Finally, I created SpamAssassin rules to filter out spam from Google mailservers. It appears that all messages are sent by the same software. Possibly it uses a Google vulnerability discovered some time ago (and, it seems, not fixed till now). All messages have several identifying characteristics. I will not tell all that I found because it would make it easy for spammers to "fix" their software. However, one thing can be made public.
All these messages have a link to a web site hosted in a network block owned by "instanbultelecom.net". This company is most likely fake and operated by spammers. Most sites are registered in the ".info" top-level domain because this domain has a very relaxed policy on spam. But hosting such sites in one network block makes it easy to filter them out. This network is already listed in several URLBLs, so just enable network tests in SpamAssassin. If you run your own DNSBL, you can create a rule to get rid of this spam completely. Here is my own rule:
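ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
  # Check URIs found in the message against the private zone, using A lookups
  uridnsbl DD_URIBL dnsbl.local. A
  body DD_URIBL eval:check_uridnsbl('DD_URIBL')
  describe DD_URIBL URI in my dnsbl
  # Network test: only runs when network tests are enabled
  tflags DD_URIBL net
  score DD_URIBL 1000.0
endif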
The following block is added to my private DNSBL: 79.135.167.0/24. A score of "1000" makes sure that this message will be silently deleted while being checked for spam. Easy!
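Added example, not from the original post: a Python sketch of how the 79.135.167.0/24 block could be written as records in a private DNSBL zone, and which name a DNSBL lookup for an address in that block uses. It assumes the conventional DNSBL layout (reversed IPv4 octets under the zone, an A record of 127.0.0.2 for listed entries) and handles other prefix lengths as well; the sample addresses are constructed.

```python
import ipaddress

ZONE = "dnsbl.local."            # zone name used in the rule above
LISTED = ["79.135.167.0/24"]     # block named in the post
LISTED_ANSWER = "127.0.0.2"      # assumption: conventional "listed" answer

def query_name(ip, zone=ZONE):
    """Name a DNSBL client queries for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_records(cidr, zone=ZONE):
    """Zone-file A records that list an IPv4 block.

    Blocks are split on the next octet boundary so each piece can be a
    wildcard record; pieces of /32 become exact-name records.
    """
    net = ipaddress.IPv4Network(cidr)          # raises if host bits are set
    boundary = max(8, -(-net.prefixlen // 8) * 8)
    records = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        owner = ".".join(reversed(octets)) + "." + zone
        if boundary < 32:
            owner = "*." + owner
        records.append(f"{owner} IN A {LISTED_ANSWER}")
    return records

def lookup(ip, blocks=LISTED):
    """Simulated zone answer: the listed A record, or None for NXDOMAIN."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(b) for b in blocks):
        return LISTED_ANSWER
    return None

if __name__ == "__main__":
    for block in LISTED:
        print("\n".join(zone_records(block)))
    # Constructed sample addresses: one inside the block, one outside it.
    for ip in ("79.135.167.42", "192.0.2.10"):
        print(query_name(ip), "->", lookup(ip) or "NXDOMAIN")
```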
