On Thu, 2009-04-02 at 16:20 -0400, jp wrote:
> We're receiving a bunch of mail from domains that appear built for
> spamming.
>
> Here's an example.
> pastelmedal.com spam comes from 66.132.203.125. This address isn't
> listed by spamhaus, surbl, or any of 122 blacklists at mxtoolbox.com.

Yup. That's snowshoe spam.

> The email is here:
> http://www.midcoast.com/~jp/p.txt

I kill off a lot of those with these rules, but I'm finding that Rob
McEwen's Invaluement list works reasonably well. It doesn't have this
spammer listed (yet!) but....

body AE_STOP_REMOVE /to stop rec[ei]{2}ving.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE Talks about how to be removed from mailings
score AE_STOP_REMOVE 2.999

body AE_STOP_REMOVE2 /to no longer rec[ei]{2}ve.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE2 Talks about how to be removed from mailings
score AE_STOP_REMOVE2 1.5

body AE_STOP_REMOVE3 /to suspend future.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE3 Talks about how to be removed from mailings
score AE_STOP_REMOVE3 3.0

body AE_STOP_REMOVE4 /\bend\b.{0,20}future.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE4 Talks about how to be removed from mailings
score AE_STOP_REMOVE4 2.5

# The words need whitespace between them: \bwish\bto\bend\b can never
# match, because \b requires a word/non-word transition and "wish to end"
# has spaces there, so the pattern uses \s+ instead.
body AE_STOP_REMOVE5 /\bwish\s+to\s+end\b.{0,20}(?:mailings|offers|messages|service|notices)/i
describe AE_STOP_REMOVE5 Talks about how to be removed from mailings
score AE_STOP_REMOVE5 2.5

uri AE_ASM /\/[[:alpha:]]{28,40}$/
describe AE_ASM long gibberish path used by ASM Marketing
score AE_ASM 1

meta AE_GIBBERISH AE_ASM && (AE_STOP_REMOVE || AE_STOP_REMOVE2 || AE_STOP_REMOVE3 || AE_STOP_REMOVE4 || AE_STOP_REMOVE5)
describe AE_GIBBERISH Looks like spam we see a lot of
score AE_GIBBERISH 5

Looks like I need to add ADVERTISEMENTS to my list ;-)

> I get email from lots of different domains that have the same USPS
> mailing address(es) listed, either in Denver CO or Wilmington DE.
>
> They all have identical unsubscribe email forms if you visit their
> webpage or IP:
>
> http://mapwonder.com/
> http://www.pastelmedal.com/
> http://www.chestindigo.com/
>
> What can I do to prevent more of these? I have high volume mail
> servers using SA 3.2.5, network checks, no bayes, no awl, postfix
> allowing anything except sbl-xbl listed things and some helo and
> recipient restrictions.
>
> It seems to be well formed spam that just isn't tripping anything up.
>
> Thanks,
> Jason

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
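The rule set above only pays off through its meta rule: unsubscribe wording alone is common in legitimate newsletters, so the snowshoe signal is that wording combined with a long alphabetic URI path. The following Python script is an added example (not SpamAssassin's own code and not part of the list post) that re-implements those rules as plain regexes and scores two constructed messages, one with both signals and one newsletter with only the unsubscribe line. Perl's [[:alpha:]] is written as [A-Za-z], AE_STOP_REMOVE5 uses \s+ between its words so that it can actually match, and the message bodies, URIs and the example.invalid host are constructed sample data.

```python
import re

# Rules from the list post, transcribed into Python regex syntax.
# Body rules carry the /i flag in the original, so they are matched
# case-insensitively; the uri rule is matched as written.
BODY_RULES = {
    "AE_STOP_REMOVE":  (r"to stop rec[ei]{2}ving.{0,20}(?:mailings|offers|messages|notices)", 2.999),
    "AE_STOP_REMOVE2": (r"to no longer rec[ei]{2}ve.{0,20}(?:mailings|offers|messages|notices)", 1.5),
    "AE_STOP_REMOVE3": (r"to suspend future.{0,20}(?:mailings|offers|messages|notices)", 3.0),
    "AE_STOP_REMOVE4": (r"\bend\b.{0,20}future.{0,20}(?:mailings|offers|messages|notices)", 2.5),
    # \bwish\bto\bend\b from the post can never match; \s+ is the working form.
    "AE_STOP_REMOVE5": (r"\bwish\s+to\s+end\b.{0,20}(?:mailings|offers|messages|service|notices)", 2.5),
}
URI_RULES = {
    # "long gibberish path": a slash followed by 28-40 letters at the end of the URI
    "AE_ASM": (r"/[A-Za-z]{28,40}$", 1.0),
}
META_SCORE = 5.0  # score AE_GIBBERISH 5


def score_message(body, uris):
    """Score one message the way the posted rules would.

    Returns (total score rounded to 3 places, list of rule names that hit),
    with the meta rule AE_GIBBERISH evaluated last from the other hits.
    """
    hits = []
    total = 0.0
    for name, (pattern, score) in BODY_RULES.items():
        if re.search(pattern, body, re.IGNORECASE):
            hits.append(name)
            total += score
    for name, (pattern, score) in URI_RULES.items():
        if any(re.search(pattern, uri) for uri in uris):
            hits.append(name)
            total += score
    # meta AE_GIBBERISH  AE_ASM && (AE_STOP_REMOVE || ... || AE_STOP_REMOVE5)
    if "AE_ASM" in hits and any(h.startswith("AE_STOP_REMOVE") for h in hits):
        hits.append("AE_GIBBERISH")
        total += META_SCORE
    return round(total, 3), hits


# Constructed sample messages (not real mail); example.invalid is a placeholder host.
SPAM_BODY = (
    "Great deals on insurance this week!\n"
    "If you wish to end future offers from us, visit the link below.\n"
)
SPAM_URIS = ["http://example.invalid/abcdefghijklmnopqrstuvwxyzabcd"]  # 30-letter path

HAM_BODY = (
    "Monthly newsletter.\n"
    "To stop receiving these messages, reply with STOP.\n"
)
HAM_URIS = ["http://example.invalid/news/2009/april"]

if __name__ == "__main__":
    for label, body, uris in (("spam", SPAM_BODY, SPAM_URIS), ("ham", HAM_BODY, HAM_URIS)):
        total, hits = score_message(body, uris)
        print(f"{label}: score={total} hits={hits}")
```

The newsletter trips AE_STOP_REMOVE on its own and stays at 2.999, below the usual 5.0 threshold; the snowshoe sample trips two body rules plus AE_ASM, and the meta rule then adds 5 on top, which is what makes the combination decisive without pushing ordinary opt-out wording over the line.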