to being listed is pretty quick. The IP you listed has been watched for over a month now. ;) Thanks, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com