> -----Original Message-----
> From: Christopher M. Iarocci [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 24, 2004 10:06 AM
> To: Kevin Peuhkurinen
> Cc: Bob George; [EMAIL PROTECTED]
> Subject: Re: A new (?) type of Spam
>
>
> Kevin Peuhkurinen wrote:
>
> > Would you mind emailing me that L_RCVD_IN_MANY rule you have?
> > Thanks,
> > Kevin
> >
> > Bob George wrote:
> >
> >> Rubin Bennett wrote:
> >>
> >>> [...]
> >>> And is it just me, or have the spammers figured out a few new tricks
> >>> that are giving SA a really hard time? I used to get 1-2 spams per week
> >>> that made it through SA, and now (last 2 weeks or so) I'm getting
> >>> 10-15/day (out of a total of about 125-150 spams) that are getting
> >>> through. Is there a magic combination of rulesets that folks are using
> >>> to stop these messages?
> >>> I'm using antidrug, backhair, bigevil, evilnumbers, chickenpox,
> >>> mr_wiggly, header_abuse, and tripwire. I have a well trained Bayes
> >>> database (all of the messages sneaking through seem to be utterly
> >>> baffling Bayes), and I'm using DCC and Razor2.
> >>
> >> Here's how it scored here:
> >> Content analysis details: (19.0 points, 5.0 required)
> >>
> >> pts rule name description
> >>
> >> 0.1 HTML_MESSAGE BODY: HTML included in message
> >> 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%   <-- Note: It didn't trick bayes here!
> >> [score: 1.0000]
> >> 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> >> 1.5 L_TINYFONT_1 BODY: Body contains very small font
> >> 0.7 MK_BAD_HTML_02 BODY: Bad HTML form. Breaking lines with paragraphs.
> >> 1.7 RM_rbt_Font0Pt BODY: HTML includes 0- or 1-point font size; invisible text
> >> 2.2 AFF_ID URI: URL contains AFF_ID=
> >> 1.2 RCVD_IN_SORBS_SOCKS RBL: SORBS: sender is open SOCKS proxy server
> >> [220.78.47.207 listed in dnsbl.sorbs.net]
> >> 0.7 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> >> [<http://dsbl.org/listing?ip=220.78.47.207>]
> >> 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> >> [Blocked - see <http://www.spamcop.net/bl.shtml?220.78.47.207>]
> >> 0.5 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
> >> [220.78.47.207 listed in dnsbl.njabl.org]
> >> 0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
> >> [220.78.47.207 listed in dnsbl.njabl.org]
> >> 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
> >> [220.78.47.207 listed in dnsbl.sorbs.net]
> >> 3.0 L_RCVD_IN_MANY Message received in more than 2 RBLs
> >>
> >> Note that the L_ scores are locals I've added. There's some
> >> duplication between sets.
> >>
> This was just posted on this list yesterday afternoon........................
>
> meta RCVD_IN_MANY (RCVD_IN_DSBL+RCVD_IN_NJABL+RCVD_IN_OPM+RCVD_IN_SORBS) > 2
> describe RCVD_IN_MANY Found in 3 or more DSBLs
> score RCVD_IN_MANY 2.0
>
> Chris
>
This rule will ONLY work for SA version 2.50 and higher. Just thought I would mention that :) --Chris (2.4x and PROUD!)
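Added example, not code from this thread or from SpamAssassin itself: a small Python evaluator that reproduces what the RCVD_IN_MANY meta rule quoted above does, so you can check what it would have fired on before adding it to a local .cf. In an SA meta rule each rule name counts as 1 if that rule hit and 0 otherwise, so the expression above is simply "at least three of the four named DNSBL rules hit". The sample report is Bob's score list retyped with descriptions trimmed (a constructed input, minus his local L_RCVD_IN_MANY line, which is what we recompute); the functions parse_hits, eval_meta and apply_meta are hypothetical names of my own, and the evaluator only accepts the arithmetic and boolean subset of SA meta syntax, not the full Perl grammar.

```python
import ast
import re

# Constructed sample: Bob's "Content analysis details" lines from the thread,
# descriptions trimmed, without his local L_RCVD_IN_MANY line (sum = 16.0).
SAMPLE_REPORT = """\
 pts rule name description
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
     [score: 1.0000]
 0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 L_TINYFONT_1           BODY: Body contains very small font
 0.7 MK_BAD_HTML_02         BODY: Bad HTML form
 1.7 RM_rbt_Font0Pt         BODY: HTML includes 0- or 1-point font size
 2.2 AFF_ID                 URI: URL contains AFF_ID=
 1.2 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
 0.7 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 0.5 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
"""

# The meta rule exactly as Chris posted it.
META_EXPR = "(RCVD_IN_DSBL+RCVD_IN_NJABL+RCVD_IN_OPM+RCVD_IN_SORBS) > 2"
META_SCORE = 2.0

# A rule-hit line starts with a score followed by a rule name; bracketed
# continuation lines such as "[score: 1.0000]" deliberately do not match.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Za-z][A-Za-z0-9_]*)\b")


def parse_hits(report):
    """Return {rule_name: score} for every rule line in an SA score report."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


# Only these node types may appear in a meta expression; anything else
# (calls, attributes, subscripts) is rejected before evaluation.
_ALLOWED = (ast.Expression, ast.BinOp, ast.BoolOp, ast.Compare, ast.UnaryOp,
            ast.Name, ast.Constant, ast.Load, ast.Add, ast.Sub, ast.Mult,
            ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq,
            ast.And, ast.Or, ast.Not, ast.USub)


def eval_meta(expr, hits):
    """Evaluate an SA-style meta expression: a rule name is 1 if hit, else 0."""
    # SA spells boolean ops as && || and !; map them onto Python keywords.
    py_expr = expr.replace("&&", " and ").replace("||", " or ")
    py_expr = re.sub(r"!(?!=)", " not ", py_expr)
    tree = ast.parse(py_expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("unsupported token in meta rule: %s" % type(node).__name__)
    names = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    env = {name: (1 if name in hits else 0) for name in names}
    return bool(eval(compile(tree, "<meta>", "eval"), {"__builtins__": {}}, env))


def apply_meta(report, expr=META_EXPR, name="RCVD_IN_MANY", score=META_SCORE):
    """Return (fired, total_score) after adding the meta rule to a report's hits."""
    hits = parse_hits(report)
    fired = eval_meta(expr, hits)
    if fired:
        hits[name] = score
    return fired, round(sum(hits.values()), 1)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_REPORT)
    print("DNSBL rules hit:", sorted(h for h in hits if h.startswith("RCVD_IN_")))
    print("Chris's rule (score 2.0):", apply_meta(SAMPLE_REPORT))
    print("Bob's local (score 3.0): ", apply_meta(SAMPLE_REPORT, name="L_RCVD_IN_MANY", score=3.0))
```

On Bob's report three of the four listed rules hit (DSBL, NJABL, SORBS; OPM did not), so the sum is 3, the comparison "> 2" is true and the meta fires; with Bob's local score of 3.0 the total comes back to his 19.0, with Chris's 2.0 it is 18.0. Note that RCVD_IN_SORBS_SOCKS and RCVD_IN_NJABL_PROXY are not in the expression, so the rule counts lists, not sub-lists, which is what keeps one blocklist from contributing twice.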
