best way to combat porn email

Randal, Phil prandal at herefordshire.gov.uk
Mon Apr 20 14:29:09 IST 2009


All these emails contain links to websites hosted on <random
name>.<letter>.interia.pl, so a high-scoring spamassassin uri rule can
easily catch these.

uri      MY_INTERIA     /^http:\/\/.{1,30}\.interia\.pl/i
describe MY_INTERIA     Suspicious interia.pl links
score	   MY_INTERIA	5

They also all claim to be sent via Thunderbird ("User-Agent: Thunderbird
2.0.0.21 (Windows/20090302)"), so you could create a meta rule combining
both those factors.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal at herefordshire.gov.uk


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Raymond
Norton
Sent: 20 April 2009 14:14
To: MailScanner discussion
Subject: Re: best way to combat porn email



Steve Freegard wrote:
> Raymond Norton wrote:
>   
>> I also have the following in main.cf of postfix, so not sure why it 
>> got through in the first place:
>> smtpd_client_restrictions =
>>        reject_rbl_client sbl-xbl.spamhaus.org,
>>     
>
> Change that to zen.spamhaus.org...
>
>   
>>        reject_rbl_client list.dsbl.org
>>     
>
> Remove this; it's been dead for months and is now pointing at dead 
> nameservers to time-out all queries.
>
>   
I found that out yesterday, and made the change.


I am back on my main mailscanner this morning, and am seeing email like
the following come through. It seems bayes is fine. What can I add or
change to catch this type of garbage:

79.48.183.69      host69-183-static.48-79-b.business.telecomitalia.it  
    Italy      [  ]     [  ]     [  ]     [  ]
ID:    A435A136D54.B555F
Message Headers:    Received: from qlpa.telecomitalia.it 
(host69-183-static.48-79-b.business.telecomitalia.it [79.48.183.69])
     by relay-4.lctn.org (Postfix) with SMTP id A435A136D54
     for <jmetcalf at gsl.k12.mn.us>; Mon, 20 Apr 2009 08:09:40 -0500 (CDT)
Message-ID: <49EC739F.3391675 at vkb.com>
Date: Mon, 20 Apr 2009 13:09:41 +0000
From: Divine <saner at vkb.com>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: jmetcalf at gsl.k12.mn.us
Subject: Muultiple Orgasms - How to Give Her Multiple Miracles Every
Time
Content-Type: multipart/alternative;
boundary="------------203835226114440204389968"
From:   
saner at vkb.com    [Add to Whitelist | Add to Blacklist]
To:    jmetcalf at gsl.k12.mn.us
Subject:    Muultiple Orgasms - How to Give Her Multiple Miracles Every
Time
Size:    3.5Kb
Anti-Virus/Dangerous Content Protection
Virus:     N
Blocked File:     N
Other Infection:     N
SpamAssassin
Spam:     N   Action(s): deliver, header, "X-Spam-Status:, No"
High Scoring Spam:     N
SpamAssassin Spam:     N
Listed in RBL:     N
Spam Whitelisted:     N
Spam Blacklisted:     N
SpamAssassin Autolearn:     N
SpamAssassin Score:    2.32
Spam Report:
    Score    Matching Rule    Description
    cached    not
    score=2.316
    3    required
    -0.18    BAYES_40    Bayesian spam probability is 20 to 40%
    0.00    HTML_MESSAGE    HTML included in message
    0.50    RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
    1.50    RAZOR2_CF_RANGE_E4_51_100    Razor2 gives engine 4 confidence level above 50%
    0.50    RAZOR2_CHECK    Listed in Razor2 (http://razor.sf.net/)

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
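
The meta rule suggested in the reply above, written out as an added example that is not part of the original posts. The rule names, the tightened hostname pattern (it assumes `<letter>` is a single a-z label) and the scores are assumptions made for illustration; the User-Agent string is the one quoted in the sample headers.

```conf
# Added example (not from the original thread). Rule names and scores are
# illustrative; place in a local SpamAssassin .cf file.

# Sub-rule: link to <random name>.<letter>.interia.pl, as described in the post.
# Assumption: <letter> is exactly one a-z label. The trailing group stops the
# match at the end of the hostname, so a host such as
# name.a.interia.pl.example.com does not hit.
# Names beginning with "__" are unscored sub-rules used only by meta rules.
uri      __MY_INTERIA_HOST  /^http:\/\/[a-z0-9-]{1,30}\.[a-z]\.interia\.pl(?:[\/:?]|$)/i

# Sub-rule: the exact User-Agent claimed by the sample message.
header   __MY_UA_TB20021    User-Agent =~ /^Thunderbird 2\.0\.0\.21 \(Windows\/20090302\)\s*$/

# Meta rule: scores only when both indicators appear in the same message,
# so ordinary mail sent with that Thunderbird build and mail that merely
# links to interia.pl are each left alone.
meta     MY_INTERIA_TB      (__MY_INTERIA_HOST && __MY_UA_TB20021)
describe MY_INTERIA_TB      interia.pl host link plus Thunderbird 2.0.0.21 UA
score    MY_INTERIA_TB      5.0
```

The sample message above scored 2.32 against a required 3, so a hit on the combined rule alone would classify it as spam. Run `spamassassin --lint` to check the syntax before reloading.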