On Mon, 28 Sep 2015, Amir Caspi wrote:
> My user is apparently getting the first runs, before these servers have
> gotten onto the DNSBLs. Subsequent duplicate spams were properly caught
> by SA after the DNSBLs caught up, but the first waves get through.
Is greylisting an acceptable option in your environment?
Also: both of those samples have URIs and From addresses using unusual new
TLDs. You might want to add something like this:
header FROM_RARE_TLD From:addr =~ /\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review)>?$/i
describe FROM_RARE_TLD From address in rarely-nonspam TLD
score FROM_RARE_TLD 3.000
uri URI_RARE_TLD m;://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review)(?:/|\b);i
describe URI_RARE_TLD URI refers to rarely-nonspam TLD
score URI_RARE_TLD 3.000
(I've yet to add these to my sandbox.)
IME "may be forged" in a Received header refers to the fact that an
untrusted user was running sendmail to submit the message. I don't know
how good a spam sign it is by itself, but in concert with BAYES_999 and/or
URI_RARE_TLD it would probably be worthwhile.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where are my space habitats? Where is my flying car?
It's 2010 and all I got from the SF books of my youth
is the lousy dystopian government. -- perlhaqr
-----------------------------------------------------------------------
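A way to exercise the two posted rules before dropping them into a live SpamAssassin configuration, as an added example that is not part of the original message: the same FROM_RARE_TLD and URI_RARE_TLD regexes are applied in Python to constructed sample messages, so you can see what fires, what the `>?$` anchor and the `[^/]+` / `\b` parts guard against, and what the summed score would be. The URI extractor and the one-hit-per-rule scoring are simplifications assumed here, not SpamAssassin's own implementation, and the sample messages are made up for the test.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The TLD list from the two posted rules; editing this string changes both patterns.
RARE_TLDS = r"work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review"

# Same regexes as the posted FROM_RARE_TLD and URI_RARE_TLD rules, in Python re syntax.
FROM_RARE_TLD = re.compile(r"\.(?:%s)>?$" % RARE_TLDS, re.IGNORECASE)
URI_RARE_TLD = re.compile(r"://[^/]+\.(?:%s)(?:/|\b)" % RARE_TLDS, re.IGNORECASE)

# Simplified stand-in for SpamAssassin's URI extraction (assumption: scheme://... tokens only).
URI_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.IGNORECASE)

# Scores as given in the posted rules; each rule is counted at most once per message.
SCORES = {"FROM_RARE_TLD": 3.0, "URI_RARE_TLD": 3.0}


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def score_message(raw_message):
    """Return which of the two rules fire on a raw RFC 822 message and the summed score."""
    msg = message_from_string(raw_message)
    hits = []

    # header FROM_RARE_TLD From:addr =~ ...  -> tested against the address part of From: only
    _, addr = parseaddr(msg.get("From", ""))
    if addr and FROM_RARE_TLD.search(addr):
        hits.append("FROM_RARE_TLD")

    # uri URI_RARE_TLD ...  -> tested against every URI found in the body
    if any(URI_RARE_TLD.search(uri) for uri in URI_RE.findall(body_text(msg))):
        hits.append("URI_RARE_TLD")

    return {"hits": hits, "score": sum(SCORES[h] for h in hits)}


# Constructed sample messages (not the samples discussed in the thread).
SPAM = """From: "Deals" <deals@promo.xyz>
Subject: claim now

Click http://win.club/claim or visit http://promo.xyz
"""

HAM = """From: Alice <alice@example.com>
Subject: meeting

Notes are at https://example.org/notes/today
"""

# Near misses: "clubhouse" is not the TLD "club", and "some.work" is a path, not a host.
EDGE = """From: carol@clubhouse.example
Subject: hi

See http://foo.clubhouse.com/x and http://example.com/some.work/x
"""

if __name__ == "__main__":
    for name, sample in (("spam", SPAM), ("ham", HAM), ("edge", EDGE)):
        print(name, score_message(sample))
```

Running the script prints one line per sample: the spam sample fires both rules for a combined 6.0, while the ham and near-miss samples fire neither. The EDGE message is the useful one when tuning the list: `\.club` followed by `h` fails the `(?:/|\b)` alternative, and `[^/]+` stops at the first slash so a rare TLD appearing in the path does not count against the host.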