On Sat, Apr 25, 2009 at 11:06:47PM +0100, Ned Slider wrote:
> John Hardin wrote:
>> On Fri, 24 Apr 2009, LuKreme wrote:
>>
>>> On 24-Apr-2009, at 10:41, Igor Chudov wrote:
>>>
>>>> I get a shipload of spams like this one:
>>>>
>>>> http://igor.chudov.com/tmp/spam007.txt
>>>
>>> Scores very high here.
>>>
>>> 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>> [URIs: tgifriday.info]
>>
>> Igor, you might also want to implement greylisting, to give the URIBLs
>> a chance to list URIs that appear in these messages.
>>
>
> Interesting concept - do you have any data to support the hypothesis?

OK, dumb question, how would I implement greylisting (I have Ubuntu)

i

> I tried looking at this a while back, but it's difficult to collect
> qualitative data. I ran for a month with a short greylisting period (1
> min), and a month for 30 mins and 60 mins. I looked at hit rates against
> popular DNSRBLs to see if I could observe any increase in effectiveness
> from IPs being added during the increased greylisting periods. I didn't
> see anything conclusive that would be worth the increased delay to
> legitimate new mail. Of course the study isn't very scientific as the
> spamflow is likely to change from month to month. Also, only reactive
> lists are likely to benefit, and only those that react quickly.
>
> Getting back to the OP's question, I've found adding a couple of simple
> body rules to check for a certain four letter 'A' word or 2-3 word
> phrases works well in this instance, and I've not noticed any FPs.
>
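The greylisting mechanism discussed in this thread, as an added example that is not part of any poster's message and not the code of any real greylisting daemon: a minimal triplet greylist replayed against the 1, 30 and 60 minute periods mentioned above. The class and function names, the retry schedule, the addresses and the two-day retry window are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DEFER = "450 4.7.1 Greylisted, try again later"  # temporary failure: real MTAs retry
ACCEPT = "250 OK"


@dataclass
class Greylist:
    delay: int                     # seconds a new triplet must wait (the greylisting period)
    retry_window: int = 2 * 86400  # assumed: forget triplets that do not retry within 2 days
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for a delivery attempt at time `now` (seconds)."""
        key = (client_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            self.first_seen[key] = now  # new or expired triplet: start the clock
            return DEFER
        if now - seen < self.delay:
            return DEFER                # retried too early, keep deferring
        return ACCEPT                   # waited out the period: accept, then content-scan


def simulate(delay, attempt_times):
    """Replay one sender's attempts; return the time of acceptance, or None."""
    gl = Greylist(delay=delay)
    for t in attempt_times:
        # Constructed triplet using documentation-only addresses.
        if gl.check("192.0.2.10", "a@example.org", "b@example.net", t) == ACCEPT:
            return t
    return None


# Constructed retry schedule (seconds after the first attempt): 0, 5, 20, 45, 90 min.
SCHEDULE = [0, 300, 1200, 2700, 5400]

if __name__ == "__main__":
    for minutes in (1, 30, 60):
        accepted = simulate(minutes * 60, SCHEDULE)
        print(f"{minutes:>2} min period -> accepted after {accepted // 60} min")
    print("sender that never retries ->", simulate(60, [0]))
```

The time between the first deferral and the accepted retry is the window in which a reactive URIBL or DNSRBL can list the source before the message is scanned; it is also the delay legitimate new mail pays.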