> Can you repost that with full headers?

Yes, I have to wait for more to come through though as I have gotten into
the habit of just deleting the FNs.

> No DNSBL hits on the URI domain?

No, the domains change too quickly, so I almost never get DNSBL hits for
these.  I have DNSBL greylisting front-ending SA as well, and I get no hits
there either.  It is really annoying.  Usually someone will submit and
URIBL_BLACK will hit after a few though.  I've added a meta for the URL
check (below) and URIBL_BLACK and DCC_CHECK, maybe all I really need to do
is bump up the meta score for this combination?

> We'd need more than one sample URI to do a good job. Have you been
> collecting a corpus?

Not of a FN set.  I should collect this.

> I notice that this URI has a format that may be a good spam sign: the 
> domain name, followed by a long string of unpunctuated text gibberish.

Here is what I have been using (from previous help from this mail list!):

    uri SSS_URI30 /\bhttp:\/\/[^\.\/]+\.(?i:com|net|info|biz)\/\w{30}\b/
    score SSS_URI30 1.5

This uri rule does work very well, but they change the length sometimes, so
I have a few rules that handle different lengths.  Maybe I should use 29,31
instead of just 30, for example?

Am I being too conservative?  Should I consider bumping the score of this up
more?  And my meta up more perhaps?


-- 
View this message in context: 
http://www.nabble.com/please-help%2C-getting-hammered-with-snowshoe-spam-tp21627042p21628431.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
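
An added example, not part of the original message: a small Python harness that runs the uri pattern quoted above over constructed URIs to compare the fixed `{30}` quantifier with a `{29,31}` range. The `example.*` hosts, the `gibberish` helper and all sample paths are constructed, and Python's `re` is assumed to match SpamAssassin's Perl regex behaviour for this pattern.

```python
import re

def build_rule(lo, hi):
    """The SSS_URI30 pattern with the path length as a parameter.
    lo == hi == 30 reproduces the rule from the message; the '/' characters
    are left unescaped because Python has no regex delimiters."""
    return re.compile(
        r"\bhttp://[^./]+\.(?i:com|net|info|biz)/\w{%d,%d}\b" % (lo, hi)
    )

def gibberish(n):
    """Constructed path token of exactly n word characters."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(alphabet[(i * 7) % len(alphabet)] for i in range(n))

# Constructed sample URIs keyed by path length (hosts are placeholders).
BY_LENGTH = {n: "http://example.com/" + gibberish(n) for n in range(27, 34)}

# Constructed URIs the rule is not expected to hit.
OTHER = [
    "http://example.com/index",                         # short path
    "http://example.net/2009/01/23/some-article-name",  # '/' and '-' break the \w run
    "http://www.example.com/" + gibberish(30),          # three-label host: [^./]+ only
                                                        # allows one label before the TLD
]

def lengths_hit(lo, hi):
    """Path lengths in BY_LENGTH that the rule with \\w{lo,hi} matches."""
    rule = build_rule(lo, hi)
    return sorted(n for n, uri in BY_LENGTH.items() if rule.search(uri))

def hits(rule, uris):
    """URIs from the list that the compiled rule matches."""
    return [u for u in uris if rule.search(u)]

if __name__ == "__main__":
    # The trailing \b makes both bounds strict: a longer run of word
    # characters cannot be matched by stopping early.
    print("fixed {30}   hits lengths:", lengths_hit(30, 30))
    print("range {29,31} hits lengths:", lengths_hit(29, 31))
    print("other URIs hit by range rule:", hits(build_rule(29, 31), OTHER))
```
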
