On 2011-09-07 20:21, dar...@chaosreigns.com wrote:
> I actually put off dealing with these for a while because it was not
> outside the realm of possibility that I had subscribed to this forum to
> respond to some post. But I finally looked at it, and I definitely have no
> login information for this domain. The website actually looks like it
> might be a legitimate web forum. I thought maybe they were actively
> scraping forum discussions from another domain, but a little google
> searching seems to eliminate that possibility. So either it's a
> (semi?) legit web forum that is using its private message alerts for
> spamming which changed its domain (so I can't find my matching login
> information), or it's entirely a spamming operation doing a real good
> job of looking like a legit forum.
>
> The 10 emails I've gotten over the last month:
> http://www.chaosreigns.com/sa/wannabebig.txt
>
> The rule I just created:
>
> header WANNABEBIG_FROM From =~ /wannabebigforums\.com/i
> score WANNABEBIG_FROM 5
> describe WANNABEBIG_FROM Email is from wannabebigforums.com

why not:

blacklist_from *@wannabebigforums.com

and make use of shortcircuiting ?
seems way faster and simpler to handle.

or even more efficient, block them at SMTP level and if you're lucky
you'll fall off the alerts and if not, you won't be giving SA cpu cycles
away.
And report to Rackspace's abuse if they continue hammering.

> (8 of the 10 emails scored 0.6 before this rule. 2 scored 3.1.)
>
> 9 of the emails are private message alerts seemingly from web forum
> software directing me to http://www.wannabebig.com/forums/private.php
> The other is a direct email with a http://bit.ly/ link that I'm not
> clicking on due to likelihood of unique identification.
>
> I'm interested in thoughts on what's going on here. And opinions on adding
> a related rule to the default SpamAssassin rule set. Are people getting
> legitimate email from this site?

if a rule to default SA was added for every spam anybody gets... do the
math...
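
An added example, not part of either message in this thread: a small Python model of how the two approaches above differ in what they match. It assumes the header rule is an unanchored regex over the whole From header, and that blacklist_from treats its argument as a glob ('*' and '?' only) that must match the entire address; it models the From header only, and the sample headers are constructed.

```python
import re
from email.utils import getaddresses

# The header rule from the thread: unanchored, case-insensitive,
# evaluated against the whole From header (display name included).
HEADER_RULE = re.compile(r"wannabebigforums\.com", re.IGNORECASE)

def glob_to_regex(glob):
    """Model of address-list matching (an assumption of this example):
    '*' and '?' are wildcards, everything else is literal, and the
    pattern must cover the entire address."""
    out = []
    for ch in glob.lower():
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

BLACKLIST = glob_to_regex("*@wannabebigforums.com")

def header_rule_hits(from_header):
    return HEADER_RULE.search(from_header) is not None

def blacklist_hits(from_header):
    # Only the parsed address is compared, never the display name.
    return any(BLACKLIST.match(addr) for _, addr in getaddresses([from_header]))

# Constructed From headers (not taken from the ten emails in the thread).
SAMPLES = [
    "Forum <alerts@wannabebigforums.com>",                    # plain sender
    "alerts@WannaBeBigForums.com",                            # case differs
    '"re: wannabebigforums.com thread" <friend@example.org>', # name only
    "Bob <bob@wannabebigforums.com.example.net>",             # longer domain
    "alerts@mail.wannabebigforums.com",                       # subdomain
    "Alice <alice@example.org>",                              # unrelated
]

def compare(headers=SAMPLES):
    """Return (header, header_rule_hit, blacklist_hit) for each header."""
    return [(h, header_rule_hits(h), blacklist_hits(h)) for h in headers]

if __name__ == "__main__":
    for h, rule, bl in compare():
        print(f"header_rule={rule!s:5} blacklist_from={bl!s:5} {h}")
```

The regex rule also fires on a display name or a longer domain that merely contains the string, while the address glob misses mail sent from a subdomain unless a second pattern such as `*@*.wannabebigforums.com` is listed.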