On Sat, 2009-03-28 at 07:48 -0400, Steven W. Orr wrote:
> I was wondering if anyone had an incantation for this one.
>
I see that the message is there to punt a spaces.live.com website.
I'm using a meta rule to recognise messages containing a spaces.live.com
URI but that are not sent from that domain and a second to pick up
similar spam sent via Sourceforge mailing lists:
#
# Spam containing space.live.com URI but not from there or sent on
# a SourceForge mailing list.
#
header __MG_LSP1 From =~ /spaces\.live\.com/i
uri __MG_LSP2 /^http:.{1,40}\.spaces\.live\.com/i
header __MG_LSP3 List-Id =~ /lists\.sourceforge\.net/i
describe MG_LIVESP Contains spaces.live.com URI
meta MG_LIVESP (!__MG_LSP1 && __MG_LSP2)
score MG_LIVESP 2.5
describe MG_LIVESF Via SourceForge but contains spaces.live.com URI
meta MG_LIVESF (__MG_LSP2 && __MG_LSP3)
score MG_LIVESF 10.0
These rules work for me and are firing on a reasonably significant
amount of spam. Here are the stats for the last six days:
Total mail 2968 messages
Spam 198 messages
MG_LIVESP 91 hits
MG_LIVESF 22 hits
Note1: My ISP is using greylisting. This traps about 90% of incoming
spam. My spam ratio dropped from 70% to 7% when that was
implemented.
Note2: It seems that at least some mailing lists can't be arsed to run
spam filters - the UK LUG list and the Wine-users list
are both carrying similar amounts of spam to SourceForge.
Martin
