In addition to other replies...
On 23/11/11 14:13, Simon Loewenthal wrote:
I have spam that hits on these rules.
X-Spam-Report:
* 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: europjobs.eu]
* 1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: europjobs.eu]
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable
relay lines
* 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.5000]
* 1.1 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* 1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
* 0.3 DIGEST_MULTIPLE Message hits more than one network digest check
* 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
What I fail to understand is why it did not hit on this local.cf rule:
describe RBODY_JOB_DOMAINS1 English language job opportunity1
rawbody RBODY_JOB_DOMAINS1
/\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs.eu|businesinsiders.com)\./
score RBODY_JOB_DOMAINS1 4.5
You can do that with a URI rule which will also hit on email addresses
in the body of the email - it doesn't *need* to be a rawbody rule. A
very simple truncated example based on your rule above:
URI L_JOB_DOMAINS
/\b(?:axeabout|career-lists|careers-consult|eur-exlusive)\b/i
describe L_JOB_DOMAINS Unwanted Job Domains
score L_JOB_DOMAINS 4.5
Feel free to make it stricter by adding TLDs at the end.
Personally I would just increase the scores of URIBL_BLACK,
URIBL_JP_SURBL et al., as I've found them to be pretty safe lists and
excellent spam indicators. Then your custom rule only needs to cover
those domains that are not yet listed.
