RE: [Declude.JunkMail] Earthlink Porn Spam

[Mark E. Smith]

Matt, Can you resend that filter? I checked on the archive and the attachment isn't there. Thanks.   Mark From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, November 02, 2004 12:36 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Earthlink Porn Spam Danny, It's a special construct that I use to kludge a way to provide a difference in scoring of last hop DNSBL hits and prior-hop DNSBL hits.  For instance, if you score a test on the last 3 hops and it hits an open relay type of list on the first hop, that isn't anywhere nearly as indicative of spam as a last hop open relay hit. With Declude, you can kludge it so that you can score both the last hop only or all hops.  If I get a hit for both SPAMCOP(ALL) and SPAMCOP(LAST), this means that SpamCop hit minimally on the last hop.  If I only get a hit for SPAMCOP(ALL), that means that the hit was on a prior hop.  Yes, this is most definitely very effective, and I absolutely do wish there was a better way to do this in Declude by assigning the range of hops to test per entry in your config.  An example of how to configure this with SpamCop would be as follows:     SPAMCOP(LAST)        dnsbl    %IP4R%.bl.spamcop.net            127.0.0.2    4    0     SPAMCOP(ALL)        ip4r    bl.spamcop.net                127.0.0.2    2    0 This is primarily effective with DNSBL's that track primarily open relays and not necessary with most static spammer lists although SBL has been acting like idiots as of late and including random blocks all the way up to whole class B's on residential class networks which severely weakens the value of SBL when scored the same on every hop. As far as my filter goes, you can remove all of the lines beginning with the one targeting SNIFFER hits.  It will work just fine without these, but I included them just for good measure as I expect the spam patterns to change eventually.  I do of course expect to see spammers cracking AUTH with much more frequency, and Earthlink at least appears to be inept at stopping it since this has been happening for over 3 months now and growing in scope. Matt Danny K wrote: Matt,   What does the (ALL) do as in "SPAMCOP(ALL)"?      -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Matt Sent: Monday, November 01, 2004 1:47 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Earthlink Porn Spam i360 Support wrote: I am still getting a ton of porn spam from Earthlink. I report it but it does not help much.   Any suggestions on how to stop this crap?   Attached is the filter that I use to kill this stuff.  Last I checked, there were two different spammers that were cracking AUTH to get this stuff through, and their patterns don't seem to have changed, although they probably will and/or more will come. Matt -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ ===================================================== -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================