On 14/03/12 03:09, David B Funk wrote:
On Tue, 13 Mar 2012, Alex wrote:
Hi,
http://pastebin.com/raw.php?i=iquXBnH0
While I could create a rule to block this specific domain, or submit
it to a RBL, I'd appreciate any ideas how to more generally block
them, rather than by one characteristic in the message.
We need more examples.
That just occurred to me that it would help. Here are a few similar
ones, but these hit bayes99:
http://pastebin.com/raw.php?i=Axgx8qSP
http://pastebin.com/raw.php?i=7iU2MnP7
These two URI formats have been around for ages and we developed a rule
on this list a while back to catch these. Here's what I'm currently using:
# Generic template to match any domain DDFirstLastname:
# URIs matching http://some.domain.com/breakingnews/12FirstLastname/
uri LOCAL_URI_DDFIRSTLAST m{https?://[^/]+/[^/]+/\d\d[A-Z][a-z]{1,20}[A-Z][a-z]{1,20}/$}
describe LOCAL_URI_DDFIRSTLAST Spammy URI template with DDFirstnameLastname
Here is an example more closely relating to the first one. Hit only
bayes50, no subject, freemail, very similar short body:
http://pastebin.com/raw.php?i=juvD9yzS
Thanks,
Alex
Note that URL, yet another p0ned WordPress website (the
"/wp-content/plugins/" stuff). Now you get a hint of why I hate
"install-and-forget" websites.
Whenever I run into p0ned websites their domain name goes into my
private URIBL list. They don't get spam past me again.
One clue: "X-Originating-IP: [41.189.207.189]"
Check the various RBL hits on that address. ;)
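
An added example, not part of the original thread: a Python sketch that applies the LOCAL_URI_DDFIRSTLAST pattern quoted above to the URIs in a message body and builds the reversed-octet DNSBL query name for the X-Originating-IP header. The sample message, the function names and the zone `dnsbl.example` are constructed placeholders, not values from the thread or from any real list.

```python
import email
import ipaddress
import re

# Python port of the LOCAL_URI_DDFIRSTLAST pattern quoted above (same regex body).
DDFIRSTLAST = re.compile(r"https?://[^/]+/[^/]+/\d\d[A-Z][a-z]{1,20}[A-Z][a-z]{1,20}/$")
URI_RE = re.compile(r"https?://[^\s<>\"']+")      # simple URI extractor (assumption)
ORIG_IP_RE = re.compile(r"\[?\s*([0-9.]+)\s*\]?")  # value looks like "[a.b.c.d]"

# Constructed sample message (documentation-range IP, example hosts).
SAMPLE = """\
From: someone@freemail.example
To: user@example.org
X-Originating-IP: [192.0.2.45]
Subject:

http://news.example.com/breakingnews/12JohnSmith/
http://blog.example.com/wp-content/plugins/foo/page.html
http://news.example.com/breakingnews/12JohnSmith
"""

def template_hits(body):
    """Return the URIs in body that match the DDFirstLast template."""
    return [u for u in URI_RE.findall(body) if DDFIRSTLAST.search(u)]

def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup for an IPv4 address uses."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def triage(raw, zone="dnsbl.example"):  # zone is a placeholder, not a real list
    """Summarise template URI hits and the DNSBL query name for one message."""
    msg = email.message_from_string(raw)
    hits = template_hits(msg.get_payload())
    m = ORIG_IP_RE.search(msg.get("X-Originating-IP", ""))
    query = None
    if m:
        try:
            query = dnsbl_query_name(m.group(1), zone)
        except ValueError:
            query = None  # header present but not a valid IPv4 address
    return {"uri_hits": hits, "dnsbl_query": query}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the first sample URI matches: the pattern requires the trailing slash and exactly one path segment before the DDFirstLast part, so the variant without the slash and the `/wp-content/plugins/` style URL both pass through and need a URIBL entry or a separate rule.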