Hi!
Yea...here is an example. They are getting through here too and I have everything turned on except dcc and razor. Here is an example. Hopefully they will use up all their spam IPs and start getting blocked by RBLs. These types of break-throughs usually don't last too long.
This is going on for at least 8 days now. We have like 15.000 examples over that period of time. We also notified geocities but they don't respond at all.
SURBL can't catch it, because all it sees is geocities.com. Some of them have tripped SARE header tests, but most haven't. Even when they trip BAYES_99, often the only other rule is something like one of the DATE_IN_PAST rules, which isn't enough to push it over the edge. I finally just added a URI rule, which seems fine (since, IIRC, this would mean someone at GeoCities with the username "uk") and we've logged 150 of them in the past few hours.
Uh, you mean the country UK! :) But indeed, that's how we block them currently also. If geocities doesn't respond we will leave it in, we take the FP's for granted. UK Geocities wasn't mentioned _once_ in our HAM archives so it's up to them now to clean out and report back that it's cleaned.
Meanwhile we leave the rule active.

uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/uk\.geocities\.com\//
score PROLO_PUBWEB_UKGEO_CHECK1 15.0
describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body

Bye,
Raymond.
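
An added example (not part of the original thread and not the posters' code): a Python check of the posted pattern against constructed URIs, showing that a domain-level lookup collapses every GeoCities host to geocities.com while the anchored rule only hits the uk. host. The base_domain helper is a simplified assumption (last two host labels), not SURBL's or SpamAssassin's actual reduction.

```python
import re
from urllib.parse import urlsplit

# The pattern from the rule in the post, copied unchanged.
UKGEO = re.compile(r"^http:\/\/uk\.geocities\.com\/")

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://uk.geocities.com/constructed_user/page.html",
    "http://www.geocities.com/uk/index.html",
    "http://geocities.com/uk",
    "http://uk.geocities.com.example.net/",
]


def base_domain(uri):
    """Simplified stand-in for a domain-level blocklist key.

    Assumption: the key is the last two host labels. Real lists also
    handle two-level TLDs, which this helper does not.
    """
    host = urlsplit(uri).hostname or ""
    return ".".join(host.split(".")[-2:])


def rule_hits(uri):
    """True when the posted pattern matches the URI."""
    return UKGEO.search(uri) is not None


def report(uris):
    """Return (uri, domain-level key, rule hit) for each URI."""
    return [(u, base_domain(u), rule_hits(u)) for u in uris]


if __name__ == "__main__":
    for uri, base, hit in report(SAMPLES):
        print(f"{'HIT ' if hit else 'miss'}  base={base:<15} {uri}")
```

The first three URIs share the same domain-level key, so only the host-anchored pattern tells them apart; the trailing slash in the pattern keeps it from matching a longer hostname that merely starts with uk.geocities.com.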