Help - Chinese spam

Mark Martinec Mark.Martinec+amavis at ijs.si
Wed Dec 14 17:55:26 CET 2011 

Klaus,

> For several years I’ve been running a postfix/amavis filter in front of
> our faculty Exchange server. We are an on a University so we do have
> contact all over the world involved in discussions about all parts of
> the human body
> [...]
> But lately one of my users have been hit by huge amount of Chinese spam (I
> guess), I have adjusted my filters and included Chinese_rules.cf. Futher I
> have feed her letters to baisian and that helped somewhat for a couple of
> months, but now things is slipping in to this user again. The Chinese
> rules seems quite old and might be outdated at this time.
> 
> I have temporary placed a sample selection at
> http://mirror.sc.ku.dk/ahroo1it/ I would be gratefull if anybody would
> take a look on these and see if I by accident have disabled some of my
> filters. Suggestions for improved filtering would be fantastic to.
> 
> Our servers is currently running:
> amavisd-new-2.7.0
> spamassassin-3.3.1

I fed your messages through our setup.
Here are the rules that were most effective:

RCVD_IN_BL_SPAMCOP_NET
DCC_CHECK
RELAY_CN
L_CHARSET

and these helped ever now and then:

DEAR_SOMETHING
REPLYTO_WITHOUT_TO_CC
RCVD_IN_NIXSPAM
PYZOR_CHECK
MISSING_HEADERS
SUBJ_ALL_CAPS

We are also using a (3rd party) CRM114 plugin to SpamAssassin,
which is similar to Bayes in concept, but helps too in its own way.

I think the above rules are all standard, except RELAY_CN
and L_CHARSET, which are:


header RELAY_CN X-Relay-Countries=~/\bCN\b/
describe RELAY_CN       Relayed through China
score RELAY_CN 0.7

header __L_CHARSET1  ALL =~ m{=\?(iso-8859-9|GB2312)\?}i
header __L_CHARSET2  ALL =~ m{\bwindows-1254}i
header __L_CHARSET3  Content-Type =~ m{\b(?:windows-1256|ISO-8859-6)\b}i
full   __L_CHARSET4  /^Content-Type:.*\bcharset=(?:windows-1256|ISO-8859-6)\b/mi
header __L_CHARSET5  Subject =~ m{\b(?:windows-1256|ISO-8859-6)\b}i
header __L_CHARSET6  From:raw =~ m{\b(?:windows-1256|ISO-8859-6)\b}i
meta   L_ARABIC   __L_CHARSET3 || __L_CHARSET4 || __L_CHARSET5 || __L_CHARSET6
score  L_ARABIC   3
meta   L_CHARSET  __L_CHARSET1 + __L_CHARSET2 + L_ARABIC >= 1
score  L_CHARSET  1.6


(the RelayCountry plugin needs to be enabled for the RELAY_CN rule
to work)

The SpamAssassin user list is probably a better place for the topic.

  Mark

More information about the amavis-users mailing list