On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
> Maybe this will sound dumb but wouldn't it be perfectly
> safe to blacklist "example.com" after all, that isn't a
> domain you're ever going to get mail from.
>
> Ted

That is there because Alex likely wishes to keep his real domain private. Note that the envelope TO address is @example.com, which would never be delivered, unless Alex really _does_ own the example.com domain...

> MySQL Student wrote:
> >
> > I'm having trouble catching a particular type of spam, and hoped
> > someone had some time to take a look:
> >
> > http://pastebin.com/d57336542
> >
> > It doesn't match RAZOR2, or any of the URI lists, and it's only
> > BAYES_50. I have a pretty well-established BAYES db, so I'm surprised
> > it's only BAYES_50. What can I do to block spam like this in the
> > future?
> >
> > Thanks,
> > Alex

Alex, there's likely not much you can do. On a spam that short there's not a lot to work with.

You could increase the score for URI_HEX.

If the form of the URI is consistent, perhaps something like this would help:

  uri URI_NUMERIC_CCTLD m!^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/!i

This is really suspicious:

  X-Mailer: Gentoo

Gentoo is an OS, not a MUA. Is that at all consistent? If so:

  header GENTOO_MUA X-Mailer =~ /^Gentoo$/

Or perhaps this:

  header MUA_ONE_WORD X-Mailer =~ /^[a-z]+$/i

(all untested, sorry)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
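
An added example, not part of the original message and not SpamAssassin code: a Python harness that runs the three patterns suggested above over constructed messages, to check what each rule hits and where it would false-positive before it goes into a live rule set. The URI extraction regex, the sample messages and the function name `rules_hit` are assumptions made for this sketch.

```python
import re
from email import message_from_string

# The three patterns from the message, expressed in Python's re syntax.
URI_RULES = {
    "URI_NUMERIC_CCTLD": re.compile(r"^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/", re.I),
}
HEADER_RULES = {
    "GENTOO_MUA": ("X-Mailer", re.compile(r"^Gentoo$")),
    "MUA_ONE_WORD": ("X-Mailer", re.compile(r"^[a-z]+$", re.I)),
}
# Simplified URI extraction (assumption: SpamAssassin's own URI parser does more).
URI_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)

def rules_hit(raw):
    """Return the sorted names of the rules that fire on one raw message."""
    msg = message_from_string(raw)
    hits = set()
    for name, (header, rx) in HEADER_RULES.items():
        for value in msg.get_all(header, []):
            if rx.search(value.strip()):
                hits.add(name)
    for uri in URI_RE.findall(msg.get_payload()):
        for name, rx in URI_RULES.items():
            if rx.search(uri):
                hits.add(name)
    return sorted(hits)

# Constructed samples. "zz" stands in for a two-letter TLD.
SPAM_LIKE = ("From: a@example.net\nTo: b@example.com\nX-Mailer: Gentoo\n"
             "Subject: hi\n\nhttp://12.34.zz/index\n")
# Dotted-quad URI and a multi-word X-Mailer: no rule should fire.
HAM = ("From: c@example.org\nTo: b@example.com\n"
       "X-Mailer: Apple Mail (2.936)\nSubject: report\n\n"
       "See http://192.0.2.10/path for details.\n")
# Any single-word X-Mailer trips MUA_ONE_WORD, so that rule needs a low score.
ONE_WORD = ("From: d@example.org\nTo: b@example.com\n"
            "X-Mailer: SomeMailer\nSubject: hello\n\n"
            "http://www.example.de/\n")

if __name__ == "__main__":
    for label, raw in (("spam-like", SPAM_LIKE), ("ham", HAM),
                       ("one-word", ONE_WORD)):
        print(label, rules_hit(raw))
```
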