On Sun, 2013-07-21 at 16:33 +0200, Andrea wrote:
> 
> On 7/20/13 9:20 AM, "Christian Recktenwald" <satalk-d...@citecs.de> wrote:
> 
> >On Sat, Jul 20, 2013 at 07:35:23AM +0200, Andrea wrote:
> >> Hi all.
> >> 
> >> Since a few days ago I'm being buried under spam messages that slip
> >>through
> >> my amavis/SA setup.
> >> The messages all look alike: plaintext with random junk + URL in the
> >>body.
> >> Pastebin with a few examples here: http://g2z.me/ed64d
> >
> 
> Thank you for the tips.
> I have a few further questions:
> 
> >- TZ in Date: -0700
>
This is pretty common: you'd expect that since it is a rather irregular
slice through North America that includes Edmonton and Denver. 

> >- short message (up to 110 chars)
>
Common enough, typically "Get a load of this: http://some.url.or/other".

> >- containing a url
> 
or possibly just a URL and nothing else.
 
> How much would you score these three?
>
Not very highly either, separately or in combination. However, if
there's a known issue with the URL content, e.g. its TLD is .pw, the
sender or the recipient address, you may score it more highly, e.g. if the
recipient address is one that you never publish or use directly.
 
> (btw I noticed several messages have a date in the future between 6 and 12
> hours so I've increased that)
> 
Might be reasonable: any date that could result from a misconfigured
timezone and/or an incorrectly set clock is not necessarily suspicious.
 
> >- url with uri 17..27 chars
>
Why would that be suspicious? My normal URL is 22 characters without the
"http://" prefix. If you're trying to catch URLs generated by some
spambot it would be better to look for patterns in the names it
generates rather than deciding that some arbitrary length range is
suspicious.

> >- url results in some meta REFRESH
> >- the refresh refers to some domain .*-sites.com
>
They claim to have been in the web hosting business since 1996. What
have you got against them?

> >- the domain names resolve to 213.183.59.30
> >- the refresh redirects to another meta REFRESH, which is unique
>
Resolves to an IP belonging to Anders Telecom in Moscow and seems to have
an unconfigured copy of Apache on it. No reverse DNS configured, though.
What do you think it is - a bot herder?
  
> How can I implement these? 
>
Write a set of subrules, one for each of those clauses and combine them
into one or more very specific scoring rules by using meta-rules.

> Especially how can SA know that the URL
> refreshes to a different page..
> 
It can't because it just recognises the URL without ever attempting to
access it.


Martin
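
An added example, not part of Martin's reply and not a rule set shipped with SpamAssassin, showing how the "subrules plus meta-rules" approach above could be written for the clauses discussed in this thread. The rule names, the scores and the unpublished recipient address are assumptions for illustration; each `__` subrule scores nothing on its own, and only the meta rules that combine them carry a score. As Martin notes, none of this fetches the URL: the rules only inspect headers, body text and the URIs SpamAssassin extracts from the message.

```spamassassin
# Added example for this thread; not from the original reply or the
# SpamAssassin distribution. Rule names, scores and the recipient
# address below are illustrative assumptions.

# Clause: Date: header carries the -0700 offset
header   __L_TZ_0700      Date =~ /[-+]0700\s*$/

# Clause: a paragraph that is up to ~80 chars of junk, then a URL, then nothing
body     __L_JUNK_URL     /^.{0,80}\bhttps?:\/\/\S+\s*$/

# Clause: http(s) URL whose host+path part is 17 to 27 characters
# (note: body/uri rules see each extracted URI separately)
uri      __L_URI_SHORT    /^https?:\/\/\S{17,27}$/

# Stronger signal: URL on a .pw TLD
uri      __L_URI_PW       /^https?:\/\/[^\/]+\.pw(?:[\/:?#]|$)/i

# Stronger signal: delivered to an address you never publish
# ("honeypot@example.org" is a placeholder; use your own unpublished address)
header   __L_TO_TRAP      ToCc =~ /\bhoneypot\@example\.org\b/i

# The three weak clauses only count when they all hold together
meta     L_SPAMBOT_URL    (__L_TZ_0700 && __L_JUNK_URL && __L_URI_SHORT)
describe L_SPAMBOT_URL    Short -0700 message that is junk text plus a short URL
score    L_SPAMBOT_URL    2.0

# Extra points when the weak combination coincides with a strong signal
meta     L_SPAMBOT_URL_PW   (L_SPAMBOT_URL && __L_URI_PW)
describe L_SPAMBOT_URL_PW  Junk-plus-URL message pointing at a .pw domain
score    L_SPAMBOT_URL_PW   2.5

meta     L_SPAMBOT_URL_TRAP (L_SPAMBOT_URL && __L_TO_TRAP)
describe L_SPAMBOT_URL_TRAP Junk-plus-URL message sent to an unpublished address
score    L_SPAMBOT_URL_TRAP 3.0
```

Drop this into a `.cf` file under the site rules directory (for example next to `local.cf`), run `spamassassin --lint` to catch syntax errors, then feed one of the pasted samples through `spamassassin -t < sample.eml` as the user amavis runs under and confirm the `L_SPAMBOT_*` names appear in the report before restarting amavis. Keep the weak subrules unscored on their own: a `-0700` date or a short URL by itself is, as the reply says, not suspicious, and it is the conjunction that carries the evidence.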
