OK, Mouss

2008/3/18, mouss <[EMAIL PROTECTED]>:
> Loren Wilton wrote:
> >> Hi, I'm kinda getting tired of reporting these mails (both to my local
> >> SA and to SpamCop), and so are my customers. My problem is that the
> >> spammers are using a large ISP's mail server, and that particular ISP
> >> (as all the others here in Argentina) doesn't bother checking the abuse
> >> reports. What drives me crazy is the little score it lacks to go
> >> devnulled...
> >>
> >> Anyway, here's a sample: http://pastebin.com/m3c0e5b9
> >
> > The main problem here is that the standard SA rules are in English and
> > the mail is in Spanish (or something close to that I suppose). My
> > Spanish is incredibly rusty, but just scanning the mail I see dozens
> > of phrases I'd try to match on to add points for this sort of thing.
> > Of course, I'd need a few dozen examples (at least!) to even consider
> > writing any rules for this sort of thing. It would be better if a
> > native speaker wrote the rules than someone not that familiar with the
> > language.
> >
> > In any case, you can try blacklisting the address of the CD company,
> > try rules against cheap CDs, try rules against mail advertising
> > pictures of nice colored girls (presumably where all of the color is
> > visible at once), and a half dozen other seemingly pretty obvious
> > stock phrases.
> >
> > Of course, you need a bunch of these mails so you can compile a phrase
> > list, and you ideally need some way to do a masscheck against spam and
> > ham to make sure you aren't accidentally catching a lot of ham. But
> > you should be able to get the first of those requirements trivially,
> > and if you are careful and start with low scores and monitor the logs
> > for the rules that are hitting you should be able to adjust scores
> > safely and successfully.
> >
> > Justin has a tool that makes rules based on phrases found in ham and
> > spam. This is an automated form of doing what I suggest above by
> > hand. I don't know if those tools are part of the SA package, but
> > they might be. If so, they could probably be used to advantage.
> >
> > Loren
> >
>
> how about something like
>
> header NONFQHELO_DYN1 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
> score NONFQHELO_DYN1 3.0
> describe NONFQHELO_DYN1 non fqdn helo from dynamic client
>
> ?

I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody for
their suggestions. They've gone right into my documentation folder ;-)

Regards, Luis
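
An added example, not part of the original thread: a small Python harness that runs the regex from mouss's rule over X-Spam-Relays-Untrusted values and counts spam and ham hits, in the spirit of the check Loren describes. The relay entries, addresses, hostnames and spam/ham labels are constructed, the entry layout is assumed to follow SpamAssassin's usual one, and Python's re module stands in for SpamAssassin's Perl regex engine.

```python
import re

# Pattern copied from the rule in the thread; Python's re accepts it unchanged.
NONFQHELO_DYN1 = re.compile(
    r"^[^\]]+ rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ ", re.IGNORECASE
)


def relay(ip, rdns, helo):
    """Build one relay entry in the assumed X-Spam-Relays-Untrusted layout."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=CONSTRUCTED auth= msa=0 ]")


# Constructed samples (documentation IPs, example domains): (label, is_spam, header).
SAMPLES = [
    ("dynamic rDNS, bare HELO", True,
     relay("198.51.100.34", "host34.198-51-100-34.dyn.example.net", "pc1")),
    ("dynamic rDNS, FQDN HELO", True,
     relay("198.51.100.35", "198-51-100-35.dyn.example.net", "smtp.example.org")),
    ("no rDNS, bare HELO", True,
     relay("198.51.100.36", "", "pc2")),
    ("static rDNS, FQDN HELO", False,
     relay("192.0.2.10", "mail.example.com", "mail.example.com")),
    ("static rDNS, bare HELO", False,
     relay("192.0.2.11", "mx1.example.com", "localhost")),
    ("clean first hop, dynamic second hop", False,
     relay("192.0.2.10", "mail.example.com", "mail.example.com") + " "
     + relay("198.51.100.37", "37.100-51-198.dyn.example.net", "pc3")),
]


def rule_hits(header):
    """True when the rule would fire on this pseudo-header value."""
    return NONFQHELO_DYN1.search(header) is not None


def mass_check(samples):
    """Return (spam_hits, spam_total, ham_hits, ham_total) for the rule."""
    spam = [rule_hits(h) for _, is_spam, h in samples if is_spam]
    ham = [rule_hits(h) for _, is_spam, h in samples if not is_spam]
    return sum(spam), len(spam), sum(ham), len(ham)


if __name__ == "__main__":
    for label, is_spam, header in SAMPLES:
        print(f"{label}: spam={is_spam} hit={rule_hits(header)}")
    print("spam %d/%d, ham %d/%d" % mass_check(SAMPLES))
```

On these samples the rule fires only when the first relay entry has both a long run of non-letters in its rDNS name and a HELO without a dot; a missing rDNS or a dotted HELO does not hit, and later relay entries are not examined because `[^\]]+` cannot cross the first `]`.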