John Hardin wrote:
On Fri, 24 Apr 2009, LuKreme wrote:
On 24-Apr-2009, at 10:41, Igor Chudov wrote:

I get a shipload of spams like this one:
http://igor.chudov.com/tmp/spam007.txt

Scores very high here.
2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: tgifriday.info]

Igor, you might also want to implement greylisting, to give the URIBLs a
chance to list URIs that appear in these messages.

Interesting concept - do you have any data to support the hypothesis?
I tried looking at this a while back, but it's difficult to collect
qualitative data. I ran for a month with a short greylisting period (1
min), and a month for 30 mins and 60 mins. I looked at hit rates against
popular DNSRBLs to see if I could observe any increase in effectiveness
from IPs being added during the increased greylisting periods. I didn't
see anything conclusive that would be worth the increased delay to
legitimate new mail. Of course the study isn't very scientific as the
spamflow is likely to change from month to month. Also, only reactive
lists are likely to benefit, and only those that react quickly.

Getting back to the OP's question, I've found adding a couple of simple
body rules to check for a certain four letter 'A' word or 2-3 word
phrases works well in this instance, and I've not noticed any FPs.