[Mimedefang] Catching the porn spams
Martin Blapp
mb at imp.ch
Sun Sep 12 04:05:32 EDT 2004
Hi,
> Maybe we need to think a little outside the box. Porn spam's objective
> is to get you to go to their website, subscribe etc.
> Now maybe we need to search the body for web links then match them
> against a blacklist.
There are many ways to fight this porn spam.
1. Install Spamikaze http://spamikaze.nl.linux.org, make an RBL and use it.
The delay for building the RBL should be < 1 minute.
2. You can record the URLs from the mails Spamikaze catches too, and make your own URI-BL.
3. Use Razor, Pyzor and DCC.
4. Use Spamcop, Sorbs and other Blacklists.
Now to the interesting part. Combine these tests with your own tests. You'll
see that you really get better matches then!
Martin
#
# Combine some blacklists and RBLs. Very effective.
#
# Sum of fifteen relay/proxy/zombie and spam DNSBL tests (NJABL, SORBS,
# Spamhaus XBL/SBL, DSBL, SpamCop, SWINOG).  __RELAY_RBL_1 is true when
# exactly one of them hit.  No score is attached to it here; it is only a
# building block for the RBL_COMBO_* rules below.
# __RELAY_RBL_2 and __RELAY_RBL_3 repeat the same sum with == 2 and >= 3,
# so at most one of the three can be true for a given message.
# NOTE(review): which Received hop these RCVD_IN_* tests are applied to
# depends on the SpamAssassin network setup, not on this file - confirm it
# matches the relay chain of your site before trusting the counts.
meta __RELAY_RBL_1 (RCVD_IN_NJABL_RELAY +
RCVD_IN_NJABL_CGI +
RCVD_IN_NJABL_PROXY +
RCVD_IN_SORBS_HTTP +
RCVD_IN_SORBS_MISC +
RCVD_IN_SORBS_SMTP +
RCVD_IN_SORBS_SOCKS +
RCVD_IN_SORBS_WEB +
RCVD_IN_SORBS_ZOMBIE +
RCVD_IN_XBL + RCVD_IN_SBL +
RCVD_IN_DSBL +
RCVD_IN_BL_SPAMCOP_NET +
RCVD_IN_NJABL_SPAM +
RCVD_IN_SWINOG == 1)
# Same fifteen DNSBL tests as __RELAY_RBL_1; true when exactly two hit.
# Mutually exclusive with __RELAY_RBL_1 (== 1) and __RELAY_RBL_3 (>= 3).
meta __RELAY_RBL_2 (RCVD_IN_NJABL_RELAY +
RCVD_IN_NJABL_CGI +
RCVD_IN_NJABL_PROXY +
RCVD_IN_SORBS_HTTP +
RCVD_IN_SORBS_MISC +
RCVD_IN_SORBS_SMTP +
RCVD_IN_SORBS_SOCKS +
RCVD_IN_SORBS_WEB +
RCVD_IN_SORBS_ZOMBIE +
RCVD_IN_XBL + RCVD_IN_SBL +
RCVD_IN_DSBL +
RCVD_IN_BL_SPAMCOP_NET +
RCVD_IN_NJABL_SPAM +
RCVD_IN_SWINOG == 2)
# Same fifteen DNSBL tests as __RELAY_RBL_1; true when three or more hit.
# Mutually exclusive with __RELAY_RBL_1 (== 1) and __RELAY_RBL_2 (== 2).
meta __RELAY_RBL_3 (RCVD_IN_NJABL_RELAY +
RCVD_IN_NJABL_CGI +
RCVD_IN_NJABL_PROXY +
RCVD_IN_SORBS_HTTP +
RCVD_IN_SORBS_MISC +
RCVD_IN_SORBS_SMTP +
RCVD_IN_SORBS_SOCKS +
RCVD_IN_SORBS_WEB +
RCVD_IN_SORBS_ZOMBIE +
RCVD_IN_XBL + RCVD_IN_SBL +
RCVD_IN_DSBL +
RCVD_IN_BL_SPAMCOP_NET +
RCVD_IN_NJABL_SPAM +
RCVD_IN_SWINOG >= 3)
