Spam from hotmail, yahoo and live.com getting through

JC Putter jcputter at numata.co.za
Tue Dec 23 06:52:18 GMT 2008


Thank you very much, really!!!



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: 22 December 2008 09:37 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Spam from hotmail, yahoo and live.com getting through

on 12-20-2008 1:47 AM JC Putter spake the following:
> How can I set up MailScanner to do those URI, DNS blacklist checks?
>
> That is what I need,
>
> Thank you very much for the reply...
>
Here are some rules you can add to spam.assassin.prefs.conf. Some of them are quite old, but you can play with them:

header   RCVD_IN_PSBL          eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL          Received via a relay in PSBL
tflags   RCVD_IN_PSBL          net
score    RCVD_IN_PSBL          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_1          eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1          Received via a relay in UCE_PFSM_1
tflags   RCVD_IN_UCE_PFSM_1          net
score    RCVD_IN_UCE_PFSM_1          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_2          eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2          Received via a relay in UCE_PFSM_2
tflags   RCVD_IN_UCE_PFSM_2          net
score    RCVD_IN_UCE_PFSM_2          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_3          eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3          Received via a relay in UCE_PFSM_3
tflags   RCVD_IN_UCE_PFSM_3          net
score    RCVD_IN_UCE_PFSM_3          0 2.50 0 2.50

header   DNS_FROM_MPBULK_RHSBL  eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL  From: sender listed in bulk.rhs.mailpolice.com
tflags   DNS_FROM_MPBULK_RHSBL  net
score    DNS_FROM_MPBULK_RHSBL  2.0


urirhsbl  URIBL_BULK_MPRHS  bulk.rhs.mailpolice.com.   A
body      URIBL_BULK_MPRHS  eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe  URIBL_BULK_MPRHS  Contains a URL listed in the MailPolice bulk senders list
tflags    URIBL_BULK_MPRHS  net
score     URIBL_BULK_MPRHS  2.0


urirhsbl  URIBL_PORN_MPRHS  porn.rhs.mailpolice.com.   A
body      URIBL_PORN_MPRHS  eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe  URIBL_PORN_MPRHS  Contains a URL listed in the MailPolice porn domains list
tflags    URIBL_PORN_MPRHS  net
score     URIBL_PORN_MPRHS  2.0


urirhsbl  URIBL_FRAUD_MPRHS  fraud.rhs.mailpolice.com.   A
body      URIBL_FRAUD_MPRHS  eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe  URIBL_FRAUD_MPRHS  Contains a URL listed in the MailPolice fraud domains list
tflags    URIBL_FRAUD_MPRHS  net
score     URIBL_FRAUD_MPRHS  2.0

header   RCVD_IN_SPAMCANNIBAL          eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL          Received via a relay in SpamCannibal
tflags   RCVD_IN_SPAMCANNIBAL          net
score    RCVD_IN_SPAMCANNIBAL          0 1.50 0 1.50

header   RCVD_IN_MSRBL          eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL          Received via a relay in MSRBL
tflags   RCVD_IN_MSRBL          net
score    RCVD_IN_MSRBL          0 1.50 0 1.50

header   RCVD_IN_BACKSCATTER          eval:check_rbl('msrbl', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER          Received via a relay in Backscatter.org
tflags   RCVD_IN_BACKSCATTER          net
score    RCVD_IN_BACKSCATTER          0 1.50 0 1.50



#---added 8/1/2006 to combat image spam
rawbody         INLINE_IMAGE    /src\s*=\s*["']cid:/i
describe        INLINE_IMAGE    Inline Images
score           INLINE_IMAGE    2.0


#---added 01/03/2007 to add scores based on country
header __RCVD_IN_NERDS eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS        Received from a spam country
tflags __RCVD_IN_NERDS          net

header RCVD_IN_NERDS_CN eval:check_rbl_sub('nerds','127.0.0.156')
describe RCVD_IN_NERDS_CN       Received from China
tflags RCVD_IN_NERDS_CN         net
score RCVD_IN_NERDS_CN          2.0

header RCVD_IN_NERDS_KR eval:check_rbl_sub('nerds','127.0.0.154')
describe RCVD_IN_NERDS_KR       Received from South Korea
tflags RCVD_IN_NERDS_KR         net
score RCVD_IN_NERDS_KR          2.0

#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.

header    __HC_FROM_HOTMAIL     From =~ /\@hotmail\./
describe  __HC_FROM_HOTMAIL     email From hotmail user

header    __HC_REPLY_YAHOO      Reply-To =~ /\@yahoo\./
describe  __HC_REPLY_YAHOO      Reply-To yahoo user

meta        HC_HOTMAIL_YAHOO    ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe  HC_HOTMAIL_YAHOO      From hotmail, reply to Yahoo
score       HC_HOTMAIL_YAHOO    20

add_header all Relay-Country _RELAYCOUNTRY_

#Added 12/02/2008 hostkarma tests

header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 3.5

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 1.0

#Added 12/02/2008 hostkarma tests



--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
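
Added example, not part of the original post and not SpamAssassin's own code: what a check_rbl / check_rbl_sub pair from the rules above amounts to on the wire, using the hostkarma zone and return codes from the post. The function names are hypothetical, and the address 192.0.2.25 and its resolver answer are constructed so the code runs offline.

```python
import ipaddress
import socket

# Sub-test return codes and rule names taken from the hostkarma rules in the post.
HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com."
HOSTKARMA_CODES = {
    "127.0.0.1": "RCVD_IN_JMF_W",   # whitelist, scored -5
    "127.0.0.2": "RCVD_IN_JMF_BL",  # blacklist, scored 3.5
    "127.0.0.4": "RCVD_IN_JMF_BR",  # brownlist, scored 1.0
}

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."

def system_resolver(name):
    """A records for name; an empty set means NXDOMAIN, i.e. not listed."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except (socket.gaierror, socket.herror):
        return set()

def matching_rules(ip, zone, codes, resolver=system_resolver):
    """Rules whose sub-test address appears among the returned A records."""
    answers = resolver(dnsbl_query_name(ip, zone))
    return sorted(rule for code, rule in codes.items() if code in answers)

# Constructed answers for a documentation-range address; not real listings.
SAMPLE_ANSWERS = {"25.2.0.192.hostkarma.junkemailfilter.com.": {"127.0.0.2"}}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, set())

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26"):
        hits = matching_rules(ip, HOSTKARMA_ZONE, HOSTKARMA_CODES, sample_resolver)
        print(ip, dnsbl_query_name(ip, HOSTKARMA_ZONE), hits or "not listed")
```

Leaving out the resolver argument uses the system resolver, which is a quick way to see what a list returns for relays in your own mail flow before giving its rule a score.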


