Charles Gregory wrote:
> Do they all have message IDs that include the IP? You could score
> that 0.3 or so to help push it over the line. Also give a bit more

Shiny - I had not noticed this pattern. Thanks guys! :)

LuKreme wrote:
> and found it hit more mailing-list ham than spam, so I'd tread
> carefully.

Could you dump a list of those, and take a closer look? In all (5) of the hams I found, the IP was in IANA Reserved space (specifically 192.168.0.0/16). If that's what others are finding, a rule tweak could eliminate that issue.

I checked 2.5 months' worth of logs for my most diverse domain, and found only 5 (out of 21392) hams with Message-IDs containing square brackets around an IP address (all were as above). In the same dataset, I found 637 (out of 64517) spams with this pattern. I didn't check them all (just dumped a list), but based on a quick skim, they all looked like non-IANA-space IP addresses. All of the ones I spot-checked matched the sending IP.

Being chronically/genetically curious, I took a look at what TYPE(s) of spam had this characteristic, and found:

  532 contained a URL with the China TLD
  100 contained a URL with the Russia TLD
    1 contained a BlogSpot subsite
    4 were AdvanceFee scams

I also found 518 of those had forged the SMTP Sender as being the same domain (and probably the exact same account) as the Recipient.

You might want to make some meta rules for those two cases (China TLD in a URL, Sender == Recipient).

- "Chip"
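The checks discussed in this thread, written out as an added example that is not part of the thread and is not SpamAssassin's own rule code: the bracketed-IP Message-ID test with the private/reserved-space exemption Chip suggests, the "Message-ID IP equals sending IP" comparison, and the two proposed meta rules (bracketed IP plus a .cn URL, bracketed IP plus Sender == Recipient). Everything specific here is an assumption made for illustration: the rule names are made up, the three sample messages are constructed (1.2.3.4 stands in for a public address), and the "sending IP" is taken from the outermost Received header on the assumption that the local MX records the peer address in square brackets.

```python
"""Toy re-implementation of the heuristics from the thread (added example).

Assumptions: rule names are invented, sample messages are constructed,
and the relay IP is read from the first Received header.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

# Dotted quad inside square brackets, e.g. "@[192.168.0.12]>" in a Message-ID
# or "from [1.2.3.4]" in a Received line.
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# http(s) URL whose host ends in the .cn or .ru TLD (host part only).
TLD_URL_RE = re.compile(r"https?://[^\s/?#]*\.(cn|ru)(?=[/?#\s]|$)", re.IGNORECASE)


def bracketed_ip(header_value):
    """First [a.b.c.d] in a header value as an IPv4Address, or None."""
    m = BRACKETED_IP_RE.search(header_value or "")
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:  # e.g. [999.1.1.1]
        return None


def message_id_public_ip(msg):
    """IP embedded in the Message-ID, only if globally routable.
    RFC 1918, loopback, link-local and other special-use ranges are skipped,
    which is the tweak that excuses the 192.168.0.0/16 hams."""
    ip = bracketed_ip(msg.get("Message-ID"))
    return ip if ip is not None and ip.is_global else None


def relay_ip(msg):
    """Peer address in the outermost Received header (assumed bracketed)."""
    received = msg.get_all("Received") or []
    return bracketed_ip(received[0]) if received else None


def sender_equals_recipient(msg):
    """Envelope sender (Return-Path) is the same mailbox as the recipient."""
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return bool(sender) and sender == rcpt


def body_text(msg):
    """Decoded text of every text/* part (walk() yields msg itself if not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Sorted list of the (made-up) rule names that fire on one raw message."""
    msg = email.message_from_string(raw_message)
    hits = set()
    mid_ip = message_id_public_ip(msg)
    if mid_ip is not None:
        hits.add("MSGID_PUBLIC_IP")
        if mid_ip == relay_ip(msg):
            hits.add("MSGID_IP_IS_RELAY")
    tlds = {m.group(1).lower() for m in TLD_URL_RE.finditer(body_text(msg))}
    if "cn" in tlds:
        hits.add("URL_CN_TLD")
    if "ru" in tlds:
        hits.add("URL_RU_TLD")
    if sender_equals_recipient(msg):
        hits.add("SENDER_EQ_RCPT")
    # Meta rules: gated on the Message-ID hit, so a legitimate note-to-self
    # (sender == recipient) on its own does not trip them.
    if "MSGID_PUBLIC_IP" in hits and "URL_CN_TLD" in hits:
        hits.add("META_MSGID_IP_CN_URL")
    if "MSGID_PUBLIC_IP" in hits and "SENDER_EQ_RCPT" in hits:
        hits.add("META_MSGID_IP_SELF_SENT")
    return sorted(hits)


# Constructed sample messages, not real mail.
HAM_PRIVATE_MSGID = """\
Received: from [192.168.0.12] (helo=desk) by mail.example.org with esmtp; Tue, 1 Apr 2008 10:00:00 +0000
Return-Path: <alice@example.org>
To: list@example.net
Message-ID: <20080401100000.GA1234@[192.168.0.12]>

Here is the diff we discussed.
"""

SPAM_PUBLIC_MSGID = """\
Received: from [1.2.3.4] (helo=[1.2.3.4]) by mail.example.org with smtp; Tue, 1 Apr 2008 10:05:00 +0000
Return-Path: <bob@example.org>
To: bob@example.org
Message-ID: <a1b2c3$4d5e6f@[1.2.3.4]>

Visit http://shop.example.cn/deal now.
"""

HAM_NOTE_TO_SELF = """\
Received: from [10.0.0.5] (helo=laptop) by mail.example.org with esmtp; Tue, 1 Apr 2008 10:10:00 +0000
Return-Path: <carol@example.org>
To: carol@example.org
Message-ID: <note-1@laptop.example.org>

Buy milk.
"""
```

Running classify() over the three samples gives no hits for the private-space Message-ID, only SENDER_EQ_RCPT for the note-to-self, and the full set including both meta rules for the constructed spam. The ipaddress.is_global test is deliberately broader than "not 192.168.0.0/16": it also drops 10/8, 172.16/12, loopback, link-local and the documentation ranges, which is what you want if the goal is "an address a real remote sender could have used".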