You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Igor Chudov <ic...@Algebra.Com> on 2007/10/21 06:27:41 UTC
Top spam hosters, how to decline email mentioning them
I was looking at this article
http://en.wikipedia.org/wiki/E-mail_spam
It claims that "only five countries are hosting 99.68% of the global
spammer websites", of which the foremost is China, hosting 73.58% of
all web sites referenced within spam.[30]
I already refuse all email coming from China (and Korea). Never
regretted this.
Now, I also want to ignore all emails mentioning all China and Korea
hosted websites (not just .cn, but also .coms and so on that have
Chinese IPs).
I will have to not do so with Russia hosted sites, due to me being a
Russian by origin.
Is there some tool that I could use to accomplish that?
thanks
i
Re: Top spam hosters, how to decline email mentioning them
Posted by Nigel Frankcom <ni...@blue-canoe.com>.
On Mon, 22 Oct 2007 00:07:17 -0700, Bill Landry <bi...@inetmsg.com>
wrote:
>I don't how one could determine the IP address associated with a URL in
>the body of a message at the MTA level without accepting the message
>first for further processing. The best you could do at the MTA level is
>block URLs that have a certain extension like .cn, but that's not what
>the OP was asking for, and explicitly stated as much.
A very good point.... I'll shut up now :-D
Nigel
Re: Top spam hosters, how to decline email mentioning them
Posted by Bill Landry <bi...@inetmsg.com>.
Nigel Frankcom wrote the following on 10/21/2007 11:22 PM -0800:
> On Sat, 20 Oct 2007 23:27:41 -0500, Igor Chudov <ic...@Algebra.Com>
> wrote:
>
>
>> I was looking at this article
>>
>> http://en.wikipedia.org/wiki/E-mail_spam
>>
>> It claims that "only five countries are hosting 99.68% of the global
>> spammer websites", of which the foremost is China, hosting 73.58% of
>> all web sites referenced within spam.[30]
>>
>> I already refuse all email coming from China (and Korea). Never
>> regretted this.
>>
>> Now, I also want to ignore all emails mentioning all China and Korea
>> hosted websites (not just .cn, but also .coms and so on that have
>> Chinese IPs).
>>
>> I will have to not do so with Russia hosted sites, due to me being a
>> Russian by origin.
>>
>> Is there some tool that I could use to accomplish that?
>>
>
> Perhaps it's a translation thing; but I was under the impression he
> wanted to drop these early, not run them through the entire mail/sa
> process first?
>
> (In defence of my MTA comments :-D)
>
> Nigel
>
I don't how one could determine the IP address associated with a URL in
the body of a message at the MTA level without accepting the message
first for further processing. The best you could do at the MTA level is
block URLs that have a certain extension like .cn, but that's not what
the OP was asking for, and explicitly stated as much.
Bill
Re: Top spam hosters, how to decline email mentioning them
Posted by Nigel Frankcom <ni...@blue-canoe.com>.
On Sat, 20 Oct 2007 23:27:41 -0500, Igor Chudov <ic...@Algebra.Com>
wrote:
>I was looking at this article
>
> http://en.wikipedia.org/wiki/E-mail_spam
>
>It claims that "only five countries are hosting 99.68% of the global
>spammer websites", of which the foremost is China, hosting 73.58% of
>all web sites referenced within spam.[30]
>
>I already refuse all email coming from China (and Korea). Never
>regretted this.
>
>Now, I also want to ignore all emails mentioning all China and Korea
>hosted websites (not just .cn, but also .coms and so on that have
>Chinese IPs).
>
>I will have to not do so with Russia hosted sites, due to me being a
>Russian by origin.
>
>Is there some tool that I could use to accomplish that?
Perhaps it's a translation thing; but I was under the impression he
wanted to drop these early, not run them through the entire mail/sa
process first?
(In defence of my MTA comments :-D)
Nigel
Re: Top spam hosters, how to decline email mentioning them
Posted by Loren Wilton <lw...@earthlink.net>.
>It claims that "only five countries are hosting 99.68% of the global
>spammer websites", of which the foremost is China, hosting 73.58% of
>all web sites referenced within spam.[30]
>
>Now, I also want to ignore all emails mentioning all China and Korea
>hosted websites (not just .cn, but also .coms and so on that have
>Chinese IPs).
>
>I will have to not do so with Russia hosted sites, due to me being a
>Russian by origin.
>
>Is there some tool that I could use to accomplish that?
You would probably be better off by simply adding some points for site
references to known spam sites, rather than simply assuming that everything
referencing a given country is spam.
URIBL does precisely this, and is a standard SA network test. If you don't
have it enabled you should enable it.
