NOBODY EVER ANSWERS QUESTIONS TO THIS LIST

James Gray james at gray.net.au
Mon Dec 15 06:44:04 GMT 2008


On 15/12/2008, at 3:17 PM, Bjorgen T. Eatinger wrote:

> 1. NOBODY EVER ANSWERS QUESTIONS TO THIS LIST---Why?
>
> 2. There has been (for at least the last 3 weeks) a recent huge  
> flood of emails that are set up to "appear" to have originated from  
> the same email address which the SPAM is being sent to, and the  
> addresses are perfectly valid addresses stored on our email server  
> (NOT ACCOUNTS, but valid ALIASES).
>
> For example a valid alias on our mail server would be: booking at edenaudio.com
>
> The SPAM email is SENT to that email address and is also set up to  
> COME from that address.
>
> Has there been any discussion or attempts to get rid of this most  
> annoying new type of SPAM?  I don't see it as very difficult to  
> catch, as the following conditions are always TRUE in all cases:
>
> a. SAME FROM ADDRESS AS THE TO ADDRESS (this is normally only done  
> when testing)
>
> b. Almost every email contains "status" in the subject
>
> c. Every email always contains HTML and the words "click here" in  
> every one (see below)
>
> I believe any one of these items would work to stop this flood of  
> email (especially b or c).  Can you please let me know how I could  
> implement any one or all of these methods?


Whoa dude - slow down.  Maybe I missed it, but I haven't seen any  
previous questions from you on this matter.  Maybe I missed them too?   
BTW, starting a post to *any* list with "NOBODY EVER ANSWERS QUESTIONS  
TO THIS LIST" is an almost guaranteed way to construct a self-fulfilling  
prophecy ;)

In answer to your questions, the same TO/FROM address I'll leave for  
someone else and the remainder of your analysis should be enough.   
Simply add the following to /etc/MailScanner/spamassassin.prefs.conf:

header __SUBJ_STATUS	Subject =~ /status/i
body __BODY_CLK_HERE	/click here/i
rawbody __BODY_HTML	/(?:\<p\>|\<div\>|\<html\>)/i
meta MYSPAM_RULE_1		(__SUBJ_STATUS && __BODY_CLK_HERE && __BODY_HTML)
describe MYSPAM_RULE_1	This message appears to be spam
score MYSPAM_RULE_1		6.0

This isn't perfect, but it should give you a starting point.

For future reference, if you have some web space where you can put a  
RAW copy of the message, other people can have a look at it and  
together we can make some rules to address your specific problem.  In  
future, if you flame everyone on the list with accusations of ignoring  
you, I personally will do exactly that :)  I have been active (for  
various values of active) on this list for several years and always  
found this community attentive, informative and extremely helpful.   
Please be polite and show respect - especially if you expect the same  
in return.

Peace,

James
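
An added example, not part of the reply above and not MailScanner or SpamAssassin code: a Python script that applies the three sub-tests from the posted meta rule, plus condition (a) from the question (From equals To), to raw messages so the rule logic can be tried before deployment. The sample messages, the example.com/example.org addresses and the names `addrs` and `evaluate` are assumptions made for illustration, and stripping tags with a regex only approximates what a SpamAssassin body rule sees.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not taken from the list post).
SPAM = """\
From: booking@example.com
To: booking@example.com
Subject: Account status update
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please <a href="http://example.invalid/">click here</a>.</p></body></html>
"""

# Constructed legitimate HTML notice that still satisfies the three-part meta rule.
NOTICE = """\
From: shop@example.org
To: booking@example.com
Subject: Order status
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your order shipped. Click here to track it.</p></body></html>
"""

def addrs(msg, header):
    """Lower-cased addr-specs from every occurrence of a header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def evaluate(raw):
    """Return the sub-tests that hit and whether the meta rule would fire."""
    msg = message_from_string(raw)
    # Undecoded part bodies, roughly what a rawbody rule sees.
    raw_body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    # Tags stripped, roughly what a body rule sees.
    text = re.sub(r"<[^>]+>", " ", raw_body)
    hits = {
        "SUBJ_STATUS": bool(re.search(r"status", msg.get("Subject", ""), re.I)),
        "BODY_CLK_HERE": bool(re.search(r"click here", text, re.I)),
        "BODY_HTML": bool(re.search(r"<p>|<div>|<html>", raw_body, re.I)),
        # Condition (a) from the question, which the posted rules do not cover.
        "FROM_EQ_TO": bool(addrs(msg, "From") & addrs(msg, "To")),
    }
    meta = hits["SUBJ_STATUS"] and hits["BODY_CLK_HERE"] and hits["BODY_HTML"]
    return hits, meta
```

On these constructed inputs the meta rule fires for both messages, and only the From-equals-To test separates them.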