Entries tagged as anti-spam

Monday, October 4. 2010
XING SPAM FAIL

Sunday, August 1. 2010
SPAM FAIL

Subject: Dear friend

Wednesday, May 7. 2008
Clam Agents

Subject: You Won £ 250.000.00! [...]

[...] We happy to announce, you draw the of the Yahoo Lottery Intl Inc programs on 6 May 2008 in London. You have therefore been approved is, to claim a total sum of two hundred and fifty thousand British pounds (£ 250.000,00) for the 6 May 2008 promo lottery win, [...]. YAHOO collects all e-mail ID of the human, who themselves to Yahoo! E-Mail, MSN, Hotmail, AOL, AltaVista, and others online. Among the billions, subscribe to us, only five humans will itself for winnings. [...]

[...] Therefore you are advised, quote the following information to the clam agent to facilitate them the processing of the transfer of your funds without delay. [...]

Thursday, May 1. 2008
SORBS is way too restrictive

RBLs enable mail admins to automatically block incoming mail based on DNS lookups. But I noticed that my MTA was again blocking Google and Hotmail completely, again due to the overly restrictive SORBS blacklist. This is unacceptable collateral damage, so I suggest you don’t use SORBS if you intend to receive mail from large-scale customer sites. SpamAssassin still gives scores for that blacklist, but not enough to trigger blocking by that single list alone.

Wednesday, July 25. 2007
Hello Cucumber

Subject: xu Hello Hello {, MAILTO_USERNAME}

Wednesday, July 18. 2007
Current anti-spam measures

For the sake of documentation, I list the enhancements I have configured for SpamAssassin since February:
Recently, PDF spam has become “popular”. Therefore I enabled some more things to accomplish this:
Sure, as soon as we catch enough of that new PDF spam, spammers might change to some other document file format, such as DOC or RTF or even ODF, and we are forced to scan those attached documents for spam text or even for contained images that contain spam text, which we are already considering with FuzzyOCR. There must be some better way, actually. However, I had to reduce the score of the Botnet plugin, as the default value of

The fight continues.

Wednesday, February 21. 2007
192.168.0.951

Recently, on the SpamAssassin mailing list, someone was reporting that a newbie spammer seemed to have forgotten to replace variables with values. Someone else noted that the construction
CODE: Received: from 192.168.0.%RND_DIGIT
might lead to weird and impossible IP addresses. Now, I really found that in my spam quarantine:
CODE: Received: from unknown (HELO service3.colo.trueswitch.com) \
([]) (envelope-sender <rvadur@minermail.com>) \
by mail.trueswitch.com (qmail-ldap-1.03) with SMTP for \
<info@xxxxxxxxxxx.com>; Sun, 14 Jan 2007 22:54:12 -0000
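
A filter for the two artifacts this entry describes, an unsubstituted template variable and an IPv4 address with an octet above 255 in a Received: header, could look like the following. This is an added example, not code from the original post or from SpamAssassin; the function names are hypothetical and the sample headers are constructed.

```python
import re

# Dotted quad with 1-4 digits per field, so malformed values such as
# "192.168.0.951" are captured instead of being silently skipped.
# The lookarounds stop a match from starting or ending inside a longer token.
DOTTED_QUAD = re.compile(r"(?<![\w.])(\d{1,4}(?:\.\d{1,4}){3})(?![\w.])")
# Unsubstituted template variable of the kind quoted above: "%RND_DIGIT".
PLACEHOLDER = re.compile(r"%[A-Z][A-Z0-9_]{2,}")


def unfold(raw_headers):
    """Join RFC 5322 folded continuation lines into single header lines."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_headers).splitlines()


def received_anomalies(raw_headers):
    """Return (kind, value) findings taken from Received: headers only."""
    findings = []
    for line in unfold(raw_headers):
        if not line.lower().startswith("received:"):
            continue  # other headers and body text are out of scope here
        for token in PLACEHOLDER.findall(line):
            findings.append(("placeholder", token))
        for quad in DOTTED_QUAD.findall(line):
            # A real IPv4 octet is 0-255; anything larger cannot exist.
            if any(int(octet) > 255 for octet in quad.split(".")):
                findings.append(("impossible_ip", quad))
    return findings


# Constructed sample headers (not the quarantined message from this post).
SAMPLE = (
    "Received: from unknown (HELO mail.example.org)\n"
    "\t([192.168.0.951]) by mx.example.net with SMTP;\n"
    "\tSun, 14 Jan 2007 22:54:12 -0000\n"
    "Received: from 192.168.0.%RND_DIGIT by mx.example.net with SMTP\n"
    "Received: from relay.example.org ([192.0.2.25]) by mx.example.net\n"
    "Subject: price 10.20.30.400 today\n"
)

if __name__ == "__main__":
    for kind, value in received_anomalies(SAMPLE):
        print(kind, value)
```

Either finding is a strong sign of a forged header, because no legitimate MTA writes such a value into its own Received: line.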

Friday, February 16. 2007
Counteracting the spammers

SpamAssassin is doing a good job on my site. It has successfully protected my users’ mailboxes for some years now. However, during the last months spamming has increased significantly around the world. Luckily, only a little spam is getting through, but a handful of spam mails a day is already too much for the pampered user. So I searched for current enhancements. So far I had only used Debian Etch’s standard spamassassin and amavisd-new packages.

I consider greylisting a solution for days when I see no other choice. I can imagine my users being confused because they do not receive an expected mail immediately.

So I installed three enhancements for SpamAssassin:

The first one is available from Debian ‘unstable’, whereas the other two simply go into /etc/spamassassin. The SpamAssassin Rules Emporium provides a lot of other rules I haven’t tried yet.

The rules are already getting some hits, adding a lot to the spam score of messages. Here are examples from within 24 hours: FUZZY_OCR=7.000 (twice), FUZZY_OCR=8.000, FUZZY_OCR=9.000 (5 times), FUZZY_OCR=10.000 (twice), BOTNET_OCNNEJP=5 (3 times), BOTNET_SHAWCABLE=5, SARE_STOCK_MSG_ID2=2.22 (5 times), SARE_GIF_ATTACH=0.75 (16 times), SARE_GIF_STOX=1.66 (6 times), SARE_PROLOSTOCK_SYM3=1.66 (8 times), SARE_MLH_Stock1=1.66 (12 times), SARE_RMML_Stock26=1.12, SARE_MLB_Stock1=1.66 (3 times), SARE_MLB_Stock3=0.794 (7 times), SARE_LWOILCO=0.388 (twice), SARE_LWSYMFMT=1.66, SARE_PROLOSTOCK_SYM4=2.66, SARE_PROLOSTOCK_SYM1=1.66, SARE_LWSHORTT=0.794.

So, it was worth the no effort. For those who wonder why there are only a few hits, Postfix is already doing most of the job by rejecting bad connections.
