On Mar 27, 2015, at 1:20 PM, Axb <axb.li...@gmail.com> wrote:

> These three samples are very different in the sense that #1 is a hacked
> site, #2 & #3 are the regular snowshoe.

Of course, I picked three different samples on purpose. But, I have hundreds that replicate these.

> What I miss in your sample's SA reports are any URIBL hits of some sort.

Because there were no hits. That's exactly the point.

> Are you doing URIBL lookups? and using RAZOR & PYZOR?

Yes, using Razor, Pyzor, and DCC. Also using all default RBLs and URIBLs.

Per my last message, the whole issue is that my user appears to be getting the "hot off the presses" run of these spams, before they have been reported to the RBLs, URIBLs, and hash DBs like Razor and Pyzor. Therefore, none of the network checks are getting hit... they are absolutely enabled, and a few hours later they would hit high scores, but upon initial receipt they simply do not hit because the spam is too new.

This is my whole issue -- since my user appears to be very high up on the recipient list for all these spammers, and is therefore getting spams before the network checks are effective, how can we combat these "new" spams _before_ the network checks become effective?

Thanks.

--- Amir