Hosting Provided By

Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

From: Brian Wilson <wilson-ml(at)bubba.org>
Date: Wed Sep 12 2007 - 13:20:53 EDT

On Wed, 12 Sep 2007, Brian Wilson wrote:

>
> I've somehow made it onto spam list that isn't being picked up by RBLs or by
> bayes. All messages have a url that looks like this (where X's are all
> digits):
>
> http://aero-dog.com/1-23-28276-45381XXXXXXX.html
>
> All messages are originating from 206.131.x.x and I have been submitting them
> to spamcop. A sample message is here: http://bubba.org/spam/newspam1.txt
>
> Any suggestions for detecting this? My bayes has been pretty much spot on
> for months, so this has me puzzled.
>

The sample was older so that is probably why it is being picked up, but the newer samples from here are not getting scored from RBL's. I added this URI rule to pick these up:

uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/ score FROSTY_SAVER_URI 10 I'm sure someone will complain that they have a better regex, but it's working for me.

Brian Received on Wed Sep 12 13:27:55 2007

This message: [ Message body ]
Next message: Jason Bertoch: "FW: FW: List of 700,000 IP addresses of virus infected computers"
Previous message: Jari Fredriksson: "Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam"
In reply to: Brian Wilson: "debbie-dealz / frosty-saver / got-hyrda / aero-dog spam"
Next in thread: John D. Hardin: "Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam"
Reply: John D. Hardin: "Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 02:29:15 EDT