Posted to users@spamassassin.apache.org by Julian Yap <ju...@gmail.com> on 2010/10/12 22:32:39 UTC

Constant .info domain spam

NOTE: I changed the domains below to 'dot info' as the mailing list
rejected my initial submission.

I'm pretty sure it's not just me but there is some constant spamming
from  dot info domains.  Perhaps for the past 2 months or so.

Often they send hundreds per day and consistently from the same IP's.

Are people using automated IP blacklists or something like that?

Some examples, today I am being bombed by:
laura_hurtbis817@treebluff dot info - 217.23.6.209
Go.Longer.902@peterosey dot info - 204.45.150.196
Alert.911@woodghost dot info - 64.32.6.4
Bankruptcy.Updates@bestetroqu dot info - 173.234.224.131
nick@maracaoonline dot info - 184.107.29.11
lisa@feeloffers dot info - 72.55.165.139
Beth@briesie dot info - 67.159.50.131
claudia_lauffe@redpinesales dot info - 174.37.134.225

The HELO is usually something like:
uri225.redpinesales dot info
rjwi4.woodghost dot info
lvhi11.maracaoonline dot info
esi139.feeloffers dot info
yyi131.bestetroqu dot info

So I'm thinking it's the same spammer/spam network/spam program you
buy off the shelf.

Any thoughts on combating this onslaught?

- Julian

Re: Constant .info domain spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-10-12 at 14:22 -1000, Julian Yap wrote:
> 2010/10/12 Karsten Bräckelmann <gu...@rudersport.de>:
> > On Tue, 2010-10-12 at 14:03 -1000, Julian Yap wrote:

> >> Many of them don't trigger the RCVD_IN_* rules.  Does anyone implement
> >> their own private DNS black list?
> >
> > Many of what?
> 
> Many of the .info emails.  I guess because they are not listed on any RDNSBL's.
> 
> >> Here's a latest one:
> >> From:   "Juice Up My Income" <Art@parkrasive dot info>
> >> Subject:        Sometimes timing is everything
> >> Date Received:  Oct 12, 2010 13:43 PM
> >>
> >> Rules triggers:
> >> 7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
> >
> > That is a rather drastic score, and generally not advised.
> >
> > However, overall it passed your spam threshold by far, no!?
> 
> Yes, but my issue I guess is the volume.  Perhaps, this is a more
> 'general' thread to the overall .info domain issue.  Just wanted to
> see if there were general ideas of how people combat this problem.
> Perhaps others do not see the volumes of spam that I do to notice the
> issue.

What I am (again!) missing, is the actual list of RCVD_IN_* rules hit.
Or, in other words, the DNS BL list providers that do result in a hit.
Absence of a few ones will show if your DNS is blocked.

So, which of these rules do trigger? How often?


And, again, there's no need to send a private copy. On-list only is
sufficient. I do read this list, no reason you would want to end up
on-list *and* in my Inbox, right?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
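The question above ("which of these rules do trigger? How often?") is the kind of thing worth answering from logs rather than from memory. The script below is an added example, not part of the thread, that tallies RCVD_IN_* rule hits across SpamAssassin X-Spam-Status headers and reports how much of the identified spam carried no DNSBL hit at all; a large share of spam with zero RCVD_IN_* hits is the symptom of blocked or broken DNS that the reply describes. The sample headers are constructed for the example; real headers may fold the tests= list across several lines, which this single-line parser does not unfold.

```python
"""Tally which RCVD_IN_* (DNS blocklist) rules fire across scanned mail."""
import re
from collections import Counter

# Constructed sample X-Spam-Status headers (not taken from the thread).
SAMPLE_HEADERS = """\
X-Spam-Status: Yes, score=14.2 required=5.0 tests=BAYES_99,HELO_MISMATCH_INFO,RCVD_IN_PBL,RCVD_IN_PSBL,RCVD_IN_XBL
X-Spam-Status: Yes, score=9.8 required=5.0 tests=BAYES_99,MIME_HTML_ONLY,RCVD_IN_PSBL
X-Spam-Status: Yes, score=7.9 required=5.0 tests=BAYES_99,HOST_EQ_STATIC,HELO_MISMATCH_INFO
X-Spam-Status: No, score=1.1 required=5.0 tests=HTML_MESSAGE,SPF_PASS
X-Spam-Status: Yes, score=12.0 required=5.0 tests=BAYES_99,RCVD_IN_PBL,RCVD_IN_XBL
"""

# Matches the spam flag and the comma-separated tests= list on one line.
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<flag>Yes|No),.*?tests=(?P<tests>[A-Z0-9_,]+)"
)


def parse_status_lines(text):
    """Yield (is_spam, [rule names]) for each X-Spam-Status line in text."""
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        tests = [t for t in m.group("tests").split(",") if t]
        yield m.group("flag") == "Yes", tests


def tally_rcvd_in(text):
    """Return (Counter of RCVD_IN_* hits, spam message count,
    spam messages that carried no RCVD_IN_* hit at all)."""
    hits = Counter()
    spam_total = 0
    spam_no_dnsbl = 0
    for is_spam, tests in parse_status_lines(text):
        if not is_spam:
            continue  # only identified spam is interesting here
        spam_total += 1
        dnsbl = [t for t in tests if t.startswith("RCVD_IN_")]
        if not dnsbl:
            spam_no_dnsbl += 1
        hits.update(dnsbl)
    return hits, spam_total, spam_no_dnsbl


def dnsbl_coverage(spam_total, spam_no_dnsbl):
    """Fraction of identified spam that hit at least one RCVD_IN_* rule.
    Near 0.0 across a day's mail points at DNS trouble, not at the lists."""
    if spam_total == 0:
        return 0.0
    return (spam_total - spam_no_dnsbl) / spam_total


if __name__ == "__main__":
    hits, total, none = tally_rcvd_in(SAMPLE_HEADERS)
    for rule, n in hits.most_common():
        print(f"{n:4d}  {rule}")
    print(f"spam with any DNSBL hit: {dnsbl_coverage(total, none):.0%}")
```

Run it over `grep -h '^X-Spam-Status' /path/to/maildir/*` output (or the equivalent extract from your MTA log) instead of the embedded sample to get the per-list frequencies the reply asks for.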


Re: Constant .info domain spam

Posted by Julian Yap <ju...@gmail.com>.
2010/10/12 Karsten Bräckelmann <gu...@rudersport.de>:
> On Tue, 2010-10-12 at 14:03 -1000, Julian Yap wrote:
>> 2010/10/12 Karsten Bräckelmann <gu...@rudersport.de>:
>> > On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
>> > > Are people using automated IP blacklists or something like that?
>> >
>> > Yes. SA even uses them by default.
>> >
>> > What do your SA rules triggered look like? Check your identified spam.
>> > Do you see RCVD_IN_* rules?
>> >
>> > If not, you are having DNS problems, or deliberately disabled those
>> > network checks.
>>
>> Many of them don't trigger the RCVD_IN_* rules.  Does anyone implement
>> their own private DNS black list?
>
> Many of what?

Many of the .info emails.  I guess because they are not listed on any RDNSBL's.

>> Here's a latest one:
>> From:   "Juice Up My Income" <Art@parkrasive dot info>
>> Subject:        Sometimes timing is everything
>> Date Received:  Oct 12, 2010 13:43 PM
>>
>> Rules triggers:
>> 7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
>
> That is a rather drastic score, and generally not advised.
>
> However, overall it passed your spam threshold by far, no!?

Yes, but my issue I guess is the volume.  Perhaps, this is a more
'general' thread to the overall .info domain issue.  Just wanted to
see if there were general ideas of how people combat this problem.
Perhaps others do not see the volumes of spam that I do to notice the
issue.

- Julian

Re: Constant .info domain spam

Posted by Rob McEwen <ro...@invaluement.com>.
 On 10/12/2010 8:14 PM, Karsten Bräckelmann wrote:
> [Added after re-reading: Same request. Which ones do hit, optionally
> which ones don't?]

For the IPs mentioned:

217.23.6.209
204.45.150.196
64.32.6.4
173.234.224.131
184.107.29.11
72.55.165.139
67.159.50.131
174.37.134.225

...here is a tally of *which* DNSBLs blacklisted these IPs, and how many
of these IPs were blacklisted by each DNSBL:

(see analysis below this list)

NOTE: There were 8 different IPs. So the highest possible score was an
"8 out of 8".

# of "hits"   blacklist name

7             ivmSIP

7             FIVETEN

6             BARRACUDA

6             Tiopan

5             PSBL

4             ivmSIP/24

3             NIXSPAM

3             OSPAM

2             BURNT-TECH

2             EMAILBASURA

2             KEMPTBL

2             SORBS

2             SWINOG

2             WPBL

1             AHBL

1             RATS-Dyna

1             SPAMCANNIBAL

1             SPAMCOP

1             UCEPROTECT1


I tallied this by checking each of those IPs on the mxtoolbox.com web
site (one of the more popular free DNSBL lookup sites), and gave credit
for each hit. Keep in mind that this ranking does NOT take into account
the FP rates of each of the lists. For example, ivmSIP and FIVETEN tied
for first place. But, of course, ivmSIP is orders of magnitude a higher
quality blacklist compared to FiveTen when you factor in a DNSBL's
ability to avoid False Positives. Therefore, the BEST lists are the ones
which scored high on this list --AND-- which also have low FPs. (for
example, the one IP that ivmSIP missed really is a heavily abused IP...
but one that also has MUCH legitimate use because it is used by one of
the most popular dating sites for Latinos, which has 8 million
subscribers. Therefore, MUCH collateral damage might occur from the
blacklisting of this IP. Still, this can be a judgment call because
sometimes "enough is enough" with some heavily abused IPs that have some
legit uses!)

Regarding that one IP, the DNSBLs which blacklisted 67.159.50.131
include FiveTen, Ospam, PSBL, and SORBS. Personally, I consider this to
be the only False Positive of all the IPs submitted. And, for anyone who
agrees with that analysis, this makes ivmSIP the /*only*/ list with a
perfect 7 out of 7 score. But, again, considering 67.159.50.131 to be a
FP is somewhat of a judgment call.

NOTE: What this list is missing are DNSBLs like Zen. Obviously, the
reason Zen is missing is because the person who submitted this list of
IPs for missed spams probably ALREADY uses Zen-->so those spam /blocked/
by Zen won't show up on his list of /missed/ spams. And other DNSBLs may
be in the same situation. For example, I suspect this mail system also
uses SpamCop. So why the one SpamCop "hit" in the tally above? Probably
because that one IP may not have been in SpamCop at the time the message
arrived. (perhaps the same is true for UCE-1 and SORBS?--and would
explain their 1 or 2 hits?)

Along the same lines, some other DNSBLs that this mail system uses are
not going to show up on that list at all, even if very good blacklists,
like Zen--due to those DNSBLs already being used for outright blocking
on that mail server where these spams were missed. That is the reason
some lists are missing or under-represented.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
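The tally above was produced by hand through a web lookup site; the same count can be reproduced locally because every DNSBL answers the same way: the client reverses the IPv4 octets, appends the list's zone, and treats an A record in 127.0.0.0/8 as "listed". The code below is an added example and not Rob's or anyone's tooling from the thread. It builds those query names, tallies hits per list exactly as the table above does, and takes the resolver as a parameter so that the embedded run uses constructed answers for documentation-range addresses (192.0.2.0/24, 198.51.100.0/24) and works offline; `resolve_live` is the drop-in that performs real lookups. The three zone names are real list zones mentioned in the thread, used here only as labels.

```python
"""Per-DNSBL tally of listed IPs, reproducing the hand count above."""
import ipaddress
import socket
from collections import Counter

# Zones used as labels in this example (Zen, PSBL and SpamCop appear above).
ZONES = ["zen.spamhaus.org", "psbl.surriel.com", "bl.spamcop.net"]

# Constructed IPs (documentation ranges, not the thread's addresses).
SAMPLE_IPS = ["192.0.2.1", "192.0.2.2", "198.51.100.7"]

# Constructed DNS answers standing in for real responses, keyed by query name.
FAKE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "1.2.0.192.psbl.surriel.com": "127.0.0.2",
    "2.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",
}


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(answer):
    """A listing is an A record inside 127.0.0.0/8; the last octet usually
    says which sub-list matched. No answer (None) means not listed."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def fake_resolve(name):
    """Offline stand-in for a resolver: returns the constructed A record or None."""
    return FAKE_ANSWERS.get(name)


def resolve_live(name):
    """Real lookup via the system resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tally(ips, zones, resolve=fake_resolve):
    """Count, per zone, how many of `ips` it lists; also return which zones
    listed each IP so a suspected false positive can be inspected."""
    counts = Counter({zone: 0 for zone in zones})
    per_ip = {}
    for ip in ips:
        listed_in = []
        for zone in zones:
            if is_listed(resolve(dnsbl_query_name(ip, zone))):
                counts[zone] += 1
                listed_in.append(zone)
        per_ip[ip] = listed_in
    return counts, per_ip


if __name__ == "__main__":
    counts, per_ip = tally(SAMPLE_IPS, ZONES)
    print(f"{len(SAMPLE_IPS)} IPs checked; highest possible score is {len(SAMPLE_IPS)}")
    for zone, n in counts.most_common():
        print(f"{n:4d}  {zone}")
    for ip, zones in per_ip.items():
        print(f"{ip}: {', '.join(zones) or 'not listed'}")
```

Swap `resolve=resolve_live` into the `tally` call to query the real lists; as the post notes, a count like this says nothing about each list's false-positive rate, so it ranks coverage only.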



Re: Constant .info domain spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-10-12 at 14:03 -1000, Julian Yap wrote:
> 2010/10/12 Karsten Bräckelmann <gu...@rudersport.de>:
> > On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:

Doh!  Upon re-reading, I just realized that you are the OP of this
thread, not Peter. So, please, Julian, think of most (if not all) my
questions being directed at you, too.


> > > Are people using automated IP blacklists or something like that?
> >
> > Yes. SA even uses them by default.
> >
> > What do your SA rules triggered look like? Check your identified spam.
> > Do you see RCVD_IN_* rules?
> >
> > If not, you are having DNS problems, or deliberately disabled those
> > network checks.
> 
> Many of them don't trigger the RCVD_IN_* rules.  Does anyone implement
> their own private DNS black list?

Many of what?

Anyway, yes, some *few* people are using private DNS BLs. Some (a lot
more) users are using DNS BLs not used by SA by default -- courtesy of
the version, of course.

[Added after re-reading: Same request. Which ones do hit, optionally
which ones don't?]


> Here's a latest one:
> From:   "Juice Up My Income" <Art@parkrasive dot info>
> Subject:        Sometimes timing is everything
> Date Received:  Oct 12, 2010 13:43 PM
> 
> Rules triggers:
> 7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]

That is a rather drastic score, and generally not advised.

However, overall it passed your spam threshold by far, no!?

> 1.2 HOST_EQ_STATIC HOST_EQ_STATIC
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 1.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.5 MY_OBFUX RAW: X with unusual chars
> 0.3 MY_OBFU_MISC RAW: Misc unusual chars together
> 0.3 HOST_MISMATCH_COM HOST_MISMATCH_COM
> 0.3 MIME_8BIT_HEADER Message header contains 8-bit character
> 1.4 HELO_MISMATCH_INFO HELO_MISMATCH_INFO
> 0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
> 0.0 T_REMOTE_IMAGE Message contains an external image

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Constant .info domain spam

Posted by Julian Yap <ju...@gmail.com>.
2010/10/12 Karsten Bräckelmann <gu...@rudersport.de>:
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
>> NOTE: I changed the domains below to 'dot info' as the mailing list
>> rejected my initial submission.
>>
>> I'm pretty sure it's not just me but there is some constant spamming
>> from  dot info domains.  Perhaps for the past 2 months or so.
>>
>> Often they send hundreds per day and consistently from the same IP's.
>>
>> Are people using automated IP blacklists or something like that?
>
> Yes. SA even uses them by default.
>
> What do your SA rules triggered look like? Check your identified spam.
> Do you see RCVD_IN_* rules?
>
> If not, you are having DNS problems, or deliberately disabled those
> network checks.

Many of them don't trigger the RCVD_IN_* rules.  Does anyone implement
their own private DNS black list?

Here's a latest one:
From:   "Juice Up My Income" <Art@parkrasive dot info>
Subject:        Sometimes timing is everything
Date Received:  Oct 12, 2010 13:43 PM

Rules triggers:
7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
1.2 HOST_EQ_STATIC HOST_EQ_STATIC
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.5 MY_OBFUX RAW: X with unusual chars
0.3 MY_OBFU_MISC RAW: Misc unusual chars together
0.3 HOST_MISMATCH_COM HOST_MISMATCH_COM
0.3 MIME_8BIT_HEADER Message header contains 8-bit character
1.4 HELO_MISMATCH_INFO HELO_MISMATCH_INFO
0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
0.0 T_REMOTE_IMAGE Message contains an external image

RE: Constant .info domain spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-10-13 at 12:28 +1300, Peter Lowish wrote:
> I confirm that on revisiting, RCVD_IN_* rules are implemented - thanks for your help

*sigh*

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guenther@rudersport.de] 
> Sent: Wednesday, 13 October 2010 11:41 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Constant .info domain spam
> 
> On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> > How are RCVD_IN_* rules implemented Karsten?
> 
> They are generally DNS BL checks, some of which do (and are safe for)
> deep header parsing. Most of them are checked against the handing-over
> relay's IP only, though.
> 
> Stuff removed
  ^^^^^^^^^^^^^
I did *not* write that. What I did write, however, was an explicit
request to not top-post.

Moreover, I clearly asked for *which* RCVD_IN_* rules hit, and an
estimated frequency number. Take a guess, if I have a reason for that.

Not all of the DNS BLs have a query threshold. Yes, it is possible to
get such hits, but still miss some of the most important ones. But hey,
you ignored and snipped my questions and the information how to fix it
(unless you are a seriously heavy load), so I only can assume it doesn't
apply to you.

*shrug*  Well, if the above answers all your questions, glad to help.
Otherwise, I guess we need the information I asked for.


BTW, since you got my hint to strip the quote (although not limiting to
unnecessary parts) -- there's no need to send a copy directly. I do read
the list. I wouldn't have answered to your OP otherwise...

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: Constant .info domain spam

Posted by Peter Lowish <pe...@web1.co.nz>.
I confirm that on revisiting, RCVD_IN_* rules are implemented - thanks for your help

Peter

-----Original Message-----
From: Karsten Bräckelmann [mailto:guenther@rudersport.de] 
Sent: Wednesday, 13 October 2010 11:41 a.m.
To: users@spamassassin.apache.org
Subject: Re: Constant .info domain spam

On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> How are RCVD_IN_* rules implemented Karsten?

They are generally DNS BL checks, some of which do (and are safe for)
deep header parsing. Most of them are checked against the handing-over
relay's IP only, though.

Stuff removed



Re: Constant .info domain spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> How are RCVD_IN_* rules implemented Karsten?

They are generally DNS BL checks, some of which do (and are safe for)
deep header parsing. Most of them are checked against the handing-over
relay's IP only, though.

They are enabled (by default) by the skip_rbl_checks option, set to 0.
If they have not been disabled deliberately or erroneously, missing of
such rule hits indicates a DNS problem. (If you are using your ISP's DNS
directly or as a forwarder, a local caching non-forwarding DNS usually
solves it.)

Of course, your trusted and internal networks must be correct. SA is
good at guessing them in most cases, but a more complicated setup might
need tweaking.

I mentioned it specifically, because you stated the reported IPs to send
a lot of spam. Thus, they are most likely to be listed with some of the
RBLs.

Can't say more, because you didn't include any information regarding
your environment.


> I have similar spam being sent from such addresses as
> bidwars.uyjqm@trgide.soldiersupplywell.net and I don’t see that rule in the
> matching rules

The sender frequently is forged, or registered for abusive purposes with
a freemail provider. The left-hand part after the dot looks suspiciously
like a forgery.

Anyway, the sender address is irrelevant in the context of relay IP
checks. Like the submitting host's IP, as you mentioned.

What I am missing is an answer to my question, if you are seeing *ANY*
of such rule hits -- and if so, which, and how frequently.


> Running mailwatch for mailscanner with spamassassin

Please do not top-post, and remove unnecessary parts of the quote.
Answering each question right below where it was asked would show you
quickly what's missing. Like, the actual answer to my previous question.


> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guenther@rudersport.de] 
> Sent: Wednesday, 13 October 2010 10:05 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Constant .info domain spam
> 
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> > NOTE: I changed the domains below to 'dot info' as the mailing list
> > rejected my initial submission.
> > 
> > I'm pretty sure it's not just me but there is some constant spamming
> > from  dot info domains.  Perhaps for the past 2 months or so.
> > 
> > Often they send hundreds per day and consistently from the same IP's.
> > 
> > Are people using automated IP blacklists or something like that?
> 
> Yes. SA even uses them by default.
> 
> What do your SA rules triggered look like? Check your identified spam.
> Do you see RCVD_IN_* rules?
> 
> If not, you are having DNS problems, or deliberately disabled those
> network checks.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
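The reply above makes two points that are easy to get wrong in practice: the DNSBL rules test the IP of the relay that handed the message over, not the sender address, and they can only find that relay if the trusted and internal networks are right. The following is an added example (not SpamAssassin's own code, which handles far more Received: formats) that walks the Received: headers top-down, skips hops inside the configured trusted networks, and returns the first untrusted IP, the one a RCVD_IN_* check should query. The headers and network ranges are constructed; the three calls at the bottom show a correct `trusted_networks` equivalent, an over-broad one that leaves nothing to check, and an empty one that checks your own relay instead of the spammer's.

```python
"""Pick the handing-over relay IP from Received: headers, honouring trusted networks."""
import ipaddress
import re

# Bracketed IPv4 literal as MTAs write it: "from host ([192.0.2.77])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed headers: our internal relay, then the external sender, then a
# hop the sender claims but that nothing trustworthy verified.
SAMPLE_HEADERS = """\
Received: from mx1.example.test ([10.0.0.5]) by store.example.test with ESMTP; Tue, 12 Oct 2010 13:43:00 -1000
Received: from esi139.spamhost.example ([192.0.2.77]) by mx1.example.test with ESMTP; Tue, 12 Oct 2010 13:42:58 -1000
Received: from [192.168.1.20] by esi139.spamhost.example; Tue, 12 Oct 2010 13:42:50 -1000
Subject: Sometimes timing is everything
"""


def parse_received_ips(headers):
    """Return the bracketed IPv4 addresses of Received: lines, topmost first.
    Topmost is the most recent hop, i.e. the one closest to us."""
    ips = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        m = RECEIVED_IP_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def handing_over_relay(headers, trusted_networks):
    """Walk hops from our side outward; the first IP outside every trusted
    network is the untrusted relay whose reputation the DNSBLs know about.
    Returns None if every hop is trusted (nothing left to check)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in parse_received_ips(headers):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    # Correct: our relay is trusted, so the external host is checked.
    print(handing_over_relay(SAMPLE_HEADERS, ["10.0.0.0/8", "127.0.0.0/8"]))
    # Over-broad trust: every hop is "ours", no DNSBL query happens.
    print(handing_over_relay(SAMPLE_HEADERS, ["0.0.0.0/0"]))
    # No trust at all: our own relay gets queried, never the spam source.
    print(handing_over_relay(SAMPLE_HEADERS, []))
```

The third Received: line is deliberately ignored in the first call: hops behind the untrusted relay are the sender's own claims and carry no weight for a relay-IP check, which is why the sender address, as the reply says, is irrelevant here.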


RE: Constant .info domain spam

Posted by Peter Lowish <pe...@web1.co.nz>.
How are RCVD_IN_* rules implemented Karsten?

I have similar spam being sent from such addresses as
bidwars.uyjqm@trgide.soldiersupplywell.net and I don’t see that rule in the
matching rules

Running mailwatch for mailscanner with spamassassin

Thanks
peter

-----Original Message-----
From: Karsten Bräckelmann [mailto:guenther@rudersport.de] 
Sent: Wednesday, 13 October 2010 10:05 a.m.
To: users@spamassassin.apache.org
Subject: Re: Constant .info domain spam

On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list
> rejected my initial submission.
> 
> I'm pretty sure it's not just me but there is some constant spamming
> from  dot info domains.  Perhaps for the past 2 months or so.
> 
> Often they send hundreds per day and consistently from the same IP's.
> 
> Are people using automated IP blacklists or something like that?

Yes. SA even uses them by default.

What do your SA rules triggered look like? Check your identified spam.
Do you see RCVD_IN_* rules?

If not, you are having DNS problems, or deliberately disabled those
network checks.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Constant .info domain spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list
> rejected my initial submission.
> 
> I'm pretty sure it's not just me but there is some constant spamming
> from  dot info domains.  Perhaps for the past 2 months or so.
> 
> Often they send hundreds per day and consistently from the same IP's.
> 
> Are people using automated IP blacklists or something like that?

Yes. SA even uses them by default.

What do your SA rules triggered look like? Check your identified spam.
Do you see RCVD_IN_* rules?

If not, you are having DNS problems, or deliberately disabled those
network checks.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Constant .info domain spam

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Julian Yap,

On 2010-10-12 10:32:39, you hammered out the following:
> NOTE: I changed the domains below to 'dot info' as the mailing list
> rejected my initial submission.
> 
> I'm pretty sure it's not just me but there is some constant spamming
> from  dot info domains.  Perhaps for the past 2 months or so.
> 
> Often they send hundreds per day and consistently from the same IP's.

I get more than 600.000 DOT INFO spams per day...

> Are people using automated IP blacklists or something like that?

NO, I block ANY DOT INFO domains and whitelist only a handful of them.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL       itsystems@tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                 Kinzigstraße 17
67100 Strasbourg/France           77694 Kehl/Germany
Tel: +33-6-61925193 mobil         Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Re: Constant .info domain spam

Posted by Jason Bertoch <ja...@i6ix.com>.
  On 10/14/2010 8:26 PM, Julian Yap wrote:
> On Thu, Oct 14, 2010 at 4:24 AM, Jason Bertoch<ja...@i6ix.com>  wrote:
>> On 2:59 PM, Julian Yap wrote:
>>> NOTE: I changed the domains below to 'dot info' as the mailing list
>>> rejected my initial submission.
>>>
>>> I'm pretty sure it's not just me but there is some constant spamming
>>> from  dot info domains.  Perhaps for the past 2 months or so.
>>>
>>> Often they send hundreds per day and consistently from the same IP's.
>>>
>> dot info domains hadn't crossed my radar, but I decided to look anyway and
>> found that my logs agree with your notion that 99% (100%?) of dot info From:
>> addresses are spam.  Roughly 75% of mine are caught at the door by RBL's at
>> the MTA level.  Of the ones that get through, another 75% score above my
>> reject threshold.  A simple rule to bump the points of any dot info From:
>> address has now pushed everything to the tag level, and even many of the
>> tags to rejects.
>>
>> For what it's worth, the ones making it past the RBL's in the MTA do not
>> match any stock RCVD_IN_* rules.
> I think I'm going to write my own logic and block things at the MTA
> level.  Implement my own local RBL based on some algorithms.
>
>

For what it's worth, the rule I'm using is:

# .info domains 99% spam (100%?)
# From:addr is the bare address; require an @ and a domain ending in .info
header   JB_FROM_INFO_TLD  From:addr =~ /\@[^@]*\.info$/i
describe JB_FROM_INFO_TLD  From: address in .info TLD
score    JB_FROM_INFO_TLD  .01

Although broad rules such as this are generally discouraged, a score of 
3 has proven effective based on my mail flow.

/Jason


Re: Constant .info domain spam

Posted by Jason Bertoch <ja...@i6ix.com>.
On 2:59 PM, Julian Yap wrote:
> NOTE: I changed the domains below to 'dot info' as the mailing list
> rejected my initial submission.
>
> I'm pretty sure it's not just me but there is some constant spamming
> from  dot info domains.  Perhaps for the past 2 months or so.
>
> Often they send hundreds per day and consistently from the same IP's.
>

dot info domains hadn't crossed my radar, but I decided to look anyway 
and found that my logs agree with your notion that 99% (100%?) of dot 
info From: addresses are spam.  Roughly 75% of mine are caught at the 
door by RBL's at the MTA level.  Of the ones that get through, another 
75% score above my reject threshold.  A simple rule to bump the points 
of any dot info From: address has now pushed everything to the tag 
level, and even many of the tags to rejects.

For what it's worth, the ones making it past the RBL's in the MTA do not 
match any stock RCVD_IN_* rules.

-- 
/Jason