I've been being hit by this type of spam quite hard lately, but finally found a way to stop it. Make sure you are running the SARE html and adult rulesets. Then add to your local CF:

score SARE_HTML_URI_NODOT2 2.0
score SARE_HTML_A_HIDEtst2 4.0

This spammer's emails ALWAYS hit these 2 rules, so I bumped up the scores quite a bit. I haven't had any false positives as a result. My users were getting quite annoyed because these spam messages were quite offensive and always sneaking through until they hit the SURBLs. After making this change, I'm catching 100% of them.

Shawn

-----Original Message-----
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Friday, September 03, 2004 2:56 PM
To: 'Gordon Thagard'
Cc: Spamassassin-Talk (E-mail)
Subject: RE: Those sneaky porno spammers

>-----Original Message-----
>From: Gordon Thagard [mailto:[EMAIL PROTECTED]
>Sent: Friday, September 03, 2004 2:29 PM
>To: users@spamassassin.apache.org
>Subject: Those sneaky porno spammers
>
>
>Solaris 9
>Postfix 2.1.x
>Spamassassin 2.64
>Amavisd-new-20030616-p10
>Clamav-0.74
>Bayes
>Razor
>DCC
>
>Hello All,
>
>I have set up what I consider to be a very good MTA for our College which
>is fending off a 49/51% SPAM/HAM ratio and dealing with many thousands
>of emails a day. While the system does a very good job of detecting
>SPAM, there is one brand of porno SPAM that is constantly evading our
>defenses. It usually has a white, grey, blue or purple background,
>gibberish words and hardcore, explicit porno pics from a third-party web
>server. I've turned off viewing non-local images. Plus I have lowered
>the SPAM threshold to 4.0 and set up Bayes learning with access limited
>to our domain only. After setting up Bayes, I didn't get this particular
>porno SPAM for a few days but then it started up again and nothing I do
>can stop it. One of two things happens:
>
>1. There are zero spam headers added to the email in my INBOX or,
>2. It gets a 3.8 spam rating and is delivered.
>
>I have included both examples from today's barrage as attachments. Any
>help would be greatly appreciated.
>
>--

One of those is already in SURBL.

erimomisaki.com is 201.12.78.140 [ rbl lookup ]
domain registered: 08-27-2004 [ full whois ]
* URIBL: ws.surbl.org: not listed [ report ]
* URIBL: sc.surbl.org: listed [Message body contains SpamCop spamvertised domain.]
* URIBL: ob.surbl.org: listed [Blocked, See: http://www.surbl.org/lists.html#ob]
* URIBL: multi.surbl.org: listed [Blocked, erimomisaki.com on lists [sc][ob], See: http://www.surbl.org/lists.html]
* URIBL: ab.surbl.org: not listed

The other would be soon, but we have some technical difficulties in the submission department today :)

So I say use SURBL.

--Chris