G.W. Haywood wrote:
> Hi there,
>
> On Tue, 16 Jan 2018, Kris Deugau wrote:
>> I'm trying to create signatures to match a particular series of
>> large to very large spams whose main identifier is a <style> or
>> <script> tag containing neither CSS nor Javascript.
>> However, I'm having trouble finding a valid signature string ...
>
> I wonder if it would be easier to filter the sender(s) rather than to
> filter the messages. I use GeoIP and a homebrew Sendmail milter very
> successfully, and I never see the sort of spam you describe. Can you
> share with this list some of the IP addresses from which the messages
> are being sent? A couple of dozen would be a good start I think.
"All over the place".
We only hard block on Spamhaus hits and a handful of sender addresses;
our experience with seeing other providers' variously more aggressive IP
blocking result in blocked legitimate mail has left us disinclined to do
the same.
I feed the IPs to a local DNSBL, but it's only used as a scored result
in SpamAssassin; we don't get enough volume in the process (and
occasionally mis-list something that shouldn't have been) to reliably
reject mail outright on it.
We also don't see these broadly over our user base (I don't see any to
my staff account or any of the aliases it's in, nor to anything directed
to my personal account on my own server), but they're regularly reported
by a couple of customers.
-kgd
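As an added illustration (not code from this thread, from ClamAV or from SpamAssassin), here is a small Python heuristic for the kind of message Kris describes: it collects the bodies of <style> and <script> elements from an HTML part and flags the ones that are long but contain none of the tokens real CSS or JavaScript would carry. The two sample messages and the token lists are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Tokens that real stylesheet / script content almost always contains
# (constructed heuristic lists, tune for your own mail stream).
CSS_HINT = re.compile(r"[{}]|@media|@font-face|@import")
JS_HINT = re.compile(r"\b(var|let|const|function|document|window|return)\b|[;{}()]")


class _TagBodyCollector(HTMLParser):
    """Collects the raw text found inside <style> and <script> elements."""

    def __init__(self):
        super().__init__()
        self._current = None   # (tagname, [chunks]) while inside one
        self.bodies = []       # list of (tagname, text) once closed

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._current = (tag, [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if self._current is not None and tag == self._current[0]:
            self.bodies.append((tag, "".join(self._current[1])))
            self._current = None


def suspicious_blocks(html, min_len=200):
    """Return (tag, length) for each <style>/<script> body that is at
    least min_len characters yet shows no CSS/JS syntax at all."""
    parser = _TagBodyCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for tag, text in parser.bodies:
        body = text.strip()
        if len(body) < min_len:
            continue            # short blocks are too noisy to judge
        hint = CSS_HINT if tag == "style" else JS_HINT
        if not hint.search(body):
            flagged.append((tag, len(body)))
    return flagged


# Constructed samples: a genuine stylesheet vs. prose stuffed into tags.
CLEAN_HTML = ("<html><head><style>" + "body { margin: 0; font-family: sans-serif; } " * 8
              + "</style></head><body><p>Hello</p></body></html>")
FILLER_HTML = ("<html><head><style>" + "quick brown fox jumps over the lazy dog " * 10
               + "</style></head><body><p>Click here</p><script>"
               + "some unrelated words stuffed in here " * 10 + "</script></body></html>")
```

Calling suspicious_blocks(FILLER_HTML) flags both tags while the clean message yields an empty list; the same function can be applied to each text/html part of a parsed message.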
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users