# Unscored helper rules grouping the network tests by source.
# Spamhaus: any of the URI SBL lookup, the XBL or the SBL relay lookups.
meta __SPAMHAUS_ALLRBL (URIBL_SBL + RCVD_IN_XBL + RCVD_IN_SBL >= 1)
# Spamhaus relay lookups only (XBL or SBL), without the URI check.
meta __SPAMHAUS_RBL (RCVD_IN_XBL + RCVD_IN_SBL >= 1)
# Any of the three SURBL URI lists (AB, OB, WS).
meta __SURBL_RBL (URIBL_AB_SURBL + URIBL_OB_SURBL + URIBL_WS_SURBL >= 1)
# URI blacklists (Spamhaus SBL, three SURBL lists, SWINOG): exactly one hit ...
meta __URI_RBL_SINGLE (URIBL_SBL + URIBL_AB_SURBL + URIBL_OB_SURBL +
URIBL_WS_SURBL + URIBL_SC_SWINOG == 1)
# ... or two or more hits.  The two are mutually exclusive.
meta __URI_RBL_MULTI (URIBL_SBL + URIBL_AB_SURBL + URIBL_OB_SURBL +
URIBL_WS_SURBL + URIBL_SC_SWINOG >= 2)
# Checksum/digest services (DCC, Razor2, Pyzor): exactly one reported the
# message ...
meta __ONE_DIGEST_TRUE (DCC_CHECK + RAZOR2_CHECK + PYZOR_CHECK == 1)
# ... or at least one did.  Note that __DIGEST_TRUE includes the
# __ONE_DIGEST_TRUE case.
meta __DIGEST_TRUE (DCC_CHECK + RAZOR2_CHECK + PYZOR_CHECK >= 1)
