[Declude.JunkMail] How to add extra points to this

[Goran Jovanovic]

Hi   Here are the headers from a bunch of SPAM that is slipping through.   Subject:    Re: Para7mcy news To:         [EMAIL PROTECTED] From:       [EMAIL PROTECTED] REV DNS:    corporativos244254-29.etb.net.co Date:       06 Mar 2006 at 02:42:18 Tests Failed:     IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1] Weight:           23 Spool File: De7c016fa0086126d.smd   To view the E-mail, just click the attachment.   Headers: Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net   (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500 Message-ID: <[EMAIL PROTECTED]> Reply-To: "Pallav Jenkins" <[EMAIL PROTECTED]> From: "Pallav Jenkins" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Para7mcy news Date: Mon, 6 Mar 2006 02:41:25 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative;       boundary="----=_NextPart_000_0001_01C640C7.764CC4D0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106   As you can see the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete).   I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Columbia   I check senderbase http://www.senderbase.org/search?searchString=201.244.254.29 from what I understand a magnitude of 2.7 is not a lot   Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL CSMA-SBL DNSBLNETAUT1 SBL-XBL SPAMCOP   Arrgh – it was listed a little while after this message went through.   In any case does anyone have any good ideas on how to block this SPAM when it is not on the black lists?   I have thought of writing a filter that checks for both SNIFFER and INVURIBL and if the subject has the word NEWS in it then add another 5 (or so points).   Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.