Spam from hotmail,yahoo and live.com getting throught

Scott Silva ssilva at sgvwater.com
Mon Dec 22 19:37:12 GMT 2008 

on 12-20-2008 1:47 AM JC Putter spake the following:
> How can i setup mailscanner to do those URI,DNS blacklist checks???
> 
> That is what i need,
> 
> Thank you very much for the reply...
> 
Here are some rules you can add to spam.assassin.prefs.conf. Some of them are
quite old, but you can play with them;

header   RCVD_IN_PSBL          eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL          Received via a relay in PSBL
tflags   RCVD_IN_PSBL          net
score    RCVD_IN_PSBL          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_1          eval:check_rbl('UCE_PFSM_1',
'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1          Received via a relay in UCE_PFSM_1
tflags   RCVD_IN_UCE_PFSM_1          net
score    RCVD_IN_UCE_PFSM_1          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_2          eval:check_rbl('UCE_PFSM_2',
'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2          Received via a relay in UCE_PFSM_2
tflags   RCVD_IN_UCE_PFSM_2          net
score    RCVD_IN_UCE_PFSM_2          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_3          eval:check_rbl('UCE_PFSM_3',
'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3          Received via a relay in UCE_PFSM_3
tflags   RCVD_IN_UCE_PFSM_3          net
score    RCVD_IN_UCE_PFSM_3          0 2.50 0 2.50

header   DNS_FROM_MPBULK_RHSBL	eval:check_rbl_from_host('mprhs',
'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL	From: sender listed in bulk.rhs.mailpolice.com
tflags   DNS_FROM_MPBULK_RHSBL	net
score    DNS_FROM_MPBULK_RHSBL	2.0


urirhsbl  URIBL_BULK_MPRHS  bulk.rhs.mailpolice.com.   A
body      URIBL_BULK_MPRHS  eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe  URIBL_BULK_MPRHS  Contains a URL listed in the MailPolice bulk
senders list
tflags    URIBL_BULK_MPRHS  net
score     URIBL_BULK_MPRHS  2.0


urirhsbl  URIBL_PORN_MPRHS  porn.rhs.mailpolice.com.   A
body      URIBL_PORN_MPRHS  eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe  URIBL_PORN_MPRHS  Contains a URL listed in the MailPolice porn
domains list
tflags    URIBL_PORN_MPRHS  net
score     URIBL_PORN_MPRHS  2.0


urirhsbl  URIBL_FRAUD_MPRHS  fraud.rhs.mailpolice.com.   A
body      URIBL_FRAUD_MPRHS  eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe  URIBL_FRAUD_MPRHS  Contains a URL listed in the MailPolice fraud
domains list
tflags    URIBL_FRAUD_MPRHS  net
score     URIBL_FRAUD_MPRHS  2.0

header   RCVD_IN_SPAMCANNIBAL          eval:check_rbl('spamcannibal',
'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL          Received via a relay in SpamCannibal
tflags   RCVD_IN_SPAMCANNIBAL          net
score    RCVD_IN_SPAMCANNIBAL          0 1.50 0 1.50

header   RCVD_IN_MSRBL          eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL          Received via a relay in MSRBL
tflags   RCVD_IN_MSRBL          net
score    RCVD_IN_MSRBL          0 1.50 0 1.50

header   RCVD_IN_BACKSCATTER          eval:check_rbl('msrbl',
'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER          Received via a relay in Backscatter.org
tflags   RCVD_IN_BACKSCATTER          net
score    RCVD_IN_BACKSCATTER          0 1.50 0 1.50



#---added 8/1/2006 to combat image spam
rawbody         INLINE_IMAGE    /src\s*=\s*["']cid:/i
describe        INLINE_IMAGE    Inline Images
score           INLINE_IMAGE    2.0


#---added 01/03/2007 to add scores based on country
header __RCVD_IN_NERDS eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS        Received from a spam country
tflags __RCVD_IN_NERDS          net

header RCVD_IN_NERDS_CN eval:check_rbl_sub('nerds','127.0.0.156')
describe RCVD_IN_NERDS_CN       Received from China
tflags RCVD_IN_NERDS_CN         net
score RCVD_IN_NERDS_CN          2.0

header RCVD_IN_NERDS_KR eval:check_rbl_sub('nerds','127.0.0.154')
describe RCVD_IN_NERDS_KR       Received from South Korea
tflags RCVD_IN_NERDS_KR         net
score RCVD_IN_NERDS_KR          2.0

#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.

header    __HC_FROM_HOTMAIL	From =~ /\@hotmail\./
describe  __HC_FROM_HOTMAIL	email From hotmail user

header    __HC_REPLY_YAHOO	Reply-To =~ /\@yahoo\./
describe  __HC_REPLY_YAHOO	Reply-To yahoo user

meta	    HC_HOTMAIL_YAHOO	( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe  HC_HOTMAIL_YAHOO	From hotmail, reply to Yahoo
score	    HC_HOTMAIL_YAHOO	20

add_header all Relay-Country _RELAYCOUNTRY_

#Added 12/02/2008 hostkarma tests

header __RCVD_IN_JMF
eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 3.5

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 1.0

#Added 12/02/2008 hostkarma tests



-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081222/f2981f68/signature.bin

More information about the MailScanner mailing list