I always send an email CC'd to: 1)The domain holder 2)The ISP 3)The ISP's ISP
#3 always get's #1 and #2's attention ;) --Chris > -----Original Message----- > From: Carl R. Friend [mailto:[EMAIL PROTECTED] > Sent: Friday, December 19, 2003 2:51 PM > To: Christopher X. Candreva > Cc: Spamassassin List > Subject: Re: [SAtalk] Random variable in Subject, not covered by any > current rules > > > On Fri, 19 Dec 2003, Christopher X. Candreva wrote: > > > A Spam got through SA last night, with two things I hadn't > seen before - Yet > > another form of a %RANDOM variable that isn't replaced by a value: > > > > Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned > > That's a "ratware misfire". The spammer is too stupid to use > his own software effectively. I saw several hundred of those at > my PPOE this past week. > > > And a bizare X-Originating-IP header: > > > > X-Originating-IP: [530000x.netIP] > > 530000.net is the site he was trying to spamvertise. > > > I whipped up a little rule to take care of the first, is there any > > possiblity the second is ligit ? Otherwise, I would say a > rule that makes > > sure X-Originating-IP headers actually have an IP in them > would be in order: > > > > header SUBJ_HAS_RND_TAG Subject =~ /\%RND_UC_CHAR/ > > describe SUBJ_HAS_RND_TAG Subject contains Random tag > > score SUBJ_HAS_RND_TAG 2 > > That'll account for the misfires, but not the "real" spams. Not > that binning the misfires is a bad thing (they ought to be a *very* > good indicator of compromised third-party systems). > > What's the general consensus in the anti-spam community: Should we > file a complaint with the ISP who hosts such compromised systems? I'm > *not* interested in getting innocent bystanders crucified by over- > vigilant ISP staff, but I don't exactly think that we can stand by > and do nothing. Thoughts on this, and conversation, are most welcome. > > +------------------------------------------------+------------ > ---------+ > | Carl Richard Friend (UNIX Sysadmin) | West > Boylston | > | Minicomputer Collector / Enthusiast | > Massachusetts, USA | > | mailto:[EMAIL PROTECTED] > +---------------------+ > | http://users.rcn.com/crfriend/museum | ICBM: > 42:22N 71:47W | > +------------------------------------------------+------------ > ---------+ > > > > ------------------------------------------------------- > This SF.net email is sponsored by: IBM Linux Tutorials. > Become an expert in LINUX or just sharpen your skills. Sign > up for IBM's > Free Linux Tutorials. Learn everything from the bash shell > to sys admin. > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click > _______________________________________________ > Spamassassin-talk mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk > ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