# True when any one of the listed combo rules fired, or when two or more of
# the relay DNSBL tests hit (__RELAY_RBL_2 / __RELAY_RBL_3).  The "== 1" only
# turns the OR chain into a 0/1 value.  Note what is deliberately absent:
# RBL_COMBO_A_2 (the weakest A combo) and the whole RBL_COMBO_E_* series.
# The RBL_COMBO_* rules are defined further down in this file; this helper is
# used only by RBL_COMBO_SEX at the end.
meta __RBL_COMBO_MATCH ((RBL_COMBO_A_3 || RBL_COMBO_A_4 || RBL_COMBO_A_5 ||
RBL_COMBO_B_2 || RBL_COMBO_B_3 || RBL_COMBO_C_1 ||
RBL_COMBO_C_2 || RBL_COMBO_C_3 || RBL_COMBO_D_1 ||
RBL_COMBO_D_2a || RBL_COMBO_D_2b || RBL_COMBO_D_3 ||
__RELAY_RBL_2 || __RELAY_RBL_3) == 1)
#
# Combine at least two positive network tests.
#
# Combo A counts independent network tests: SURBL hit, multiple digest hits,
# SWINOG URI hit, SPF failure, and "any relay DNSBL count".  Because
# __RELAY_RBL_1/2/3 are mutually exclusive, the relay trio contributes at most
# 1, so the sum ranges from 0 to 5 and "RBL_COMBO_A_5 >= 5" can only mean all
# five sources agree.
# NOTE(review): SPF_FAIL is weighted the same as a DNSBL listing here.
# Forwarded mail commonly fails SPF, so watch the false-positive rate of A_2
# in particular (its score is kept low at 2.0).
# DIGEST_MULTIPLE is not defined in this file; presumably the stock
# SpamAssassin rule for two or more digest services agreeing - confirm.
meta RBL_COMBO_A_2 (__SURBL_RBL + DIGEST_MULTIPLE + URIBL_SC_SWINOG +
SPF_FAIL + __RELAY_RBL_1 + __RELAY_RBL_2 + __RELAY_RBL_3 == 2)
meta RBL_COMBO_A_3 (__SURBL_RBL + DIGEST_MULTIPLE + URIBL_SC_SWINOG +
SPF_FAIL + __RELAY_RBL_1 + __RELAY_RBL_2 + __RELAY_RBL_3 == 3)
meta RBL_COMBO_A_4 (__SURBL_RBL + DIGEST_MULTIPLE + URIBL_SC_SWINOG +
SPF_FAIL + __RELAY_RBL_1 + __RELAY_RBL_2 + __RELAY_RBL_3 == 4)
meta RBL_COMBO_A_5 (__SURBL_RBL + DIGEST_MULTIPLE + URIBL_SC_SWINOG +
SPF_FAIL + __RELAY_RBL_1 + __RELAY_RBL_2 + __RELAY_RBL_3 >= 5)
describe RBL_COMBO_A_2 Blacklist Combo A (2)
describe RBL_COMBO_A_3 Blacklist Combo A (3)
describe RBL_COMBO_A_4 Blacklist Combo A (4)
describe RBL_COMBO_A_5 Blacklist Combo A (5+)
# Scores escalate with the number of agreeing sources: 2 -> 5 -> 7 -> 9.
# Exactly one A rule can match, so these scores do not stack with each other.
score RBL_COMBO_A_2 2.000
score RBL_COMBO_A_3 5.000
score RBL_COMBO_A_4 7.000
score RBL_COMBO_A_5 9.000
#
# Honour multi-tests (and spamhaus entries)
#
# Combo B counts the stronger form of each source: two or more URI-BL hits,
# at least one digest hit, and a Spamhaus XBL/SBL relay listing.
# B_2 = exactly two of the three, B_3 = all three.  Mutually exclusive.
meta RBL_COMBO_B_2 (__URI_RBL_MULTI + __DIGEST_TRUE +
__SPAMHAUS_RBL == 2)
meta RBL_COMBO_B_3 (__URI_RBL_MULTI + __DIGEST_TRUE +
__SPAMHAUS_RBL == 3)
describe RBL_COMBO_B_2 Blacklist Combo B (2)
describe RBL_COMBO_B_3 Blacklist Combo B (3)
# Higher base scores than Combo A because every term already requires
# agreement from more than one list.
score RBL_COMBO_B_2 6.000
score RBL_COMBO_B_3 8.000
#
# Because we use a lower positive Bayes level, we honour it if we also have a
# DIGEST or RBL match.
# To avoid false positives, the score for RBL_COMBO_C_1 is low.
#
# Combo C starts from one weak, local signal - Bayes at 90%/95%/99% or the
# sending IP on a NJABL/SORBS DUL list - and requires network confirmation.
# The OR group evaluates to a single 0/1 term, so "== 2" means "weak signal
# AND the confirming test".
# NOTE(review): the DUL lists appear, from their names, to cover dynamic /
# dial-up address space; a legitimate sender on such space plus one digest
# hit is enough for C_1, hence the author's low score - confirm for your
# traffic.
# C_1: weak signal + exactly one digest service agrees.
meta RBL_COMBO_C_1 ((BAYES_99 || BAYES_95 || BAYES_90 ||
RCVD_IN_NJABL_DUL || RCVD_IN_SORBS_DUL) +
__ONE_DIGEST_TRUE == 2)
# C_2: weak signal + any Spamhaus, SURBL or SWINOG listing (no digest needed).
meta RBL_COMBO_C_2 ((BAYES_99 || BAYES_95 || BAYES_90 ||
RCVD_IN_NJABL_DUL || RCVD_IN_SORBS_DUL) +
(__SPAMHAUS_ALLRBL || __SURBL_RBL || URIBL_SC_SWINOG) == 2)
