spamassassin-users mailing list archives

From Alex <mysqlstud...@gmail.com>
Subject Re: Random word spams and wiki spams
Date Fri, 07 Jul 2017 17:04:19 GMT
Hi,

On Fri, Jul 7, 2017 at 12:14 PM, David Jones <djones@ena.com> wrote:
> On 07/07/2017 11:04 AM, Charles Amstutz wrote:
>>
>> Thank you everyone for the suggestions, I will look into it. One thing
>> I've noticed is that sometimes it takes a day for any *BL's to pick up some
>> of the spam, and by that time, the run could be done. Greylisting isn't an
>> option. It sometimes feels like always reactive vs pro-active in filtering.
>> For example, I try to block the old runs of "Ford Warranties", write a few
>> rules, then never receive them again :)
>>
>> This is a slight over-exaggeration, but close.
>>
>
> No. I completely understand.  A couple of years ago I was doing the same
> thing always reacting to new spam campaigns.  It took a lot of my time and I
> never felt like I was winning those one-day battles.
>
> Now I have tuned my MTA (Postfix with postscreen) to reject the majority of
> junk before it ever reaches SA.  See the archives for these Postscreen
> weighted RBLs if you are running Postfix.  With about 24 RBLs including
> invaluement, I am able to be aggressive with many RBLs adding up to a block
> threshold of 8 in postscreen.

I also have postfix, invaluement, of course Kevin's KAM rules, and
many (all?) of the other RBLs you use, including senderscore at the
postfix and spamassassin level.

I'm interested in how your system would have handled (or currently does
handle) this email I received some days ago:
https://pastebin.com/innRFvZt

Its IP (106.186.119.240) is still not listed with spamhaus, sorbs or
hostkarma, and has an 83 rating with senderscore.

It's just a short body with a URI which downloads malware. We got hit
by this pretty hard. This is where the real threats are. Receive one
of these to an Exchange distribution list and your reputation with the
customer suffers badly.

I'm also interested in other solutions - are those of you with
MIMEDefang or other systems blocking these?
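To make the postscreen approach David describes concrete, the following is an added example (not code from either poster, and not Postfix's own implementation) that reproduces the weighted-RBL arithmetic postscreen applies: each zone that lists the connecting IP contributes its weight, allowlists contribute a negative weight, and the sum is compared with a block threshold. The zone names are real public lists, but the per-zone weights, the dnswl reply filter, the block threshold of 8 taken from the quoted message, and the canned DNS answers are all assumptions constructed for this example. The resolver is injected so the script runs offline; the same scoring also shows the gap Alex raises, since an address listed nowhere (106.186.119.240 in the constructed table) scores 0 and is accepted.

```python
"""Weighted DNSBL scoring modelled on Postfix postscreen's
postscreen_dnsbl_sites / postscreen_dnsbl_threshold mechanism.

Added example, not Postfix code. Weights, threshold and DNS answers are
constructed assumptions; zone names are real public lists.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a DNSBL query name to its A records ([] means not listed).
Resolver = Callable[[str], List[str]]

# (zone, weight, optional predicate on the reply address).
# Negative weight = allowlist. All weights are assumptions for this example.
DNSBL_SITES: List[Tuple[str, int, Optional[Callable[[str], bool]]]] = [
    ("zen.spamhaus.org", 3, None),
    ("b.barracudacentral.org", 3, None),
    ("bl.spamcop.net", 2, None),
    ("psbl.surriel.com", 2, None),
    # dnswl: count only trust levels 1..3 (127.0.X.1, .2, .3), the same idea
    # as list.dnswl.org=127.0.[0..255].[1..3]*-4 in postscreen syntax.
    ("list.dnswl.org", -4,
     lambda a: a.startswith("127.0.") and a.rsplit(".", 1)[1] in ("1", "2", "3")),
]
BLOCK_THRESHOLD = 8  # value quoted from the thread, assumed for the demo


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def score_client(ip: str, resolve: Resolver,
                 sites=DNSBL_SITES) -> Tuple[int, List[str]]:
    """Sum the weights of every zone listing `ip`; return (score, zones hit)."""
    score = 0
    hits: List[str] = []
    for zone, weight, accept in sites:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            continue  # NXDOMAIN: not listed in this zone
        if accept is not None and not any(accept(a) for a in answers):
            continue  # listed, but with a reply code this policy ignores
        score += weight
        hits.append(zone)
    return score, hits


def verdict(score: int, threshold: int = BLOCK_THRESHOLD) -> str:
    """postscreen rejects once the weighted score reaches the threshold."""
    return "reject" if score >= threshold else "accept"


# Constructed answers standing in for live DNS. Addresses are from the
# 192.0.2.0/24 documentation range; 106.186.119.240 (the IP from the thread)
# is deliberately absent, i.e. listed nowhere.
FAKE_DNS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "10.2.0.192.b.barracudacentral.org": ["127.0.0.2"],
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "20.2.0.192.list.dnswl.org": ["127.0.5.2"],
    "30.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "30.2.0.192.b.barracudacentral.org": ["127.0.0.2"],
    "30.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "30.2.0.192.psbl.surriel.com": ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS lookup against the constructed table."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("106.186.119.240", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        s, h = score_client(ip, fake_resolver)
        print(f"{ip:16} score={s:3}  {verdict(s):7} hits={h}")
```

In Postfix the same policy is expressed in main.cf as `postscreen_dnsbl_sites` with one `zone*weight` entry per list and `postscreen_dnsbl_threshold = 8`; a live version of this script would replace `fake_resolver` with a real DNS query. Note that the 192.0.2.10 case reaches the threshold only because three lists agree, while 192.0.2.20 is listed by one blocklist and rescued by the dnswl allowlist, which is exactly the trade-off weighting is meant to express.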
