Hey, Matt,
Thanks for the feedback and link to a new resource which I had not heard of
before.

I have an IPFILE with about 300 class C addresses in it.  It grows a little
bigger every day.  It seems that some IP blocks have basically been ceded
to the spammers which is fine by me.  It makes them much easier to filter
out if they keep using the same IP addresses over and over.

I use per-domain spam filtering.  My current HOLD weights range from 5 to
10.  My current DELETE weight is 40.  Entries in my IPFILE are given 12
points.  My plan is to break the IPs for the "Capital Letter" spammer out
into a separate file with maybe a weight of 24 or so.

Currently I'm not doing ANY spam filtering based on content.  I'm using the
default tests for DJM.  I have added about 4 IP4R tests which aren't part of
the default.  And I have 4 main custom tests.  One IPFILE, one FROMFILE, and
2 FILTER files.  One FILTER file has common known spamming domains which
show up in the HELO part of the conversation.  The other FILTER file has
common known spamming domains which show up in the REVDNS.  I assign each
test 12 points.  Typically failure of only 2 of these will not push someone
above the DELETE weight.  Failure of three typically will.

Believe it or not with this setup I am catching 99% of the spam that is sent
to us.  And I'm glad I don't have to do any CPU intensive body searching.

I found out what a ROKSO spammer is, http://www.spamhaus.org/rokso/.  Cool
information.  How did you know this particular one was ROKSO based on the
SenderBase entry?

Thanks,
Dan
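
The additive weighting Dan describes above (four custom tests at 12 points,
a planned "Capital Letter" file at 24, per-domain HOLD weights of 5 to 10,
DELETE at 40, plus whatever the default tests contribute), as an added
model in Python.  This is not Declude's own code and not Dan's files: the
network ranges, domains, per-domain hold weights and the `default_weight`
input are constructed for the example, and the "threshold reached" rule
(total >= weight fires the action) is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the IPFILE, the planned "Capital Letter" file,
# the FROMFILE and the two FILTER files.  Documentation ranges / .example
# names only; none of these are real spam sources.
IPFILE = [ipaddress.ip_network("192.0.2.0/24")]
CAPLETTER_FILE = [ipaddress.ip_network("198.51.100.0/24")]
FROMFILE = {"bulkmail.example"}                      # sender domains
HELO_FILTER = {"bulkmail.example", "spamvendor.example"}   # seen in HELO
REVDNS_FILTER = {"bulkmail.example", "cheapmail.example"}  # seen in PTR

# Weights from the message: custom tests 12 each, Capital Letter file 24,
# DELETE at 40.  HOLD is per recipient domain (assumed values here).
WEIGHTS = {"IPFILE": 12, "CAPLETTER": 24, "FROMFILE": 12, "HELO": 12, "REVDNS": 12}
DELETE_WEIGHT = 40
HOLD_WEIGHT = {"example.com": 5, "example.net": 10}
DEFAULT_HOLD = 10


@dataclass
class Message:
    client_ip: str
    mail_from: str
    helo: str
    revdns: str              # PTR name of client_ip, "" when there is none
    recipient_domain: str
    default_weight: int = 0  # assumed input: weight the default DJM/IP4R tests already added


def _norm(name):
    return name.lower().rstrip(".")


def _suffix_match(hostname, domains):
    """True if hostname equals one of the domains or is a subdomain of it."""
    h = _norm(hostname)
    return any(h == d or h.endswith("." + d) for d in domains)


def _ip_match(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def run_custom_tests(msg):
    """Return {test_name: weight} for every custom test the message fails."""
    hits = {}
    if _ip_match(msg.client_ip, IPFILE):
        hits["IPFILE"] = WEIGHTS["IPFILE"]
    if _ip_match(msg.client_ip, CAPLETTER_FILE):
        hits["CAPLETTER"] = WEIGHTS["CAPLETTER"]
    if _suffix_match(msg.mail_from.split("@")[-1], FROMFILE):
        hits["FROMFILE"] = WEIGHTS["FROMFILE"]
    if _suffix_match(msg.helo, HELO_FILTER):
        hits["HELO"] = WEIGHTS["HELO"]
    if msg.revdns and _suffix_match(msg.revdns, REVDNS_FILTER):
        hits["REVDNS"] = WEIGHTS["REVDNS"]
    return hits


def classify(msg):
    """Sum default + custom weights and pick DELIVER / HOLD / DELETE.

    Returns (action, total_weight, hits).  Assumption: an action fires when
    the total reaches its weight (>=), HOLD being looked up per domain.
    """
    hits = run_custom_tests(msg)
    total = msg.default_weight + sum(hits.values())
    hold = HOLD_WEIGHT.get(msg.recipient_domain, DEFAULT_HOLD)
    if total >= DELETE_WEIGHT:
        action = "DELETE"
    elif total >= hold:
        action = "HOLD"
    else:
        action = "DELIVER"
    return action, total, hits


if __name__ == "__main__":
    # Two custom failures: 24 points, held but not deleted.
    print(classify(Message("192.0.2.7", "a@other.example", "mx.bulkmail.example", "", "example.com")))
    # Three custom failures: 36 points, so a few points from the default
    # tests decide between HOLD and DELETE.
    print(classify(Message("192.0.2.7", "a@other.example", "mx.bulkmail.example",
                           "out3.cheapmail.example", "example.com", default_weight=5)))
```

The three-failure case shows why "typically" is the right word in the
message: 3 x 12 = 36 sits just under DELETE, so the default tests tip it
over, whereas a 24-point Capital Letter hit plus any two other custom
failures reaches 48 on its own.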

----- Original Message ----- 
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 14, 2003 4:31 PM
Subject: Re: [Declude.JunkMail] Who Is This Spammer?


> Dan,
>
> Try searching SenderBase.org for the domains or class C's to verify what
> is being used currently and then do reverse DNS lookups on the
> surrounding IP space to see if a similar pattern exists with the other
> addresses.  You might also identify the guy in the event that one block
> appears on SBL (linked from SenderBase.org) and add in other known
> blocks to your filter.  Here is an example of one of his address spaces:
>
>     http://www.senderbase.org/search?searchString=216.9.176.0
>
> Hey, what do you know, SBL does have this guy marked, and he's a ROKSO
> spammer.  Their lists might be incomplete though.
>
> I've found unfortunately that this type of spammer seems to be splitting
> up some of their space on only portions of netblocks, maybe to avoid
> detection by perma-listing RBL's like SBL.  Places like SpamCop will
> expire their blocks, so if they jump around like the Pexicom guy, he can
> keep his space mostly clean and spam from them for a much longer time
> before he is tagged for the entire netblock.
>
> Please share your findings with the list.  I for one am interested in
> moving spammers with static IP's at least up above my fail weight, and
> others can save processing by blocking them at the router or in IMail's
> access control list.  Blocking by IP with the ipfile type of filter is
> also the fastest Declude method and it protects from them changing names
> to get past your filters.  Sounds like you might have already come to
> that conclusion.
>
> Matt
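
Matt's suggestion above, reverse-resolving the space around a known bad
address and looking for a shared naming pattern, worked through in Python
as an added example (not code from either poster or from Declude).  The PTR
data for 203.0.113.0/24 is constructed for the example: a spammer pattern
on two separate /27s inside the block, a clean ISP in between, a gap with
no PTRs at all, and one stray host that should not drag a whole ISP range
into the ipfile.  `lookup_ptr` is only there for live use and is not called
by the demonstration.

```python
import ipaddress
import re
import socket

NO_PTR = "<none>"

# Constructed reverse-DNS map (documentation range, .example names).
PTR = {}


def _fill(start, end, template):
    for i in range(start, end + 1):
        PTR[f"203.0.113.{i}"] = template.format(i=i) if template else None


_fill(0, 31, "host{i}.bulkmail.example")       # spammer sub-block
_fill(32, 63, "mail{i}.legit-isp.example")     # unrelated customer
_fill(64, 95, "host{i}.bulkmail.example")      # same spammer, non-adjacent
_fill(96, 127, None)                           # no reverse DNS
_fill(128, 255, "dsl-{i}.legit-isp.example")   # ISP dial/DSL pool
PTR["203.0.113.200"] = "host200.bulkmail.example"  # single stray host


def lookup_ptr(ip):
    """Live PTR lookup; returns None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ptr_pattern(name):
    """Collapse digit runs so host12 and host13 share one pattern."""
    if not name:
        return NO_PTR
    return re.sub(r"\d+", "#", name.lower().rstrip("."))


def ptr_runs(ptr_map):
    """Maximal runs of consecutive addresses whose PTRs share a pattern.

    Returns [(pattern, first_address, last_address), ...] in address order.
    """
    addrs = sorted(ipaddress.ip_address(a) for a in ptr_map)
    runs, cur, start, prev = [], None, None, None
    for a in addrs:
        pat = ptr_pattern(ptr_map[str(a)])
        if cur is None or pat != cur or int(a) != int(prev) + 1:
            if cur is not None:
                runs.append((cur, start, prev))
            cur, start = pat, a
        prev = a
    if cur is not None:
        runs.append((cur, start, prev))
    return runs


def blocks_matching(ptr_map, seed_ip, min_run=8):
    """CIDR strings for every run sharing the seed address's PTR pattern.

    Runs shorter than min_run are skipped so a single stray host does not
    produce a filter entry; a seed with no PTR yields nothing, since there
    is no pattern to match on.
    """
    seed_pat = ptr_pattern(ptr_map.get(seed_ip))
    if seed_pat == NO_PTR:
        return []
    blocks = []
    for pat, first, last in ptr_runs(ptr_map):
        if pat == seed_pat and int(last) - int(first) + 1 >= min_run:
            blocks.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return blocks


if __name__ == "__main__":
    for pat, first, last in ptr_runs(PTR):
        print(f"{first} - {last}: {pat}")
    # Starting from one known spam source, the two /27s fall out directly.
    print(blocks_matching(PTR, "203.0.113.10"))
```

The output for the seed 203.0.113.10 is two non-adjacent /27 entries rather
than the whole /24, which is exactly the "portions of netblocks" situation
Matt describes: an expiring list like SpamCop sees each fragment separately,
while a pattern-derived ipfile catches all of them at once.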

-----------------------------------------------------------------------
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.