You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2007/12/19 02:01:46 UTC
"Downloadable Software"
I'm seeing a lot of these today, and Bayes seems to be letting a lot of
them leak through. Any good rule for stopping them? The links are always to
a Geocities page.
Re: "Downloadable Software"
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Kenneth Porter wrote:
> I'm seeing a lot of these today, and Bayes seems to be letting a lot of
> them leak through. Any good rule for stopping them? The links are always
> to a Geocities page.
If you're using the WebRedirect plugin, this rule works well:
ifplugin Mail::SpamAssassin::Plugin::WebRedirect
header WEB_RE_LOC_REPLACE Web-Redirect =~
/\bparent\.location\.replace\b/
score WEB_RE_LOC_REPLACE 4.0
describe WEB_RE_LOC_REPLACE Links to web page that contains
'parent.location.replace'
tflags WEB_RE_LOC_REPLACE net
endif
Daryl
Re: "Downloadable Software"
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, December 18, 2007 8:16 PM -0500 Matt Kettler
<mk...@verizon.net> wrote:
> Do you have network checks enabled? I just grabbed one and it seemed to
> hit XBL, SpamCop and Razor2 pretty nicely:
I'm not using Razor, and I have SpamCop disabled (since October 1). Alas I
didn't put a comment in my SpamCop-disabling cf file to indicate why I
disabled it. I'll re-enable and see if that helps.
Re: "Downloadable Software"
Posted by Matt Kettler <mk...@verizon.net>.
Kenneth Porter wrote:
> I'm seeing a lot of these today, and Bayes seems to be letting a lot
> of them leak through. Any good rule for stopping them? The links are
> always to a Geocities page.
>
Do you have network checks enabled? I just grabbed one and it seemed to
hit XBL, SpamCop and Razor2 pretty nicely:
Content analysis details: (7.5 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[137.132.31.162 listed in zen.spamhaus.org]
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?137.132.31.162>]
0.0 HTML_MESSAGE BODY: HTML included in message
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
Re: "Downloadable Software"
Posted by Joseph Brennan <br...@columbia.edu>.
--On Tuesday, December 18, 2007 5:01 PM -0800 Kenneth Porter
<sh...@sewingwitch.com> wrote:
> I'm seeing a lot of these today, and Bayes seems to be letting a lot of
> them leak through. Any good rule for stopping them? The links are always
> to a Geocities page.
Reject mail with a URL to geocities.com. 66.218.77.68/32 is in the
Spamhaus SBL, updated Dec 7. If you check URLs in messages.
There are two patterns in those reported to us. I don't know enough
about normal Geocities URLs to make regexps unique to these.
[1] Noted at Spamhaus, these have multiword subjects and links like this
after geocities.com/
BlakeStafford34/
EdmondMcfarland16/
[2] The more voluminous kind has one-word lower-case subjects and
links like this after geocities.com/
a5owm7rv4ted5vt/
zoukfb127u07xzl/
e3e2jphxfamnp/
zoukfb127u07xzl/
e3e2jphxfamnp/
oifwubaqi2jd9i/
livq99cjun7m81/
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology