----- "John Hardin" <jhar...@impsec.org> wrote:

> On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
> > Maybe this will sound dumb but wouldn't it be perfectly
> > safe to blacklist "example.com" after all, that isn't a
> > domain you're ever going to get mail from.
> >
> > Ted
>
> That is there because Alex likely wishes to keep his real domain
> private. Note that the envelope TO address is @example.com, which would
> never be delivered, unless Alex really _does_ own the example.com
> domain...
>
> > MySQL Student wrote:
> > >
> > > I'm having trouble catching a particular type of spam, and hoped
> > > someone had some time to take a look:
> > >
> > > http://pastebin.com/d57336542
> > >
> > > It doesn't match RAZOR2, or any of the URI lists, and it's only
> > > BAYES_50. I have a pretty well-established BAYES db, so I'm surprised
> > > it's only BAYES_50. What can I do to block spam like this in the
> > > future?
> > >
> > > Thanks,
> > > Alex
>
> Alex, there's likely not much you can do. On a spam that short there's
> not a lot to work with.
>
> You could increase the score for URI_HEX.
>
> If the form of the URI is consistent, perhaps something like this would
> help:
>
>   uri URI_NUMERIC_CCTLD m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i
>
> This is really suspicious:
>
>   X-Mailer: Gentoo
>
> Gentoo is an OS, not a MUA. Is that at all consistent? If so:
>
>   header GENTOO_MUA X-Mailer =~ /^Gentoo$/
>
> Or perhaps this:
>
>   header MUA_ONE_WORD X-Mailer =~ /^[a-z]+$/i
>
> (all untested, sorry)

Alex,
Ran it through myself and got a pretty decent score, so it seems to depend on
whether you are checking any of the other RBLs?

Content analysis details:   (20.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
                            [74.86.146.6 listed in b.barracudacentral.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?74.86.146.6>]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [74.86.146.6 listed in zen.spamhaus.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [74.86.146.6 listed in dnsbl.sorbs.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 888098.tk]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [74.86.146.6 listed in sip.invaluement.com]
 4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
                            [URIs: 888098.tk]
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.4 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4553]

Best Regards,

-- 
SplatNIX IT Services :: Innovation through collaboration
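As an added example (not part of the thread, and not SpamAssassin's own matcher), a small Python checker that parses the three rules John proposed and runs them against constructed sample input, using a simplified approximation of SpamAssassin's uri/header rule matching. The X-Mailer value and the URLs are constructed: the host 888098.tk is the one the score report lists, while the URL form and the second host are assumptions. Running it shows that URI_NUMERIC_CCTLD, as written, needs at least two numeric labels before the ccTLD, so a URL on a single-label host such as 888098.tk does not fire it.

```python
import re

# Constructed sample input modelled on the thread: the X-Mailer value John
# flagged, plus two URLs. The host 888098.tk is the one the score report
# lists; the full URL forms and the second host are assumptions.
SAMPLE_HEADERS = {"X-Mailer": "Gentoo"}
SAMPLE_URIS = ["http://888098.tk/", "http://123.456.789.tk/"]

# The three rules proposed in the thread, in SpamAssassin rule syntax.
RULES = r"""
uri URI_NUMERIC_CCTLD m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i
header GENTOO_MUA X-Mailer =~ /^Gentoo$/
header MUA_ONE_WORD X-Mailer =~ /^[a-z]+$/i
"""

def sa_regex(literal):
    """Compile an SA regex literal (/re/flags or m<d>re<d>flags) as a Python regex."""
    if literal.startswith("m"):          # m<delim>...<delim>flags form
        literal = literal[1:]
    delim = literal[0]
    end = literal.rfind(delim)           # last delimiter, so the ',' in {2,} is safe
    pattern, flags = literal[1:end], literal[end + 1:]
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0)

def parse_rules(text):
    """Return (name, kind, header_name, regex) tuples for uri/header rules."""
    rules = []
    for line in text.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind == "uri":
            rules.append((name, kind, None, sa_regex(rest)))
        elif kind == "header":
            hdr, _op, literal = rest.split(None, 2)   # "X-Mailer =~ /re/"
            rules.append((name, kind, hdr, sa_regex(literal)))
    return rules

def evaluate(rules, headers, uris):
    """Names of rules that fire: header rules search the named header value,
    uri rules fire if any extracted URI matches (Perl =~ search semantics)."""
    hits = []
    for name, kind, hdr, rx in rules:
        if kind == "uri" and any(rx.search(u) for u in uris):
            hits.append(name)
        elif kind == "header" and rx.search(headers.get(hdr, "")):
            hits.append(name)
    return hits

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for uri in SAMPLE_URIS:
        print(uri, "->", evaluate(rules, SAMPLE_HEADERS, [uri]))
```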