(When creating a new thread, please create a new message instead of replying to an existing message as your "new" thread will be buried under that old thread for most people using a threading mail reader.)
Duncan, Brian M. wrote: > Over the last 7 days I have seen a large # of Spam messages making it through > our SpamAssassin 3.3.1 install. We use around 5 RBL's also. > > It looks like it is all from the same sender. > > They all seem to be coming from IP's all by the same netblock owner. > > Here are some of them, but there are many many more.. It just started like 5 > days ago. > > 66.96.253.241 > 64.120.241.228 > 66.197.142.29 > 66.197.142.23 > 66.197.207.152 > 66.197.177.174 > 64.191.61.25 > > OrgName: Network Operations Center Inc. *nod* I recently flagged them as a nuisance netblock owner in the internal DNSBL[1] here. I've been seeing them for years. I have 54 netblocks of various sizes and distances from the regional IP registry on file for them, plus far more suballocations to their apparent customers. > Each IP winds up on an RBL like 24 hours later, but then they have already > moved on.. It looks like they have a system setup that sends like 10-20 > messages on each host, then cycles to a new message and new host and repeats > only during business hours. The removal text working in the bodies of the > messages seems to randomly change also. > > I rarely have seen any SpamAssasin hits on the bodies of these messages. > > (cached, score=-0.125, required 6.5, autolearn=not spam, > RP_MATCHES_RCVD -0.12) I would recommend scoring RP_MATCHES_RCVD to -0.001; it may be useful in combination with other factors, but as-is and with the default Bayes autolearn thresholds it can cause bad Bayes autolearn results. I'd also recommend dropping the Bayes autolearn-as-ham threshold below 0. -kgd [1] To maintain this local DNSBL, I feed IPs and whatever ARIN, RIPE, APNIC, AfriNIC or LACNIC allocation and reallocation data I can find into a somewhat rough-edged tool I wrote: https://secure.deepnet.cx/trac/dnsbl. It's set up to preemptively tag netblocks over time; if IPs keep getting reported in any given block, sooner or later it will cross a threshold and IPs not actually reported will still have a bit set in the DNS result. In closing in on three years, I think I've removed netblocks for false-positives due to change in ownership of the block maybe twice.
