>> ... do not use SARE tests, just check, read and try to follow what they
>> are doing).
>
> Paul,
>
> I'm not really THAT badly off; I run all default 3.1.0 tests plus Bayes and
> DCC, three RBL's, URIBL/SURBL, some SARE rule sets and a bunch of local rules.
> I do MTA-level blocking with Spamhaus SBL-XBL, which knocks off at least half
> the junk before it reaches SA. But I don't run Razor or Pyzor, so never get
> DIGEST_MULTIPLE. Maybe I should change that.
>
> My point was, two people stated that SARE rules take care of this type of pill
> spam, and they don't.
>
> Pierre

Pierre,
It does seem that the digests plus Bayes are the best defense against these. Just a few minutes ago another arrived:

Y 15 - BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_90_100,HTML_MESSAGE,MIME_QP_LONG_LINE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_RHS_POST,URIBL_RHS_WHOIS

tinldrubbSpa.tripod.com-MUNG redirects to http://www.entrameric.com-MUNG
name servers ns0.indivualre.com-MUNG and ns0.rosettarkin.com-MUNG

The standard pattern - spam server at bookmyname, name servers with one at RGNames, the other at YesNIC. Zombie spew hitting all the digests, the DUL rules, XBL, SpamCop BL (which you might consider "45x"'ing at the MTA level to get rid of more zombie spew while only delaying valid email - it depends on your MTA, it's easy with postfix and "delay_if_reject"), and a few low scoring rules.

The primary difficulty with Leo and the SARE rules is he seems smarter than the typical spammer and quickly changes to avoid the rules they create for him.

Adding the extra pair of digests will give you yet another almost 5 points for many of these drug spams (DIGEST_MULTIPLE is itself a low scoring rule, but each digest is a few points apiece). This is one of the lowest scores I've seen them get, and still well above most sites' threshold (even without my couple of points of local URI rules).

Paul Shupak
[EMAIL PROTECTED]

P.S. Whoever pointed out the Msg-ID line was right on also; this one was mid=<[EMAIL PROTECTED]> - I wonder which malware this is a sign of?
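Added example (not from either poster): the "45x at the MTA level" setup Paul describes, written as a Postfix main.cf fragment. It keeps Pierre's hard SBL-XBL reject and adds SpamCop as a temporary failure, using Postfix's defer_if_reject restriction (Postfix 2.1 and later). The zone names and restriction order are assumptions for illustration, not a quoted configuration from the thread.

```conf
# /etc/postfix/main.cf (added example; assumes Postfix 2.1 or later)
#
# Weak form for comparison: SpamCop as a plain reject.  A listing answers
# with a permanent 554, so a false-positive listing bounces real mail.
#
#   smtpd_recipient_restrictions =
#       permit_mynetworks,
#       reject_unauth_destination,
#       reject_rbl_client sbl-xbl.spamhaus.org,
#       reject_rbl_client bl.spamcop.net

# Defer form: defer_if_reject turns any REJECT produced by a restriction
# *after* it in this list into a 450 temporary failure.  A real MTA queues
# the message and retries after the (short-lived) SpamCop listing expires;
# zombie spamware almost never retries, so its mail is simply lost.
# Relay checks and the SBL-XBL reject stay in front of defer_if_reject,
# so those remain hard 554 rejects.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    defer_if_reject,
    reject_rbl_client bl.spamcop.net

# 450 is already the Postfix default; set explicitly so the "45x" is visible.
defer_code = 450
```

After reloading, a deferred client shows up in the mail log as a "450" reject of the form "Client host ... blocked using bl.spamcop.net", and legitimate senders reappear on their retry, so watching the deferred queue for a few days tells you how much real mail the listing actually touches.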
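Added example (not from either poster): the "extra pair of digests" Paul recommends, as the SpamAssassin 3.1.x configuration that turns on Razor2 and Pyzor alongside the DCC Pierre already runs. Plugin and option names are the ones shipped with 3.1.x; the file paths are assumptions, and the razor-agents and pyzor client programs must be installed separately.

```conf
# /etc/mail/spamassassin/v310.pre (added example, SpamAssassin 3.1.x)
# Razor2 and Pyzor are loaded here by default; DCC ships commented out.
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2

# /etc/mail/spamassassin/local.cf
# Each digest that fires scores on its own (DCC_CHECK, PYZOR_CHECK,
# RAZOR2_CHECK), and DIGEST_MULTIPLE adds a little more when two or
# more of them agree.
use_dcc    1
use_pyzor  1
use_razor2 1
```

Run "spamassassin --lint" after the change to confirm the plugins load, then look for PYZOR_CHECK and RAZOR2_CHECK next to DCC_CHECK in the X-Spam-Status header of the next batch of pill spam; if only DCC_CHECK appears, the client binaries are missing or the scanning user cannot reach the digest servers.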