Loren
Re: Top spam hosters, how to decline email mentioning them
Posted by Nigel Frankcom <ni...@blue-canoe.com>.
On Sat, 20 Oct 2007 23:27:41 -0500, Igor Chudov <ic...@Algebra.Com>
wrote:
>I was looking at this article
>
> http://en.wikipedia.org/wiki/E-mail_spam
>
>It claims that "only five countries are hosting 99.68% of the global
>spammer websites", of which the foremost is China, hosting 73.58% of
>all web sites referenced within spam.[30]
>
>I already refuse all email coming from China (and Korea). Never
>regretted this.
>
>Now, I also want to ignore all emails mentioning all China and Korea
>hosted websites (not just .cn, but also .coms and so on that have
>Chinese IPs).
>
>I will have to not do so with Russia hosted sites, due to me being a
>Russian by origin.
>
>Is there some tool that I could use to accomplish that?
Blocks of that type are more usually done at the MTA level. You'd need
to post your server details before anyone could offer advice.
If I recall right there are lists of netblocks you can use, though I
think they integrate differently with different servers.
In short, post your mail server details and perhaps someone will be
able to offer some suggestions. Mine allows keyword blocking but that
can come back and bite you.
HTH
Nigel
Re: Top spam hosters, how to decline email mentioning them
Posted by "Steven W. Orr" <st...@syslang.net>.
On Sunday, Oct 21st 2007 at 00:27 -0000, quoth Igor Chudov:
=>I was looking at this article
=>
=> http://en.wikipedia.org/wiki/E-mail_spam
=>
=>It claims that "only five countries are hosting 99.68% of the global
=>spammer websites", of which the foremost is China, hosting 73.58% of
=>all web sites referenced within spam.[30]
=>
=>I already refuse all email coming from China (and Korea). Never
=>regretted this.
=>
=>Now, I also want to ignore all emails mentioning all China and Korea
=>hosted websites (not just .cn, but also .coms and so on that have
=>Chinese IPs).
=>
=>I will have to not do so with Russia hosted sites, due to me being a
=>Russian by origin.
=>
=>Is there some tool that I could use to accomplish that?
I realize that this is a spamassassin list, but I do have another trick
that I use:
http://countries.nerd.dk/
So in my sendmail.mc I have the following incantations:
FEATURE(enhdnsbl,`tr.countries.nerd.dk', `SPAM from Turkey:$&{client_addr} rejected',`t')dnl
FEATURE(enhdnsbl,`kr.countries.nerd.dk', `SPAM from Korea:$&{client_addr} rejected',`t')dnl
FEATURE(enhdnsbl,`cn.countries.nerd.dk', `SPAM from China:$&{client_addr} rejected',`t')dnl
This then just rejects them at the first tickle of a packet from them.
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Re: Top spam hosters, how to decline email mentioning them
Posted by Derek Harding <de...@innovyx.com>.
JP Kelly wrote:
> that makes sense to me but after that it says "THE CODE" followed by a
> bunch of code.
> i am unclear on what needs to be done with this code.
Typically you put it in a file called something like URICountry.pm and
then load it in your local.cf or vN.pre (eg. v320.pre) using the
loadplugin directive.
Derek
Re: Top spam hosters, how to decline email mentioning them
Posted by Bill Landry <bi...@inetmsg.com>.
JP Kelly wrote the following on 10/21/2007 11:41 AM -0800:
> this looks interesting to me as well
> i am a little confused about how to use/install it
>
> on the page you provided a link to it says under "USAGE" to "add the
> following to your local.cf file"
> ------------
> loadplugin Mail::SpamAssassin::Plugin::URICountry
>
> uricountry URICOUNTRY_XX XX
> header URICOUNTRY_XX eval:check_uricountry('URICOUNTRY_XX')
> describe URICOUNTRY_XX Contains a URI hosted in XX
> tflags URICOUNTRY_XX net
> score URICOUNTRY_XX 2.0
> ------------
> Where XX is replaced with the 2 character country code of your choice.
> (e.g. CN, KR, RO, RU, IN etc.)
>
> that makes sense to me but after that it says "THE CODE" followed by a
> bunch of code.
> i am unclear on what needs to be done with this code.
>
> any light shed on this will be greatly appreciated.
>
"THE CODE" will go into a file named "URICountry.pm" and placed in the
same directory as your local.cf file (usually /etc/mail/spamassassin/).
As for the rules, I prefer to create a separate .cf file for them rather
than place them in local.cf (e.g., URICountry.cf), but that is simply a
matter of personal preference - I just like to keep my local.cf clean of
any rules and only use it for configuration settings.
