Hi

Here are the headers from a bunch of SPAM that is slipping through.

Subject:    Re: Para7mcy news
To:         [EMAIL PROTECTED]
From:       [EMAIL PROTECTED]
REV DNS:    corporativos244254-29.etb.net.co
Date:       06 Mar 2006 at 02:42:18
Tests Failed:     IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1]
Weight:           23
Spool File: De7c016fa0086126d.smd

To view the E-mail, just click the attachment.

Headers:

Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net
  (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "Pallav Jenkins" <[EMAIL PROTECTED]>
From: "Pallav Jenkins" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Para7mcy news
Date: Mon, 6 Mar 2006 02:41:25 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0001_01C640C7.764CC4D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

As you can see, the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete).

I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Colombia.

I checked senderbase http://www.senderbase.org/search?searchString=201.244.254.29 and from what I understand a magnitude of 2.7 is not a lot.

Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL, CSMA-SBL, DNSBLNETAUT1, SBL-XBL, SPAMCOP.

Arrgh – it was listed a little while after this message went through.

In any case, does anyone have any good ideas on how to block this SPAM when it is not on the blacklists?

I have thought of writing a filter that checks for both SNIFFER and INVURIBL and, if the subject has the word NEWS in it, then adds another 5 (or so) points.

Goran Jovanovic

Omega Network Solutions

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
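
The combination rule proposed in the message, as an added Python sketch that is not part of the original post and is not Declude filter syntax. It parses the "Tests Failed" line quoted above, applies the bonus, and reports how far the message still is from the delete threshold; the function names, the exact form of the rule, and treating 30 as "weight >= 30" are assumptions.

```python
import re

# "Tests Failed" line and subject copied from the message above.
TESTS_FAILED = ("IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], "
                "INV-URIBL [15], SIZE-BT-1KB-5KB [1]")
SUBJECT = "Re: Para7mcy news"
DELETE_AT = 30  # "need 30 to delete"; assumed to mean weight >= 30


def parse_tests(line):
    """Parse 'NAME [weight], NAME [weight], ...' into {name: weight}."""
    pattern = r"([A-Za-z0-9-]+)\s*\[(-?\d+)\]"
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, line)}


def combo_bonus(tests, subject, bonus=5):
    """Assumed form of the proposed rule: add `bonus` only when SNIFFER and
    INV-URIBL both failed and the subject contains the word 'news'."""
    both_failed = "SNIFFER" in tests and "INV-URIBL" in tests
    has_news = re.search(r"\bnews\b", subject, re.IGNORECASE) is not None
    return bonus if both_failed and has_news else 0


def score(line, subject, bonus=5):
    """Base weight (sum of failed tests) plus the combination bonus."""
    tests = parse_tests(line)
    return sum(tests.values()) + combo_bonus(tests, subject, bonus)


def min_bonus_to_delete(line, subject):
    """Smallest bonus that lifts this message to DELETE_AT, or None when
    the combination rule does not match the message at all."""
    tests = parse_tests(line)
    if combo_bonus(tests, subject, bonus=1) == 0:
        return None
    return max(0, DELETE_AT - sum(tests.values()))


if __name__ == "__main__":
    base = sum(parse_tests(TESTS_FAILED).values())
    total = score(TESTS_FAILED, SUBJECT)
    print(f"base weight {base}, with +5 bonus {total}, delete at {DELETE_AT}")
    print("bonus needed to delete:", min_bonus_to_delete(TESTS_FAILED, SUBJECT))
```

For this message the base weight matches the reported 23, so a bonus of 5 leaves it below the delete threshold; the bonus has to be sized against the weights the two tests already contribute.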
