[Mimedefang] greylisting and HABEAS_SWE
Nels Lindquist
nlindq at maei.ca
Fri Jan 16 14:49:24 EST 2004
On 16 Jan 2004 at 13:14, Kevin A. McGrail wrote:
> I am familiar with this Habeas test and have seen the exact spam and
> problems you are referring to on our network.
<snip>
> I am considering removing the negative score for their tag because we have
> seen an upswell of spam using this. The spammer either doesn't know,
> doesn't care, or will get shutdown pretty quickly.
There's been *lots* of discussion on the SA-Talk list about this.
It's only one spammer, and Habeas has definitely started the legal
wheels turning. They're adding entries to the violators RBL as
quickly as they can, but the spammer in question is using a large
number of compromised open proxies to relay the mail. Until the
spammer is shutdown via the legal system, I've found the following
local rules to work extremely well:
uri PHARMACOURT_BIZ /\b(?:pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i
describe PHARMACOURT_BIZ Includes a link to spammer www.pharmacourt.biz
score PHARMACOURT_BIZ 3.0
meta HABEAS_VIOLATOR_LOCAL (!HABEAS_VIOLATOR && PHARMACOURT_BIZ && HABEAS_SWE)
describe HABEAS_VIOLATOR_LOCAL Spammer known to abuse Habeas mark
score HABEAS_VIOLATOR_LOCAL 16.0
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
More information about the MIMEDefang
mailing list