Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2010/05/26 18:05:53 UTC

Re: url spam from Hotmail

On 05/26/2010 09:33 PM, Lennart Johansson wrote:
> My first post, please don't kill me for doing some things wrong.
> I see quite a few of these from hotmail originating from China.
> http://pastebin.com/q308E7ZG
> SA score:
> cached not result=0.002 4 krav spam autolearn=not
> Score	Matching Rule	Description
> 0.00	BAYES_50	Bayesian spam probability is 40 to 60%
> 0.00	HTML_MESSAGE	HTML included in message
>
> Perhaps this is simple to detect if you know how to write the right rule, but I don't.
> Right now it scores very low, and I try to learn SA to detect.
> Anybody got any suggestion how to catch them directly?
>
>
> Best regards
> /Lelle
>
>
>


I mostly catch these with Bayes training. Your example hit BAYES_95 here.

I also score all mail FROM hotmail.com (2-3 points) and then whitelist 
legitimate hotmail senders. Hotmail are not too big to block here and I'm 
sick of the crap they spew.

Finally,

X-Originating-IP: [123.161.74.4]

is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.

Unfortunately you can't simply write a rule to combine From Hotmail and 
has any URI as all mail from Hotmail has a URI in the footer.


Re: url spam from Hotmail

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 05/26/2010 05:29 PM, Karsten Bräckelmann wrote:
>
> Also, these Hotmail injected footers always use long-ish URIs with a
> path, no? In that case, a meta with __URI_NO_PATH could help. Something
> like this.
>
>    uri __URI_NO_PATH  m~^https?://[^/]+/?$~
>
>

That's possibly a good idea. I was thinking of trying to collate all 
known Hotmail Signature/footer URIs and do a meta for Hotmail with URI 
other than those that commonly appear in Hotmail footers.

In the end I just decided From Hotmail was worth 3 points and 
whitelisted the 20 or so known hotmail sender addresses that appear in 
my logs.


Re: url spam from Hotmail

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> > I see quite a few of these from hotmail originating from China.

> X-Originating-IP: [123.161.74.4]
> 
> is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.

Unlike PBL and XBL, Spamhaus SBL is safe for deep-parsing. Which SA does
for this part (only) of ZEN.

> Unfortunately you can't simply write a rule to combine From Hotmail and 
> has any URI as all mail from Hotmail has a URI in the footer.

A meta rule from Hotmail and originating from China might be possible,
though. If that really is a common pattern. *And* acceptable for your
user-base.

Also, these Hotmail injected footers always use long-ish URIs with a
path, no? In that case, a meta with __URI_NO_PATH could help. Something
like this.

  uri __URI_NO_PATH  m~^https?://[^/]+/?$~


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
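
Added example, not part of the original thread and not SpamAssassin code: a Python emulation of the meta suggested above, combining a hypothetical From-Hotmail sub-rule with the __URI_NO_PATH pattern from the post, to show which URIs the pattern does and does not catch. The sender addresses and URIs are constructed samples, and URIs are assumed to arrive as plain strings already extracted from the message.

```python
import re
from email.utils import parseaddr

# Pattern copied from the post; only the Perl m~...~ delimiters are dropped.
URI_NO_PATH = re.compile(r"^https?://[^/]+/?$")


def from_hotmail(from_header):
    """Hypothetical sub-rule: the From address is at hotmail.com."""
    addr = parseaddr(from_header)[1].lower()
    return addr.endswith("@hotmail.com")


def uri_no_path(uris):
    """Return the URIs that consist of scheme and host only (no path)."""
    return [u for u in uris if URI_NO_PATH.search(u)]


def meta_hits(from_header, uris):
    """Emulates: meta = (From Hotmail) && __URI_NO_PATH."""
    return from_hotmail(from_header) and bool(uri_no_path(uris))


# Constructed stand-in for an injected footer link: long-ish, with a path.
FOOTER = "http://footer.example/some/long/path?ocid=TAG"

# Constructed messages: (From header, URIs found in the body).
SAMPLES = {
    "hotmail, footer only": ("Ann <ann@hotmail.com>", [FOOTER]),
    "hotmail, bare-domain link": ("Bob <bob@hotmail.com>",
                                  ["http://spam.example/", FOOTER]),
    "other sender, bare-domain link": ("carol@example.net",
                                       ["http://spam.example/"]),
    # A legitimate Hotmail user pasting a site's front page also fires,
    # which is why the thread pairs this with whitelisting known senders.
    "hotmail, friend's homepage": ("Dan <dan@hotmail.com>",
                                   ["http://www.example.org", FOOTER]),
}

# Edge cases: a query string with no slash still counts as "no path",
# while "/?query" does not match at all.
EDGE = ["http://spam.example?id=1", "http://spam.example/?id=1"]

if __name__ == "__main__":
    for name, (sender, uris) in SAMPLES.items():
        print(f"{name:32s} -> {meta_hits(sender, uris)}")
    print("edge matches:", uri_no_path(EDGE))
```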