> Date: Wed, 24 Apr 2013 13:13:30 -0400
> From: b...@indietorrent.org
> To: users@spamassassin.apache.org
> Subject: Re: Seminar Spam
> 
> 
> 
> On 4/24/2013 12:12 PM, hospice admin wrote:
> > Hi,
> > 
> > we're having problems with an outfit called 'Bite Sized Seminars' in the
> > UK, who seem to be sending mail out through another company called
> > 'Communicado'. A quick google suggests we aren't the only ones.
> > 
> > We have developed a number of rules that identify their mail by looking
> > for their phone numbers, common phrases, etc in their mail shots with
> > varying success (I'm happy to share these with anyone who may find them
> > helpful).
> > 
> > The problem I'm trying to solve is that they seem to register hundreds
> > of .co.uk domains, and have access to loads of sending IPs, so I can't
> > just write a rule to do the obvious. I've complained about them to
> > Nominet, and they aren't interested ... according to them, they are
> > doing nothing wrong. I've also complained to various IP providers, some
> > of which say they will do something, but rarely do. I've even rung them
> > ... again ... no joy.
> > 
> > Here's my question - am I missing a trick here, particularly regarding
> > the hundreds of domain names? For example, is it possible to do a
> > 'whois' and process the output in some way?
> > 
> > Thanks
> > 
> > Judy.
> > 

Thanks to everyone who made suggestions and asked questions. Sorry about slow 
response from me, but drove my bike into a wall shortly after sending the above 
(all fine ... except for the bike :)
 
Re- Bayes ... yes, I've trained Bayes as best as I can, and I'm getting 
acceptable results.
 
Re- Common Header patterns ... again, yes, there are quite a few and I've 
written rules that spot many. I've also picked up on common patterns in the 
mail bodies themselves ... stuff like telephone numbers, common phrases and 
that kind of thing. I've glued these all together in a Meta rule and I must say 
the accuracy is pretty good.
 
Re- example domains ... I've collected loads, along with associated IPs. I have 
these in an RBL and I update from logs each day. Basically, they can get me 
once, but only once :)
 
I think I've done all the obvious things and I'm pretty happy with the results, 
but will post some examples in pastebin as requested, JiC anyone is interested 
(you probably already have some in your junk pile if you look).
 
I was really just interested in seeing if anyone was handling this kind of 
thing differently to me, etc. Whois seems like a gold mine, but as someone 
said, the nominet guys do their best to make it unusable. Even so, I'm looking 
at options involving mimedefang :) 
 
These guys are basically cr@p, but persistent ... I guess that's all you need 
to be to make money out of spam.
 
Thanks again peeplz, and special thanks to Nominet for helping make things as 
bad as they are.
 
Judy                                      
