MailScanner Losing its Efficiency {Scanned}

Alex Neuman van der Hans alex at rtpty.com
Thu Sep 25 20:37:26 IST 2008


Excellent! Sounds like a good article for the wiki...

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 25, 2008, at 2:06 PM, Scott Silva <ssilva at sgvwater.com> wrote:

> on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following:
>> Which rulesemporium rules do you recommend?
> Looking at 100,000 messages in the database I get good hits on
> sare_unsub and the various sare_html. I also get good hits on the
> kam list (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)
> and razor.
>
> I added the following for some blacklists that I didn't see included
> with spamassassin. Play with the scores if you need to:
> --------------------------------------------------------------------
>
> header   RCVD_IN_PSBL          eval:check_rbl('psbl', 'psbl.surriel.com.')
> describe RCVD_IN_PSBL          Received via a relay in PSBL
> tflags   RCVD_IN_PSBL          net
> score    RCVD_IN_PSBL          0 1.50 0 1.50
>
> header   RCVD_IN_UCE_PFSM_1          eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
> describe RCVD_IN_UCE_PFSM_1          Received via a relay in UCE_PFSM_1
> tflags   RCVD_IN_UCE_PFSM_1          net
> score    RCVD_IN_UCE_PFSM_1          0 1.50 0 1.50
>
> header   RCVD_IN_UCE_PFSM_2          eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
> describe RCVD_IN_UCE_PFSM_2          Received via a relay in UCE_PFSM_2
> tflags   RCVD_IN_UCE_PFSM_2          net
> score    RCVD_IN_UCE_PFSM_2          0 1.50 0 1.50
>
> header   RCVD_IN_UCE_PFSM_3          eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
> describe RCVD_IN_UCE_PFSM_3          Received via a relay in UCE_PFSM_3
> tflags   RCVD_IN_UCE_PFSM_3          net
> score    RCVD_IN_UCE_PFSM_3          0 2.50 0 2.50
>
> header   MONSTER_JOBS    Subject =~ /Monster Job \#/i
> describe MONSTER_JOBS    Monster Job Resume replies
> score    MONSTER_JOBS    -3.00
>
> body L_DRUGS11 /([CVAXP] ){5}/
> header L_DRUGS12 MESSAGEID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>/
> meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
> score L_DRUGS1 5
> describe L_DRUGS1 Strange Message-ID and Spam signature in body.
>
> header   DNS_FROM_MPBULK_RHSBL    eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
> describe DNS_FROM_MPBULK_RHSBL    From: sender listed in bulk.rhs.mailpolice.com
> tflags   DNS_FROM_MPBULK_RHSBL    net
> score    DNS_FROM_MPBULK_RHSBL    2.0
>
>
> urirhsbl  URIBL_BULK_MPRHS  bulk.rhs.mailpolice.com.   A
> body      URIBL_BULK_MPRHS  eval:check_uridnsbl('URIBL_BULK_MPRHS')
> describe  URIBL_BULK_MPRHS  Contains a URL listed in the MailPolice bulk senders list
> tflags    URIBL_BULK_MPRHS  net
> score     URIBL_BULK_MPRHS  2.0
>
>
> urirhsbl  URIBL_PORN_MPRHS  porn.rhs.mailpolice.com.   A
> body      URIBL_PORN_MPRHS  eval:check_uridnsbl('URIBL_PORN_MPRHS')
> describe  URIBL_PORN_MPRHS  Contains a URL listed in the MailPolice porn domains list
> tflags    URIBL_PORN_MPRHS  net
> score     URIBL_PORN_MPRHS  2.0
>
>
> urirhsbl  URIBL_FRAUD_MPRHS  fraud.rhs.mailpolice.com.   A
> body      URIBL_FRAUD_MPRHS  eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
> describe  URIBL_FRAUD_MPRHS  Contains a URL listed in the MailPolice fraud domains list
> tflags    URIBL_FRAUD_MPRHS  net
> score     URIBL_FRAUD_MPRHS  2.0
>
> header   RCVD_IN_SPAMCANNIBAL          eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
> describe RCVD_IN_SPAMCANNIBAL          Received via a relay in SpamCannibal
> tflags   RCVD_IN_SPAMCANNIBAL          net
> score    RCVD_IN_SPAMCANNIBAL          0 1.50 0 1.50
>
> header   RCVD_IN_MSRBL          eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
> describe RCVD_IN_MSRBL          Received via a relay in MSRBL
> tflags   RCVD_IN_MSRBL          net
> score    RCVD_IN_MSRBL          0 1.50 0 1.50
>
> # each check_rbl() zone needs its own set name; 'msrbl' is already taken by the rule above
> header   RCVD_IN_BACKSCATTER          eval:check_rbl('backscatter', 'ips.backscatterer.org.')
> describe RCVD_IN_BACKSCATTER          Received via a relay in Backscatter.org
> tflags   RCVD_IN_BACKSCATTER          net
> score    RCVD_IN_BACKSCATTER          0 1.50 0 1.50
>
> #---added 8/1/2006 to combat image spam
> rawbody         INLINE_IMAGE    /src\s*=\s*["']cid:/i
> describe        INLINE_IMAGE    Inline Images
> score           INLINE_IMAGE    2.0
>
>
>
> #added 11/27/2007 as a spam test
> #Many of the spams originating from hotmail addresses here have a
> #Reply-To: address in a yahoo domain.
>
> header    __HC_FROM_HOTMAIL    From =~ /\@hotmail\./
> describe  __HC_FROM_HOTMAIL    email From hotmail user
>
> header    __HC_REPLY_YAHOO    Reply-To =~ /\@yahoo\./
> describe  __HC_REPLY_YAHOO    Reply-To yahoo user
>
> meta        HC_HOTMAIL_YAHOO    ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO )
> describe  HC_HOTMAIL_YAHOO    From hotmail, reply to Yahoo
> score        HC_HOTMAIL_YAHOO    20
>
> --------------------------------------------------------------------
>
>
> -- 
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
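The rule set quoted above is the kind of thing that gets pasted from a mail client straight into a local .cf file, and the mailer's line wrapping, a reused check_rbl set name, or a meta component that quietly scores 1.0 on its own are easy to miss. Below is an added example, my own code and not from the list or the SpamAssassin project, of a small Python lint plus offline dry run for a rule file: it parses the subset of SpamAssassin syntax used in the post (header, body, rawbody and meta rules with describe, score and tflags lines), reports wrapped fragments, set-name reuse, unparseable patterns and undefined meta references, and then scores a message with the regex and meta rules without any DNS lookups. The rule subset is taken from the post as sent; the sample message, the helper names and the decision to treat DNS-backed rules as no-hit offline are my assumptions.

```python
"""Offline lint and dry run for local SpamAssassin rules: an added example, not the list's or SpamAssassin's own code."""
import re
from email import message_from_string
# Rules taken from the post; the backscatterer line keeps its set name exactly as sent.
RULES = r"""
header   RCVD_IN_MSRBL        eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
score    RCVD_IN_MSRBL        0 1.50 0 1.50
header   RCVD_IN_BACKSCATTER  eval:check_rbl('msrbl', 'ips.backscatterer.org.')
body     L_DRUGS11  /([CVAXP] ){5}/
header   L_DRUGS12  MESSAGEID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>/
meta     L_DRUGS1   L_DRUGS11 && L_DRUGS12
score    L_DRUGS1   5
describe L_DRUGS1   Strange Message-ID and Spam signature in body.
header   __HC_FROM_HOTMAIL  From =~ /\@hotmail\./
header   __HC_REPLY_YAHOO   Reply-To =~ /\@yahoo\./
meta     HC_HOTMAIL_YAHOO   ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO )
score    HC_HOTMAIL_YAHOO   20
"""
# Constructed test message (not from the thread) that trips L_DRUGS1 and HC_HOTMAIL_YAHOO.
SAMPLE_MSG = """\
From: Someone <someone@hotmail.com>
Reply-To: other@yahoo.com
Message-ID: <0123456789ab$01234567$89abcdef@abcdef>

C V A X P C V A X P cheap pills
"""
RE_RULE = re.compile(r"^(?:(?P<hdr>[\w-]+)\s*=~\s*)?/(?P<pat>.*)/(?P<flags>[imsx]*)$")
RE_RBL = re.compile(r"check_rbl\w*\('(?P<set>[^']+)',\s*'(?P<zone>[^']+)'\)")
RE_NAME = re.compile(r"[A-Za-z_]\w*")
# With no score line SpamAssassin scores a rule 1.0, except __ sub-rules, which score 0.
default_score = lambda n: 0.0 if n.startswith("__") else 1.0


def parse_rules(text):
    """Return (rules, scores, problems); rules maps name -> (kind, arg)."""
    rules, scores, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#") or parts[0] in ("describe", "tflags"):
            continue
        if len(parts) < 3:  # lone token: almost always the tail of a rule that a mailer wrapped
            problems.append(f"line {lineno}: fragment, wrapped rule? {raw.strip()!r}")
        elif parts[0] == "score":  # first of up to four values is score set 0 (no net, no Bayes)
            scores[parts[1]] = float(parts[2].split()[0])
        elif parts[0] in ("header", "body", "rawbody", "meta"):
            rules[parts[1]] = (parts[0], parts[2])
        else:  # e.g. the tail of a wrapped describe line, which looks like a three-word rule
            problems.append(f"line {lineno}: unsupported directive {parts[0]!r}")
    return rules, scores, problems


def sa_regex(kind, arg):
    """'Header =~ /pat/flags' (header rules) or '/pat/flags' (body rules) -> (header, regex)."""
    m = RE_RULE.match(arg)
    if not m or (kind == "header") != bool(m["hdr"]):
        raise ValueError(f"cannot parse {kind} rule {arg!r}")
    flags = sum({"i": re.I, "m": re.M, "s": re.S, "x": re.X}[f] for f in m["flags"])
    return m["hdr"], re.compile(m["pat"], flags)


def lint(rules, scores, problems):
    """Report the slips that survive a copy-paste but break or silently mis-score rules."""
    issues, rbl_sets = list(problems), {}
    for name, (kind, arg) in rules.items():
        if m := RE_RBL.search(arg):
            first = rbl_sets.setdefault(m["set"], m["zone"])
            if first != m["zone"]:  # a set name identifies one zone's lookups; reuse mixes zones up
                issues.append(f"{name}: check_rbl set {m['set']!r} already used for {first}")
        elif kind == "meta":
            issues += [f"{name}: meta references undefined rule {r}"
                       for r in RE_NAME.findall(arg) if r not in rules]
        elif not arg.startswith("eval:"):
            try:
                sa_regex(kind, arg)
            except (ValueError, re.error) as exc:
                issues.append(f"{name}: {exc}")
        if not name.startswith("__") and name not in scores:
            issues.append(f"{name}: no score line, so it scores 1.0 on its own; use a __ name if it is only a meta component")
    return issues


def evaluate(rules, scores, msg_text):
    """Run the non-DNS rules against one message; return (hits, total score)."""
    msg, hits = message_from_string(msg_text), {}
    for name, (kind, arg) in rules.items():
        if kind != "meta" and arg.startswith("eval:"):  # check_rbl & co. need DNS: no-hit offline
            hits[name] = False
        elif kind != "meta":
            hdr, rx = sa_regex(kind, arg)
            # header rules read one header (MESSAGEID pseudo-header simplified to Message-ID); body/rawbody read the payload
            target = msg.get_payload() if hdr is None else msg.get("Message-ID" if hdr == "MESSAGEID" else hdr, "")
            hits[name] = rx.search(target) is not None
    pending = [n for n, r in rules.items() if r[0] == "meta"]
    while pending:  # resolve metas once every rule they reference has a result
        ready = [n for n in pending if all(r in hits for r in RE_NAME.findall(rules[n][1]))]
        if not ready:
            raise ValueError(f"meta rules with undefined references: {pending}")
        for name in ready:
            expr = RE_NAME.sub(lambda m: str(hits[m.group()]), rules[name][1])
            expr = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
            if not re.fullmatch(r"[\w\s()]+", expr):  # only True/False/and/or/not/() may remain
                raise ValueError(f"unsupported meta expression in {name}")
            hits[name] = bool(eval(expr, {"__builtins__": {}}, {}))
            pending.remove(name)
    return hits, sum(scores.get(n, default_score(n)) for n, hit in hits.items() if hit)
```

Running lint(*parse_rules(RULES)) on the subset above reports the reused 'msrbl' set name and the three rules with no score line (RCVD_IN_BACKSCATTER, L_DRUGS11 and L_DRUGS12, the last two of which add 1.0 each on top of L_DRUGS1's 5), and evaluate() scores the sample message 27.0. This is a pre-flight check for a pasted rule file, not a replacement for spamassassin --lint, which runs the real parser; feeding it the text exactly as it arrived in the mail (with the wrapped lines) is the quickest way to see which rules were silently broken by the mailer.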

