On Mon, 27 Nov 2006, Theo Van Dinter wrote:
> From: Theo Van Dinter <[EMAIL PROTECTED]>
> To: users@spamassassin.apache.org
> Date: Mon, 27 Nov 2006 16:32:50 -0500
> Subject: Re: Loads of 'xxx wrote:' Spam
...
> > Has anyone else seen this? Is there a rule I can use to block
> > this? The names change ALL the time, so it would have to be
> > something dynamic.
> >
> > Does anyone have something I could use?
>
> As has been the suggestion for the past X months, run sa-update. :)
Yup, works for me.
Note that the Botnet plugin (subject of another thread on this list)
may help with hosts that slip past any RBLs you use. Here's the
results for one of these I recently received in my spam folder:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on merckx.bath.ac.uk
X-Spam-Level: ++++++++
X-Spam-Status: Yes, score=8.9 required=6.0 tests=BOTNET,BOTNET_CLIENT,
BOTNET_IPINHOSTNAME,RCVD_FORGED_WROTE,SARE_LWSHORTT,SARE_MLB_Stock2,
SARE_PROLOSTOCK_SYM1 autolearn=disabled version=3.1.7
X-Spam-Report:
* 2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
* 0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
* 1.7 SARE_MLB_Stock2 BODY: SARE_MLB_Stock2
* 0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
* 1.7 SARE_PROLOSTOCK_SYM1 BODY: Last week's hot stock scam
* 2.0 BOTNET_CLIENT Hostname looks like a client hostname
* 0.0 BOTNET Any Botnet rule hit
Received: from 89-139-185-37.bb.netvision.net.il ([89.139.185.37] helo=mafioso)
(I've tweaked the BOTNET rules. It would score more with a standard
configuration.)
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
