
Re: Constant .info domain spam

From: Julian Yap <julianokyap_at_nospam>
Date: Wed Oct 13 2010 - 00:03:14 GMT
To: Karsten Bräckelmann <guenther@rudersport.de>

2010/10/12 Karsten Bräckelmann <guenther@rudersport.de>:
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
>> NOTE: I changed the domains below to 'dot info' as the mailing list
>> rejected my initial submission.
>>
>> I'm pretty sure it's not just me but there is some constant spamming
>> from dot info domains.  Perhaps for the past 2 months or so.
>>
>> Often they send hundreds per day and consistently from the same IPs.
>>
>> Are people using automated IP blacklists or something like that?
>
> Yes. SA even uses them by default.
>
> What do your SA rules triggered look like? Check your identified spam.
> Do you see RCVD_IN_* rules?
>
> If not, you are having DNS problems, or deliberately disabled those
> network checks.

Many of them don't trigger the RCVD_IN_* rules. Does anyone implement
their own private DNS black list?

Here's a latest one:
From: "Juice Up My Income" <Art@parkrasive dot info>
Subject: Sometimes timing is everything
Date Received: Oct 12, 2010 13:43 PM

Rules triggered:
7.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
1.2 HOST_EQ_STATIC HOST_EQ_STATIC
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.5 MY_OBFUX RAW: X with unusual chars
0.3 MY_OBFU_MISC RAW: Misc unusual chars together
0.3 HOST_MISMATCH_COM HOST_MISMATCH_COM
0.3 MIME_8BIT_HEADER Message header contains 8-bit character
1.4 HELO_MISMATCH_INFO HELO_MISMATCH_INFO
0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
0.0 T_REMOTE_IMAGE Message contains an external image