Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2010/05/26 18:05:53 UTC
Re: url spam from Hotmail
On 05/26/2010 09:33 PM, Lennart Johansson wrote:
> My first post, please don't kill me for doing some things wrong.
> I see quite a few of these from hotmail originating from China.
> http://pastebin.com/q308E7ZG
> SA score:
> Score Matching Rule Descriptioncached not
> result=0.002
> 4 krav
> spam autolearn=not
> 0.00 BAYES_50 Bayesian spam probability is 40 to 60%
> 0.00 HTML_MESSAGE HTML included in message
>
> Perhaps this is simple to detect if you know how to write the right rule, but I don't.
> Right now it scores very low, and I try to learn SA to detect.
> Anybody got any suggestion how to catch them directly?
>
>
> Best regards
> /Lelle
>
>
>
I mostly catch these with Bayes training. Your example hit BAYES_95 here.
I also score all mail FROM hotmail.com (2-3 points) and then whitelist
legitimate hotmail senders. Hotmail are not too big to block here and I'm
sick of the crap they spew.
Finally,
X-Originating-IP: [123.161.74.4]
is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.
Unfortunately you can't simply write a rule to combine From Hotmail and
has any URI as all mail from Hotmail has a URI in the footer.
Re: url spam from Hotmail
Posted by Ned Slider <ne...@unixmail.co.uk>.
On 05/26/2010 05:29 PM, Karsten Bräckelmann wrote:
>
> Also, these Hotmail injected footers always use long-ish URIs with a
> path, no? In that case, a meta with __URI_NO_PATH could help. Something
> like this.
>
> uri __URI_NO_PATH m~^https?://[^/]+/?$~
>
>
That's possibly a good idea. I was thinking of trying to collate all
known Hotmail Signature/footer URIs and do a meta for Hotmail with URI
other than those that commonly appear in Hotmail footers.
In the end I just decided From Hotmail was worth 3 points and
whitelisted the 20 or so known hotmail sender addresses that appear in
my logs.
Re: url spam from Hotmail
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> > I see quite a few of these from hotmail originating from China.
> X-Originating-IP: [123.161.74.4]
>
> is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.
Unlike PBL and XBL, Spamhaus SBL is safe for deep-parsing. Which SA does
for this part (only) of ZEN.
> Unfortunately you can't simply write a rule to combine From Hotmail and
> has any URI as all mail from Hotmail has a URI in the footer.
A meta rule from Hotmail and originating from China might be possible,
though. If that really is a common pattern. *And* acceptable for your
user-base.
Also, these Hotmail injected footers always use long-ish URIs with a
path, no? In that case, a meta with __URI_NO_PATH could help. Something
like this.
uri __URI_NO_PATH m~^https?://[^/]+/?$~
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
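
The meta idea discussed in this thread (mail from Hotmail combined with a URI that has no path), sketched in Python as an added example; it is not code from any poster and not SpamAssassin itself. The sample messages, the `.example` hostnames, the function names and the simplified URI extraction are all constructed assumptions; only the `__URI_NO_PATH` pattern is taken from the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pattern of the uri rule quoted in the thread: m~^https?://[^/]+/?$~
URI_NO_PATH = re.compile(r"^https?://[^/]+/?$")
# Simplified URI extraction (assumption); SpamAssassin's URI parser does far more.
URI_FINDER = re.compile(r"https?://[^\s<>\"']+")

def no_path(uri):
    """True when the URI is scheme + host only, optionally with a trailing slash."""
    return URI_NO_PATH.match(uri) is not None

def from_hotmail(raw):
    """True when the From: address is in hotmail.com (display name ignored)."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    return addr.endswith("@hotmail.com")

def uris_without_path(raw):
    """All body URIs that would fire the no-path sub-rule."""
    body = message_from_string(raw).get_payload()
    return [u for u in URI_FINDER.findall(body) if no_path(u)]

def meta_hit(raw):
    """Equivalent of a meta: (From Hotmail) && (URI without path)."""
    return from_hotmail(raw) and bool(uris_without_path(raw))

# Constructed footer line; it stands in for the long URI with a path that
# the thread says is injected into every Hotmail message.
FOOTER = "\n-- \nhttp://footer.example/promo/landing.aspx?ocid=TAG\n"

# Constructed sample messages.
SPAM = ("From: Someone <someone@hotmail.com>\nSubject: hi\n\n"
        "http://shop.example\n" + FOOTER)
LEGIT = ("From: Friend <friend@hotmail.com>\nSubject: lunch\n\n"
         "See you at noon.\n" + FOOTER)
OTHER = ("From: list@lists.example\nSubject: news\n\n"
         "http://shop.example/\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT), ("OTHER", OTHER)):
        print(name, meta_hit(raw), uris_without_path(raw))
    # Edge cases: a query string without a path still counts as "no path",
    # while "/" followed by a fragment does not.
    for u in ("http://shop.example?x=1", "http://shop.example/#top"):
        print(u, no_path(u))
```

A Hotmail sender who pastes a bare domain into a legitimate message would also hit, so a combination like this suits a modest score alongside the whitelisting described above, not an outright block.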