Paweł Tęcza wrote:
> Also a lot of spams I received have good reverse IP address. We use
> greylisting for our mail system, but we still receive that spam.
>
> Maybe that IP address above has been noted on popular RBL lists, but the
> spammers still use new infected machines, so they can leave RBLed hosts.
> So I would like to find a better solution for fighting that spam than only
> using RBLs.

I don't really agree with you; RBLs like the Spamhaus PBL and SORBS DUHL list hosts in dynamic/consumer IP ranges that should not be connecting directly to port 25, and these are precisely the hosts that are sending this spam. I'm using the PBL myself and that kills 99.99% of these spams cheaply without requiring the more expensive SA checks.

And this rule kills any that get relayed or are from infected hosts not listed in the PBL:

# Image spam
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/\w+/i
endif
header __FSL_BOGUS_TZ Date =~ /\s-0200\s\(\S+\)$/
meta FSL_IMAGE_SPAM1 (__ANY_IMAGE_ATTACH && __FSL_BOGUS_TZ)
score FSL_IMAGE_SPAM1 5.0

Note: requires that you have the MIMEHeader plug-in enabled.

Normally I wouldn't post these rules here; but I'm interested to see how long before this rule gets rendered useless by the botmaster that's sending these.

Regards,
Steve.
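
The two conditions of the rule above, re-expressed as an added Python sketch for checking what they match before deploying them (not part of the original post and not SpamAssassin's own matching code). The function names, addresses and sample messages are constructed; the two regular expressions are copied from the posted rule.

```python
import re
from email import message_from_string

# Patterns copied from the posted rule.
IMAGE_CT = re.compile(r"image/\w+", re.I)          # __ANY_IMAGE_ATTACH
BOGUS_TZ = re.compile(r"\s-0200\s\(\S+\)$")        # __FSL_BOGUS_TZ

def any_image_attach(msg):
    # A mimeheader rule is tested against the header of every MIME part.
    return any(IMAGE_CT.search(part.get("Content-Type", "")) for part in msg.walk())

def bogus_tz(msg):
    # Date must end in "-0200" followed by a parenthesised comment.
    return bool(BOGUS_TZ.search((msg.get("Date") or "").strip()))

def fsl_image_spam1(raw):
    # meta FSL_IMAGE_SPAM1 (__ANY_IMAGE_ATTACH && __FSL_BOGUS_TZ)
    msg = message_from_string(raw)
    return any_image_attach(msg) and bogus_tz(msg)

def build(date, with_image):
    # Constructed sample message; the attachment body is a placeholder.
    parts = ["Content-Type: text/plain\n\nhello\n"]
    if with_image:
        parts.append('Content-Type: image/gif; name="a.gif"\n'
                     "Content-Transfer-Encoding: base64\n\nAAAA\n")
    body = "".join("--b1\n" + p for p in parts) + "--b1--\n"
    return ("From: sender@example.com\nTo: rcpt@example.net\n"
            f"Date: {date}\nSubject: test\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n' + body)

# Constructed test cases: (Date header, has image part)
SAMPLES = [
    ("Tue, 05 Dec 2006 10:00:00 -0200 (BRST)", True),   # both conditions met
    ("Tue, 05 Dec 2006 10:00:00 -0200 (BRST)", False),  # no image part
    ("Tue, 05 Dec 2006 10:00:00 +0200 (EET)", True),    # different offset
    ("Tue, 05 Dec 2006 10:00:00 -0200", True),          # no trailing comment
]

if __name__ == "__main__":
    for date, img in SAMPLES:
        print(f"{date!r:45} image={img!s:5} hit={fsl_image_spam1(build(date, img))}")
```

The first sample shows that the meta rule fires on any image-bearing message whose Date ends in `-0200 (…)`, so mail genuinely sent from a UTC-2 zone with a timezone comment would also score 5.0.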