On 14/03/12 03:09, David B Funk wrote:
On Tue, 13 Mar 2012, Alex wrote:

Hi,

http://pastebin.com/raw.php?i=iquXBnH0

While I could create a rule to block this specific domain, or submit
it to a RBL, I'd appreciate any ideas how to more generally block
them, rather than by one characteristic in the message.

We need more examples.

That just occurred to me that it would help. Here are a few similar
ones, but these hit bayes99:

http://pastebin.com/raw.php?i=Axgx8qSP
http://pastebin.com/raw.php?i=7iU2MnP7

Here is an example more closely relating to the first one. Hit only
bayes50, no subject, freemail, very similar short body:

http://pastebin.com/raw.php?i=juvD9yzS

Thanks,
Alex

Note that URL, yet another p0ned WordPress website (the
"/wp-content/plugins/" stuff). Now you get a hint of why I hate
"install-and-forget" websites.
Whenever I run into p0ned websites their domain name goes into my
private URIBL list. They don't get spam past me again.


Here's a rule to catch that:

# URIs matching http://some.domain.com/wp-content/plugins/
uri             LOCAL_URI_WPCONTENT     m{https?://[^/]+/wp-content/plugins/}
describe        LOCAL_URI_WPCONTENT     Spammy URI with /wp-content/plugins/

I have similar rules for other hacked site templates and they work quite well.


One clue: "X-Originating-IP: [41.189.207.189]"
Check the various RBL hits on that address. ;)


Or if you don't expect to receive email from Africa then just score this quite heavily. There are already non-scoring meta rules in place:

$ grep FROM_41 *.cf
72_active.cf: meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
72_active.cf: describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
72_active.cf:header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
72_active.cf:describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
72_active.cf:header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
72_active.cf:describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
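An added check, not written by anyone in this thread, that runs the rule regexes quoted above over three constructed messages with Python's re: it shows the /wp-content/plugins/ rule firing on a legitimate plugin URL as well as a spammy one, and that the X-Originating-IP pattern as transcribed here needs some text before the bracket, so a bare "[41.x.x.x]" value does not match it while "host [41.x.x.x]" and "41.x.x.x" do. The freemail domain list, the message contents and the simplified meta evaluation are assumptions.

```python
import re
from email import message_from_string

# Regexes taken from the SpamAssassin rules quoted in this thread.
URI_WPCONTENT = re.compile(r"https?://[^/]+/wp-content/plugins/")
ORIG_FROM_41 = re.compile(r"^(?:.+\[)?41\.")
URI_RE = re.compile(r"https?://\S+")

# Assumption: a tiny stand-in for SpamAssassin's FreeMail plugin (FREEMAIL_FROM).
FREEMAIL_DOMAINS = {"freemail.example"}

# Constructed messages (not from the thread). The 41.x address is the one the
# reply points at; domains and paths are placeholders.
WP_SPAM = """From: sender@freemail.example
X-Originating-IP: 41.189.207.189
Subject:

see http://hacked-site.example/wp-content/plugins/foo/bar.php
"""
BRACKETED = WP_SPAM.replace("41.189.207.189", "[41.189.207.189]")
LEGIT_REPLY = """From: dev@freemail.example
X-Originating-IP: host.example [41.189.207.189]
In-Reply-To: <123@example.invalid>
Subject: Re: plugin

docs at https://wordpress.example/wp-content/plugins/someplugin/readme.txt
"""


def hits(raw):
    """Return the names of the quoted rules that fire on a raw message."""
    msg = message_from_string(raw)
    fired = set()
    if any(URI_WPCONTENT.search(u) for u in URI_RE.findall(msg.get_payload())):
        fired.add("LOCAL_URI_WPCONTENT")
    if ORIG_FROM_41.search(msg.get("X-Originating-IP", "")):
        fired.add("__NSL_ORIG_FROM_41")
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if sender_domain in FREEMAIL_DOMAINS:
        fired.add("FREEMAIL_FROM")
    # meta __FROM_41_FREEMAIL, simplified: __NSL_RCVD_FROM_41 needs
    # X-Spam-Relays-External, which SpamAssassin builds at scan time, so only
    # the X-Originating-IP branch is evaluated; __THREADED is approximated by
    # the presence of In-Reply-To or References.
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    if {"__NSL_ORIG_FROM_41", "FREEMAIL_FROM"} <= fired and not threaded:
        fired.add("__FROM_41_FREEMAIL")
    return fired
```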


