Stock image spam blocking
Matt Kettler
mkettler at evi-inc.com
Tue Apr 25 19:35:26 IST 2006
Derek Chee wrote:
> Hi,
>
> We've been getting bombarded recently with a lot of the embedded GIF
> image OTCBB stock, pump and dump spam. The one with the random subject,
> from and sender lines.
>
> Has anybody had any luck creating SpamAssassin rules that would help
> boost the score? Or better yet a good RBL that blocks them? For RBLs,
> we only run the Spamhaus lists. Being a university, we can't run a very
> aggressive RBL list as it would cause too many complaints about blocking
> legitimate email.
>
the SARE stock ruleset helps here. As do hash-based tests like Razor and DCC.
Finally, many seem to be sent from DUL listed hosts.
The most recent one I got here scored with:
X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=18.206, required 5,
autolearn=spam, BAYES_80 2.00, EXTRA_MPART_TYPE 1.09,
HELO_DYNAMIC_IPADDR2 3.82, HTML_90_100 0.11, HTML_IMAGE_ONLY_08 3.13,
HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
MIME_HTML_MOSTLY 1.10, RAZOR2_CF_RANGE_51_100 0.50,
RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
RCVD_IN_SORBS_DUL 2.05, SARE_GIF_ATTACH 0.75, SARE_GIF_STOX 1.66)
So we have a good variety of optional SA bits at work here:
Razor: 2.50
RBLs: 2.05
SARE: 2.41
Both SARE_GIF_ATTACH and SARE_GIF_STOX live in:
http://www.rulesemporium.com/rules/70_sare_stocks.cf
More information about the MailScanner
mailing list