Debora is a huge spammers!!!!
Matt Hampton
matt at coders.co.uk
Mon Nov 13 08:17:06 GMT 2006
Glenn Steen wrote:
> On 12/11/06, Michael S. <admin at thenamegame.com> wrote:
>> I did a grep on Debora in my logs and although that ip reveals the
>> same ip
>> as what you have the rest are from all different ips so ip blocking
>> wont do
>> it.
> Look through the stuff since the begining of this month... Had 28
> matches, where 3 would've been false positives with a rule rejecting
> anyone named debora.*@.* ... would be unacceptable to me. And MS cauth
> the other ones so...:-).
Gone back through my logs and only 185 got as far as MS - of these 11
were not identified as spam and of these only 6 were false negatives.
Of those 6 - 3 were caused by SA timeouts. I was getting Razor hits on
the rest and Bayes was > 60% on two of them. The lowest score was 2.5,
the highest 4.76.
I haven't (touch wood) had a false negative since the 5th.
The majority (at least an order of magnitude larger) were blocked at
connection level. I haven't had a chance to work out which milters hit
the most but I have the following installed:
milter-link, smf-sav, smf-grey (patched to only greylist if the sending
IP is on an RBL) and smf-spf (reject only on fails).
>
> If saw this in very large numbers, I might be tempted do try
> capitalise it... But I'm afraid that if you cannot find something else
> they have in common (and that you can easily identify at SMTP time),
> you wouldn't be able to use this at all.
> For me, looking at the headers for the 28, nothing really popped out.
>
The only thing that I saw was they All had X-Priority: 3(normal) set.
matt
More information about the MailScanner
mailing list