On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my spamassassin
> but was hit by a separate ZEN rule in procmail:
> 
> 
> Return-Path: soria.h.steven...@gmail.com
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
>       samba3.private.tamay-dogan.net
> X-Spam-Level: *
> X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
>       RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
> Delivered-To: linux4miche...@tamay-dogan.net
> Received: from delta4.net ([::ffff:69.43.203.202])
>       by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
>       id 00002765.4A48FAF1.0000587B
> Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
>       by delta4.net (CommuniGate Pro SMTP 5.2.3)
>       with ESMTPA id 18578669 for linux4miche...@tamay-dogan.net; Mon, 29 Jun 2009 10:33:51 -0700
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>       boundary="=_vserver1-22651-1246296817-0001-2"
> Date: Mon, 29 Jun 2009 13:33:43 -0400
> Message-ID: <chilkat-mid-a898e4ba-bf89-50a1-afc2-c995e8990...@gsurface-pc>
> X-Mailer: Chilkat Software Inc (http://www.chilkatsoft.com)
> X-Priority: 3 (Normal)
> Subject: RE: [SA Rule] meds, pill and shop spams
> Reply-To: soria.h.steven...@gmail.com
> Old-Return-Path: soria.h.steven...@gmail.com
> From: Soriah Stevenson <soria.h.steven...@gmail.com>
> To: Michelle Konzack <linux4miche...@tamay-dogan.net>
> X-TDMailSerialnumber: 9189409
> X-TDMailCount: true
> X-TDTools-Procmail: FILTER=FLT_spamhaus, WLIST=PRI_linux.FLT_spamhaus
> 
> Hi Michelle Konzack,
> 
> This email is a response to the apartment that is for rent.  I am sorry it 
> took so long to respond, your email was sent to the spam folder.  In order to 
> schedule showings, I am asking all tenants for their latest credit score and 
> income.  If you don't have your credit score at the moment, you can check it 
> online using the link below.
> 
> http://www.icredit-scores.com/
> 
> Please email me this information at your earliest convinience.  Thanks.
> 
> From: linux4miche...@tamay-dogan.net Sent: 6/29/2009 12:31:48 PM Subject: 
> [SA Rule] meds, pill and shop spams Hello,
> 
> because I am currently hit by several 10.000  new  type  of  spam  using
> domains like www.(meds|pill|shop)XX.(net|com|org) I suggest  you  to  put
> the following in your spamassassin config:
> 
> ----[ '~/.spamassassin/user_prefs' ]------------------------------------
> body            AE_MEDS35       /\(\s?w{2,4}\s(?:meds|pill|shop)\d{1,4}\s(?:net|com|org)\s?\)/
> describe        AE_MEDS35       obfuscated domain seen in spam
> score           AE_MEDS35       3.00
> ------------------------------------------------------------------------
> 
> Works perfectly and has today caught over 63.000 spams on my server.
> 
> Thanks, Greetings and nice Day/Evening
>    Michelle Konzack
>    Systemadministrator
>    25.9V Electronic Engineer
>    Tamay Dogan Network
>    Debian GNU/Linux Consultant
> 
> -- 
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> ##################### Debian GNU/Linux Consultant #####################
> <http://www.tamay-dogan.net/>                 Michelle Konzack
> <http://www.can4linux.org/>                   c/o Vertriebsp. KabelBW
> <http://www.flexray4linux.org/>               Blumenstrasse 2
> Jabber linux4miche...@jabber.ccc.de           77694 Kehl/Germany
> IRC #Debian (irc.icq.com)                     Tel. DE: +49 177 9351947
> ICQ #328449886                                Tel. FR: +33  6  61925193
> 
> 
Are you saying that ZEN caught it after SA processed it? Why are you not
using ZEN in SA or at the SMTP stage?
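
An added example, not part of the original thread: how a ZEN lookup is formed for the relay in the first Received header quoted above, whether it is done at the SMTP stage or inside SpamAssassin. The function names are hypothetical, the return-code table is a subset of the codes Spamhaus documents, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import re
import socket

ZEN_ZONE = "zen.spamhaus.org"
# Subset of Spamhaus ZEN return codes; anything else is reported as "other".
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "CSS", "127.0.0.4": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

# First (boundary) Received header from the message quoted above.
RECEIVED = ("from delta4.net ([::ffff:69.43.203.202]) "
            "by vserver1.tamay-dogan.net with esmtp; "
            "Mon, 29 Jun 2009 19:33:36 +0200")

def relay_ip(received):
    """IPv4 address of the connecting relay, unwrapping ::ffff:a.b.c.d."""
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", received)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip if ip.version == 4 else None

def zen_query_name(ip):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + ZEN_ZONE

def resolve_a(name):
    """A records for name; an empty list means no A record was returned."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(answers):
    # 127.255.255.x means the query was refused (e.g. public resolver), not a listing.
    if any(a.startswith("127.255.255.") for a in answers):
        return "error"
    hits = sorted({ZEN_CODES.get(a, "other") for a in answers})
    return ",".join(hits) if hits else "clean"

def check(received, resolve=resolve_a):
    ip = relay_ip(received)
    if ip is None:
        return None, "no-ipv4"
    name = zen_query_name(ip)
    return name, classify(resolve(name))

if __name__ == "__main__":
    print(zen_query_name(relay_ip(RECEIVED)))  # builds the name only, no DNS traffic
```

Treating the `127.255.255.x` answers as listings is a common cause of false positives when the mail server resolves through a shared public resolver.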
