On Mon, 28 Sep 2015, John Hardin wrote:
> On Mon, 28 Sep 2015, Amir Caspi wrote:
>> My user is apparently getting the first runs, before these servers have
>> gotten onto the DNSBLs. Subsequent duplicate spams were properly caught by
>> SA after the DNSBLs caught up, but the first waves get through.
> Is greylisting an acceptable option in your environment?
> Also: both of those samples have URIs and From addresses using unusual new
> TLDs. You might want to add something like this:
> header FROM_RARE_TLD From:addr =~ /\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review)>?$/i
> describe FROM_RARE_TLD From address in rarely-nonspam TLD
> score FROM_RARE_TLD 3.000
> uri URI_RARE_TLD m;://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review)(?:/|\b);i
> describe URI_RARE_TLD URI refers to rarely-nonspam TLD
> score URI_RARE_TLD 3.000
> (I've yet to add these to my sandbox.)
> IME "may be forged" in a Received header refers to the fact that an untrusted
> user was running sendmail to submit the message. I don't know how good a spam
> sign it is by itself, but in concert with BAYES_999 and/or URI_RARE_TLD it
> would probably be worthwhile.
In the OP's context "may be forged" indicates FCDNS failed. This could be due to
a deliberate obfuscation attempt or a simple temporary network/DNS issue.
The "Botnet" plugin will catch those as well as other kinds of DNS/hostname type
indications and allow score adjustments.
I'll second John's suggestion on rules to add points for off-beat TLDs. I don't
score them quite so heavily but have a larger collection of names and regularly
add to them.
They're also useful in metas with other things. (EG: BAYES_99 && OFFBEAT_TLDs )
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
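A small test harness for the rules discussed above, added here and not part of the thread or of SpamAssassin: it transcribes John's two Perl regexes to Python, exercises them against constructed From addresses and URIs, and scores a hypothetical meta (BAYES99_RARE_TLD, assumed score 2.0, with BAYES_99 at SA's stock 3.5 as assumed) in the spirit of Dave's BAYES_99 && OFFBEAT_TLDs. URI_RARE_TLD_STRICT is my own tightening of the uri rule, not something either poster proposed.

```python
import re

# TLD alternation exactly as in John's two rules. Everything else in this file
# is an added Python harness, not SpamAssassin (which compiles these as Perl).
RARE_TLDS = ("work|space|club|science|pub|red|blue|green|link|ninja|"
             "lol|xyz|faith|review")

# header FROM_RARE_TLD From:addr =~ /\.(?:TLDS)>?$/i
FROM_RARE_TLD = re.compile(r"\.(?:" + RARE_TLDS + r")>?$", re.I)
# uri URI_RARE_TLD m;://[^/]+\.(?:TLDS)(?:/|\b);i
URI_RARE_TLD = re.compile(r"://[^/]+\.(?:" + RARE_TLDS + r")(?:/|\b)", re.I)
# Assumed tightening (not from the thread): the \b above is satisfied by the
# dot after a subdomain label, so www.club.example.com hits URI_RARE_TLD.
# Requiring a URI delimiter or end of string after the TLD avoids that.
URI_RARE_TLD_STRICT = re.compile(
    r"://[^/]+\.(?:" + RARE_TLDS + r")(?:[/:?#]|$)", re.I)


def from_rare_tld(addr):
    """True if a From:addr value ends in one of the listed TLDs."""
    return FROM_RARE_TLD.search(addr) is not None


def uri_rare_tld(uri, strict=False):
    """True if a URI's host part ends in a listed TLD (strict: my variant)."""
    pat = URI_RARE_TLD_STRICT if strict else URI_RARE_TLD
    return pat.search(uri) is not None


def score_message(from_addr, uris, bayes_99=False):
    """Return (hits, total) for one message.

    Scores of 3.0 come from John's rules; 3.5 for BAYES_99 is SA's stock
    score as assumed here; BAYES99_RARE_TLD is a hypothetical meta in the
    spirit of Dave's 'BAYES_99 && OFFBEAT_TLDs', with an assumed score of 2.0.
    """
    hits = {}
    if from_rare_tld(from_addr):
        hits["FROM_RARE_TLD"] = 3.0
    if any(uri_rare_tld(u) for u in uris):
        hits["URI_RARE_TLD"] = 3.0
    if bayes_99:
        hits["BAYES_99"] = 3.5
    tld_hit = any(r in hits for r in ("FROM_RARE_TLD", "URI_RARE_TLD"))
    if "BAYES_99" in hits and tld_hit:
        hits["BAYES99_RARE_TLD"] = 2.0
    return hits, round(sum(hits.values()), 1)
```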