Ronald I. Nutter wrote:
> I have been fighting one specific type of spam coming through for several
> days now. None of the rules I have put in place are stopping the spam
> coming through. It is a stock type scam. Main one I have seen is about
> IKMA. The content type of the message is image/gif. The actual name of
> the file varies, so I don't seem to be able to block on that. Any
> suggestions on how I can block this? I am using SA 2.64 with postfix
> and amavisd in a relay server configuration that sends the email on to
> the exchange server.

Step 1: UPGRADE if at all possible (i.e., you have perl newer than 5.005).

SA 2.64 is ancient (released August of 2004) and doesn't have the features for spam detection that 3.1.1 does. Its HTML parser is more vulnerable to obfuscation tricks preventing uri rules from matching. It lacks default support for uribls (but it can be patched in with spamcopURI). Both of these will be a very significant drag on accuracy.

Also, the standard ruleset for SA 2.64 is the one that came with 2.60, released September of 2003. That's getting to be rather old to be applicable to modern spam.

While you don't always need to be on the latest-greatest SA, if your version is more than a year old you're likely to have accuracy problems. Spam changes a lot; SA needs to change too.

Step 2: Most of the image based stock spams are nailed by SARE's stocks ruleset. Do you have it? Do you have any add-on rulesets?