Posted to users@spamassassin.apache.org by Christian Brel <br...@copperproductions.co.uk> on 2010/01/29 18:05:18 UTC

Re: [SPAM:9.6] Re: [SPAM:9.6] Smut spam

On Fri, 29 Jan 2010 11:28:31 -0500
Robert Fitzpatrick <li...@webtent.net> wrote:

> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> > On Fri, 29 Jan 2010 11:09:49 -0500
> > Robert Fitzpatrick <li...@webtent.net> wrote:
> > 
> > > Could I get someone to run an example of smut spam I cannot seem
> > > to block in SA 3.2.5? This is a typical message that has been
> > > hammering one or two customers and despite learning many of these
> > > messages with bayes, still they continue...
> > > 
> > > http://mx1.webtent.net/test.msg
> > > 
> > > I am using Sanesecurity as well as the saupdates.
> > > 
> > > --Robert
> > > 
> > 
> > Do the links always point to: globalnamesgroup.com or do they vary?
> 
> All different, even the content, here is another example...
> 
> http://mx1.webtent.net/test2.msg
> 

About the best I can come up with:

In both cases the originating IP header leads to a bad/listed IP:

X-Originating-IP: [78.175.50.246]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT
TYPE: single IP 78.175.50.246
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
78.175.50.246	 listed in b.barracudacentral.org. 
78.175.50.246	 listed in PBL (ISP) 

X-Originating-IP: [109.75.193.116]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RUNNING REPORT
TYPE: single IP 109.75.193.116
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
109.75.193.116	 listed in PBL (SPAMHAUS) 
109.75.193.116	 listed in dnsbl-2.uceprotect.net. 
109.75.193.116	 listed in dnsbl-3.uceprotect.net. 

BUT!
AFAIK SA would not block on these and I guess that is because Hotmail
users tend to connect with a web browser from dynamic connections.
Therefore blocking them on a dynamic space policy list (PBL) could
result in shed loads of FPs.

I'm not sure if the RelayCountry module would pick these up? One is
in Turkey, the other gives me an "Unknown AS number or IP network" error
(I have an old whois client).

This is good spam that defeats SpamAssassin pretty easily as the sender
(hotmail) is mostly globally trusted. I agree with the other poster that
the amount of Spam from Hotmail is a royal pain in the backside, but
this is a spam filter and there needs to be a way to block this kind of
stuff.

Perhaps there needs to be some meta rules such as:
'comes from hotmail, has a single link, originating IP is in a country
that is often seen sending spam, lots of broken encoded characters
before the HTML section'. But I am to the world of writing rules what
Myra Hindley was to child care.
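As an added example (not from this thread and not SpamAssassin's own code), the header-to-DNSBL check Christian ran by hand can be scripted: pull the address out of X-Originating-IP, reverse its octets under each zone named above, and read the answers. The resolver used here is a stub constructed to reproduce the listings quoted in the post so the script runs offline; live_resolver does the same with real DNS. The Spamhaus return-code table is that list's published convention (127.0.0.10 is the ISP-maintained PBL, 127.0.0.11 the Spamhaus-maintained one, which matches the "PBL (ISP)" and "PBL (SPAMHAUS)" lines above). The weights in score_hits are assumptions chosen to illustrate the caveat in the post: a PBL hit on a webmail user's connecting address is expected and on its own is weak evidence, so it contributes little, while the other listings contribute more. The stock RCVD_IN_* rules and the RelayCountry plugin in SA 3.2.5 work from the relays in Received: headers, not from X-Originating-IP, which is why these listings added nothing to the score; SpamAssassin 3.3 and later can feed such headers into the relay list via the originating_ip_headers setting.

```python
"""Look up the IP in a Hotmail-style X-Originating-IP header against DNSBLs.

Added example for the thread above; not SpamAssassin code. The stub resolver
and sample message are constructed so the script runs offline.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Zones named in the thread. zen.spamhaus.org is the combined Spamhaus zone
# that carries the PBL answers quoted in the post.
ZONES = [
    "zen.spamhaus.org",
    "b.barracudacentral.org",
    "dnsbl-2.uceprotect.net",
    "dnsbl-3.uceprotect.net",
]

# Spamhaus ZEN return codes (published convention; assumed unchanged).
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Assumed weights: PBL alone is weak evidence for webmail-originated mail.
WEIGHTS = {"PBL": 0.5, "CSS": 2.0, "SBL": 2.5, "XBL": 2.5, "LISTED": 1.5}

_ORIG_IP = re.compile(r"^X-Originating-IP:[ \t]*\[?([0-9.]+)\]?[ \t]*$", re.I | re.M)

Resolver = Callable[[str], List[str]]


def originating_ip(raw_message: str) -> Optional[str]:
    """Return the first valid IPv4 X-Originating-IP from the header block, else None."""
    headers = raw_message.split("\n\n", 1)[0]
    m = _ORIG_IP.search(headers)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets under the zone, e.g. 246.50.175.78.zen.spamhaus.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolver(name: str) -> List[str]:
    """Real A-record lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Query every zone; return {zone: [labels]} for the zones that list the IP."""
    hits: Dict[str, List[str]] = {}
    for zone in ZONES:
        answers = resolve(dnsbl_name(ip, zone))
        if not answers:
            continue
        if zone == "zen.spamhaus.org":
            hits[zone] = sorted({SPAMHAUS_CODES.get(a, "UNKNOWN") for a in answers})
        else:
            hits[zone] = ["LISTED"]  # these zones only say yes or no
    return hits


def pbl_only(hits: Dict[str, List[str]]) -> bool:
    """True when the only evidence is dynamic-space (PBL) listings."""
    labels = [label for labels in hits.values() for label in labels]
    return bool(labels) and all(label == "PBL" for label in labels)


def score_hits(hits: Dict[str, List[str]]) -> float:
    """Sum the assumed weights; PBL contributes far less than an SBL/XBL or other list."""
    return sum(WEIGHTS.get(label, 0.0) for labels in hits.values() for label in labels)


def check_message(raw: str, resolve: Resolver) -> Tuple[Optional[str], Dict[str, List[str]], float]:
    """Extract the originating IP, look it up, and score it."""
    ip = originating_ip(raw)
    hits = check_ip(ip, resolve) if ip else {}
    return ip, hits, score_hits(hits)


# Constructed stub reproducing the listings reported in the thread.
STUB_ANSWERS = {
    "246.50.175.78.zen.spamhaus.org": ["127.0.0.10"],       # PBL (ISP)
    "246.50.175.78.b.barracudacentral.org": ["127.0.0.2"],
    "116.193.75.109.zen.spamhaus.org": ["127.0.0.11"],      # PBL (SPAMHAUS)
    "116.193.75.109.dnsbl-2.uceprotect.net": ["127.0.0.2"],
    "116.193.75.109.dnsbl-3.uceprotect.net": ["127.0.0.2"],
}


def stub_resolver(name: str) -> List[str]:
    return STUB_ANSWERS.get(name, [])


# Constructed sample header block (not one of the real test messages).
SAMPLE_MSG = (
    "Received: from 192.0.2.10 by mx.example.invalid with ESMTP; Fri, 29 Jan 2010 16:02:11 +0000\n"
    "X-Originating-IP: [78.175.50.246]\n"
    "From: someone@hotmail.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE_MSG, stub_resolver))
```

Replace stub_resolver with live_resolver to run the same check against the real zones; the decision logic stays the same, and pbl_only is the guard that keeps a webmail user on dynamic space from being rejected on the PBL hit alone.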