----- "John Hardin" <jhar...@impsec.org> wrote:

> On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
> > Maybe this will sound dumb but wouldn't it be perfectly
> > safe to blacklist "example.com" after all, that isn't a
> > domain you're ever going to get mail from.
> > 
> > Ted
> 
> That is there because Alex likely wishes to keep his real domain
> private. Note that the envelope TO address is @example.com, which
> would never be delivered, unless Alex really _does_ own the
> example.com domain...
> 
> > MySQL Student wrote:
> >
> > > I'm having trouble catching a particular type of spam, and hoped
> > > someone had some time to take a look:
> > > 
> > > http://pastebin.com/d57336542
> > > 
> > > It doesn't match RAZOR2, or any of the URI lists, and it's only
> > > BAYES_50. I have a pretty well-established BAYES db, so I'm
> surprised
> > > it's only BAYES_50. What can I do to block spam like this in the
> > > future?
> > > 
> > > Thanks,
> > > Alex
> 
> Alex, there's likely not much you can do. On a spam that short
> there's not a lot to work with.
> 
> You could increase the score for URI_HEX.
> 
> If the form of the URI is consistent, perhaps something like this
> would help:
> 
>   uri  URI_NUMERIC_CCTLD  m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i
> 
> This is really suspicious:
> 
>   X-Mailer: Gentoo
> 
> Gentoo is an OS, not a MUA. Is that at all consistent? If so:
> 
>   header GENTOO_MUA  X-Mailer =~ /^Gentoo$/
> 
> Or perhaps this:
> 
>   header MUA_ONE_WORD  X-Mailer =~ /^[a-z]+$/i
> 
> (all untested, sorry)
> 
Alex,

Ran it through myself and got a pretty decent score, so it seems to depend on
whether you are checking any of the other RBLs?

Content analysis details:   (20.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
                            [74.86.146.6 listed in b.barracudacentral.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                 [Blocked - see <http://www.spamcop.net/bl.shtml?74.86.146.6>]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [74.86.146.6 listed in zen.spamhaus.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [74.86.146.6 listed in dnsbl.sorbs.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 888098.tk]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [74.86.146.6 listed in sip.invaluement.com]
 4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
                            [URIs: 888098.tk]
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.4 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4553]

Best Regards,

-- 
SplatNIX IT Services :: Innovation through collaboration
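Two things in this thread are worth checking offline before touching a live SpamAssassin config: how much of that 20.0 actually comes from the DNS-based RBL/URIBL lookups (the point of the reply above), and what John Hardin's proposed `uri` and `header` rules would and would not match. The following is an added example, not code from the thread or from SpamAssassin; it embeds a constructed copy of the score rows from the report above, classifies rules as "network" by a rule-name prefix heuristic (an assumption, not SpamAssassin's own notion of network tests), and re-expresses the three proposed rule patterns as Python regexes so they can be tried against sample URIs and X-Mailer values. The sample URIs and header values other than `888098.tk` and `Gentoo` are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the score rows from the report in the reply above,
# copied into a string so the parser runs without a SpamAssassin install.
SA_REPORT = """\
 3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
                            [74.86.146.6 listed in b.barracudacentral.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                 [Blocked - see <http://www.spamcop.net/bl.shtml?74.86.146.6>]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [74.86.146.6 listed in zen.spamhaus.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [74.86.146.6 listed in dnsbl.sorbs.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 888098.tk]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [74.86.146.6 listed in sip.invaluement.com]
 4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
                            [URIs: 888098.tk]
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.4 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4553]
"""

# A score row starts with a signed decimal score followed by the rule name;
# the indented "[... listed in ...]" continuation lines never match this.
ROW_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")

# Assumption: rule-name prefixes that indicate DNS/network lookups. Anything
# else is counted as a local (header/body/Bayes) test.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_", "RAZOR2_", "DCC_", "PYZOR_")


def parse_report(text: str) -> List[Tuple[str, float]]:
    """Return (rule_name, score) pairs from a 'Content analysis details' table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(2), float(m.group(1))))
    return rows


def score_breakdown(rows: List[Tuple[str, float]]) -> Dict[str, float]:
    """Split the total into network-test points and local-test points."""
    network = sum(s for r, s in rows if r.startswith(NETWORK_PREFIXES))
    local = sum(s for r, s in rows if not r.startswith(NETWORK_PREFIXES))
    return {"network": round(network, 1), "local": round(local, 1),
            "total": round(network + local, 1)}


# The three rules proposed in the quoted reply, with SpamAssassin's pattern
# delimiters (m,...,i and /.../) rewritten as Python regexes. 'uri' rules are
# applied to every URI extracted from the body; header rules to one header.
PROPOSED_RULES = {
    "URI_NUMERIC_CCTLD": ("uri", re.compile(r"^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/", re.I)),
    "GENTOO_MUA": ("X-Mailer", re.compile(r"^Gentoo$")),
    "MUA_ONE_WORD": ("X-Mailer", re.compile(r"^[a-z]+$", re.I)),
}


def rules_hit(uris: List[str], headers: Dict[str, str]) -> List[str]:
    """Names of the proposed rules that fire for the given URIs and headers.

    A missing header is treated as an empty string, so neither X-Mailer rule
    fires when the header is absent.
    """
    hits = []
    for name, (target, pattern) in PROPOSED_RULES.items():
        candidates = uris if target == "uri" else [headers.get(target, "")]
        if any(pattern.search(c) for c in candidates):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(score_breakdown(parse_report(SA_REPORT)))
    # Constructed inputs: the real URI from the report, plus made-up ones.
    print(rules_hit(["http://888098.tk/"], {"X-Mailer": "Gentoo"}))
    print(rules_hit(["http://12.34.tk/"], {"X-Mailer": "Mozilla Thunderbird 2.0"}))
    print(rules_hit(["http://192.0.2.1/"], {}))
```

Note what the breakdown shows: with the prefix heuristic, 19.6 of the 20.0 points come from RBL and URIBL lookups and only 0.4 from local tests, which is why a setup without those network tests sees essentially nothing on this message. The regex check also shows that `URI_NUMERIC_CCTLD` as written needs at least two dot-separated numeric labels before the two-letter TLD, so it does not fire on `888098.tk`, and that `MUA_ONE_WORD` fires on any single-word X-Mailer, not just `Gentoo`, so it needs a careful look at legitimate mail before it gets a meaningful score.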
