On Sun, Mar 1, 2009 at 11:32 AM, Karsten Bräckelmann <guent...@rudersport.de> wrote:
> On Sun, 2009-03-01 at 09:44 -0700, Jake Maul wrote:
>> Howdy,
>>
>> Lately I've been getting a lot of spam like this:
>>
>> http://pastebin.com/m58b01a0b
>> http://pastebin.com/me13959a
>>
>> The domain changes, but it's virtually always in the .de TLD
>> ("somedomain.de"). RelayCountries has this to say about that message
>> (I'm in the US, btw):
>> [31067] dbg: metadata: X-Relay-Countries: GB
>
> If you got the RelayCountry plugin enabled, here's a simple rule to
> score direct MUA to MX spam:
>
> header RELAY_MUA_TO_MX X-Relay-Countries =~ /^..$/
> describe RELAY_MUA_TO_MX Single Relay, direct client to MX
> score RELAY_MUA_TO_MX 0.5

That looks pretty neat. I've added it to my config with a low score and I'll see how it works out. Thanks!

>> They don't seem to trigger any remote tests at all.... DNSBLs, URIBLs,
>> Pyzor, Razor, or Botnet. The only local tests triggered are BAYES_99,
>> MIME_HTML_ONLY, and a custom test I wrote which triggers when it sees
>> the word 'drugstore' in the body, in all caps.
>>
>> Any ideas on how to make this a more solid hit? Anyone else seeing this?
>
> Hey, both of them got a score of 7.1. :)
>
> Anyway, for better hits: The domain is listed in URIBL -- as a 2tld
> free-hoster domain. mail.ru isn't, but rb.mail.ru is. This setting helps
> to get a URIBL_BLACK hit (requires SpamAssassin 3.2.4 or higher):
>
> util_rb_2tld mail.ru
>
> There are a lot more 2tlds listed by URIBL, updated infrequently.
> Googling for the setting should bring up an sa-update channel.

This is perfect. I was hoping there'd be some setting I was just missing. I've not really dealt with URIBL much in the past, but glad to see there's a simple tweak to make it catch this. :)

> Also, it might be worth considering to slightly raise the BAYES_9x
> scores and checking out the iXhash plugin. (My samples with these URIs
> usually do hit this, though they are looking slightly different.)

I've toyed with BAYES_99 at 4.0 in the past... I forget why I backed out of it, but it's commented out in my config. Perhaps now would be a good time to consider iXhash as well...

> If really all of these do have the same (non-ru) From TLD, maybe even
> consider a meta-rule combining non-scoring sub-rules for the From TLD
> and an RU uri.

I'd never really noticed the correlation with the .ru URIs in the body until you guys pointed out that both my samples had the same URI domain in the body. I'll have to double check and see if they're all the same. If so, that util_rb_2tld tweak should fix it.

> HTH, pick a few. ;)
>
> guenther
>
>
> Oh, and your X-Spam-Report header does look a little excessive, doesn't
> it?

Ugh... yeah, I need to figure out how to get rid of the boilerplate at the beginning. I just haven't gotten around to it yet... but hey, if you know the setting to change off the top of your head, mind posting/linking it? I haven't even looked though, so don't spend any time on it... :)

Thanks for the tips, that util_rb_2tld alone should make a nice dent.

Jake
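The thread above gives the RELAY_MUA_TO_MX header rule and the util_rb_2tld setting verbatim, but only describes the meta-rule idea (non-scoring sub-rules for the From TLD and a .ru URI, combined into one scoring rule). The local.cf fragment below is an added example written for this page, not config posted by either participant. The .de From TLD, the .ru URI domain and the two rules quoted from Karsten come from the thread; the sub-rule names (__FROM_DE_TLD, __URI_RU_TLD), the meta-rule names, the regexes and the score values are assumptions chosen for illustration, so tune them against your own corpus.

```conf
# --- Relay pattern: only one hop, i.e. a client delivering straight to the MX.
# Taken from the thread; wrapped in ifplugin so the rule is skipped when the
# RelayCountry plugin (which supplies the X-Relay-Countries pseudo-header) is off.
ifplugin Mail::SpamAssassin::Plugin::RelayCountry
header   RELAY_MUA_TO_MX   X-Relay-Countries =~ /^..$/
describe RELAY_MUA_TO_MX   Single Relay, direct client to MX
score    RELAY_MUA_TO_MX   0.5
endif

# --- URIBL: treat mail.ru as a 2nd-level TLD so rb.mail.ru (the listed
# free-hoster subdomain) is what gets looked up. From the thread; SA >= 3.2.4.
util_rb_2tld mail.ru

# --- Non-scoring sub-rules (leading "__" means they are never scored or
# reported on their own; they only exist to feed a meta rule).

# From: address ends in the .de TLD. "From:addr" matches the address part only,
# so display-name tricks do not affect it. (Assumed rule name and regex.)
header   __FROM_DE_TLD     From:addr =~ /\.de$/i

# Any URI in the body whose host sits under the .ru TLD. SA prefixes bare
# domains with http:// before uri rules run, so this also catches "www.x.ru".
# (Assumed rule name and regex.)
uri      __URI_RU_TLD      /^https?:\/\/[^\/\s]+\.ru(?:[:\/]|$)/i

# --- Meta rule: the correlation Karsten suggested, .de sender + .ru link.
# Scored low on purpose; raise it only after checking ham for false hits.
meta     DE_FROM_RU_URI    (__FROM_DE_TLD && __URI_RU_TLD)
describe DE_FROM_RU_URI    .de From address with a .ru URI in the body
score    DE_FROM_RU_URI    1.5

# Optional tighter variant: the same pair, delivered in a single hop.
# Meta rules may reference scoring rules too, so RELAY_MUA_TO_MX is reused here.
meta     DE_FROM_RU_URI_DIRECT (DE_FROM_RU_URI && RELAY_MUA_TO_MX)
describe DE_FROM_RU_URI_DIRECT .de From, .ru URI, direct client-to-MX delivery
score    DE_FROM_RU_URI_DIRECT 1.0
```

After adding this to local.cf, run `spamassassin --lint` to catch syntax errors, then `spamassassin -D -t < sample.eml` on the saved pastebin samples to confirm which of the sub-rules and meta rules fire; the `-D` debug output is where the `X-Relay-Countries` metadata line in the thread came from. Keep the meta scores modest until the rules have been checked against a ham corpus, since a .de sender linking to a .ru site is not spam on its own.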