Any new techniques?

Max Kipness max at inmindlabs.com
Mon Feb 16 17:51:41 GMT 2015


Hi,

I've been using MailScanner for some time, and I've noticed many
different trends in spam attempts. I've currently got my latest server
on Centos 7.0 with DCC, Pyzor, Razor2, many custom spamassassin rules,
SpamCOP, SpamHaus, and Barracuda and URIBL checks.

As an overall total, tons of spam is caught, but it seems like the
spammers still figure out ways to get around. Just this morning I've
gotten several new ones that get around everything. I use Bayes and do
not use auto learn (which I think is a big mistake) and EVERY spam
message that gets by is tagged with BAYES_99/BAYES_999 so no problem
there. However my guess is I'm getting early spam before it gets listed
on the blacklists and URIBLs, etc. Probably if I tested them again with
spamassassin about 5 minutes after received they would get caught by a
bunch of tests.

I've noticed the spammers will break up words with spaces, dashes, etc.
I've also noticed they will register a domain name, send as that domain
name, and then have a URL with that domain name in it, which seems
legitimate.

I normally will study the email, look for obvious patterns to create a
rule for any other similar emails.

But I'm just wondering if anyone else does anything differently, or
there are any other tests I can try. I could raise my Bayes score, but I
don't want the decision of spam/not spam based just on Bayes. It's
pretty good with Ham, but not 100%.

Also, is there a way to create your own on-server URIBL, that way as
soon as an email comes in with a URL that was not detected by the
official URIBL, I could create a small program to add it locally?

Thanks,
Max
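A sketch of the on-server URIBL idea from the last question, plus the "sender domain equals link domain" pattern mentioned above, as an added example that is not part of the original post or of MailScanner/SpamAssassin. It assumes a plain text blocklist (one registered domain per line) and a naive last-two-label domain reduction; the message and list contents are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed local blocklist (stands in for the on-server list file):
# one registered domain per line, '#' starts a comment.
LOCAL_URIBL_TEXT = """
# domains listed locally after they slipped past the public URIBLs
badoffer-example.test
"""

# Matches http(s):// or www. URLs and captures the host part.
URI_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)

def load_blocklist(text: str) -> set:
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def registered_domain(host: str) -> str:
    # Assumption: last two labels are the registered domain. A real deployment
    # would consult the public suffix list instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def uri_domains(msg: Message) -> set:
    found = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            found.update(registered_domain(m.group(1)) for m in URI_RE.finditer(body))
    return found

def check_message(raw: str, blocklist: set) -> dict:
    """Return rule-name -> hit, named in the style of SpamAssassin tests."""
    msg = message_from_string(raw)
    domains = uri_domains(msg)
    sender = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    return {"LOCAL_URIBL": bool(domains & blocklist),
            "URI_IN_SENDER_DOMAIN": bool(sender) and sender in domains,
            "uri_domains": sorted(domains)}

def add_to_blocklist(blocklist: set, domain: str) -> set:
    """The 'small program' step: list a newly seen link domain right away."""
    blocklist.add(registered_domain(domain))
    return blocklist

# Constructed sample: sender domain matches one link, the other link is listed.
SAMPLE = """From: Sales <sales@fresh-offer.test>
Subject: your account
Content-Type: text/plain

See http://www.fresh-offer.test/login and http://badoffer-example.test/x
"""
```

In production the blocklist would be reloaded from disk on each scan (or served via a local DNS zone so SpamAssassin's own URIBL plugin can query it), and the local hit scored as a separate rule rather than replacing the public lists.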


More information about the MailScanner mailing list