On Sun, 2009-03-01 at 09:44 -0700, Jake Maul wrote:
> Howdy,
>
> Lately I've been getting a lot of spam like this:
>
> http://pastebin.com/m58b01a0b
> http://pastebin.com/me13959a
>
> The domain changes, but it's virtually always in the .de TLD
> ("somedomain.de"). RelayCountries has this to say about that message
> (I'm in the US, btw):
> [31067] dbg: metadata: X-Relay-Countries: GB

If you've got the RelayCountry plugin enabled, here's a simple rule to
score direct MUA to MX spam:

  header   RELAY_MUA_TO_MX X-Relay-Countries =~ /^..$/
  describe RELAY_MUA_TO_MX Single Relay, direct client to MX
  score    RELAY_MUA_TO_MX 0.5

> They don't seem to trigger any remote tests at all.... DNSBLs, URIBLs,
> Pyzor, Razor, or Botnet. The only local tests triggered are BAYES_99,
> MIME_HTML_ONLY, and a custom test I wrote which triggers when it sees
> the word 'drugstore' in the body, in all caps.
>
> Any ideas on how to make this a more solid hit? Anyone else seeing this?

Hey, both of them got a score of 7.1. :)

Anyway, for better hits: The domain is listed in URIBL -- as a 2tld
free-hoster domain. mail.ru isn't, but rb.mail.ru is. This setting helps
to get a URIBL_BLACK hit (requires SpamAssassin 3.2.4 or higher):

  util_rb_2tld mail.ru

There are a lot more 2tlds listed by URIBL, updated infrequently.
Googling for the setting should bring up an sa-update channel.

Also, it might be worth considering slightly raising the BAYES_9x
scores and checking out the iXhash plugin. (My samples with these URIs
usually do hit this, though they look slightly different.)

If all of these really do have the same (non-ru) From TLD, maybe even
consider a meta-rule combining non-scoring sub-rules for the From TLD
and an RU URI.

HTH, pick a few. ;)

  guenther

Oh, and your X-Spam-Report header does look a little excessive, doesn't
it?
--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
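The meta-rule guenther suggests, written out as an added example that is not part of the original thread: it assumes the RelayCountry plugin is loaded, that the senders use a .de From address as in the pasted samples, and that the body URIs point at .ru hosts; the rule names and the score are illustrative choices, not rules shipped with SpamAssassin.

```spamassassin
# Added example, not from the original thread. Local rules go in local.cf.
# Sub-rules prefixed with "__" never score on their own; only the meta does.

# Sender address ends in the .de TLD (assumed from the pasted samples).
header   __FROM_TLD_DE   From:addr =~ /\.de$/i

# Any URI in the body whose host is under .ru (e.g. rb.mail.ru).
uri      __URI_RU        /^https?:\/\/[^\/?#]+\.ru(?:[\/:?#]|$)/i

# Exactly one relay country seen, i.e. the client delivered straight to
# the MX. Requires the RelayCountry plugin (same test as RELAY_MUA_TO_MX).
header   __SINGLE_RELAY  X-Relay-Countries =~ /^..$/

# Fire only when all three coincide; the score is a placeholder to tune
# against your own ham/spam corpus before raising it.
meta     DE_FROM_RU_URI  (__FROM_TLD_DE && __URI_RU && __SINGLE_RELAY)
describe DE_FROM_RU_URI  .de sender, .ru URI in body, single direct relay
score    DE_FROM_RU_URI  1.5
```

Run `spamassassin --lint` after adding it, then `spamassassin -t < sample.eml` on one of the pasted messages to confirm DE_FROM_RU_URI shows up in the report.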