BADCOUNTRYNOREVDNS would have stopped this.

http://www.mailpure.com/software/decludefilters/badcountrynorevdns/BadCountryNoREVDNS_v1-0-0.zip

This was sent from an IP block where at least the entire class C belongs to spammers that host in China. Even before I added this filter, over 99% of spam coming from China was being deleted on my system. A lot of this stuff either originates from China, North Korea, or a zombie somewhere, and the MAILFROM and HELO are often randomized and fail SPAMDOMAINS as well as my FOREIGN/TLD filter set. The zombies also don't do very well with the various DUL lists. NJABL's version of the old EASYNET-DYNA also lists this IP, though I don't believe it is a DUL line; some of the RBLs have simply chosen to include Chinese blocks in their lists because they are almost always spam (FIVETENSRC is another one that blacklists China, for instance). This E-mail would have scored at least 300% of my hold weight based on just the IP (and been deleted).

There are more clues in that E-mail than just that one thing. So go after a group of things and almost always, enough of them end up sticking.

Matt



John Tolmachoff (Lists) wrote:

E.N.L.A^R.G.E

A derivative of the COMMENTS test for the subject. The only issue here
is that this stuff is otherwise easy to target with a bunch of other
filters and therefore it almost never avoids deletion on my system. I'm
watching this one though because it could become much worse. With the
new functionality it's also possible to write a filter for this although
it's a bit kludgey.



That is just it, I am seeing more and more of this, and in trying to avoid using expensive body filters as much as possible, am looking for ways to trap these.

Example, this one 1iving?Bnddddx was caught by these tests:

X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=218.79.217.52";
X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=218.79.217.52";
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 218.79.217.52
with no reverse DNS entry.
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 8.
X-RBL-Warning: Total weight: 30
X-RBL-Warning: TESTS FAILED: SORBS-DUL, CBL, IPNOTINMX, REVDNS,
NOLEGITCONTENT, SPAMCHECK

I am holding at 30 and deleting at 35. (Currently, I am seeing about 5%
legit in that range, and that is too high for delete action.)

SORBS-DUL gets 7 and CBL gets 10. REVDNS gets 5.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
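John's X-RBL-Warning headers and his hold/delete thresholds, worked through as an added example (not Declude's code, and not either poster's): it unfolds the headers, re-scores the TESTS FAILED list against a weight table, checks the sum against the Total weight header, and maps the total to hold, delete or deliver. The SORBS-DUL, CBL and REVDNS weights are the ones John states; the IPNOTINMX, NOLEGITCONTENT and SPAMCHECK weights and the folding of the sample headers are assumptions.

```python
import re

# Constructed sample: the X-RBL-Warning headers quoted in John's message,
# folded with leading whitespace the way a mail server writes continuation lines.
SAMPLE_HEADERS = """\
X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See:
 http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=218.79.217.52"
X-RBL-Warning: CBL: "Blocked - see
 http://cbl.abuseat.org/lookup.cgi?ip=218.79.217.52"
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 218.79.217.52
 with no reverse DNS entry.
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 8.
X-RBL-Warning: Total weight: 30
X-RBL-Warning: TESTS FAILED: SORBS-DUL, CBL, IPNOTINMX, REVDNS,
 NOLEGITCONTENT, SPAMCHECK
"""

# SORBS-DUL, CBL and REVDNS weights are the ones John states; the other
# three are ASSUMED here, chosen only so the six tests sum to his total of 30.
WEIGHTS = {"SORBS-DUL": 7, "CBL": 10, "REVDNS": 5,
           "IPNOTINMX": 3, "NOLEGITCONTENT": 1, "SPAMCHECK": 4}
HOLD_WEIGHT, DELETE_WEIGHT = 30, 35   # John's hold and delete thresholds

def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def warning(raw, label):
    """Return the text after 'X-RBL-Warning: <label>:' or None if that test is absent."""
    pattern = re.compile(r"X-RBL-Warning:\s*" + re.escape(label) + r":\s*(.*)")
    for line in unfold(raw):
        m = pattern.match(line)
        if m:
            return m.group(1).strip()
    return None

def evaluate(raw, weights=WEIGHTS, hold=HOLD_WEIGHT, delete=DELETE_WEIGHT):
    """Re-score a message from its TESTS FAILED list and pick hold/delete/deliver."""
    failed = [t.strip() for t in (warning(raw, "TESTS FAILED") or "").split(",") if t.strip()]
    total = sum(weights.get(t, 0) for t in failed)      # tests with no weight count 0
    action = "delete" if total >= delete else "hold" if total >= hold else "deliver"
    declared = warning(raw, "Total weight")
    return {"tests": failed, "total": total, "action": action,
            "matches_header": declared is not None and int(declared) == total}
```

Raising a single high-confidence test's weight to the delete threshold is how Matt's "300% of hold weight" outcome is reached; lowering `delete` in the call below shows the same headers tipping from hold to delete.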





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