I disagree with placing the "loadplugin" line in the cf file. The
proper place for this entry is in init.pre so that it gets loaded before
any rulesets, and can be referenced as:
loadplugin Mail::SpamAssassin::Plugin::URICountry
/etc/mail/spamassassin/URICountry.pm
Also, at the top of your ruleset you should add:
ifplugin Mail::SpamAssassin::Plugin::URICountry
and at the end:
endif
For example:
==========
ifplugin Mail::SpamAssassin::Plugin::URICountry
uricountry URICOUNTRY_CN CN
header URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describe URICOUNTRY_CN Contains a URI hosted in China
tflags URICOUNTRY_CN net
score URICOUNTRY_CN 2.5
uricountry URICOUNTRY_HK HK
header URICOUNTRY_HK eval:check_uricountry('URICOUNTRY_HK')
describe URICOUNTRY_HK Contains a URI hosted in Hong Kong
tflags URICOUNTRY_HK net
score URICOUNTRY_HK 2.5
uricountry URICOUNTRY_IN IN
header URICOUNTRY_IN eval:check_uricountry('URICOUNTRY_IN')
describe URICOUNTRY_IN Contains a URI hosted in India
tflags URICOUNTRY_IN net
score URICOUNTRY_IN 2.5
endif
==========
This will allow you to comment out the URICourntry "loadplugin" line in
your init.pre file if you should want to disable the URICourntry test
without having to remove the URICounrty.cf file (it will not load the
ruleset unless the plugin has been pre-loaded).
Bill
Re: Top spam hosters, how to decline email mentioning them
Posted by JP Kelly <li...@jpkvideo.net>.
this looks interesting to me as well
i am a little confused about how to use/install it
on the page you provided a link to it says under "USAGE" to "add the
following to your local.cf file"
------------
loadplugin Mail::SpamAssassin::Plugin::URICountry
uricountry URICOUNTRY_XX XX
header URICOUNTRY_XX eval:check_uricountry('URICOUNTRY_XX')
describe URICOUNTRY_XX Contains a URI hosted in XX
tflags URICOUNTRY_XX net
score URICOUNTRY_XX 2.0
------------
Where XX is replaced with the 2 character country code of your
choice. (e.g. CN, KR, RO, RU, IN etc.)
that makes sense to me but after that it says "THE CODE" followed by
a bunch of code.
i am unclear on what needs to be done with this code.
any light shed on this will be greatly appreciated.
jp kelly
On Oct 20, 2007, at 10:10 PM, Bill Landry wrote:
> Take a look at the URICountry plugin:
>
> http://wiki.apache.org/spamassassin/URICountryPlugin
>
> That should do what you want.
>
> Bill
Re: Top spam hosters, how to decline email mentioning them
Posted by Bill Landry <bi...@inetmsg.com>.
Igor Chudov wrote the following on 10/20/2007 9:27 PM -0800:
> I was looking at this article
>
> http://en.wikipedia.org/wiki/E-mail_spam
>
> It claims that "only five countries are hosting 99.68% of the global
> spammer websites", of which the foremost is China, hosting 73.58% of
> all web sites referenced within spam.[30]
>
> I already refuse all email coming from China (and Korea). Never
> regretted this.
>
> Now, I also want to ignore all emails mentioning all China and Korea
> hosted websites (not just .cn, but also .coms and so on that have
> Chinese IPs).
>
> I will have to not do so with Russia hosted sites, due to me being a
> Russian by origin.
>
> Is there some tool that I could use to accomplish that?
>
Take a look at the URICountry plugin:
http://wiki.apache.org/spamassassin/URICountryPlugin
That should do what you want.
Bill
Re: Top spam hosters, how to decline email mentioning them
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2007-10-20 at 23:27 -0500, Igor Chudov wrote:
> I was looking at this article
>
> http://en.wikipedia.org/wiki/E-mail_spam
>
> It claims that "only five countries are hosting 99.68% of the global
> spammer websites", of which the foremost is China, hosting 73.58% of
> all web sites referenced within spam.[30]
Now that's one number.
Please note that this article is dated June 30th, 2004. Rather ancient
in terms of Spam. Just have a look at the "absolute numbers" in that
very Wikipedia article.
Also, the Wikipedia article does not claim it, but cite it. According to
the cited Commtouch report, the number is based on one *month* and
actually decreased by 4.5% from the previous month. At a rate like this,
there is no spam-vertised URL hosted in China today...
Anyway, according to my own, personal stats, China does indeed host the
most sites (out of the set I picked for observation a while ago, which
does not include the USA, for example). My numbers don't even come close
to 73% though...
guenther
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}