Since I've enabled a "reject" DMARC policy on my domains, I've been reviewing the various failure reports that come in to see what crazy spam those crazy spammers might try to send. Amazingly, they are willing to try to send some really bad stuff to see if it gets through.
This one email message I received a DMARC failure report about today came with a SpamAssassin score of 33.8. Most often, a SpamAssassin score of 5 or greater is considered spammy. And I don't think I've seen a SpamAssassin score above 12 in a long time. This bad guy is sending pill-selling spam while pretending to be from a domain he doesn't own (one that's locked down with DMARC), linking to blacklisted domains and sending from an IP address that's listed on a bunch of different blacklists. It surely doesn't seem like a recipe for success. Why even bother to keep spewing garbage when nobody is going to receive it?
Here's the different SpamAssassin rules that ONE SINGLE MESSAGE triggered:
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
3.0 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist
0.6 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
0.0 TVD_RCVD_IP4 Message was received from an IPv4 address
0.0 TVD_RCVD_IP Message was received from an IP address
2.3 SUBJECT_DRUG_GAP_L Subject contains a gappy version of 'levitra'
0.6 HK_RANDOM_ENVFROM Envelope sender username looks random
1.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
0.9 SPF_FAIL SPF: sender does not match SPF record (fail)
0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image area
0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted Colors in HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
2.2 DRUGS_ERECTILE Refers to an erectile drug
1.4 FSL_HELO_BARE_IP_1 No description available.
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
Since I've enabled a "reject" DMARC policy on my domains, I've been reviewing the various failure reports that come in to see what crazy spam those crazy spammers might try to send. Amazingly, they are willing to try to send some really bad stuff to see if it gets through.
Here's the different SpamAssassin rules that ONE SINGLE MESSAGE triggered:
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
3.0 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist
0.6 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
0.0 TVD_RCVD_IP4 Message was received from an IPv4 address
0.0 TVD_RCVD_IP Message was received from an IP address
2.3 SUBJECT_DRUG_GAP_L Subject contains a gappy version of 'levitra'
0.6 HK_RANDOM_ENVFROM Envelope sender username looks random
1.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
0.9 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
0.9 SPF_FAIL SPF: sender does not match SPF record (fail)
0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image area
0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted Colors in HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
2.2 DRUGS_ERECTILE Refers to an erectile drug
1.4 FSL_HELO_BARE_IP_1 No description available.
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
Comments
Post a Comment
Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.