Jeremy Morton wrote:
> OK, so I just got one of those www medsXX com spams, and even though it
> hit my rule and got 2.0 added to it, it still didn't even get over 3
> points.  Looks like it was sent from quite a legit host.  What rules do
> other people get matching for this e-mail?
> 
> http://pastebin.com/m3b9629b6

The IP and hashes score 21.8 for me.

Besides the standard DCC_CHECK, I'm getting hits on the following
non-standard RBLs:

190.244.172.161 listed in hostkarma.junkemailfilter.com
190.244.172.161 listed in uceprotect-level2.dnsbl
190.244.172.161 listed in bb.barracudacentral.org
190.244.172.161 listed in ix.dnsbl.manitu.net
iXhash found @ ix.dnsbl.manitu.net

Maybe you had a DNS problem when it went through, or you were unlucky
enough to be first on the spammer's list.

Here's a (somewhat unreadable) rule I wrote that doesn't have a great
spam ratio on its own, but can be useful in botnet meta rules:

header NOMATCH_NICK_FROM        From =~ /^"?(([A-Z])[a-z][a-z])\w*(?:\s(?:(([A-Z])[a-z][a-z])\w*\s|([A-Z])\.?\s)?(([A-Z])[a-z][a-z])\w*)?"?\s*<(?!postmaster\@)(?!mailer-daemon\@)(?![a-zA-Z0-9\.\-]*(?:\1|\3|\6))(?!.?\2(?:\4|\5)?.?\7).*?\@(?!.?\2-?(?:\4)?\-?\7)(?![a-zA-Z0-9\.\-]*(?:\1|\3|\6))/i
describe NOMATCH_NICK_FROM      From address with no part of name
score NOMATCH_NICK_FROM         1.0

The idea is to catch random real names attached to random valid email
addresses.

HTH

CK
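The rule's regex run over a handful of constructed From: headers, as an added example in Python rather than code from the post. It transcribes the pattern for Python's re module and assumes two things about the intended behaviour: the postmaster/mailer-daemon exclusions sit directly after the `<` so they test the local part, and the character classes cover 0-9; the sample headers are made up.

```python
import re

# NOMATCH_NICK_FROM transcribed for Python's re module.  Backreferences and
# lookaheads behave as in Perl here: a backreference to a group that did not
# take part in the match (e.g. \3 when there is no middle name) simply fails.
# Assumptions: role-mailbox exclusions placed right after '<', classes use 0-9.
NOMATCH_NICK_FROM = re.compile(
    r'^"?(([A-Z])[a-z][a-z])\w*'                        # first name: \1 = first 3 letters, \2 = initial
    r'(?:\s(?:(([A-Z])[a-z][a-z])\w*\s|([A-Z])\.?\s)?'  # optional middle name (\3, \4) or initial (\5)
    r'(([A-Z])[a-z][a-z])\w*)?'                         # last name: \6 = first 3 letters, \7 = initial
    r'"?\s*<'
    r'(?!postmaster\@)(?!mailer-daemon\@)'              # never fire on these role mailboxes
    r'(?![a-zA-Z0-9\.\-]*(?:\1|\3|\6))'                 # local part must not contain a name fragment
    r'(?!.?\2(?:\4|\5)?.?\7)'                           # ... nor the initials
    r'.*?\@'
    r'(?!.?\2-?(?:\4)?\-?\7)'                           # domain must not start with the initials
    r'(?![a-zA-Z0-9\.\-]*(?:\1|\3|\6))',                # ... nor contain a name fragment
    re.IGNORECASE,
)


def nomatch_nick_from(from_header: str) -> bool:
    """True when the display name shares no fragment with the address."""
    return NOMATCH_NICK_FROM.search(from_header) is not None


# Constructed From: headers (not taken from the post) with the expected verdict.
SAMPLES = {
    '"Jane Doe" <jane.doe@example.com>': False,         # name fragments in local part
    'Jane Doe <jdoe@example.com>': False,               # initial + surname
    '"Jane A. Doe" <qz81vt@mail-relay.example>': True,  # random mailbox, unrelated name
    '"John Smith" <xk7qa2@bot-host.example>': True,
    '"Jane Doe" <postmaster@example.com>': False,       # role mailbox excluded
    'sales@example.com': False,                         # no display name to compare
}


def flagged(headers):
    """Return the headers the rule would hit, in input order."""
    return [h for h in headers if nomatch_nick_from(h)]


if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        hit = nomatch_nick_from(header)
        print(f"{'HIT ' if hit else 'pass'} {'ok' if hit == expected else 'MISMATCH'}  {header}")
```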
