On 10/14/2010 8:26 PM, Julian Yap wrote:
> On Thu, Oct 14, 2010 at 4:24 AM, Jason Bertoch <[email protected]> wrote:
>> On 2:59 PM, Julian Yap wrote:
>>> NOTE: I changed the domains below to 'dot info' as the mailing list
>>> rejected my initial submission.
>>>
>>> I'm pretty sure it's not just me but there is some constant spamming
>>> from dot info domains.  Perhaps for the past 2 months or so.
>>>
>>> Often they send hundreds per day and consistently from the same IP's.
>>
>> dot info domains hadn't crossed my radar, but I decided to look anyway and
>> found that my logs agree with your notion that 99% (100%?) of dot info From:
>> addresses are spam.  Roughly 75% of mine are caught at the door by RBL's at
>> the MTA level.  Of the ones that get through, another 75% score above my
>> reject threshold.  A simple rule to bump the points of any dot info From:
>> address has now pushed everything to the tag level, and even many of the
>> tags to rejects.
>>
>> For what it's worth, the ones making it past the RBL's in the MTA do not
>> match any stock RCVD_IN_* rules.
>
> I think I'm going to write my own logic and block things at the MTA
> level.  Implement my own local RBL based on some algorithms.



For what it's worth, the rule I'm using is:

# .info domains 99% spam (100%?)
header     JB_FROM_INFO_TLD     From:addr =~ /\...@*\.info$/i
describe     JB_FROM_INFO_TLD     From: address in .info TLD
score     JB_FROM_INFO_TLD     .01

Although broad rules such as this are generally discouraged, a score of 3 has proven effective based on my mail flow.

/Jason
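
An added example, not part of the original post and not SpamAssassin code: a Python script that measures how a "From: address in .info TLD" test behaves on a labelled mail sample, so a broad rule like the one above can be scored from its hit rates on spam and ham. The regex `\.info$`, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed pattern with the intent the rule describes: address ends in .info
INFO_TLD = re.compile(r"\.info$", re.IGNORECASE)

def from_addr(header_value):
    """Address part only, like From:addr, so display names are ignored."""
    return parseaddr(header_value)[1].strip().lower()

def hits_rule(header_value):
    return bool(INFO_TLD.search(from_addr(header_value)))

def rule_stats(corpus):
    """corpus: iterable of (label, from_header); label is 'spam' or 'ham'."""
    hits = {"spam": 0, "ham": 0}
    totals = {"spam": 0, "ham": 0}
    for label, header in corpus:
        totals[label] += 1
        if hits_rule(header):
            hits[label] += 1
    fired = hits["spam"] + hits["ham"]
    return {
        "spam_hits": hits["spam"],
        "ham_hits": hits["ham"],
        # share of rule hits that were spam
        "precision": hits["spam"] / fired if fired else None,
        # share of legitimate mail the rule would penalise
        "ham_hit_rate": hits["ham"] / totals["ham"] if totals["ham"] else None,
    }

# Constructed sample, not taken from any real mail flow.
SAMPLE = [
    ("spam", '"Deals" <promo@cheap-offers.info>'),
    ("spam", "news@mail.bulk-sender.INFO"),
    ("spam", "Winner <claims@lottery.example.com>"),
    ("ham", "Alice <alice@example.org>"),
    # .info appears only in the display name: must not hit
    ("ham", '"support@vendor.info" <helpdesk@vendor.example.com>'),
    # legitimate .info sender: the false positive a broad rule risks
    ("ham", "Bob <bob@community.info>"),
    # "info" as local part, not as TLD: must not hit
    ("ham", "info@example.net"),
]

if __name__ == "__main__":
    for key, value in rule_stats(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-zero `ham_hit_rate` on real traffic is the signal to keep the score below the reject threshold or to pair the rule with a whitelist.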
