MailScanner Losing it's Efficiency {Scanned}
Scott Silva
ssilva at sgvwater.com
Thu Sep 25 20:06:39 IST 2008
on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following:
> Which rulesemporium rules do you recommend?
>
Looking at 100,000 messages in the database I get good hits on sare_unsub and
the various sare_html. I also get good hits on the kam list
(http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)
and razor.
I added the following for some blacklists that I didn't see included with
SpamAssassin. Play with the scores if you need to:
-----------------------------------------------------------------------------------
header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 0 1.50 0 1.50
header RCVD_IN_UCE_PFSM_1 eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1 Received via a relay in UCE_PFSM_1
tflags RCVD_IN_UCE_PFSM_1 net
score RCVD_IN_UCE_PFSM_1 0 1.50 0 1.50
header RCVD_IN_UCE_PFSM_2 eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2 Received via a relay in UCE_PFSM_2
tflags RCVD_IN_UCE_PFSM_2 net
score RCVD_IN_UCE_PFSM_2 0 1.50 0 1.50
header RCVD_IN_UCE_PFSM_3 eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3 Received via a relay in UCE_PFSM_3
tflags RCVD_IN_UCE_PFSM_3 net
score RCVD_IN_UCE_PFSM_3 0 2.50 0 2.50
header MONSTER_JOBS Subject =~ /Monster Job \#/i
describe MONSTER_JOBS Monster Job Resume replies
score MONSTER_JOBS -3.00
body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>/
meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.
header DNS_FROM_MPBULK_RHSBL eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL From: sender listed in bulk.rhs.mailpolice.com
tflags DNS_FROM_MPBULK_RHSBL net
score DNS_FROM_MPBULK_RHSBL 2.0
urirhsbl URIBL_BULK_MPRHS bulk.rhs.mailpolice.com. A
body URIBL_BULK_MPRHS eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe URIBL_BULK_MPRHS Contains a URL listed in the MailPolice bulk senders list
tflags URIBL_BULK_MPRHS net
score URIBL_BULK_MPRHS 2.0
urirhsbl URIBL_PORN_MPRHS porn.rhs.mailpolice.com. A
body URIBL_PORN_MPRHS eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe URIBL_PORN_MPRHS Contains a URL listed in the MailPolice porn domains list
tflags URIBL_PORN_MPRHS net
score URIBL_PORN_MPRHS 2.0
urirhsbl URIBL_FRAUD_MPRHS fraud.rhs.mailpolice.com. A
body URIBL_FRAUD_MPRHS eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe URIBL_FRAUD_MPRHS Contains a URL listed in the MailPolice fraud domains list
tflags URIBL_FRAUD_MPRHS net
score URIBL_FRAUD_MPRHS 2.0
header RCVD_IN_SPAMCANNIBAL eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL Received via a relay in SpamCannibal
tflags RCVD_IN_SPAMCANNIBAL net
score RCVD_IN_SPAMCANNIBAL 0 1.50 0 1.50
header RCVD_IN_MSRBL eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL Received via a relay in MSRBL
tflags RCVD_IN_MSRBL net
score RCVD_IN_MSRBL 0 1.50 0 1.50
header RCVD_IN_BACKSCATTER eval:check_rbl('msrbl', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER Received via a relay in Backscatter.org
tflags RCVD_IN_BACKSCATTER net
score RCVD_IN_BACKSCATTER 0 1.50 0 1.50
#---added 8/1/2006 to combat image spam
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2.0
#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.
header __HC_FROM_HOTMAIL From =~ /\@hotmail\./
describe __HC_FROM_HOTMAIL email From hotmail user
header __HC_REPLY_YAHOO Reply-To =~ /\@yahoo\./
describe __HC_REPLY_YAHOO Reply-To yahoo user
meta HC_HOTMAIL_YAHOO ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe HC_HOTMAIL_YAHOO From hotmail, reply to Yahoo
score HC_HOTMAIL_YAHOO 20
-----------------------------------------------------------------------------------
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
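
The following is an added example, not part of the original post or of SpamAssassin: a small Python harness that applies the post's header, body and meta rules to two constructed messages and shows the DNS name a `check_rbl` lookup resolves. It assumes SpamAssassin's documented default score of 1.0 for rules with no `score` line, matches body rules against the undecoded payload, and treats `MESSAGEID` as the `Message-ID` header only; the function names and sample messages are made up for illustration.

```python
import re
from email import message_from_string

# Header rules copied from the post: rule name -> (header, pattern).
HEADER_RULES = {
    "MONSTER_JOBS": ("Subject", re.compile(r"Monster Job \#", re.I)),
    "L_DRUGS12": ("Message-ID", re.compile(
        r"^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>")),
    "__HC_FROM_HOTMAIL": ("From", re.compile(r"\@hotmail\.")),
    "__HC_REPLY_YAHOO": ("Reply-To", re.compile(r"\@yahoo\.")),
}
# body / rawbody rules from the post (both run on the raw payload here).
BODY_RULES = {
    "L_DRUGS11": re.compile(r"([CVAXP] ){5}"),
    "INLINE_IMAGE": re.compile(r"src\s*=\s*[\"']cid:", re.I),
}
META_RULES = {
    "L_DRUGS1": ("L_DRUGS11", "L_DRUGS12"),
    "HC_HOTMAIL_YAHOO": ("__HC_FROM_HOTMAIL", "__HC_REPLY_YAHOO"),
}
SCORES = {"MONSTER_JOBS": -3.0, "L_DRUGS1": 5.0,
          "INLINE_IMAGE": 2.0, "HC_HOTMAIL_YAHOO": 20.0}

def rule_hits(raw):
    """Return the set of rule names that fire on a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = {n for n, (h, rx) in HEADER_RULES.items() if rx.search(msg.get(h, ""))}
    hits |= {n for n, rx in BODY_RULES.items() if rx.search(body)}
    hits |= {n for n, parts in META_RULES.items() if all(p in hits for p in parts)}
    return hits

def total_score(hits):
    # "__" sub-rules are never scored; unscored named rules default to 1.0.
    return sum(SCORES.get(n, 1.0) for n in hits if not n.startswith("__"))

def dnsbl_qname(ip, zone):
    """DNS name queried for an IPv4 relay: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")

# Constructed samples: an ordinary Hotmail user with a Yahoo Reply-To,
# and a message carrying both halves of the L_DRUGS1 signature.
LEGIT = ("From: alice@hotmail.com\nReply-To: alice@yahoo.com\n"
         "Subject: lunch on Friday?\nMessage-ID: <abc123@example.org>\n\n"
         "See you at noon.\n")
SPAM = ("From: x@example.net\nSubject: hi\n"
        "Message-ID: <0123456789ab$01234567$89abcdef@hostname>\n\n"
        "C V A X P best prices\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPAM", SPAM)):
        h = rule_hits(raw)
        print(name, sorted(h), total_score(h))
    print(dnsbl_qname("192.0.2.10", "psbl.surriel.com."))
```

Run against a sample of your own ham before deploying: the constructed ordinary message above reaches 20 points from `HC_HOTMAIL_YAHOO` alone, and `L_DRUGS11`/`L_DRUGS12` each add their default 1.0 on top of the meta rule's 5.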