Posted to users@spamassassin.apache.org by Robert Fitzpatrick <li...@webtent.net> on 2010/01/29 17:09:49 UTC

Smut spam

Could I get someone to run an example of smut spam I cannot seem to
block in SA 3.2.5? This is a typical message that has been hammering one
or two customers and despite learning many of these messages with bayes,
still they continue...

http://mx1.webtent.net/test.msg

I am using Sanesecurity as well as the saupdates.

--Robert


Re: Smut spam

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2010-01-30 at 12:59 -0500, Jared Hall wrote:
> 1) Probably a good idea to remove hotmail.com, livejournal.com and whatever
>  else suits you from the 25_uribl.cf ruleset.  The line probably says:
> 
> uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com
> 
> I haven't seen an override for uridnsbl_skip_domain so the usual
> concerns about modifying integral SpamAssassin rules apply.

Nope.  Do NOT remove these domains from 25_uribl.cf.

The uridnsbl_skip_domain setting defines domains that will not be
looked up against URI DNSBLs. For one simple reason:

  They will NOT be listed by URI DNSBLs.

Yes, e.g. hotmail.com really isn't uncommon in spam. But that does not
mean this very domain would ever be blacklisted. It won't. All that
removing such a domain from the skip list does is make SA look it up
with the various URI DNSBLs. This only increases the load on the DNSBLs'
infrastructure, due to unnecessary DNS lookups.


As for commonly abused sub-domain hosters, an additional util_rb_2tld
setting might be in place -- IF and ONLY IF supported by the DNSBLs.
Don't just enable it on spec, without knowing about support.

This one enables second-level TLD lookup. There's a chance of listing
individual third-level domains, but generally no chance of the actual
sub-domain hoster itself being listed.

But this is an entirely different topic...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: [SPAM:9.5] Re: Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Sat, 30 Jan 2010 12:59:10 -0500
Jared Hall <jh...@tbi.net> wrote:


> 2) Here are some ruleset extractions that might help you get over the
> hump.  Comment if you must but be advised that I usually ignore them,
> good or bad.
> 
{snip}

Thank you for taking the time to post them here - appreciated.

Re: Smut spam

Posted by Jared Hall <jh...@tbi.net>.
1) Probably a good idea to remove hotmail.com, livejournal.com and whatever
 else suits you from the 25_uribl.cf ruleset.  The line probably says:

uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com

I haven't seen an override for uridnsbl_skip_domain so the usual
concerns about modifying integral SpamAssassin rules apply.

2) Here are some ruleset extractions that might help you get over the
hump.  Comment if you must but be advised that I usually ignore them,
good or bad.

# Ruleset: jared_porno.cf
# Description: Jared's rules for SpamAssassin
# Applicability: Southeastern US; service-oriented companies
# Version:  01.020
# Created:  06/25/2006
# Modified: 01/28/2010
# License:  GPL
# Current Maintainer: Jared Hall
#
######################################################
# Assumptions: Based on a Spam Score of 10.
#              English language.
#              Sender uses a spell checker.
######################################################


##############################
#        Body Rules          #
##############################

body        TBI_GOPORN1        /\/go\.go\.php/
score        TBI_GOPORN1        7.0

body        TBI_BESTPORN        /\/the\.best\.php/
score        TBI_BESTPORN        7.0

uri        TBI_CRAZY8        /[a-z]{4,16}8{4,7}\.(com|us|cn)/
score        TBI_CRAZY8        7.0

###############################
#      Composite Rules        #
###############################

# There are no spaces in the following values except for the meta.

header    __TBI_HOTMAIL_PORN1_1    From =~ /\@(hotmail\.com|live\.com|windowslive\.com|live\.ru|tagged\.com|live\.fr)/i
uri    __TBI_HOTMAIL_PORN1_2    /spaces\.live\.com/i
uri    __TBI_HOTMAIL_PORN1_3    /jimdo\.com/i
uri    __TBI_HOTMAIL_PORN1_4    /friendster\.com/i
uri    __TBI_HOTMAIL_PORN1_5   /groups\.yahoo\.com/i
meta    TBI_HOTMAIL_PORN1    (__TBI_HOTMAIL_PORN1_1 && (__TBI_HOTMAIL_PORN1_2 || __TBI_HOTMAIL_PORN1_3 || __TBI_HOTMAIL_PORN1_4 || __TBI_HOTMAIL_PORN1_5))
score    TBI_HOTMAIL_PORN1    6.0


###############################
#       subject rules         #
###############################

# WARNING: The rule listed immediately below triggers on the standard Hotmail
# multipart header format.  This will artificially increase scoring for ALL
# web-based Hotmail messages received:

header  FACEBOOK_HOTBOT1        Content-Type =~ /boundary="_[0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12}_"/
score   FACEBOOK_HOTBOT1        4.0

# NOTE: The following KWORD rules are standalone words that may occur in
# porn Subject headers.  There are no spaces in these values.

header    TBI_ADULT_KWORD            Subject =~
/\b(masturbating|fistnig|hardcore|peins|orgasm|Inrestiosn|fcuked|haard|fuuck|suuck|naughteist|sltus|swe\-et|psusy|lutsful|bolnde|seexy|actrses|obejct|inseritons|Seex|ainmals|groupsex|emornously|eonmrously|jiucy|booteid|hugee|coock|bolndes|blcak|sle\-eping|giirl|adulllt|tiitz|nymphomovie|brunettez|Wehros|Heotstt|chixx|loevly|aass|titts|cokked|ppussy|deeep|thorat|aisan|cihck|somking|Harodcre|weell|huung|goood|aanal|tittay|adultsite|jizezd|giirlz|puree|staisfaction|Experineced|sluut|nasssty|girlz|potohs|Serecn|Petervrs|Hosettt|pneetration|pictrues|bootay|Assiiann|Teeenz|Innconet|Bithecs|Footjob|Roselution|amat\-ure|Orgy|tpoless|pus\-sy|titties|tittie|s\|ut|fuking|cokkz|fuukk|bolwing|dikk|hannndjob|orgies|chix|HardKore|Unesnroecd|Caroton|hawtest|babez|Sceern|squiirt|chikz|sqquirt|l01ita|Hsttoet|cocksmokers|sexoholic|fuck\-friend|fuckfriend|fuckbuddy|ganngbanngs|hardhugedicks|Mtoehr|Htetsot|Carttooon|Animmme|ganggbanng|Wrehos|Wreho|Hoettst|piiissing|Hott|Incneont|Bitechs|tiit|tcuked|amaznig|berast|Seex\-starevd|fmeale|mas\-sage|desiers|fol\-lower|ladiez)\b/i
score    TBI_ADULT_KWORD            4.0

header  TBI_ADULT_KWORD1        Subject =~
/\b(dolwnoad|Mhoter|Moehtr|Mheotr|Weomn|Woemn|Motehr|MILF|Hsoettt|asolhess|Psortitutes|Hettost|sukked|hotchicks|hardk0re|Exxtreme|Lveoly|Harcrode|Harcorde|Prtety|Ptrety|Sohcking|Uneosncred|Fuck1ng|Fucekd|V1de0|Lveoly|Suck1ng|cum|Horny|V1de0s|Wmoen|Cutset|ExxPlicit|gangbanngers|c0ck|horse-hung|hunniez|prostitootes|Mtoher|fukk|Hardkore|peverrt|Sloohcgirl|Solhocgirl|Psrotituts|Hardc0re|lezbo|lezbos|gangbang|FlirtingCams|ass2mouth|c0kk|cumshot|Hardocore|V1de0|amature|galz|gothix|chik|Blowjob|cok|mega\-site|ana1|anna1|Posrtituts|Petvrres|preverts|lezbian|slsuts|dzcreet|peervrt|Petrevr|Petrrve|pevrret|c0ckz|puzzies|fuking|suking|teein|undrseses|tesaes|lingreie|upskirt|colelge|bolnde|coock|Nuaghty|stal\-lions|lrage|diick|fuiicked|fukking|Amature|Sexy|p0rno|Pverert|Psortitute|Harrcdoe|Mtehor|squirrtiting|Nakked|sekx|Po\-rno|pussay|fucked|matrue|wfies|exterme|btotles|pis\-sing|golry|hoole|sukcs|mysteriuos|coock|frdiay|fukcs|huung|balck|guuys|faical|lesiban|seex|scnee|tiits|virign|aass|Facefucked|gerat|shownig|penetraets|tihgt|feamle|pantyohse|lesbain|ggiant|finegrs|secreatry|Cllips|Playffully|PPetite|Jizzed)\b/i
score    TBI_ADULT_KWORD1        4.0

header  TBI_ADULT_KWORD2        Subject =~
/\b(dirlled|giirl|strpaon|bsuty|porsntar|chetsed|scuks|rdehead|loevs|bieng|fcuked|relaly|haard|getitng|gruop|hoome|viedo|sohwing|posnig|total\-ly|naekd|fucking|ofender|\-on\-|bceomes|deepthroat|pornstars|thearte|laregr|hcik|tkaes|fsits|as\-shole|pmuping|actoin|asain|porsntar|inexperineced|amtaeur|scuking|lrage|diick|thiis|viedo|At\-tractive|butsy|woamn|enjyos|bangnig|strapon|slutty|paisnluts|Naguhty|sltus|ccoks|cuum|Doggystyle|htotie|kikny|wifee|bziarre|sepculum|plaay|get\-ting|Dominatrix|femdom|facail|kisisng|expsoes|bsuty|grilfriends|pe\-eing|fetsih|frnezy|aass|muoth|atcion|amaetur|miilf|cumhsot|tiiny|bkiini|swe\-et|che\-ek|smoknig|brnuette|twaat|bnaged|sutffed|panteis|patnyhouse|insatibale|pusises|pleausre|cleavgae|bestiailty|Zo\-ophilia|penetratoin|ExtremeAn|dirlled|sucikng|prievte|dsipirited|masturbaets|expeirence|Cmoe|leesbo|ccleaning|wiild|sFucked|tolpess|ppaarazzi|pcitures|strraight|righht|miini|sikrt|wihte|thnog|Pantyhos|rrready|bruntete|gaggnig|muoth|skin\-ny|booy|diong|Pigtaile|DeepAss|Nakeedd|Blakck|Moutthh|Fucekd|Skirtt|bootay|TripleX|Prono|Frrom|Eretced|PPneis)\b/i
score    TBI_ADULT_KWORD2        4.0

header  TBI_ADULT_KWORD3        Subject =~
/\b(LLegged|Bruentte|CuCtie|Suukcs|hoole|Fxoy|Brrunette|Spreadss|stufffing|cihck|surpprisse|facce|bbehind|bnaged|Msity|sperads|twaat|Dirt\]|fucknig|sults|gteting|Blnode|Wrohe|pooths|pthoos|phoots|poohts|pothos|Wreohs|froom|behnid|salve|sluut|poosies|Levoly|sekx|suxx|cawk|chi1d|p0rn|Inoencnt|hettsot|birngs|Awmoese|sences|sneces|Hteostt|seexy|bluee|fukk|tieed|bruntete|maaid|sukcing|coock|TThiis|Loevs|Pian|sekx|phantasies|leSkin|kesHerT|pornstar|hores|hussies|whorez|onliine|blowjob|fuk|assiann|whomb|Dlownoad|oCme|arrea|wrehe|aunnt|pumpetd|Homeamde|Hardccoree|Laddbyoy|Handdjob|Sprurts|Oevr|cumhsot|pus\-syhole|weell|huung|licekd|aass|bagned|pefrect|hloes|Pnoro|bdsm|amatuer|ssesion|fcaial|fucekd|cameltoe|hosre|fcuk|anyanimal|Odler|WWtih|Cureves|Tonngue|Polsih|Hnetai|BBtich|BBlad|HHumped|Cihck|lvoes|bieng|Aisan|bicth|Chbuby|taeking|sohwer|aamteur|Hrony|Lucking|Couggar|Masturrbatess|Jizz|Hunrgy|Ponro|Porno|y0ung|Harcodre|Bitcehs|Wrhoe|Unserconed|Hnetai|Ccok|Awoesme|M0vies|MMos|viirginity|aamteur|Rooom|broing|natsy|ejnoys|miost|Interr)\b/i
score    TBI_ADULT_KWORD3        4.0

header  TBI_ADULT_KWORD4        Subject =~
/\b(Graceufl|Cuurly|Bbabe|Havvingg|Timme|Shoewr|Cbain|Fcuking|Withth|Watns|GGGuGys|Insdie|AAAnd|Siwng|Gorgeuos|Bbae|SSpraeding|Penetrtaion|RRed|Strpips|Blacck|Biknii|Shoows|Hiary|sIvaeigrI|Tihgt|brunet\-te|shouw|HHorny|Fiiiriing|wtih|doues|bolwjob|piee|muoth|idnian|teeen|scuks|balck|daick|bfeore|inetrracial|esex|babee|PPPerttttyy|Sltus|Sepw|Jziz|Isnide|babe\;|metting|lap\-ping|psusy|Hout|esexy|strip\-ping|beibe|Maturee|Grranny|WWhoree|LLoving|PPussyy|PPluggnig|Plaesurres|Herslef|VVibbrator|Wihle|ToTp|0riingal|ebo|tilll|mutuaal|Rutttishh|HHeentai|Hoeny|Gettiing|WWWet|PPussy|Hummped|BBig|Dicsonuted)\b/i
score   TBI_ADULT_KWORD4        4.0

# NOTE: The following STRING rules are strings that may occur in
# porn Subject headers.  There are no spaces in these values.

header TBI_ADULT_STRING1        Subject =~
/(Coveredboobs|HugeCock|PosingNaked|HardcoreFucking|AnalRedhead|LewdVldeos|CookAndFuck|SweEtCicks|Vvhores|P0rrrn|AnimeCuties|CutiesReveal|TheirPanties|MouthfulCxum|SweEtShaven|CreamyPussy|Blowjob|cumhsot|CumShot|TeenFucked|GetFacial|SwallowTheCum|PetitteTits|FuckedHardcore|SIutsFuuking|HornyOlder|BlackDick|JuicyTiin|LovesRiding|HugeBoobed|GetsFisted|TiinSIIuts|Womanfuck|ThreesomeSex|BlondeMilf|GirlBendsOver|GoatFuuking|ChickGags|LatexSlut|HotChick|BigCock|AndFucks|GirlFuuks|LadyEnjoys|SuckingAndRiding|SmokingGirl|CookVvhores|SweetAss|atking|BrunetteSucks|FarrnFuuking|AmateurSucking|SixyTiin|TiinageSlt|AnimeCuties|TheirPanties|FatDicks|SexyCutie|LatexStocking|NikkiCox|ShowsLuscious)/i
score  TBI_ADULT_STRING1        4.0

header TBI_ADULT_STRING2        Subject =~
/(HorceCook|Fuuking|Z0OP0rrrnM|TinnyiGirI|TiinageVvhores|SalaciousVldeos|Facefuck|BigCooksFuuking|FtucedOn|EbonyHottie|teasedand|ChicksInLatex|HottieSucking|SexyBeauty|HotThreesome|GrubbySIuts|creamyfacials|GetsFucked|Ejaculation|cleavageis|SIutsScrewing|FuukEachOther|FuukedBy|BlondeMilf|SltFuuked|getdephiled|BallLicing|HerBigTits|MatureHousewife|HoTSIuts|TrimmedPussy|Buttfuced|CuteInnocent|AsianTezen|cokz|hotamature|ttited|blodne|babee|geramn|stgae|sohwing|PosingOnSofa|inPanties|SpreadsWide|NastyChick|Maztyrbate|MasturbateWith|CuteAngels|AnirnalFuuking|GlrIWantToCurn|GuysFuuking|MeetEatingFarrn|NastyWhore|SatisfyHerLust|AnnallSix|TabooPorn|GettingFuuked|se_xy|ThisGirl|TightLatina|FromHer|HornyLover|CelebrityHottie|StockingedMilf|StraightTwink)/i
score  TBI_ADULT_STRING2        4.0

header TBI_ADULT_STRING3        Subject =~
/(SlttyChik|SexTeacher|StrippedDown|TightPussy|SlttyGirIs|ToyingHer|TightPuzzy|DirtyBitches|AnimalCock|godedss|womenen|BigCooks|cliit|YouNGGlrIfriends|ToplessPhotos|TiinageGirIs|LatexFinger|LatexNurse|BackawardsCowgirl|SpanishBabe|LatexFucking|BeautifulTranny|AwesomeHardcore|DogFucking|FuckingAss|DickSucked|GivenAFacial|BlackPricks|SIIutsHaard|WangWithPleasure|TotallyNude|GirlsPlay|SexGames|SpreadsHerLegs|ChickCum|ThreeLesbians|vhoreHo1es|LonelyGal|wh0rez|Dowlnoadable|Prsotitute|Prsotitutes|hardxxxcore|Mhoetr|Hoetstt|PennySt0cks|PR3SCR1PT\!0N|pronno|Harcrdoe|YouHaveNothingToLose|Psortituts|Exepsod|prveert|Perertv|Prtreev|Prevetr|Perrvet|Prrveet|BlackBooty|PussyTaking|ShowingHer|GiveHead|AnalPumping|SucksJuicy|GayCocks)/i
score  TBI_ADULT_STRING3        4.0

header TBI_ADULT_STRING4        Subject =~
/(Pveretr|pvreret|Pevertr|Prostitute|Posrtitute|Htestot|Pterty|Bacdokor|Werohs|Woerhs|Dirtayhot|Meothr|farrm|farrrmm|Cumbarn|galelrie|Metohr|Whroe|Hrony|Porstitute|Whroe|Meohtr|aseohsls|fileld|Mehotr|Hsteott|Mmomy|Wmeon|Nveer|Whroes|Mthoer|Harocdre|Worhe|Backd00r|Mteohr|Wemon|GetsItOn|BigBreast|MonsterCock|IntoHerAss|BlondeTeenie|FreshBody|LusciousCleavage|HotPiss|BlondeG|I_am_a_sex|GangbangedHard|Can\-I\-take)/i
score  TBI_ADULT_STRING4        4.0

# NOTE: The following ADULT rules are groupings that may occur in
# porn Subject headers.  Mind the spaces.

header TBI_ADULT1            Subject =~ /(giving head|cocks
splitting|juicy hooters|squirt hot|creamy load|squirting milk|Spanking
Punishment|fantasy stocking|blake of teens|facial love|romance
pictures|black hardcore|Sofa Sex|young nurse|Jelena Jensen|Petite
Twats|fuck smother|Girl Slobs|Gaping Asshole|finds sex|Blonde
Spreading|Tease Her Naughty|See Through Top|Black Lingerie|Naked
Body|Cute Amateur|female porn|Pussy Lick|Fucked Hard|Leashes His
Laziest|Pretty Angel|Just Lunch Dating|View photos of singles|plastic
erotic|long tits|cowgirl couples|Perverted Fitness|Goes Topless|Firm
Tits|Perfect Busty|Pretty honey|Hairy Snatch)/i
score  TBI_ADULT1                   4.0

header TBI_ADULT2            Subject =~ /(forbidden site|camel toe|huge
load in her|super sucker|adult personals|Vaginas that squirt|online
dating profiles|get laid from this|extreme lolita|want to blow you|Naked
amateurs|Mature sex|Amateur girls needing|Extreme Bondage|XXX
photos|chicks are sexy|fuk video|Redhead In|Getting DPed|Latex
Corset|Glass Dildo|bare shaking|Animal Penis|Fucking Herself|Pierced
Nipples|shoots his load|Russian blonde|check these chicks|Foot
Fucks|Jizzed On|Over Sexed|Ebony Tramp|Double Penetrated|oral
sex|insatiable women|fucking sex|sex craving|fuck action|girlfriend
uploading)/i
score  TBI_ADULT2            4.0

header TBI_ADULT3            Subject =~ /(tons of tits|web actshion|big
breast movies|girl nxet door| orgies|fresh Nude|nymphets|Cheating House
Wife|indecent sexual exploits|ass\-to\-mouth|love\-starved
girls|Housewife cheating|Nxet Door Girls|Wet Chick|Real Housewife|Wet
Housewife|Fucked so hard|Long Broadband Movie|In The Ass|pussy
culture|flickr sex|Pussies Filmed|intimacy loves|bondage egyptian|Old
Nympho|Thong Panties|Luscious Wanking|ho ttest|b\] abes|Titty
Wank|Fucked In Her Mouth|on his pipe|Bound And Violated|big
monster|Mat\] ure)/i
score  TBI_ADULT3            4.0

header TBI_ADULT4            Subject =~ /(loads all over her|Seepd
Video|Jack Rabbit Vibrator|Fuck their mouth|fucking on private|Wild
college girls|try animal sex|FCUK and suck|Fucked in mouth|Carootn
Bitch|Cartoon Bitch|Nasty Skinny|chubby love|nude ageism|loves
relationships|Cooch Ripped|Stockings Gal|Off Her Skirt|Of Boobies|dream
teen|blowing strippers|Glory Hole|Retro Teenager|gets fingered|Round
Ass|Horny Bbw|Her crack is|Topless Busty|Pussy Pounded|Displaying Her
Butt|Frreckled|Bruentte|Deetphroat|RRidingg|Asian Amateur|Black
Shemale|Long Cock.)/i
score  TBI_ADULT4            4.0

header TBI_ADULT5            Subject =~ /(thick dick|Broadband
Flicks|Mature Mtheor|likes big dick|DVD Clicks|Mature Married|Cute
Housewires|high speed DVD|ADSL Video|Cute Amateur|Cute Next Door
Girl|Dirty Woman|pumped by animals|ADSL Flick|DSL Flick|Broadband
Flick|doggy dick|Cute Woman caught on video|Bizzare Lady caught|Lady
caught on video|Broadband Ready DVD Movie|Broadband Ready Movie|ADSL DVD
Movie|Huge Sized|Broadband Video|tons of flicks|Broadband DVD Movie|Wild
Naughty Locals|gay wives|Stripping Panties|Petite Black|nude
passion|Double Penetration|Gets Naughty|Her Silky Legs|Posing
Outdoor|Poses Upside Down|Round Butt)/i
score  TBI_ADULT5            4.0

header TBI_ADULT6            Subject =~ /(while her boyfriend
watches|their boyfriends watch|an online dating profile|Blondes on
Blacks|amateurs can suck|Sucking Big Dick|fisting females|bang their
girlfriends|kinky shit|Hung guys giving|fuck orgies|her boss makes her|4
her bonus|fucked hard|campus sex|Extreme Voyeur|Anime Girls|Dirty
Average Girls|DVD Vidoes|Gets Naughty|concert tits|Cleavage Show|Spreads
Her Legs|cunt stars|Big Dildo|see my pics|Gets Huge|Her Nice Bod|Fat
Cocky|Doctor Fucks|Gorgeous sweet|babee worships|her lovers)/i
score  TBI_ADULT6            4.0

header TBI_ADULT7            Subject =~ /(Natural Boobs|Loves To
Suck|clits suck|girls gush|streaming live massive|Adult XXX|XXX
Broadband|Lonely housewifes|Lonely housewives|Crysp Clear|Jackrabbit
Vibrator|meet a mature woman|barely legal amateurs|Bisexual
orgies|Mature Woman Seduced|Voyeur Peeping|Supreb Broadband|hotties
suck|Call me now on this number|Enjoying Themselves With Dick|Caresses
Her Legs|Strips Wild|Naked Ass|On Cock|porn video|Adorable Young|Stud
Screw Her|muscular hentai|Teasing Her Slave|have a great body|Tiny
Tits|Hairy Slit|Babe Gets Bound)/i
score  TBI_ADULT7            4.0

header TBI_ADULT8            Subject =~ /(hunt college girls|in\-depth
spy footage|female wife looking for someone|sorority hazings caught|fuk
fests|remastered adult videos|Girlz on guyz|party sez site|girls caught
on tape|Web reality site|pin-up goddess|babes begging|Websitez of
Adult|pound the shit|mothers asshole|intimate encounter|Normal girls
flip|XX\-X|Erotica|Finest Chix|gang bang|view 4 free|jerking
dudes|pickup MILFs|girls with girls video|FUK your partner|Singles in
Your Area|live eva|surgery pix|porn san|bondage egyptian|Young
Plumper|Watch Her Teasing|Natural Tits|Petite Body|Spreads Her|Her
Clit|couple pounding)/i
score  TBI_ADULT8            4.0

header TBI_ADULT9            Subject =~ /(xxx movie|oralteens|toon
girls|licking one dick|cow girlz|married mom cheating|piss flicks|golden
shower|girls with body hair|Big Roselution|pussy fisting|paid to put
out|TripleXX\-X|tricked into sex|eXXXtreme|Crystal Clear Movies|up her
butt|megga site|fuck porn|porn pooths|Dirty Next
Door|ho\-n\-ey|pu_ss_y|Young Bitch|Her Knockers|Babes Toying|Reverse
Cowgirl|spread sucks|Rough Hard Sex|Stripping Pink|Fake Tits|pl\] ay|her
hole|Gorgeous Doctor)/i
score  TBI_ADULT9            4.0

header TBI_ADULT10            Subject =~ /(hentai hardcore|hentai
pimp|PIXXX|messy facial|pornstar video|amateur
babes|S_e_x|girlxs|MILF\'s|hentai art|hard\-kore|xxx videos|Pussies
parted|latina xxx|Uncensored farm|mega sick|piss on her|farm
sex|bangable chick|hentai images|sukk|dildo|adult movie|tranny sex|ass
site|Just update my blog|Hidden In Ladies Room|offenders actress|Cowgirl
And Missionary|Pierced Clit|pussy drinking|Her Dildo|sexes it
up|Wide\-open Arse|Red High Heels|Girl Get Choked|Spreads Her)/i
score  TBI_ADULT10            4.0

header TBI_ADULT11            Subject =~ /(pervert action|prveret
action|Pervert Women|Pervert Female|Bored\? Horny\?|This is a nice
photo|Find a local hook up|so many local girls|horny\?
naughty\?|shemale|Fresh Young Teen|Giving Handjob|Stripping
Seductively|Seduce A Stud|Naked Cheerleader|fist to please|Muff
Diving|Hardcore action|Titty biting|blowing her boss|Yummy Novice|dirty
photos on Facebook)/i
score  TBI_ADULT11            4.0




Robert Fitzpatrick wrote:
> Could I get someone to run an example of smut spam I cannot seem to
> block in SA 3.2.5? This is a typical message that has been hammering one
> or two customers and despite learning many of these messages with bayes,
> still they continue...
>
> http://mx1.webtent.net/test.msg
>
> I am using Sanesecurity as well as the saupdates.
>
> --Robert
>
>
>   


Re: [SPAM:9.6] Re: Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Sat, 30 Jan 2010 09:32:31 +0000
Ned Slider <ne...@unixmail.co.uk> wrote:

> Christian Brel wrote:
> > 
> > header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
> > body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
> > meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
> > score HOTMAIL_SPAM_GY 0.0
> > 
> 
> If I may...
> 
> To match only Received headers:
> 
> header     __HOTMAIL_SPX1        Received =~ /.{1,30}hotmail\.com/i
> 
> which incidentally will also match entries from
> this-is-not-hotmail.com 
> - may or may not be what you intended.
Indeed. It's probably fair to say that anyone using
'this-is-not-hotmail' would not really fall into my 'must have mail
from' senders, but that's just a view.
> 
> There is already a "from Hotmail" rule in 20_head_tests.cf for use in 
> meta rules that may suffice?
> 
> header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i
> 
> Also, you can use a uri rule for URIs, for example:
> 
> uri             __HOTMAIL_SPX2       m{https?://groups\.yahoo\.com\b}
> 


It was a 'for instance' not a solid rule Ned, but as you've gone to
so much trouble please feel free to finish the job and offer the whole
rule :-)

Re: Smut spam

Posted by John Wilcock <jo...@tradoc.fr>.
Le 30/01/2010 10:32, Ned Slider a écrit :
> There is already a "from Hotmail" rule in 20_head_tests.cf for use in
> meta rules that may suffice?
>
> header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i

Bear in mind, however, that not all hotmail users have hotmail.com 
domains. There are plenty of hotmail.cctld domains, for a start.

John.

-- 
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

Re: Smut spam

Posted by Ned Slider <ne...@unixmail.co.uk>.
Christian Brel wrote:
> 
> header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
> body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
> meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
> score HOTMAIL_SPAM_GY 0.0
> 

If I may...

To match only Received headers:

header     __HOTMAIL_SPX1        Received =~ /.{1,30}hotmail\.com/i

which incidentally will also match entries from this-is-not-hotmail.com 
- may or may not be what you intended.

There is already a "from Hotmail" rule in 20_head_tests.cf for use in 
meta rules that may suffice?

header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i

Also, you can use a uri rule for URIs, for example:

uri             __HOTMAIL_SPX2       m{https?://groups\.yahoo\.com\b}
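
Added example (not part of any poster's message): a check of the two header patterns discussed in this message and in John Wilcock's reply, run over constructed header values. It shows the this-is-not-hotmail.com match and the missed country-code domains; RECEIVED_HOST and FROM_HOTMAIL_ANY are hypothetical tightened variants, not rules from the thread or from SpamAssassin.

```python
import re

# Patterns as posted in the thread. These constructs behave the same in
# Perl (SpamAssassin) and in Python's re module.
RECEIVED_LOOSE = re.compile(r".{1,30}hotmail\.com", re.I)   # Received rule
FROM_HOTMAIL_COM = re.compile(r"@hotmail\.com\b", re.I)     # __FROM_HOTMAIL_COM

# Hypothetical variants (assumptions, not from the thread):
# - RECEIVED_HOST requires hotmail.com to be a whole trailing part of a host
#   name, so "not-hotmail.com" and "hotmail.com.other.example" do not match.
# - FROM_HOTMAIL_ANY also accepts hotmail.<cc>, hotmail.co.<cc> and
#   hotmail.com.<cc>, and rejects anything glued on after the domain.
RECEIVED_HOST = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*hotmail\.com(?![\w.-])", re.I)
FROM_HOTMAIL_ANY = re.compile(
    r"@hotmail\.(?:com|[a-z]{2}|com?\.[a-z]{2})(?![\w.-])", re.I)

# Constructed sample header values (documentation IP ranges, made-up hosts).
RECEIVED_SAMPLES = [
    "from mail.hotmail.com ([192.0.2.1]) by mx.example.net",
    "from mail.this-is-not-hotmail.com ([192.0.2.10]) by mx.example.net",
    "from smtp.example.org ([192.0.2.15]) by mx.example.net",
    "from hotmail.com.mailer.example ([192.0.2.20]) by mx.example.net",
]
FROM_SAMPLES = [
    "Alice <alice@hotmail.com>",
    "Bob <bob@hotmail.co.uk>",
    "Carol <carol@hotmail.fr>",
    "Dan <dan@hotmail.com.br>",
    "Eve <eve@hotmail.com-offers.example>",
]


def matching(pattern, samples):
    """Return the indexes of the samples that the pattern matches."""
    return [i for i, s in enumerate(samples) if pattern.search(s)]


def report():
    """Collect the match sets for all four patterns."""
    return {
        "received_loose": matching(RECEIVED_LOOSE, RECEIVED_SAMPLES),
        "received_host": matching(RECEIVED_HOST, RECEIVED_SAMPLES),
        "from_hotmail_com": matching(FROM_HOTMAIL_COM, FROM_SAMPLES),
        "from_hotmail_any": matching(FROM_HOTMAIL_ANY, FROM_SAMPLES),
    }


if __name__ == "__main__":
    for name, indexes in report().items():
        print(name, indexes)
```

The trailing \b in __FROM_HOTMAIL_COM is satisfied by any non-word character, which is why it accepts hotmail.com.br and the hyphenated look-alike but not hotmail.co.uk or hotmail.fr.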


Re: Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Fri, 29 Jan 2010 14:34:46 -0500
Adam Katz <an...@khopis.com> wrote:

> Robert Fitzpatrick wrote:
> >>> http://mx1.webtent.net/test.msg
> > http://mx1.webtent.net/test2.msg
> 
> The first one now also hits razor ... can't say one way or another
> about how it hit earlier, but I'd suggest double-checking to ensure
> you use the plugin as it's pretty useful across the board.
> 
> 
> I suppose this is more an sa-dev question, but perhaps it might be
> worthwhile to have a freemail_networks category (much like
> trusted_networks) that would allow limited parsing beyond the freemail
> providers' networks into the system that connected to it.  This must
> not affect the last-external checks as it would then trigger all the
> dynamic rDNS detectors, and we'd also have to be wary about SPF etc,
> but it might be quite useful for DNSBL.
> 
> I'm sure the freemail plugin already does much of this work.

I'm not sure that it does - looking at the comments at the top of
the .pm it says;

"# If From-address is freemail, and Reply-To or address found in mail body is
# a different freemail address, return success."

In the context we have here, and in general terms for the variety of
spam received via Hotmail - it's a vector, but not overly useful with
this specific type of 'hotspam'.

Looking back at my Hotmail spam it consists of a 50/50ish mix of 419
(where the freemail plugin could be useful) and links. Many are to
staging posts like groups.yahoo.com and can be trivially wiped out with
stuff like:

header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
score HOTMAIL_SPAM_GY 0.0

But where random, changing domain names are used this tactic will never
work. You'll spend your life writing rules.

It's not conceivable to block HOTMAIL as we have a generation of money
spending customers who use it as their primary mail. It would result in
a serious loss of genuine mail. So the vectors that can be used are
very narrow.

This brings me back to the X-Originating-IP: [x.x.x.x] header. We can't
block this on a PBL, but we *can* on a REPUTATION based list like that
offered by Barracuda. In fact one of those is catching on the BBL:
[78.175.50.246 listed in b.barracudacentral.org] - but I can't say how
long it's been on there - I've only checked it this morning.

It would also be very useful to GEO check this IP as often it's from
somewhere like Turkey, Brazil, China et al. It seems logical to extend
the functionality of the Relay Countries plugin to look for this
header - or add an 'originates from' section to it. I'm no developer so
I can't say if this would be trivial - but I feel it would be a useful
thing to do.

Re: Smut spam

Posted by Adam Katz <an...@khopis.com>.
Robert Fitzpatrick wrote:
>>> http://mx1.webtent.net/test.msg
> http://mx1.webtent.net/test2.msg

The first one now also hits razor ... can't say one way or another
about how it hit earlier, but I'd suggest double-checking to ensure
you use the plugin as it's pretty useful across the board.


I suppose this is more an sa-dev question, but perhaps it might be
worthwhile to have a freemail_networks category (much like
trusted_networks) that would allow limited parsing beyond the freemail
providers' networks into the system that connected to it.  This must
not affect the last-external checks as it would then trigger all the
dynamic rDNS detectors, and we'd also have to be wary about SPF etc,
but it might be quite useful for DNSBL.

I'm sure the freemail plugin already does much of this work.

Re: [SPAM:9.6] Smut spam

Posted by Ned Slider <ne...@unixmail.co.uk>.
Robert Fitzpatrick wrote:
> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
>> On Fri, 29 Jan 2010 11:09:49 -0500
>> Robert Fitzpatrick <li...@webtent.net> wrote:
>>
>>> Could I get someone to run an example of smut spam I cannot seem to
>>> block in SA 3.2.5? This is a typical message that has been hammering
>>> one or two customers and despite learning many of these messages with
>>> bayes, still they continue...
>>>
>>> http://mx1.webtent.net/test.msg
>>>
>>> I am using Sanesecurity as well as the saupdates.
>>>
>>> --Robert
>>>
>> Do the links always point to: globalnamesgroup.com or do they vary?
> 
> All different, even the content, here is another example...
> 
> http://mx1.webtent.net/test2.msg
> 
> 

Nothing much hitting on either of those examples here either (the first 
one now hits uri black but probably didn't at the time you received it).

Keep learning them through bayes is about all I can suggest.

Are these all from hotmail? The amount of spam emanating from hotmail is 
getting ridiculous lately. If you're a small server you could possibly 
penalize all mail from hotmail and then whitelist known good senders for 
your clients but that's getting a bit extreme.


Re: [SPAM:9.6] Re: [SPAM:9.6] Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Fri, 29 Jan 2010 11:28:31 -0500
Robert Fitzpatrick <li...@webtent.net> wrote:

> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> > On Fri, 29 Jan 2010 11:09:49 -0500
> > Robert Fitzpatrick <li...@webtent.net> wrote:
> > 
> > > Could I get someone to run an example of smut spam I cannot seem
> > > to block in SA 3.2.5? This is a typical message that has been
> > > hammering one or two customers and despite learning many of these
> > > messages with bayes, still they continue...
> > > 
> > > http://mx1.webtent.net/test.msg
> > > 
> > > I am using Sanesecurity as well as the saupdates.
> > > 
> > > --Robert
> > > 
> > 
> > Do the links always point to: globalnamesgroup.com or do they vary?
> 
> All different, even the content, here is another example...
> 
> http://mx1.webtent.net/test2.msg
> 

About the best I can come up with:

In both cases the originating IP header leads to a bad/listed IP:

X-Originating-IP: [78.175.50.246]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT
TYPE: single IP 78.175.50.246
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
78.175.50.246	 listed in b.barracudacentral.org. 
78.175.50.246	 listed in PBL (ISP) 

X-Originating-IP: [109.75.193.116]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT
TYPE: single IP 109.75.193.116
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
109.75.193.116	 listed in PBL (SPAMHAUS) 
109.75.193.116	 listed in dnsbl-2.uceprotect.net. 
109.75.193.116	 listed in dnsbl-3.uceprotect.net. 

BUT!
AFAIK SA would not block on these and I guess that is because Hotmail
users tend to connect with a web browser from dynamic connections.
Therefore blocking them on a dynamic space policy list (PBL) could
result in shed loads of FP's.

I'm not sure if the RelayCountry module would pick these up ???? One is
in Turkey, the other gives me an Unknown AS number or IP network error
(I have an old whois client).

This is good spam that defeats SpamAssassin pretty easily as the sender
(hotmail) is mostly globally trusted. I agree with the other poster that
the amount of Spam from Hotmail is a royal pain in the backside, but
this is a spam filter and there needs to be a way to block this kind of
stuff.

Perhaps there needs to be some meta rules such as;
'comes from hotmail, has a single link, originating IP is in a Country
that is often seen sending spam, lots of broken encoded characters
before the HTML section'. But I am to the world of writing rules what
Myra Hindley was to child care.
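
Added example (not part of any poster's message, and not SpamAssassin code): a sketch of the X-Originating-IP check discussed in this message and in Christian Brel's later one, which scores only on a reputation-list hit and treats a policy-list (PBL) hit on its own as non-decisive. It assumes the header was written by the freemail provider, that pbl.spamhaus.org is the zone behind "PBL", and it uses a stub resolver whose answers are constructed to mirror the two reports above.

```python
import email
import ipaddress
import re
import socket

# Zone -> kind of list. b.barracudacentral.org is named in the thread;
# pbl.spamhaus.org is assumed to be the zone meant by "PBL".
ZONES = {
    "b.barracudacentral.org": "reputation",
    "pbl.spamhaus.org": "policy",
}

_BRACKETED_IP = re.compile(r"^\[?\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\]?$")


def originating_ip(raw_message):
    """Return the X-Originating-IP as an IPv4Address, or None if unusable."""
    value = email.message_from_string(raw_message).get("X-Originating-IP")
    if value is None:
        return None
    match = _BRACKETED_IP.match(value.strip())
    if match is None:
        return None
    try:
        ip = ipaddress.IPv4Address(match.group(1))
    except ipaddress.AddressValueError:
        return None
    # Private, loopback and reserved addresses carry no reputation.
    return ip if ip.is_global else None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def system_resolver(name):
    """Real A-record lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def dnsbl_hits(ip, resolver=system_resolver):
    """Map every zone that lists `ip` to its kind."""
    hits = {}
    for zone, kind in ZONES.items():
        answer = resolver(dnsbl_query_name(ip, zone))
        # Listings are answered from 127.0.0.0/8; Spamhaus uses
        # 127.255.255.x to signal a query error, not a listing.
        if (answer and answer.startswith("127.")
                and not answer.startswith("127.255.255.")):
            hits[zone] = kind
    return hits


def verdict(raw_message, resolver=system_resolver):
    """'score', 'policy-only', 'unlisted' or 'no-origin' for one message."""
    ip = originating_ip(raw_message)
    if ip is None:
        return "no-origin"
    kinds = set(dnsbl_hits(ip, resolver).values())
    if "reputation" in kinds:
        return "score"
    if "policy" in kinds:
        return "policy-only"  # dynamic space alone: expect false positives
    return "unlisted"


# Constructed stub answers mirroring the two reports in the thread
# (the return codes themselves are illustrative).
STUB_ANSWERS = {
    "246.50.175.78.b.barracudacentral.org": "127.0.0.2",
    "246.50.175.78.pbl.spamhaus.org": "127.0.0.10",
    "116.193.75.109.pbl.spamhaus.org": "127.0.0.11",
}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


def sample_message(origin):
    """Constructed message carrying the given X-Originating-IP."""
    return ("Received: from mail.hotmail.com by mx.example.net\n"
            "X-Originating-IP: [%s]\n"
            "Subject: constructed sample\n\nbody\n" % origin)


if __name__ == "__main__":
    for origin in ("78.175.50.246", "109.75.193.116", "10.1.2.3"):
        print(origin, verdict(sample_message(origin), stub_resolver))
```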

Re: [SPAM:9.6] Smut spam

Posted by Robert Fitzpatrick <li...@webtent.net>.
On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> On Fri, 29 Jan 2010 11:09:49 -0500
> Robert Fitzpatrick <li...@webtent.net> wrote:
> 
> > Could I get someone to run an example of smut spam I cannot seem to
> > block in SA 3.2.5? This is a typical message that has been hammering
> > one or two customers and despite learning many of these messages with
> > bayes, still they continue...
> > 
> > http://mx1.webtent.net/test.msg
> > 
> > I am using Sanesecurity as well as the saupdates.
> > 
> > --Robert
> > 
> 
> Do the links always point to: globalnamesgroup.com or do they vary?

All different, even the content, here is another example...

http://mx1.webtent.net/test2.msg


Re: [SPAM:9.6] Smut spam

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Fri, 29 Jan 2010 11:09:49 -0500
Robert Fitzpatrick <li...@webtent.net> wrote:

> Could I get someone to run an example of smut spam I cannot seem to
> block in SA 3.2.5? This is a typical message that has been hammering
> one or two customers and despite learning many of these messages with
> bayes, still they continue...
> 
> http://mx1.webtent.net/test.msg
> 
> I am using Sanesecurity as well as the saupdates.
> 
> --Robert
> 

Do the links always point to: globalnamesgroup.com or do they vary?

Re: Smut spam

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2010-01-29 at 11:09 -0500, Robert Fitzpatrick wrote:
> Could I get someone to run an example of smut spam I cannot seem to
> block in SA 3.2.5? This is a typical message that has been hammering one
> or two customers and despite learning many of these messages with bayes,
> still they continue...
> 
> http://mx1.webtent.net/test.msg
> 
> I am using Sanesecurity as well as the saupdates.
> 
This scores 2.0 on my copy of 3.2.5 with none of my private rules
firing. It would be interesting to know what else fired if you'd
supplied a complete set of headers.

Anyway:

- The URI in the message footer is the same in both messages:
      https://signup.live.com/signup.aspx?id=3D60969 
  so you could write a rule to match that.

- FWIW globalnamesgroup.com is registered in Kursk, Russia

I can't see anything else to go on apart from the live.com URI. 

Personally, I've yet to see anything but spam from live.com, so I add a
heavy positive score to any message where:
- the body contains URIs referencing spaces.live.com or livejournal.com
- are not sent from the live.com domain or that are in a Sourceforge
  mailing list.


Martin



Re: Smut spam

Posted by Jared Hall <jh...@tbi.net>.
These rules may be useful for taking care of Hotmail offenders.
I believe the RelayCountry plugin can address that also, in
a "broad brush" fashion.

# Ruleset: jared_head.cf
# Description: Jared's rules for SpamAssassin
# Applicability: Southeastern US; service-oriented companies
# Version:  01.021
# Created:  06/27/2006
# Modified: 01/30/2010
# License:  GPL
# Current Maintainer: Jared Hall
#
######################################################
# Assumptions: Based on a Spam Score of 10.
#              English language.
#              Sender uses a spell checker.
######################################################

# NOTE: The following HOTMAIL_IP rulesets trigger on the X-Originating-IP
# header inserted by Hotmail.  Most of these are international IP addresses,
# and cause me no harm (See Applicability).  There are no spaces in the
# ruleset values.

header  TBI_HOTMAIL_IP            X-Originating-IP =~
/\[(76\.18\.115\.122|189\.12\.163\.|218\.37\.13\.|190\.48\.130\.|24\.44\.249\.13|24\.131\.110\.47|87\.105\.214\.120|87\.2\.231\.183|76\.17\.71\.137|88\.179\.186\.222|58\.49\.166\.176|218\.163\.217\.|125\.33\.253\.|59\.12\.227\.4|211\.173\.140\.126|59\.58\.117\.|218\.233\.0\.|200\.118\.174\.|220\.120\.28\.|69\.121\.142\.117|82\.105\.73\.|121\.96\.100\.|92\.72\.201\.178|76\.229\.95\.201|71\.225\.110\.190|61\.109\.43\.62|66\.190\.197\.111|81\.190\.76\.7|200\.204\.78\.|61\.255\.40\.|78\.58\.134\.|84\.3\.226\.|123\.236\.22\.|190\.1\.31\.|83\.20\.245\.|94\.72\.149\.189|147\.47\.210\.192|189\.15\.222\.201|110\.164\.246\.|112\.71\.26\.|157\.157\.93\.145|78\.177\.53\.|195\.29\.197\.28|68\.213\.199\.253|217\.209\.210\.189|76\.19\.34\.123|24\.94\.180\.63|217\.197\.150\.|112\.202\.141\.|85\.27\.34\.|194\.79\.100\.|203\.100\.169\.)/
score    TBI_HOTMAIL_IP            4.0

header  TBI_HOTMAIL_IP1            X-Originating-IP =~
/\[(190\.36\.155\.|125\.14\.210\.|66\.252\.12\.173|189\.220\.66\.|66\.252\.12\.180|117\.195\.65\.|66\.252\.12\.198|83\.10\.78\.|74\.232\.106\.215|89\.74\.234\.|117\.195\.243\.|94\.241\.27\.70|134\.176\.50\.121|75\.22\.22\.137|24\.94\.180\.63|124\.9\.34\.|121\.185\.203\.|83\.84\.27\.|89\.235\.0\.|83\.10\.78\.|91\.77\.45\.11|121\.169\.34\.|217\.119\.152\.|124\.122\.66\.|59\.92\.239\.|81\.242\.19\.|68\.42\.198\.32|114\.47\.108\.|203\.162\.3\.|88\.229\.135\.|87\.99\.25\.|142\.242\.2\.|213\.110\.96\.|114\.26\.214\.|89\.172\.231\.|217\.119\.117\.|76\.18\.77\.222|85\.193\.240\.|115\.22\.140\.|201\.9\.193\.|70\.124\.2\.|189\.116\.211\.|94\.112\.48\.|212\.111\.4\.|98\.219\.141\.152|24\.44\.71\.192|121\.132\.122\.|98\.219\.140\.131|196\.206\.102\.|123\.237\.90\.|71\.236\.90\.89|207\.5\.201\.180|88\.239\.199\.)/
score    TBI_HOTMAIL_IP1            4.0

header    TBI_HOTMAIL_IP2            X-Originating-IP =~
/\[(212\.178\.14\.|174\.88\.205\.120|80\.232\.217\.152|187\.89\.229\.|122\.100\.150\.|66\.189\.228\.145|114\.42\.95\.|77\.239\.69\.54|121\.149\.179\.|87\.222\.179\.|124\.158\.68\.|41\.196\.242\.|72\.131\.32\.128|123\.176\.77\.|190\.205\.30\.|187\.20\.114\.|87\.222\.224\.|118\.83\.16\.|116\.84\.132\.|123\.240\.43\.|96\.8\.67\.|41\.219\.230\.|119\.205\.60\.|125\.26\.206\.|110\.35\.214\.|85\.214\.149\.|85\.171\.167\.|109\.72\.119\.|109\.64\.107\.|111\.184\.112\.|189\.174\.99\.|51\.75\.0\.|187\.40\.198\.|112\.186\.66\.|189\.35\.116\.|83\.229.48\.|219\.93\.52\.|89\.123\.210\.|82\.128\.69\.|186\.40\.8\.|188\.25\.184\.|112\.149\.192\.|123\.236\.110\.|124\.158\.70\.|80\.125\.173\.|94\.21\.142\.|92\.113\.145\.|218\.20\.129\.|95\.190\.83\.|41\.210\.5\.|190\.11\.164\.|77\.112\.130\.|116\.71\.95\.|221\.160\.102\.|67\.197\.209\.|189\.83\.239\.|41\.250\.204\.|122\.42\.179\.|217\.227\.219\.|213\.60\.172\.|190\.209\.151\.)/
score    TBI_HOTMAIL_IP2            4.0

header    TBI_HOTMAIL_IP3            X-Originating-IP =~
/\[(117\.200\.243\.|187\.153\.223\.|118\.137\.227\.|62\.150\.202\.|203\.91\.166\.|188\.26\.13\.|96\.8\.67\.|96\.8\.71\.|121\.152\.54\.|41\.246\.39\.|91\.201\.193\.|123\.22\.121\.|187\.34\.145\.|117\.200\.243\.|41\.245\.0\.|125\.128\.0\.|201\.232\.156\.|112\.166\.248\.|99\.245\.0\.|111\.251\.92\.|121\.188\.246\.|188\.24\.20\.|189\.131\.33\.|114\.39\.176\.|83\.57\.90\.|82\.51\.74\.|123\.192\.96\.|88\.103\.74\.|211\.255\.150\.|85\.81\.170\.|189\.105\.136\.|124\.49\.149\.|145\.97\.232\.|115\.117\.234\.|81\.196\.181\.|201\.233\.122\.|189\.190\.36\.|81\.172\.53\.|122\.169\.43\.|118\.96\.206\.|190\.80\.151\.|121\.158\.70\.|186\.40\.102\.|168\.226\.100\.|117\.192\.134\.|190\.42\.233\.|86\.44\.200\.|89\.101\.251\.|121\.55\.140\.|189\.165\.147\.|117\.201\.112\.|189\.103\.5\.|188\.24\.122\.|81\.83\.161\.|123\.240\.249\.|221\.232\.182\.|123\.194\.217\.|190\.174\.12\.|195\.211\.236\.|203\.236\.90\.|80\.31\.100\.|187\.20\.214\.|201\.66\.127\.)/
score    TBI_HOTMAIL_IP3            4.0

header    TBI_HOTMAIL_IP4            X-Originating-IP =~
/\[(194\.144\.5\.|113\.162\.71\.|41\.140\.252\.|200\.117\.198\.|190\.174\.129\.|200\.88\.144\.|110\.32\.138\.|189\.47\.2\.|121\.162\.1\.|123\.237\.97\.|121\.144\.83\.|109\.242\.198\.|93\.84\.104\.|87\.23\.147\.|190\.228\.164\.|92\.239\.132\.|219\.73\.67\.|79\.51\.142\.|85\.15\.208\.|212\.73\.146\.|201\.161\.61\.|77\.123\.87\.|190\.196\.105\.|77\.230\.11\.|189\.154\.90\.|78\.88\.226\.|121\.184\.234\.|117\.204\.163\.|190\.28\.249\.|190\.74\.255\.|84\.215\.92\.|87\.56\.121\.|93\.107\.147\.|189\.171\.156\.|123\.176\.8\.|219\.85\.136\.|217\.132\.131\.|145\.236\.209\.|93\.173\.241\.|78\.3\.40\.|123\.16\.129\.|58\.248\.165\.|219\.254\.138\.|83\.85\.142\.|200\.77\.4\.|59\.92\.122\.|95\.17\.248\.|121\.132\.137\.|117\.195\.38\.|201\.152\.222\.|188\.24\.56\.|189\.111\.198\.|201\.41\.92\.|88\.227\.139\.|187\.15\.183\.|59\.178\.87\.|87\.198\.254\.|77\.203\.157\.|94\.208\.175\.|222\.255\.29\.|201\.211\.94\.|189\.1\.217\.|189\.154\.90\.|109\.75\.193\.)/
score    TBI_HOTMAIL_IP4            4.0

header  TBI_HOTMAIL_IP5            X-Originating-IP =~
/\[(190\.148\.27\.|80\.109\.2\.|193\.252\.61\.|111\.171\.48\.|116\.33\.251\.|79\.188\.250\.|202\.70\.41\.|222\.69\.166\.|219\.241\.57\.|222\.69\.162\.|95\.102\.210\.|95\.37\.250\.|117\.241\.242\.|190\.189\.109\.|113\.167\.117\.|84\.252\.56\.|114\.46\.140\.|123\.20\.110\.|195\.252\.113\.|116\.68\.67\.|123\.17\.228\.|121\.137\.62\.|222\.253\.164\.|188\.186\.197\.|115\.59\.74\.|222\.69\.166\.|78\.175\.50\.|222\.69\.163\.|189\.77\.28\.|77\.225\.238\.|190\.172\.253\.|88\.241\.223\.|121\.133\.191\.|210\.93\.97\.|193\.220\.24\.|190\.152\.228\.|79\.100\.96\.|118\.43\.170\.|118\.43\.213\.|222\.237\.78\.|115\.49\.91\.|222\.69\.166\.)/
score   TBI_HOTMAIL_IP5            4.0


Robert Fitzpatrick wrote:
> Could I get someone to run an example of smut spam I cannot seem to
> block in SA 3.2.5? This is a typical message that has been hammering one
> or two customers and despite learning many of these messages with bayes,
> still they continue...
>
> http://mx1.webtent.net/test.msg
>
> I am using Sanesecurity as well as the saupdates.
>
> --Robert
>
>
>
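
An added example, not code from the post above: a small Python generator for X-Originating-IP rules of the kind shown in jared_head.cf. It keeps each `header` rule on one config line, escapes every dot, drops duplicates, and closes full addresses with `\]`, since an alternative such as `24\.44\.249\.13` with no closing bracket also matches 24.44.249.130 through .139. The rule name LOCAL_XOIP and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import re

def escape_entry(entry):
    """Escape one entry. Prefixes end in a dot ("198.51.100."); full
    addresses get a closing \\] so .13 cannot also match .130-.139."""
    is_prefix = entry.endswith(".")
    octets = entry.rstrip(".").split(".")
    want = range(1, 4) if is_prefix else (4,)
    if len(octets) not in want or not all(
            o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address or prefix: %r" % entry)
    return re.escape(entry) + ("" if is_prefix else r"\]")

def build_pattern(entries):
    """Regex body for a set of addresses/prefixes, duplicates removed."""
    uniq = sorted(set(entries))
    return r"\[(?:" + "|".join(escape_entry(e) for e in uniq) + ")"

def build_rules(name, entries, score=4.0, per_rule=50):
    """Emit SpamAssassin config lines; every rule stays on one line."""
    uniq = sorted(set(entries))
    lines = []
    for n, i in enumerate(range(0, len(uniq), per_rule)):
        rule = name if n == 0 else "%s%d" % (name, n)
        lines.append("header %s X-Originating-IP =~ /%s/"
                     % (rule, build_pattern(uniq[i:i + per_rule])))
        lines.append("score  %s %.1f" % (rule, score))
    return lines

def header_hits(pattern, value):
    """Apply a generated pattern to an X-Originating-IP header value."""
    return re.search(pattern, value) is not None

# Constructed sample data (documentation ranges, not taken from the post).
SAMPLE = ["192.0.2.13", "198.51.100.", "203.0.113.", "198.51.100."]

if __name__ == "__main__":
    print("\n".join(build_rules("LOCAL_XOIP", SAMPLE)))
```

Run `spamassassin --lint` on the generated file before loading it.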