On 08/17/2010 01:04 PM, John Hardin wrote:
>
> You might consider implementing spamhaus zen as an MTA-level hard
> reject DNSBL (I do that, maybe that's why I don't see any pharma
> spam?) - many admins trust it enough to do that, and the sample you
> posted hit on the abuseat CBL, which is a zen feed.
>

As per my initial email, none of the RBLs hit the message when they get in. More precisely:

1. a "flash" of incoming spam arrives from a range of IP addresses (i.e. some botnet)
2. most are caught, as they are in RBLs, and are blocked/rejected/tagged
3. some come from "Day Zero" IPs and get through with a max score of 2/5 (i.e. DCC, Bayes, Pyzor, Botnet.cf don't score much)

Users only see "3". It used to be that you could go days without seeing any spam in your inbox - now, due to this specific class of pharma spam, we are seeing it end up in all inboxes 2-5 times a day per user - and it's bad stuff that is generating complaints, of course.

The issue is that by definition "Day Zero" spam can't be detected by network tests, and the simple one-line-plus-link content doesn't give enough to score on via phrase checks (they keep rewriting the sentences).

I was hoping others are seeing it too, and had come up with some magical way of stopping it, of course ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
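The MTA-level ZEN check John Hardin suggests above, as an added illustration that is not part of this thread and not code from either poster or from Spamhaus: it builds the reversed-octet DNSBL query name, maps the 127.0.0.x answers ZEN returns onto its component lists (SBL, CSS, XBL/CBL, PBL), and separates genuine listings from the 127.255.255.x error answers so that a resolver problem never turns into a reject. The resolver is injected as a callable so the block runs offline against a constructed answer table; `check_ip`, `dnsbl_query_name` and the fake `FAKE_ANSWERS` table are names chosen here, and the return-code assignments are taken from the Spamhaus ZEN documentation as I know it (verify against the current documentation before deploying).

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer -> which ZEN component listed the IP.
# (Assumed from Spamhaus documentation; check the live docs before relying on it.)
ZEN_LISTS = {
    2: "SBL",
    3: "SBL CSS",
    4: "XBL (CBL)",
    5: "XBL",
    6: "XBL",
    7: "XBL",
    10: "PBL",
    11: "PBL",
}

# 127.255.255.x answers signal a problem with the query itself, not a listing:
# typo in the zone name, query via a public/open resolver, or query-volume limit.
ZEN_ERRORS = {
    252: "typo in DNSBL name",
    254: "query refused: public/open resolver",
    255: "query refused: excessive volume",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Return the DNSBL lookup name for an IPv4 address: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_zen_answers(answers: List[str]) -> Tuple[Set[str], List[str]]:
    """Split A-record answers into (listed-by set, error/unknown messages)."""
    hits: Set[str] = set()
    problems: List[str] = []
    for a in answers:
        octets = [int(o) for o in a.split(".")]
        if octets[:3] == [127, 0, 0] and octets[3] in ZEN_LISTS:
            hits.add(ZEN_LISTS[octets[3]])
        elif octets[:3] == [127, 255, 255]:
            problems.append(ZEN_ERRORS.get(octets[3], f"unknown error code {a}"))
        else:
            # Anything outside 127.0.0.0/8 means a hijacked/wildcarded lookup; never reject on it.
            problems.append(f"unexpected answer {a}")
    return hits, problems


def check_ip(ip: str, resolve: Callable[[str], List[str]], zone: str = ZEN_ZONE) -> Dict:
    """Decide whether an MTA should hard-reject a connecting IP based on ZEN.

    `resolve` takes a DNS name and returns the list of A-record strings (empty when
    NXDOMAIN, i.e. not listed). Only a clean 127.0.0.x listing yields reject=True.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answers = resolve(name)
    except Exception as exc:  # DNS timeout, SERVFAIL, etc.
        return {"ip": ip, "query": name, "reject": False, "lists": set(),
                "problems": [f"lookup failed: {exc}"]}
    hits, problems = classify_zen_answers(answers)
    return {"ip": ip, "query": name, "reject": bool(hits), "lists": hits,
            "problems": problems}


# Constructed answer table standing in for real DNS (these are documentation
# addresses from RFC 5737, not real listings).
FAKE_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],            # CBL-listed bot
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.11"],  # SBL + PBL
    "30.2.0.192.zen.spamhaus.org": [],                        # "Day Zero" IP: not listed yet
    "40.2.0.192.zen.spamhaus.org": ["127.255.255.254"],       # queried via an open resolver
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(check_ip(ip, fake_resolve))
```

The third address is the case the thread is about: an IP that no list has seen yet returns NXDOMAIN, the MTA accepts the connection, and the message is left to content and reputation rules that, as described above, may not reach the threshold. The fourth shows why the error range must be handled separately: treating 127.255.255.254 as a listing would reject every sender once queries start going through a resolver Spamhaus refuses to serve.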