John Hardin wrote:
On Sun, 2008-08-31 at 07:32 -0400, Skip wrote:
Got this one today. Never seen anything like this before.
http://pelorus.org/mix
(I couldn't even paste into pastebin--their spam catcher caught it)
I've noticed that too. It's annoying. Time to set up a post-bin...
This one only scored a 2.9 on my installation, as you can see. I do
have some custom rules (Sought and SARE) but no hits there.
I've noticed more spams lately coming in with huge TO: lists that
haven't been washed for even obviously bogus addresses; yours is an
example of such.
How about these rules? (watch the line wrap)
describe TO_HARVESTED To: obviously harvested
header TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/
describe TO_TOO_MANY To: too many recipients
header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
describe TO_WAY_TOO_MANY To: way too many recipients
header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){50}/
The latter two may have FPs if you're prone to getting infinitely
forwarded jokes and such from relatives and friends - but that might
actually be viewed as a benefit. :)
The {20} variant will cause "normal" FPs. I don't think the {50} would
really cause FPs. But then
header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){100}/
should be more than conservative.
Anyway, this is worth an MTA reject for more than one reason. Not only
does it have too many To: addresses, but some of these addresses don't
deserve any time for scanning:
[EMAIL PROTECTED]
How can Google let this go out?
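
An added example, not part of the original thread: the three rules above run in Python over constructed To: headers, next to a recipient count from a real address parser. It shows the comma-counting rules firing at 21 and 51 plain recipients, and firing on only 11 recipients when display names are quoted "Last, First". The mail.test addresses and the helper names are made up for the illustration.

```python
import re
from email.utils import getaddresses

# Patterns copied from the rules in the thread; the Perl syntax used
# there is also valid for Python's re module.
TO_HARVESTED = re.compile(
    r"\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)"
    r"|your\.favou?rite\.machine)\b")
TO_TOO_MANY = re.compile(r"(?:,[^,]{1,80}){20}")
TO_WAY_TOO_MANY = re.compile(r"(?:,[^,]{1,80}){50}")


def evaluate(to_header):
    """Return the rule hits plus the recipient count from an address parser."""
    return {
        "TO_HARVESTED": bool(TO_HARVESTED.search(to_header)),
        "TO_TOO_MANY": bool(TO_TOO_MANY.search(to_header)),
        "TO_WAY_TOO_MANY": bool(TO_WAY_TOO_MANY.search(to_header)),
        "parsed_recipients": len(getaddresses([to_header])),
    }


# Constructed sample headers (not taken from the spam discussed in the thread).
def plain(n):
    return ", ".join(f"user{i}@mail.test" for i in range(n))


def quoted_names(n):
    # "Last, First" display names put an extra comma inside every entry,
    # so the regex sees roughly twice as many commas as there are recipients.
    return ", ".join(f'"Doe{i}, Jo" <jo{i}@mail.test>' for i in range(n))


SAMPLES = {
    "20 plain": plain(20),          # 19 commas: below the {20} threshold
    "21 plain": plain(21),          # 20 commas: TO_TOO_MANY fires
    "51 plain": plain(51),          # 50 commas: TO_WAY_TOO_MANY fires
    "11 quoted names": quoted_names(11),  # 21 commas from 11 recipients
    "harvested": "bob@your.domain.com, alice@mail.test",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:16} {evaluate(header)}")
```
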