One way you can get rid of about 1/4 of your botnet spam is to set your highest numbered MX record as follows:

tarbaby.junkemailfilter.com

It always returns a 4xx error but it does two things. Botnets often try the highest MX first - and they don't retry. So 1/4 or so of your botnet spam never comes to you. AND - I get to harvest some of the spambot data to improve the HOSTKARMA blacklist.

On 10/15/2011 12:55 PM, Jenny Lee wrote:
Hello Everyone,

Is there any way to get these people?

Instead of doing greylisting, I started doing SA+Greylisting 3 months ago. 
Since then, this guy always gets through until I modify our custom ruleset to 
block his URLs.

Currently I have:
uri OUR_CUSTOM_URI /\.(tumblr\.com|de\.tl|fileave\.com|ripway\.com)\//

Bayes is on, and it gets trained with his emails. Bayes is 100% accurate for us 
with no false-positives.

This is requiring constant maintenance. There surely must be a solution.

Thank you.

Jenny


Return-Path:<sabr...@lbstudio.eu>
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.0 required=5.0 tests=AWL,BAYES_50,
     MSGID_FROM_MTA_HEADER,OUR_CUSTOM_URI autolearn=no version=3.3.1
X-Spam-Report:
     *  5.0 OUR_CUSTOM_URI URI: Botnet spammers
     *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
     *      [score: 0.5769]
     *  0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
     *  0.2 AWL AWL: From: address is in the auto white-list
X-Spam-Checker-Version: SPAMASSASSIN 3.3.1 (20/09/2011)
Received: from netup.it (netup.consultingweb.it [195.128.235.186])
     by our_domain.comt (version_here) with ESMTP id p8QGoDc9030358
     for<some...@ourdomain.com>; Mon, 26 Sep 2011 20:50:15 +0400
Message-Id:<201109261650.p8qgodc9030...@ourdomain.com>
Received: from uvecfhputwix ([93.176.234.155]) by netup.it with MailEnable 
ESMTP; Sun, 25 Sep 2011 21:07:46 +0200
Date: Sun, 25 Sep 2011 22:02:06 +0200
From: sabr...@lbstudio.eu
User-Agent: Thunderbird 2.0.0.27 (Windows/20090808)
MIME-Version: 1.0
To: blessedpinkan...@aol.com
Subject: [SPAM] T !r (a -n*n =l&e ` S !e .x|
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Delayed for 00:00:00 by milter-greylist-4.3.9 (ourdomain.com 
[1.1.1.1]); Mon, 26 Sep 2011 20:50:16 +0400 (MUT)
X-CENSOR-Robot: SPAM BUSTER v4.0 (08/08/2011) Active Mode
X-Spam-Prev-Subject: T !r (a -n*n =l&e ` S !e .x|
X-CENSOR-Class: SPAM

fwoicka odrp jbguybf etvwmbwm
i aluawj ggn. http://darrentanch1.tumblr.com/ poxpzafxc, cl ipcvlhboht ajjd 
wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.


or a more recent one:

Subject: Se^x M-o ^v ~l e -

zp, qtw iqgcjlmkyk bnwbspnoix
dzgujz f v tdovsp. http://hnungarid.fileave.com/index.html czqrrgdmud ymlfkdv 
wh jhuaemf dus iv wztppda nqq vwoq nppfb.

                                        


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
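
A check for the MX arrangement described at the top of this message, as an added example that is not part of the original post and not Junk Email Filter's own code: it parses zone-file style MX lines and confirms the always-4xx host is the highest-numbered MX with at least one real mail server below it. The `example.org` zone lines and the function names are constructed for illustration, and the parser assumes one MX record per line with an explicit owner name.

```python
import re

TARBABY = "tarbaby.junkemailfilter.com"  # hostname given in the message above

# Constructed sample zone lines (example.org hosts are placeholders).
GOOD_ZONE = """\
example.org.  3600 IN MX 10 mail.example.org.
example.org.  3600 IN MX 20 backup.example.org.
example.org.  3600 IN MX 90 tarbaby.junkemailfilter.com.
"""
BAD_ZONE = """\
example.org.  3600 IN MX 5  tarbaby.junkemailfilter.com.
example.org.  3600 IN MX 10 mail.example.org.
"""

MX_LINE = re.compile(r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)", re.I)


def parse_mx(zone_text):
    """Return [(preference, host)] sorted by preference (lowest number first)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return sorted(records)


def check_tarbaby(zone_text, tarbaby=TARBABY):
    """Return a list of problems; an empty list means the layout is sound."""
    records = parse_mx(zone_text)
    problems = []
    prefs = [p for p, h in records if h == tarbaby]
    real = [p for p, h in records if h != tarbaby]
    if not prefs:
        problems.append("tarbaby MX not present")
        return problems
    if not real:
        problems.append("no real MX: every delivery attempt would get 4xx")
    elif min(prefs) <= max(real):
        problems.append("tarbaby is not the highest-numbered MX: senders "
                        "that follow MX order reach the 4xx host before a real server")
    return problems


if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, check_tarbaby(zone) or "OK")
```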
