MailScanner Losing it's Efficiency {Scanned}

Randal, Phil prandal at herefordshire.gov.uk
Fri Sep 26 12:18:22 IST 2008


header   __HC_FROM_HOTMAIL      From =~ /\@(?:live|hotmail)\./
describe __HC_FROM_HOTMAIL      email From hotmail or live user

is a better rule than my original  

header    __HC_FROM_HOTMAIL	From =~ /\@hotmail\./
describe  __HC_FROM_HOTMAIL	email From hotmail user


FreeMail.pm from http://sa.hege.li/FreeMail.pm is also useful.

Cheers,

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: 25 September 2008 20:07
To: mailscanner at lists.mailscanner.info
Subject: Re: MailScanner Losing it's Efficiency {Scanned}

on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following:
> Which rulesemporium rules do you recommend?
> 
Looking at 100,000 messages in the database I get good hits on
sare_unsub and the various sare_html. I also get good hits on the kam list
(http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)
and razor.

I added the following for some blacklists that I didn't see included
with spamassassin. Play with the scores if you need to;
-----------------------------------------------------------------------------------

header   RCVD_IN_PSBL          eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL          Received via a relay in PSBL
tflags   RCVD_IN_PSBL          net
score    RCVD_IN_PSBL          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_1          eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1          Received via a relay in UCE_PFSM_1
tflags   RCVD_IN_UCE_PFSM_1          net
score    RCVD_IN_UCE_PFSM_1          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_2          eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2          Received via a relay in UCE_PFSM_2
tflags   RCVD_IN_UCE_PFSM_2          net
score    RCVD_IN_UCE_PFSM_2          0 1.50 0 1.50

header   RCVD_IN_UCE_PFSM_3          eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3          Received via a relay in UCE_PFSM_3
tflags   RCVD_IN_UCE_PFSM_3          net
score    RCVD_IN_UCE_PFSM_3          0 2.50 0 2.50

header   MONSTER_JOBS	Subject =~ /Monster Job \#/i
describe MONSTER_JOBS	Monster Job Resume replies
score    MONSTER_JOBS	-3.00

body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>/
meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.

header   DNS_FROM_MPBULK_RHSBL	eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL	From: sender listed in bulk.rhs.mailpolice.com
tflags   DNS_FROM_MPBULK_RHSBL	net
score    DNS_FROM_MPBULK_RHSBL	2.0


urirhsbl  URIBL_BULK_MPRHS  bulk.rhs.mailpolice.com.   A
body      URIBL_BULK_MPRHS  eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe  URIBL_BULK_MPRHS  Contains a URL listed in the MailPolice bulk senders list
tflags    URIBL_BULK_MPRHS  net
score     URIBL_BULK_MPRHS  2.0


urirhsbl  URIBL_PORN_MPRHS  porn.rhs.mailpolice.com.   A
body      URIBL_PORN_MPRHS  eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe  URIBL_PORN_MPRHS  Contains a URL listed in the MailPolice porn domains list
tflags    URIBL_PORN_MPRHS  net
score     URIBL_PORN_MPRHS  2.0


urirhsbl  URIBL_FRAUD_MPRHS  fraud.rhs.mailpolice.com.   A
body      URIBL_FRAUD_MPRHS  eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe  URIBL_FRAUD_MPRHS  Contains a URL listed in the MailPolice fraud domains list
tflags    URIBL_FRAUD_MPRHS  net
score     URIBL_FRAUD_MPRHS  2.0

header   RCVD_IN_SPAMCANNIBAL          eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL          Received via a relay in SpamCannibal
tflags   RCVD_IN_SPAMCANNIBAL          net
score    RCVD_IN_SPAMCANNIBAL          0 1.50 0 1.50

header   RCVD_IN_MSRBL          eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL          Received via a relay in MSRBL
tflags   RCVD_IN_MSRBL          net
score    RCVD_IN_MSRBL          0 1.50 0 1.50

header   RCVD_IN_BACKSCATTER          eval:check_rbl('msrbl', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER          Received via a relay in Backscatter.org
tflags   RCVD_IN_BACKSCATTER          net
score    RCVD_IN_BACKSCATTER          0 1.50 0 1.50

#---added 8/1/2006 to combat image spam
rawbody         INLINE_IMAGE    /src\s*=\s*["']cid:/i
describe        INLINE_IMAGE    Inline Images
score           INLINE_IMAGE    2.0



#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.

header    __HC_FROM_HOTMAIL	From =~ /\@hotmail\./
describe  __HC_FROM_HOTMAIL	email From hotmail user

header    __HC_REPLY_YAHOO	Reply-To =~ /\@yahoo\./
describe  __HC_REPLY_YAHOO	Reply-To yahoo user

meta	    HC_HOTMAIL_YAHOO	( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe  HC_HOTMAIL_YAHOO	From hotmail, reply to Yahoo
score	    HC_HOTMAIL_YAHOO	20

-----------------------------------------------------------------------------------


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
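
An added example, not part of either message: a Python check of the From/Reply-To meta rule discussed above, run over constructed headers with the original and the revised From pattern. The `addr_only` option is an assumption that approximates SpamAssassin's `:addr` header modifier, to show what changes when a rule matches the whole header instead of only the address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns from the rules in the thread (Perl's \@ is a plain @ here).
FROM_ORIGINAL = re.compile(r"@hotmail\.")
FROM_REVISED = re.compile(r"@(?:live|hotmail)\.")
REPLY_YAHOO = re.compile(r"@yahoo\.")

# Constructed sample messages (not real mail).
SAMPLES = {
    "hotmail_from": "From: a1@hotmail.com\nReply-To: b2@yahoo.com\n\nhi\n",
    "live_from": 'From: "Prize Desk" <w01@live.com>\n'
                 "Reply-To: claims@yahoo.co.uk\n\nhi\n",
    "display_name": 'From: "bob@hotmail.com via List" <list@lists.example.org>\n'
                    'Reply-To: "carol@yahoo.com" <carol@example.net>\n\nhi\n',
    "no_reply_to": "From: a1@hotmail.com\n\nhi\n",
}

def hc_hotmail_yahoo(raw, from_re=FROM_REVISED, addr_only=False):
    """True when the From and Reply-To sub-rules both match (the meta rule)."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    reply_hdr = msg.get("Reply-To", "")
    if addr_only:
        # Assumption: approximate SpamAssassin's :addr modifier by testing
        # only the address, not the display name.
        from_hdr = parseaddr(from_hdr)[1]
        reply_hdr = parseaddr(reply_hdr)[1]
    return bool(from_re.search(from_hdr) and REPLY_YAHOO.search(reply_hdr))

def report():
    """Map each sample to (original, revised, revised on address only)."""
    return {
        name: (
            hc_hotmail_yahoo(raw, FROM_ORIGINAL),
            hc_hotmail_yahoo(raw, FROM_REVISED),
            hc_hotmail_yahoo(raw, FROM_REVISED, addr_only=True),
        )
        for name, raw in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:13} original={hits[0]} revised={hits[1]} addr_only={hits[2]}")
```

The `display_name` sample is the false-positive case to watch with a score of 20: the whole-header patterns fire on an address that only appears in the display name.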


