Replying to self, minor correction.

On Sun, 2013-06-23 at 19:02 +0200, Karsten Bräckelmann wrote:
> On Sat, 2013-06-22 at 20:35 -0500, Jonathan Nichols wrote:
> > I've been getting flooded with pump n dump spams for a particular stock
> > symbol, and my feeble admin skills these days are making it difficult
> > to slow. Been using mailspike, spam cop at the mta, and barracuda too.
>
> For outright rejecting on a single BL hit?
>
> I am seeing these, too, scored by SA without rejecting -- and indeed,
> these are commonly tripping Spamhaus XBL, PBL, Barracuda, MSPIKE, SSBL,
> Spamcop and friends. There doesn't seem to be a low-ish scorer here.
>
> > Here's a sample:
> > http://pastebin.com/Y5q4QTnf
> >
> > What kind of worries me are the low Bayes scores. I've been feeding
> > fairly consistent message after message.
>
> Your problem isn't a neutral Bayes classification, but something
> severely harming your messages prior to scanning with SA. From your
> pastebin:
>
>   X-Spam-Status: No, score=2.655 tagged_above=-999 required=5.31
>     tests=[BAYES_50=0.8, MISSING_DATE=1.36, MISSING_MID=0.497,
>     NO_RECEIVED=-0.001, NO_RELAYS=-0.001] autolearn=no
>
> Missing Date and Message-Id headers, no Received headers. I'd focus on
> fixing those, before looking at Bayes again.

Just had a look at various samples here. Correction: The Message-Id
header appears to be missing indeed.

One thing they all seem to have in common -- besides a juicy mix of
blacklist hits -- are RCVD_NUMERIC_HELO and RDNS_NONE. All of them got
dropped along with the Received headers for you.

> To be clear: The pump-n-dump spam of this campaign (including variations
> with different stock symbols earlier) does have these headers. Something
> in your mail processing chain butchered the messages. Given the Amavis
> Warning header, the culprit appears to be earlier in the chain.
>
> Also, with no Received headers, any other blacklist not already checked
> at the perimeter at SMTP time is effectively disabled in SA.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
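
An added example, not part of the original message or of SpamAssassin: one way to locate the hop that strips headers is to capture the same message at successive points in the delivery chain and compare the counts of the headers behind the rules quoted above. The stage names, hosts and sample messages are constructed for illustration.

```python
from email import message_from_string

# Header -> SpamAssassin rule(s) that fire when it is absent, as named in
# the X-Spam-Status line quoted in the thread.
RULE_IF_MISSING = {
    "Date": "MISSING_DATE",
    "Message-ID": "MISSING_MID",
    "Received": "NO_RECEIVED/NO_RELAYS",
}

def header_counts(raw):
    """Count occurrences of each tracked header (names match case-insensitively)."""
    msg = message_from_string(raw)
    return {h: len(msg.get_all(h, [])) for h in RULE_IF_MISSING}

def rules_expected(raw):
    """Rules SA would be expected to hit because a tracked header is absent."""
    return [RULE_IF_MISSING[h] for h, n in header_counts(raw).items() if n == 0]

def stripping_stages(stages):
    """stages: ordered (name, raw_message) pairs. Report every header whose
    count drops between consecutive stages; a healthy hop only adds headers."""
    findings, prev = [], None
    for name, raw in stages:
        counts = header_counts(raw)
        if prev is not None:
            findings += [(name, h, prev[h], n)
                         for h, n in counts.items() if n < prev[h]]
        prev = counts
    return findings

# Constructed samples: stage names, hosts and addresses are hypothetical.
AT_SMTP = (
    "Received: from [192.0.2.15] (unknown [192.0.2.15])\n"
    "\tby mx.example.org with SMTP; Sat, 22 Jun 2013 20:30:00 -0500\n"
    "Date: Sat, 22 Jun 2013 20:29:58 -0500\n"
    "From: sender@example.net\n"
    "Subject: stock tip\n"
    "\n"
    "body\n"
)
BEFORE_SA = "From: sender@example.net\nSubject: stock tip\n\nbody\n"
STAGES = [("smtp-in", AT_SMTP), ("pre-scan-filter", BEFORE_SA)]

if __name__ == "__main__":
    for stage, header, before, after in stripping_stages(STAGES):
        print(f"{stage}: {header} count fell {before} -> {after}")
    print("expected SA hits:", ", ".join(rules_expected(BEFORE_SA)))
```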