Hi,
Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services
OK, how do I get those rules installed? I've only installed KAM rules
using a channel. I don't see anything similar for SEM rules. I see the
page you linked to says to drop this into the config:
# SEM-FRESH
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
score SEM_FRESH 0.5
Just copy them to a file ending in ".cf" in your local spamassassin
rules directory like you did with the rule you created below.
I've never seen anything like this before. Looks like this is the
documentation for that:
https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html
That's instructions for enabling the URIDNSBL, which is probably already
enabled.
Check for something like this in your init.pre file
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
Invalid List-ID. You can then use that with other weirdness in a meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
!__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORMAT 0.001
describe LIST_ID_IMPROPER_FORMAT List-id has improper format
You lost me here. The spam has this:
List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
That's not legit? It's in brackets.
It's matching on the text before the brackets.
I believe the new Esp module that works to identify bad sendgrid
accounts also has support for sendinblue accounts, but to what extent?
X-Mailer: Sendinblue
To start, I wrote this rule that I think will probably work well because
it doesn't make sense for any order information is going to come from a
mailing list.
# fake order spam
header __LOCAL_FAKE_ORDER_SUBJ Subject =~ /your.order/i
header __LOCAL_FAKE_ORDER_1 X-Mailer =~ /Sendinblue/i
header __LOCAL_FAKE_ORDER_2 List-Id =~ /./
meta LOCAL_FAKE_ORDER _LOCAL_FAKE_ORDER_SUBJ + (__LOCAL_FAKE_ORDER_2 +
__LOCAL_FAKE_ORDER_3 >= 1)
score LOCAL_FAKE_ORDER 3.0
That's great, but probably doesn't have much longevity.
You can also use the following for the presence of a header:
header __LOCAL_FAKE_ORDER_2 exists:List-Id
Regards,
Dave