Alex wrote on 17.2.2016 18:49:
Hi all,
I recall some rules that were written years ago to address these, but
it appears they're back. We've been hit with a few, including users
actually following the link. I was hoping someone had some
recommendations on how to stop them.
http://pastebin.com/zKWUUQ0Q
Obviously they're coming in advance of being on an RBL or DNSBL.
I was thinking to correlate the body text somehow with something that
checks to see if it actually passed through Google (SPF, etc?), but
that won't work for messages that were forwarded to another user...
Thanks,
Alex
Rejected here, easily.
Content analysis details: (14.4 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
1.5 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=23.111.183.206,rdns=23-111-183-206.static.hvvc.us,maildomain=hollowayaffiliates.com,client,ipinhostname,clientwords]
-0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
[score: 0.3871]
1.0 HTML_MESSAGE BODY: HTML included in message
2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
words
8.0 CLAMAV Clam AntiVirus detected a virus
[winnow.spam.ts.google.994118.UNOFFICIAL(59724bd0d31d1f2fccdbb50fed23e7cb:3924)]
0.8 RDNS_NONE Delivered to internal network by a host with
no rDNS
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
0.0 T_REMOTE_IMAGE Message contains an external image
--
jarif.bit
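Added example, not code from the list or from either poster: a small Python parser for the SpamAssassin "Content analysis details" block quoted in the reply above. It re-sums the per-rule scores, checks that sum against the reported total and the required threshold, ranks the contributing rules, and shows what the verdict would be if one rule (here the CLAMAV signature hit) were removed. The sample text is a constructed copy of the report above; the line layout (score, rule name, description, with wrapped continuation lines and bracketed detail lines) is assumed to be the only format handled.

```python
import re

# Constructed sample, copied from the SpamAssassin report quoted in the reply.
SAMPLE_REPORT = """\
Content analysis details: (14.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.5 BOTNET Relay might be a spambot or virusbot
[botnet0.8,ip=23.111.183.206,rdns=23-111-183-206.static.hvvc.us,maildomain=hollowayaffiliates.com,client,ipinhostname,clientwords]
-0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
[score: 0.3871]
1.0 HTML_MESSAGE BODY: HTML included in message
2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
words
8.0 CLAMAV Clam AntiVirus detected a virus
[winnow.spam.ts.google.994118.UNOFFICIAL(59724bd0d31d1f2fccdbb50fed23e7cb:3924)]
0.8 RDNS_NONE Delivered to internal network by a host with
no rDNS
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
0.0 T_REMOTE_IMAGE Message contains an external image
"""

# "(14.4 points, 5.0 required)" -> reported total and threshold
HEADER_RE = re.compile(r"Content analysis details:\s*\(([-\d.]+) points, ([-\d.]+) required\)")
# "1.5 BOTNET Relay might be ..." -> score, rule name, description
RULE_RE = re.compile(r"^(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_report(text):
    """Parse a SpamAssassin content-analysis block into a dict of total, threshold and rules."""
    total = required = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m:
            total, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"score": float(m.group(1)), "name": m.group(2), "desc": m.group(3)})
        elif rules and not line.startswith(("pts", "----")):
            # A wrapped description or a bracketed detail line belongs to the previous rule.
            rules[-1]["desc"] += " " + line
    return {"total": total, "required": required, "rules": rules}


def summarize(report):
    """Re-sum the rule scores and compare with the reported total and the threshold."""
    computed = round(sum(r["score"] for r in report["rules"]), 1)
    top = sorted(((r["name"], r["score"]) for r in report["rules"]),
                 key=lambda pair: pair[1], reverse=True)
    return {
        "computed": computed,
        # SpamAssassin prints one decimal, so agree within rounding.
        "consistent": report["total"] is not None and abs(computed - report["total"]) < 0.05,
        "is_spam": computed >= report["required"],
        "top": top,
    }


def verdict_without(report, rule_name):
    """Would the message still cross the threshold if one rule had not fired?"""
    remaining = round(sum(r["score"] for r in report["rules"] if r["name"] != rule_name), 1)
    return remaining, remaining >= report["required"]


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    s = summarize(rep)
    print(f"computed {s['computed']} vs reported {rep['total']} (consistent={s['consistent']})")
    print("spam:", s["is_spam"], "top rules:", s["top"][:3])
    print("without CLAMAV:", verdict_without(rep, "CLAMAV"))
```

Running it on the quoted report gives a computed 14.4 that matches the header, and shows that even without the 8.0-point ClamAV signature the remaining 6.4 points still exceed the 5.0 threshold, which is a useful check when deciding how much a site's rejection depends on one third-party signature feed.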