Posted to users@spamassassin.apache.org by JP Kelly <li...@jpkvideo.net> on 2012/10/01 18:53:31 UTC
short prolific spam
I am getting a bunch of particularly annoying spam which always has a short html body message similar to:
HELLO dude
Any ideas how to combat this spam?
Here is an example:
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smallgod.net
X-Spam-Status: No, score=6.3 required=7.0 tests=BAYES_50,DCC_CHECK,
HTML_MESSAGE,RCVD_IN_SORBS_WEB autolearn=no version=3.3.1
X-Spam-LocalCF: procByLocalCf
X-Spam-Report:
* 1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
* [87.204.239.251 listed in dnsbl.sorbs.net]
* 0.4 HTML_MESSAGE BODY: HTML included in message
* 0.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.5616]
* 3.9 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
X-Spam-jpkvideo: jpkPrefUsed
Received: (qmail 32278 invoked from network); 1 Oct 2012 09:44:49 -0700
Received: from mx2.smallgod.net (72.10.53.122)
by mail.smallgod.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 1 Oct 2012 09:44:49 -0700
Received: (qmail 3393 invoked from network); 1 Oct 2012 09:44:49 -0700
Received: from 87-204-239-251.ip.netia.com.pl (87.204.239.251)
by mx2.smallgod.net with SMTP; 1 Oct 2012 09:44:48 -0700
Received: from apache by sterkinekor.com with local (Exim 4.67)
(envelope-from <fi...@sterkinekor.com>)
id KI47ED-67D0M2-W8
for <jp...@jpkvideo.com>; Mon, 1 Oct 2012 21:14:48 +0430
To: <jp...@jpkvideo.com>
Subject: hello
X-PHP-Script: sterkinekor.com/sendmail.php for 87.204.239.251
From: "Octavio Herron" <fi...@sterkinekor.com>
X-Sender: "Octavio Herron" <fi...@sterkinekor.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------05070400107050204080604"
Message-Id: <56...@sterkinekor.com>
Date: Mon, 1 Oct 2012 21:14:48 +0430
This is a multi-part message in MIME format.
--------------05070400107050204080604
Content-Type: text/plain; charset="us-ascii"; format=flowed
HELLO dude
--------------05070400107050204080604
Content-Type: text/html; charset="iso-8859-2"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#ffffff" text="#000000" vlink="black" alink="gray">
<p>
HELLO dude<br>
</p>
</body>
</html>
--------------05070400107050204080604--
Re: short prolific spam
Posted by Richard Doyle <rd...@islandnetworks.com>.
On 10/01/2012 09:53 AM, JP Kelly wrote:
> I am getting a bunch of particularly annoying spam which always has a short html body message similar to:
>
> HELLO dude
>
> Any ideas how to combat this spam?
Lower your threshold to 5.
>
> Here is an example:
>
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smallgod.net
> X-Spam-Status: No, score=6.3 required=7.0 tests=BAYES_50,DCC_CHECK,
> HTML_MESSAGE,RCVD_IN_SORBS_WEB autolearn=no version=3.3.1
> X-Spam-LocalCF: procByLocalCf
> X-Spam-Report:
> * 1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
> * [87.204.239.251 listed in dnsbl.sorbs.net]
> * 0.4 HTML_MESSAGE BODY: HTML included in message
> * 0.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> * [score: 0.5616]
> * 3.9 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
> X-Spam-jpkvideo: jpkPrefUsed
> Received: (qmail 32278 invoked from network); 1 Oct 2012 09:44:49 -0700
> Received: from mx2.smallgod.net (72.10.53.122)
> by mail.smallgod.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 1 Oct 2012 09:44:49 -0700
> Received: (qmail 3393 invoked from network); 1 Oct 2012 09:44:49 -0700
> Received: from 87-204-239-251.ip.netia.com.pl (87.204.239.251)
> by mx2.smallgod.net with SMTP; 1 Oct 2012 09:44:48 -0700
> Received: from apache by sterkinekor.com with local (Exim 4.67)
> (envelope-from <fitness8@>)
> id KI47ED-67D0M2-W8
> for <jp...@jpkvideo.com>; Mon, 1 Oct 2012 21:14:48 +0430
> To: <jp...@jpkvideo.com>
> Subject: hello
> X-PHP-Script: sterkinekor.com/sendmail.php for 87.204.239.251
> From: "Octavio Herron" <fi...@sterkinekor.com>
> X-Sender: "Octavio Herron" <fi...@sterkinekor.com>
> X-Mailer: PHP
> X-Priority: 1
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="------------05070400107050204080604"
> Message-Id: <56...@sterkinekor.com>
> Date: Mon, 1 Oct 2012 21:14:48 +0430
>
> This is a multi-part message in MIME format.
> --------------05070400107050204080604
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> HELLO dude
>
> --------------05070400107050204080604
> Content-Type: text/html; charset="iso-8859-2"
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <meta http-equiv="content-type" content="text/html; charset=UTF-8">
> </head>
> <body bgcolor="#ffffff" text="#000000" vlink="black" alink="gray">
> <p>
> HELLO dude<br>
> </p>
> </body>
> </html>
>
> --------------05070400107050204080604--
>
Re: short prolific spam
Posted by Alexandre Boyer <bi...@gmail.com>.
Hi there,
First, your threshold is high. You may want to lower it a little bit.
Then, if it's always the same phrase, rule it:
body __AYOY /HELLO dude/
Then meta this with other things you may see a lot in those spams:
meta ME_SPAM RCVD_IN_SORBS_WEB && __AYOY
score ME_SPAM 2.0
meta ME_DCC DCC_CHECK && __AYOY
score ME_DCC 2.0
meta ME_GETRIDOFIT ME_SPAM && ME_DCC
score ME_GETRIDOFIT 2.0
You may also prefer to work with specific headers and this kind of
thing, but the basic idea is there.
Hope this helps.
Alex, from prypiat.
Yes, I recycle.
On 12-10-01 12:53 PM, JP Kelly wrote:
> I am getting a bunch of particularly annoying spam which always has a short html body message similar to:
>
> HELLO dude
>
> Any ideas how to combat this spam?
>
> Here is an example:
>
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smallgod.net
> X-Spam-Status: No, score=6.3 required=7.0 tests=BAYES_50,DCC_CHECK,
> HTML_MESSAGE,RCVD_IN_SORBS_WEB autolearn=no version=3.3.1
> X-Spam-LocalCF: procByLocalCf
> X-Spam-Report:
> * 1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
> * [87.204.239.251 listed in dnsbl.sorbs.net]
> * 0.4 HTML_MESSAGE BODY: HTML included in message
> * 0.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> * [score: 0.5616]
> * 3.9 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
> X-Spam-jpkvideo: jpkPrefUsed
> Received: (qmail 32278 invoked from network); 1 Oct 2012 09:44:49 -0700
> Received: from mx2.smallgod.net (72.10.53.122)
> by mail.smallgod.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 1 Oct 2012 09:44:49 -0700
> Received: (qmail 3393 invoked from network); 1 Oct 2012 09:44:49 -0700
> Received: from 87-204-239-251.ip.netia.com.pl (87.204.239.251)
> by mx2.smallgod.net with SMTP; 1 Oct 2012 09:44:48 -0700
> Received: from apache by sterkinekor.com with local (Exim 4.67)
> (envelope-from <fi...@sterkinekor.com>)
> id KI47ED-67D0M2-W8
> for <jp...@jpkvideo.com>; Mon, 1 Oct 2012 21:14:48 +0430
> To: <jp...@jpkvideo.com>
> Subject: hello
> X-PHP-Script: sterkinekor.com/sendmail.php for 87.204.239.251
> From: "Octavio Herron" <fi...@sterkinekor.com>
> X-Sender: "Octavio Herron" <fi...@sterkinekor.com>
> X-Mailer: PHP
> X-Priority: 1
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="------------05070400107050204080604"
> Message-Id: <56...@sterkinekor.com>
> Date: Mon, 1 Oct 2012 21:14:48 +0430
>
> This is a multi-part message in MIME format.
> --------------05070400107050204080604
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> HELLO dude
>
> --------------05070400107050204080604
> Content-Type: text/html; charset="iso-8859-2"
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <meta http-equiv="content-type" content="text/html; charset=UTF-8">
> </head>
> <body bgcolor="#ffffff" text="#000000" vlink="black" alink="gray">
> <p>
> HELLO dude<br>
> </p>
> </body>
> </html>
>
> --------------05070400107050204080604--
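
Added example, not part of any post in this thread: one way to follow the "work with specific headers" suggestion above, using the X-PHP-Script and X-Mailer headers visible in the sample message. The LOCAL_* rule names and the scores are assumptions made for illustration; RCVD_IN_SORBS_WEB and DCC_CHECK are the stock tests that already hit in the sample's X-Spam-Status.

```conf
# Added example for local.cf. All LOCAL_* names are hypothetical.
# Header names and values are taken from the sample message in the first post.

# Sub-rules: the double-underscore prefix means they carry no score themselves.
header   __LOCAL_PHP_SCRIPT    exists:X-PHP-Script
header   __LOCAL_XMAILER_PHP   X-Mailer =~ /^PHP$/
body     __LOCAL_HELLO_DUDE    /\bHELLO dude\b/

# Web-form origin: both PHP mail() markers from the sample are present.
# Legitimate web forms set these too, so this is never scored on its own.
meta     __LOCAL_PHP_ORIGIN    __LOCAL_PHP_SCRIPT && __LOCAL_XMAILER_PHP

# The phrase plus the PHP origin, independent of any network test.
meta     LOCAL_PHP_HELLO       __LOCAL_PHP_ORIGIN && __LOCAL_HELLO_DUDE
describe LOCAL_PHP_HELLO       HELLO dude body sent via PHP script
score    LOCAL_PHP_HELLO       2.0

# The same, corroborated by either network test that hit the sample.
meta     LOCAL_PHP_HELLO_NET   LOCAL_PHP_HELLO && (RCVD_IN_SORBS_WEB || DCC_CHECK)
describe LOCAL_PHP_HELLO_NET   PHP HELLO dude plus SORBS web or DCC hit
score    LOCAL_PHP_HELLO_NET   1.5
```

With the other scores as reported in the sample, both rules would add 3.5 to the 6.3 already scored, which clears the 7.0 threshold without relying on the phrase alone. Check the file with `spamassassin --lint` and replay a saved copy of the message with `spamassassin -t` before deploying.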