>-----Original Message-----
>From: Technical [mailto:[EMAIL PROTECTED]
>Sent: Friday, May 07, 2004 5:19 AM
>To: [EMAIL PROTECTED]
>Subject: Porn Spam That Got Through
>
>
>Hi
>
>We run SpamAssassin 2.63 on our mail server with the following rules:

*snip excellent rule list!*

>The email in the following URL got through with a very low score, could
>anyone explain why or suggest rules for me to add?
>http://www.ginnungagap.net/spam/spam20040502.txt
>
>Thanks,
>
>John Taylor

First, now this is the way to ask a question about a spam!! Nice job!

Ok, this spam was kind of tricky. The reason I never got it is it is blocked on a lot of RBLs, but not SURBL!

Results: Positive=7, Negative=25 (2004-05-07 14:17:15 UTC)
@COUNTRY/country: 221.232/16: 553 COUNTRY CHINA - http://hatcheck.org/google?china; http://hatcheck.org/sbl?china
@SPAM/spamsource: 221.232.163/24: 553 SPEWS [1] CHINANET-HB, see http://spews.org/ask.cgi?S2893
CBL/abuseat.org: 553 CBL Proxy/Trojan [Remove]
SPEWS/spews.org: 221.232.163/24: 553 SPEWS2 [1] CHINANET-HB, see http://spews.org/ask.cgi?S2893
BLARS/block.blars.org: INET 127.1.0.32
RFC_IPWH/ipwhois.rfc-ignorant.org: $ has inaccurate or missing WHOIS data at the RIR
FIVETEN/china.spam: added 2003-08-16; http://www.shop321.com on 218.80.151.1; added 2003-08-16; http://www.bearch11.com on 61.232.226.3; added 2003-08-16; http://www.great12ssa.com on 61.174.153.41; added 2003-06-28; http://www.herbalpillsonline.biz on 61.131.62.58; added 2003-04-09; http://www.coolstats.com on 218.246.33.55, moved to 211.99.203.213; added 2003-06-21; http://red.ecablenetwork.com on 61.129.70.183, moved to 211.98.112.186; added 2003-06-07; http://www.ehostz.org on 218.28.3.188; added 2001-04-19; china does not seem to care about spam

If you don't use the RBLs, you could write a local rule for that IP.

There isn't a lot to go on. They obfuscate just enough, but I'm surprised this phrase triggered nothing:
"i love to swallow"
How many times does that show up in ham? (don't answer that!)

I'm adding smackthisass.com to bigevil in next update. (Should be tomorrow, I've already updated for today.) The whois data for that domain is definitely bogus. Unless there is a New York, AL? :-)

--Chris
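Local rules along the lines suggested in the reply above, as an added example that is not part of the original message. The rule names and scores are constructed, the /24 is the range from the SPEWS result (the sending IP itself is not shown in the thread), and the `Received` pattern assumes the relay IP appears in square brackets.

```conf
# /etc/mail/spamassassin/local.cf
# Added example: rule names and scores are constructed, tune them locally.

# Relay inside the 221.232.163/24 range listed in the SPEWS result.
# Assumes the MTA writes the relay IP in square brackets in Received headers.
header   LOCAL_RCVD_221_232_163  Received =~ /\[221\.232\.163\.\d{1,3}\]/
describe LOCAL_RCVD_221_232_163  Relayed via 221.232.163/24 (SPEWS-listed range)
score    LOCAL_RCVD_221_232_163  2.5

# Link to the domain the reply says will be added to bigevil.
uri      LOCAL_URI_SMACKTHIS     /\bsmackthisass\.com\b/i
describe LOCAL_URI_SMACKTHIS     URI contains smackthisass.com
score    LOCAL_URI_SMACKTHIS     3.0

# The body phrase the reply notes triggered nothing.
body     LOCAL_BODY_PHRASE_1     /\bi love to swallow\b/i
describe LOCAL_BODY_PHRASE_1     Body phrase seen in porn spam
score    LOCAL_BODY_PHRASE_1     1.5
```

Run `spamassassin --lint` after editing to catch syntax errors before the rules go live.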
