From: Steve <spamassassin_steve_at_nospam>
Date: Fri Sep 02 2011 - 14:13:32 GMT

There is something curious I've noticed... I'm wondering if I'm unique,
and if there's an obvious way to improve my setup.

I was thumbing through my spam folder, and noticed that the bulk of my
spam conformed to a very obvious pattern... Over a time period from
minutes to hours, I receive nine identical copies of a spam email from
the same originating IP address all to an identical (often never
published/used) recipient email address. The emails get a high
spamassassin score (between 20 and 40) so I don't see them... but they
do make up a substantial proportion of the volume of spam I'm processing.

I'm interpreting this as a single prolific spamming operation under some
sort of centralised control... based upon the extremely recognisable

The high score often includes a handful of DNS block lists - but this
isn't consistent... and I'm reluctant to completely block email on
account of a DNS block list - since a single false positive would be a
far worse consequence than processing and storing a few thousand spams
each week.

I wonder, would it be possible to reject an email identical (same
originating IP; same addressee; same subject) to an email received in
the last minute, say, that had a spamassassin score of over 30? If I
could find a way to do that, I could reduce the volume of spam I have to
process/store by a factor of about 8. Rejecting only emails with
credentials identical to known recent highly scoring spam would make the
risk of false positives minimal.

Does anyone do this already?
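
The check proposed above, sketched as an added example that is not part of the original post and not SpamAssassin code: a short-lived cache of (originating IP, recipient, subject) fingerprints taken from messages that scored over 30, consulted before a new message is scanned. The class and method names are hypothetical, and it assumes the mail server calls `should_reject` at end of DATA (when the subject is known) and `record` once a score is available.

```python
import hashlib
import time
from collections import OrderedDict

class RecentSpamCache:
    """Remembers (IP, recipient, subject) of recent high-scoring spam."""

    def __init__(self, min_score=30.0, window=60.0, max_entries=100_000):
        self.min_score = min_score      # only scores strictly above this are remembered
        self.window = window            # seconds a fingerprint stays valid
        self.max_entries = max_entries  # hard cap so a flood cannot exhaust memory
        self._seen = OrderedDict()      # fingerprint -> expiry time, oldest first

    @staticmethod
    def fingerprint(ip, rcpt, subject):
        # Normalise the parts that vary harmlessly, then hash with a NUL
        # separator so ("a", "b c") and ("a b", "c") cannot collide.
        parts = (ip.strip(), rcpt.strip().lower(), " ".join(subject.split()))
        return hashlib.sha256("\0".join(parts).encode("utf-8")).hexdigest()

    def _expire(self, now):
        # The window is constant, so insertion order is also expiry order.
        while self._seen:
            key, expiry = next(iter(self._seen.items()))
            if expiry > now:
                break
            del self._seen[key]

    def record(self, ip, rcpt, subject, score, now=None):
        """Call after an accepted message has been scored."""
        now = time.time() if now is None else now
        self._expire(now)
        if score <= self.min_score:
            return False                # ordinary mail is never remembered
        key = self.fingerprint(ip, rcpt, subject)
        self._seen.pop(key, None)       # re-insert to keep expiry order
        self._seen[key] = now + self.window
        while len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)
        return True

    def should_reject(self, ip, rcpt, subject, now=None):
        """Call before scanning: True only for a repeat of remembered spam."""
        now = time.time() if now is None else now
        self._expire(now)
        return self.fingerprint(ip, rcpt, subject) in self._seen
```

Because rejected copies are never scored, they do not extend the window; the post describes copies arriving over minutes to hours, so `window` would need to be longer than one minute to catch most of them.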