spamassassin-users October 2010 archive
spamassassin-users: Re: Constant .info domain spam

Re: Constant .info domain spam

From: Jason Bertoch <jason_at_nospam>
Date: Fri Oct 15 2010 - 00:59:29 GMT
To: users@spamassassin.apache.org

  On 10/14/2010 8:26 PM, Julian Yap wrote:
> On Thu, Oct 14, 2010 at 4:24 AM, Jason Bertoch<jason@i6ix.com> wrote:
>> On 2:59 PM, Julian Yap wrote:
>>> NOTE: I changed the domains below to 'dot info' as the mailing list
>>> rejected my initial submission.
>>>
>>> I'm pretty sure it's not just me but there is some constant spamming
>>> from dot info domains. Perhaps for the past 2 months or so.
>>>
>>> Often they send hundreds per day and consistently from the same IP's.
>>>
>> dot info domains hadn't crossed my radar, but I decided to look anyway and
>> found that my logs agree with your notion that 99% (100%?) of dot info From:
>> addresses are spam. Roughly 75% of mine are caught at the door by RBL's at
>> the MTA level. Of the ones that get through, another 75% score above my
>> reject threshold. A simple rule to bump the points of any dot info From:
>> address has now pushed everything to the tag level, and even many of the
>> tags to rejects.
>>
>> For what it's worth, the ones making it past the RBL's in the MTA do not
>> match any stock RCVD_IN_* rules.
> I think I'm going to write my own logic and block things at the MTA
> level. Implement my own local RBL based on some algorithms.
>
>

For what it's worth, the rule I'm using is:

# .info domains 99% spam (100%?)
# From:addr is the bare address; require an '@' and then a domain ending in .info
header JB_FROM_INFO_TLD From:addr =~ /\@[^@]*\.info$/i
describe JB_FROM_INFO_TLD From: address in .info TLD
score JB_FROM_INFO_TLD .01

Although broad rules such as this are generally discouraged, a score of
3 has proven effective based on my mail flow.

/Jason
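A way to check what a rule like the one above actually fires on, as an added example that is not part of Jason's post or of SpamAssassin itself. It emulates a `header NAME From:addr =~ /re/i` rule in Python: `From:addr` is approximated with `email.utils.parseaddr`, the sample From: headers are constructed, and the scores (3 for the rule, 5.0 as the default `required_score`, a hypothetical 10.0 MTA reject threshold) are assumptions for the illustration. It also keeps the regex exactly as posted beside the corrected one, so the difference (`\@*` makes the '@' optional) can be seen on an address with no '@' at all.

```python
"""Added example, not from the original post or from SpamAssassin itself:
emulate a `header NAME From:addr =~ /re/i` rule so the .info-TLD rule can
be exercised against constructed addresses before it gets a real score.
"""
import re
from email.utils import parseaddr
from typing import List, Tuple

# Regex as posted: `\@*` means "zero or more '@'", so the '@' is optional
# and the rule effectively reduces to "address ends in .info".
POSTED_RE = re.compile(r"@*\.info$", re.IGNORECASE)
# Corrected form: require an '@' and then a domain ending in .info.
INFO_TLD_RE = re.compile(r"@[^@]*\.info$", re.IGNORECASE)

# Assumed numbers for the illustration: the post ships the rule at .01 and
# reports that 3 worked for the author; 5.0 is SpamAssassin's default
# required_score; the reject threshold is a hypothetical MTA setting.
RULE_SCORE = 3.0
TAG_THRESHOLD = 5.0
REJECT_THRESHOLD = 10.0


def from_addr(header_value: str) -> str:
    """Bare address from a From: header, approximating SpamAssassin's From:addr."""
    return parseaddr(header_value)[1]


def matches_info_tld(header_value: str, pattern: re.Pattern = INFO_TLD_RE) -> bool:
    """True if the rule would fire on this From: header."""
    return pattern.search(from_addr(header_value)) is not None


def classify(base_score: float, header_value: str) -> Tuple[float, str]:
    """Add the rule's score when it fires and bucket the result."""
    score = base_score + (RULE_SCORE if matches_info_tld(header_value) else 0.0)
    if score >= REJECT_THRESHOLD:
        return score, "reject"
    if score >= TAG_THRESHOLD:
        return score, "tag"
    return score, "pass"


# Constructed sample From: headers (not real mail).
SAMPLES = [
    '"Great Deals" <promo@example.info>',   # fires: domain ends in .info
    'user@EXAMPLE.INFO',                    # fires: /i makes it case-insensitive
    'user@example.info.com',                # does not: $ anchors at the TLD
    'user@info.example.com',                # does not: .info is not the last label
    '"spam@x.info" <real@example.com>',     # does not: From:addr ignores the display name
]


def report(samples: List[str] = SAMPLES) -> List[Tuple[str, bool]]:
    """Which constructed samples the corrected rule fires on."""
    return [(s, matches_info_tld(s)) for s in samples]


if __name__ == "__main__":
    for header, hit in report():
        print(f"{'HIT ' if hit else 'miss'}  {header}")
    for base in (2.5, 7.5):
        print(base, classify(base, SAMPLES[0]))
```

The display-name sample is the one worth keeping in mind: a rule written against `From` rather than `From:addr` would also be triggered by a spoofed display name, which is not what the posted rule intends.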