# C_3: weak signal + multiple digest hits + a Spamhaus/SURBL/SWINOG listing.
# C_1 and C_3 exclude each other (one digest vs. multiple); C_2 can fire
# alongside either of them.
meta RBL_COMBO_C_3 ((BAYES_99 || BAYES_95 || BAYES_90 ||
RCVD_IN_NJABL_DUL || RCVD_IN_SORBS_DUL) +
DIGEST_MULTIPLE + (__SPAMHAUS_ALLRBL ||
__SURBL_RBL || URIBL_SC_SWINOG) == 3)
describe RBL_COMBO_C_1 Blacklist Combo C (1)
describe RBL_COMBO_C_2 Blacklist Combo C (2)
describe RBL_COMBO_C_3 Blacklist Combo C (3)
score RBL_COMBO_C_1 2.000
score RBL_COMBO_C_2 2.000
score RBL_COMBO_C_3 6.000
#
# Honour combined URI and URIBL-Network tests
#
# Combo D pairs URI-blacklist strength with digest strength.  Both pairs of
# inputs are mutually exclusive (__URI_RBL_SINGLE vs. __URI_RBL_MULTI,
# __ONE_DIGEST_TRUE vs. DIGEST_MULTIPLE), so exactly one D rule can match.
# The number in the describe text appears to count the underlying positive
# tests (single URI + single digest = 2, ... , multi URI + multi digest = 4),
# not the rule suffix.
meta RBL_COMBO_D_1 (__URI_RBL_SINGLE + __ONE_DIGEST_TRUE == 2)
meta RBL_COMBO_D_2a (__URI_RBL_SINGLE + DIGEST_MULTIPLE == 2)
meta RBL_COMBO_D_2b (__URI_RBL_MULTI + __ONE_DIGEST_TRUE == 2)
meta RBL_COMBO_D_3 (__URI_RBL_MULTI + DIGEST_MULTIPLE == 2)
describe RBL_COMBO_D_1 Blacklist Combo D (2)
describe RBL_COMBO_D_2a Blacklist Combo D (3)
describe RBL_COMBO_D_2b Blacklist Combo D (3)
describe RBL_COMBO_D_3 Blacklist Combo D (4)
score RBL_COMBO_D_1 2.000
score RBL_COMBO_D_2a 3.000
score RBL_COMBO_D_2b 3.000
score RBL_COMBO_D_3 6.000
# Overrides the score of DIGEST_MULTIPLE, which is not defined in this file
# (presumably the stock SpamAssassin rule).  It still scores on its own in
# addition to any D/A/C combo that uses it.
score DIGEST_MULTIPLE 2.000
#
# Combine Network-tests with URIBL-Network tests
#
# Combo E adds the relay DNSBL count on top of the matching Combo D rule.
# Since __RELAY_RBL_1/2/3 are mutually exclusive, "== 2" simply means
# "the D rule fired AND at least one relay DNSBL listed the sending host".
# E therefore fires together with its D counterpart, and both scores apply.
# Like the D rules, at most one E rule can match a message.
meta RBL_COMBO_E_1 (RBL_COMBO_D_1 + __RELAY_RBL_1 +
__RELAY_RBL_2 + __RELAY_RBL_3 == 2)
meta RBL_COMBO_E_2a (RBL_COMBO_D_2a + __RELAY_RBL_1 +
__RELAY_RBL_2 + __RELAY_RBL_3 == 2)
meta RBL_COMBO_E_2b (RBL_COMBO_D_2b + __RELAY_RBL_1 +
__RELAY_RBL_2 + __RELAY_RBL_3 == 2)
meta RBL_COMBO_E_3 (RBL_COMBO_D_3 + __RELAY_RBL_1 +
__RELAY_RBL_2 + __RELAY_RBL_3 == 2)
describe RBL_COMBO_E_1 Blacklist Combo E (2)
describe RBL_COMBO_E_2a Blacklist Combo E (3)
describe RBL_COMBO_E_2b Blacklist Combo E (3)
describe RBL_COMBO_E_3 Blacklist Combo E (4)
score RBL_COMBO_E_1 4.000
score RBL_COMBO_E_2a 6.000
score RBL_COMBO_E_2b 6.000
score RBL_COMBO_E_3 9.000
#
# Combine the combo tests with spammer signs
#
# Content + network agreement: one of the porn-URL content rules (neither is
# defined in this file) AND any of the combos collected in __RBL_COMBO_MATCH.
# Adds 3.0 on top of whatever the underlying combo already scored.
meta RBL_COMBO_SEX ((PORN_URL_SEX || PORN_URL_MISC) + __RBL_COMBO_MATCH == 2)
describe RBL_COMBO_SEX Blacklist Combo + Sexmail (3+)
score RBL_COMBO_SEX 3.000