Igor Chudov wrote:
> http://igor.chudov.com/tmp/spam005.txt
>
> I get a lot of these, all seemingly sent by the same software and the
> same person, any way of filtering them out?
>
The sending IP is currently blacklisted on FiveTenSig and ivmSIP/24. Both of these are best used as "scoring" lists and not for outright blocking (though ivmSIP/24 could generally be scored rather high... probably just below threshold). Even when not used for outright blocking, using either or both of these might have put the spam "over the top" in combination with other things.

(Note that some consider FiveTenSig too risky to even score on. I personally find FiveTenSig effective when adding about a point to the spam score. But it may be that I'm somewhat insulated from FiveTenSig FPs due to my vast IP whitelist?)

The domain name used by the spammer ("newyearonline DOT info") is NOT listed on either surbl or uribl (at the time that I type this), but was blacklisted on ivmURI almost exactly two minutes *before* the spam sample you provided reached your server. However, propagation issues would have probably made this a just-barely-missed spam in terms of ivmURI's ability to block this. Still, that ivmURI caught it so early is noteworthy. It may be that ivmURI might be helpful for others of this series of spams.

One thing is for sure, you are getting the tip edge of some hard-to-catch snowshoe spam. You probably have some addresses at the very beginning of some snowshoe spammer's distribution list.

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
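
The scoring approach and the propagation timing discussed in the reply above, as an added example that is not part of the original thread. The zone names, the threshold, the weights, the IP, the domain and the delays are all assumptions or constructed values, and a dictionary stands in for the DNS lookup so the sketch runs offline.

```python
import ipaddress

THRESHOLD = 5.0  # assumed spam threshold; not stated in the post
# (zone, kind, points). Zone names are placeholders, not the lists' real zones.
# Weights follow the post loosely: about one point for FiveTenSig, ivmSIP/24
# just below threshold; the ivmURI weight is an assumption.
ZONES = [
    ("fiveten.example", "ip", 1.0),
    ("ivmsip24.example", "ip", 4.5),
    ("ivmuri.example", "uri", 4.0),
]

def ip_query(ip, zone):
    """IP DNSBL convention: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def uri_query(domain, zone):
    """URI DNSBL convention: the domain itself prepended to the zone."""
    return domain.lower().rstrip(".") + "." + zone

def is_listed(listings, name, now, delay):
    """Stand-in for a DNS A lookup against a local mirror: a record is
    visible only once `delay` seconds have passed since it was listed."""
    listed_at = listings.get(name)
    return listed_at is not None and now >= listed_at + delay

def score_message(base, ip, domain, now, listings, delay):
    """Add each list's points to the content score; nothing blocks outright."""
    total, hits = base, []
    for zone, kind, points in ZONES:
        name = ip_query(ip, zone) if kind == "ip" else uri_query(domain, zone)
        if is_listed(listings, name, now, delay):
            total += points
            hits.append(zone)
    return total, hits, total >= THRESHOLD

# Constructed data: times in seconds, URI listed at t=0, mail arrives at t=120.
LISTINGS = {
    ip_query("192.0.2.45", "fiveten.example"): -86400,
    uri_query("spam-domain.example", "ivmuri.example"): 0,
}

if __name__ == "__main__":
    for delay in (300, 60):  # slow vs. fast propagation to the mirror
        print(delay, score_message(3.0, "192.0.2.45", "spam-domain.example",
                                   120, LISTINGS, delay))
```

With the slower mirror the message stays under the threshold even though the URI was listed two minutes before arrival; with the faster one the same listing pushes it over.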