[Mimedefang] Using MD to defeat spam with embedded far-east URI's
    Mitch at 0Bits.COM 
    Sun Jul 20 14:12:01 EDT 2003
    
    
  
Hi,

I've been looking at my spam recently in the Quarantined directory
and apart from the Nigerian guy who wants desperately to send me
a million dollars, a pattern is appearing that appears not to be
being caught which would give a higher hit rate of spam detection.

Most if not all spam have URIs in them that resolve to Korean/Chinese/Taiwan
DNS blocks. Although spamassassin has the 20_uri_tests.cf, this only
checks against a static set of known words. New spams are now using
words like "\/iagra", "Teen/\ge" and such to defeat SA. Clearly
using a static defeat list in SA is not ideal.

Although it's trivial to block the far-eastern domain relays sending
emails to us, we don't seem to score URIs by DNS resolution against a
fixed list or RBL for example.

So my question is can this be done in MD easily? What it essentially
entails would be a filter to shove into an array any URIs appearing
in the body and then reverse resolve and check against a static block
list (i.e. all far-eastern classes) or against RBL?

Comments?

Mitch
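
The check asked about above, as an added example (not part of the original post and not a MIMEDefang filter): it collects the http(s) URIs in a message body, resolves each host, and scores the message for every host with an address inside a listed network block. It is stand-alone Python; the names `extract_hosts`, `score_body` and `BLOCKED_NETS`, the 2.0 point weight, and the sample body and DNS answers are assumptions made for illustration, and the networks are documentation ranges.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed block list (RFC 5737 documentation ranges); a real list would
# hold whichever network blocks the site has decided to score.
BLOCKED_NETS = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "203.0.113.0/24")]
URI_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample body and DNS answers, so the example runs offline.
SAMPLE_BODY = '''Limited offer: http://pills.example/buy?id=1
<a href="http://203.0.113.77/t">click</a> or read http://news.example.org/
'''
SAMPLE_DNS = {"pills.example": ["198.51.100.20"],
              "news.example.org": ["192.0.2.10"]}


def extract_hosts(body):
    """Return the unique hostnames of http(s) URIs in body, in order seen."""
    hosts = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname
        except ValueError:          # malformed authority, e.g. bad brackets
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def dns_resolve(host):
    """Default resolver: IPv4 addresses for host, empty list on failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except (OSError, UnicodeError):
        return []


def score_body(body, resolve=dns_resolve, nets=BLOCKED_NETS, points=2.0):
    """Add `points` for each URI host with an address in a blocked net."""
    hits = []
    for host in extract_hosts(body):
        try:
            addrs = [ipaddress.ip_address(host)]      # URI used a literal IP
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if any(a in net for a in addrs for net in nets):
            hits.append(host)
    return points * len(hits), hits
```

Passing `resolve=lambda h: SAMPLE_DNS.get(h, [])` runs the check against the constructed answers instead of live DNS; hosts that fail to resolve contribute nothing to the score.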
    
    