Florian,

Thanks for this very cool work. It seems to work great so far... I'm going to run it a while and see what kind of results I get over time.

Since I run Debian (and have customized packages before) it was relatively easy for me to install your patch. Any recommendations for those (on this list and beyond) who don't use Debian?

Chris

PS. I don't know why I keep trying to improve my SA setup... no spam has gotten past in months ;)

Florian L. Klein said:
>
> Since spammers often host their spamvertised sites at spamfriendly ISPs
> (e. g. Chinanet), I've been doing some tests with "hat-checking"
> spamvertised URLs.
>
> After resolving the URL hostname, the resulting IPs get RBL-checked
> against *.blackholes.us to find if they belong to a known spamfriendly
> ISP. If yes, the spam score will rise. For example, Chinanet is "worth"
> 4.0 points, as almost any email containing a link to a site hosted at
> Chinanet is spam.
>
> For high-traffic environments it is really useful to mirror all used
> *.blackholes.us zones, if possible on a DNS running on the MTA host
> itself. The amount of DNS lookups per email is quite high, but most
> spammers spamvertise the same IP quite often, and *.blackholes.us uses
> long TTL values.
>
> This way spammers will have a problem - they may choose a spamfriendly
> ISP, but they'll have more of their spam emails filtered. Or they choose
> a "white-hat" ISP and don't get filtered but kicked.
>
>
> Sorry if a similar idea has been mentioned before, but IMHO it is quite
> useful to beat spammers with their own weapons, of which black-hat ISPs
> are a major one.
>
> My patch against SpamAssassin 2.60 (Debian/unstable: 2.60-2)
> http://docsnyder.de/nospam/sa_check_blackhat_isps.patch.gz
>
>
> Sample output:
>
> ---
> Content analysis details: (9.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- -----------------------------------------------
>  0.1 HTML_70_80             BODY: Message is 70% to 80% HTML
>  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.2 HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
>  0.8 BIZ_TLD                URI: Contains a URL in the BIZ top-level
>                             domain
>  0.4 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
>  2.5 HOSTED_AT_HE           RBL: Uses a URL hosted at HE.net
>                             [64.62.236.182 listed in he.blackholes.us]
>  3.0 HOSTED_IN_CHINA        RBL: Uses a URL hosted in China
>                             [211.162.110.184 listed in
>                             china.blackholes.us]
> ---
>
> Without the URL IP tests, spam score would have been 3.6...
>
> /.
> DocSnyder.
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive? Does it
> help you create better code? SHARE THE LOVE, and help us help
> YOU! Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
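
The check described in the quoted message, as an added Python sketch that is not part of the thread and is not Florian's SpamAssassin patch: URL hostnames are resolved, each IP is turned into a reversed-octet query under the two zones shown in the sample report, and each rule scores once per message. The injectable `resolve` argument, the function names and the per-message cache are assumptions made for this example.

```python
import ipaddress
import re
import socket

# Zone -> (rule name, score), taken from the sample report in the quoted message.
ZONES = {
    "he.blackholes.us": ("HOSTED_AT_HE", 2.5),
    "china.blackholes.us": ("HOSTED_IN_CHINA", 3.0),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Default resolver (assumption): A records via the system resolver, [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except (socket.gaierror, UnicodeError):
        return []


def check_body(body, resolve=resolve_a):
    """Return (added score, hits) for URL hosts whose IPs are listed in ZONES."""
    cache, hits, fired = {}, [], set()

    def lookup(name):  # the same host or IP is often linked many times
        if name not in cache:
            cache[name] = resolve(name)
        return cache[name]

    hosts = {h.lower().rstrip(".") for h in URL_HOST.findall(body)} - {""}
    for host in sorted(hosts):
        for ip in lookup(host):
            for zone, (rule, score) in ZONES.items():
                # Any A record returned under the zone means the IP is listed.
                if rule not in fired and lookup(dnsbl_name(ip, zone)):
                    fired.add(rule)
                    hits.append((rule, score, ip, zone))
    return round(sum(h[1] for h in hits), 1), hits
```

With the two IPs from the sample report listed, the added score is 5.5, which is the difference between the reported 9.1 and the 3.6 the message would have scored without the URL IP tests.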