Since spammers often host their spamvertised sites at spam-friendly ISPs
(e.g. Chinanet), I've been doing some tests with "hat-checking"
spamvertised URLs.

After resolving the URL hostname, the resulting IPs get RBL-checked
against *.blackholes.us to find if they belong to a known spamfriendly
ISP. If yes, the spam score will rise. For example, Chinanet is "worth"
4.0 points, as almost any email containing a link to a site hosted at
Chinanet is spam.

For high-traffic environments it is really useful to mirror all used
*.blackholes.us zones, if possible on a DNS server running on the MTA host
itself. The number of DNS lookups per email is quite high, but most
spammers spamvertise the same IP quite often, and *.blackholes.us uses
long TTL values.

This way spammers will have a problem - they may choose a spam-friendly
ISP, but they'll have more of their spam emails filtered. Or they choose
a "white-hat" ISP and don't get filtered, but get kicked.


Sorry if a similar idea has been mentioned before, but IMHO it is quite
useful to beat spammers with their own weapons, of which black-hat ISPs
are a major one.

My patch against SpamAssassin 2.60 (Debian/unstable: 2.60-2)
http://docsnyder.de/nospam/sa_check_blackhat_isps.patch.gz


Sample output:

---
Content analysis details:   (9.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- -----------------------------------------------
 0.1 HTML_70_80             BODY: Message is 70% to 80% HTML
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.2 HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
 0.8 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
 0.4 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
 2.5 HOSTED_AT_HE           RBL: Uses a URL hosted at HE.net
                            [64.62.236.182 listed in he.blackholes.us]
 3.0 HOSTED_IN_CHINA        RBL: Uses a URL hosted in China
                            [211.162.110.184 listed in china.blackholes.us]
---

Without the URL IP tests, spam score would have been 3.6...

/.
DocSnyder.
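
The check described in this message, sketched in Python as an added example (it is not DocSnyder's patch and not SpamAssassin code). The zones, rule names, scores and the two IPs come from the sample report above; the example.biz hostnames, the 127.0.0.2 answers, the function names and the once-per-message scoring are assumptions.

```python
import ipaddress
import re
import socket

# Zone -> (rule name, score), taken from the sample report in the post.
ZONES = {
    "he.blackholes.us": ("HOSTED_AT_HE", 2.5),
    "china.blackholes.us": ("HOSTED_IN_CHINA", 3.0),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed offline DNS data: hostnames and 127.0.0.2 answers are made up,
# the IPs and their listings are the two shown in the sample report.
FAKE_DNS = {
    "shop.example.biz": ["64.62.236.182"],
    "img.example.biz": ["211.162.110.184"],
    "182.236.62.64.he.blackholes.us": ["127.0.0.2"],
    "184.110.162.211.china.blackholes.us": ["127.0.0.2"],
}


def dns_a(name):
    """Live lookup: IPv4 addresses for name, [] if it does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []


def dnsbl_name(ip, zone):
    """DNSBL query name: the IP's octets reversed, prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_body(body, resolve=dns_a):
    """Return (score, hits); each rule counts once per message (assumption)."""
    hits = {}
    hosts = sorted({h.lower().strip(".") for h in URL_HOST.findall(body)} - {""})
    for host in hosts:
        for ip in resolve(host):
            for zone, (rule, score) in ZONES.items():
                # Any A record in the zone means the IP is listed there.
                if rule not in hits and resolve(dnsbl_name(ip, zone)):
                    hits[rule] = (score, ip, zone)
    return sum(s for s, _, _ in hits.values()), hits
```

Pass `resolve=lambda n: FAKE_DNS.get(n, [])` to run it offline; the default resolver issues one lookup per hostname plus one per IP and zone, which is the query volume that makes a local zone mirror worthwhile.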




_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
