On Mon, 21 Jul 2008, Michał Jęczalik wrote:

> Hello,
>
> I've noticed a huge increase of spam rate in the past 2-3 weeks. Most of it
> are messages with some quite normal Subject:, often (but not necessarily)
> referring to some fake event (i.e. some politician stabbed to death) and
> there's only a link, sometimes together with a single sentence, in the
> body. How to fight this? Bayes doesn't catch this much, perhaps because
> these messages contain little text.
>
> I don't have an example of a message of exactly this kind at this moment, but
> this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
> easier case, but most of these spams don't refer to viagra and usually
> score BAYES_50 (max) and nothing more.
>
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
>      HTML_MESSAGE autolearn=no version=3.2.5
> [...]
> Received: from 190-95-40-158.bk18-dsl.surnet.cl
> (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
>      by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
>      for <[EMAIL PROTECTED]>; Mon, 21 Jul 2008 19:00:29 +0200
> Message-ID: <[EMAIL PROTECTED]>
> From: "World Pharmacy -A22 " <[EMAIL PROTECTED]>
> Subject: Sale on all items.. viagra for $1
> Date: Mon, 21 Jul 2008 17:00:32 GMT
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>      boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <body>
> <h2>
> <a href="http://www.geocities.com/bettyaphdjnx/";> see site </a></h2>
>
> </body></html>

First thing, do you have network tests turned off? That IP address
hit 5 different DNSBL lists here, some of which we use at the SMTP
level so that message would not even have made it in our front door. ;)
(I realize that it might not have been listed earlier today).

Install the BOTNET plugin, it will add points to those PC-on-DSL/CABLE
clients, even before they get listed in DNSBLs.

I'm guessing that the kind of message you are referring to looks more
like:

  Date: Mon, 21 Jul 2008 11:49:04 +0200
  From: Froskary <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Subject: CNN Wire: Obama arrives in Iraq

  B-52 bomber crashes off island of Guam
  http://pelledilunaaXXXXX.it/begin.html

These are not strictly speaking spam, they're actually trojan
bot messages attempting to get people to download a trojan
onto their PCs. (If you are foolish enough to read that message
on a PC and click on that link, you are pOwn3d.)

Those things seem to regularly hit BOTNET, DNSBLs like Spamhaus &
abuseat-CBL, and the URLs tend to get listed in SURBL/URIBL.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
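
Added example, not part of the original message and not code from SpamAssassin or the BOTNET plugin: a Python sketch of the two relay checks the reply relies on, building the DNSBL query names for the connecting IP and flagging an rDNS name that looks like a DSL/cable client. The zone names, keyword list and function names are assumptions chosen for illustration, and the hostname test is a simplified stand-in, not the plugin's actual logic.

```python
import ipaddress
import re
import socket

# Received: header copied from the message quoted in the thread.
RECEIVED = (
    "Received: from 190-95-40-158.bk18-dsl.surnet.cl\n"
    " (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])\n"
    "      by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727"
)

# Assumed zones for the two lists named in the reply (Spamhaus, abuseat CBL).
DNSBL_ZONES = ("zen.spamhaus.org", "cbl.abuseat.org")

RELAY_RE = re.compile(r"\(\s*(?P<rdns>[A-Za-z0-9.-]+)\s+\[(?P<ip>[0-9.]+)\]\s*\)")
# Assumed keyword list: access-network words set off by non-letters.
ACCESS_WORDS = re.compile(
    r"(?:^|[^a-z])(dsl|adsl|cable|dyn|dynamic|dhcp|ppp|pool|dialup)(?:[^a-z]|$)")


def parse_relay(received):
    """Return (rdns, ip) of the connecting client, or None if not found."""
    m = RELAY_RE.search(" ".join(received.split()))  # unfold the header first
    if not m:
        return None
    ip = ipaddress.IPv4Address(m.group("ip"))  # raises ValueError on a bad IP
    return m.group("rdns").lower(), str(ip)


def dnsbl_names(ip, zones=DNSBL_ZONES):
    """DNSBL convention: reverse the octets and append the list's zone."""
    rev = ".".join(reversed(ip.split(".")))
    return [f"{rev}.{zone}" for zone in zones]


def looks_like_end_user_host(rdns, ip):
    """True if the rDNS name embeds every IP octet or contains an access word."""
    numbers = re.findall(r"\d+", rdns)
    ip_in_name = all(octet in numbers for octet in ip.split("."))
    return ip_in_name or bool(ACCESS_WORDS.search(rdns))


def is_listed(query_name):
    """Live lookup: a listed IP resolves into 127.0.0.0/8.
    NXDOMAIN or any resolver failure is treated as not listed."""
    try:
        return socket.gethostbyname(query_name).startswith("127.")
    except socket.gaierror:
        return False
```

is_listed() needs a working resolver that the list operators accept queries from; the other functions run offline.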
