How can I configure spamassassin to kill these emails?

[mphilben]

Lately I've been getting lots of spam from newsletter@somename.co.cc - where the somename changes continually. I've tried a number of blacklist entries with no success... Any help would be appreciated.

Here's what the typical headers look like:

Return-Path: <bounce-359-24325333-mikep=ware.com@hazelscript.co.cc>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on b.spam.sonic.net
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=5.0 tests=DATE_IN_PAST_03_06,
DCC_REPUT_00_12,DKIM_SIGNED,HS_INDEX_PARAM,HTML_IMAGE_RATIO_08,HTML_MESSAGE,
MIME_HTML_ONLY,T_DKIM_INVALID,T_REMOTE_IMAGE autolearn=disabled version=3.3.2
Received: from h.mx.sonic.net (h.mx.sonic.net [69.12.208.76])
by b.lds.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q6KIdgSC012215
for <mp@lds.sonic.net>; Fri, 20 Jul 2012 11:39:42 -0700
Received: from smtp.hazelscript.co.cc (ip-76-37.powernet.bg [78.128.76.37] (may be forged))
by h.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q6KIde0c008418
for <mikep@ware.com>; Fri, 20 Jul 2012 11:39:42 -0700
Message-Id: <201207201839.q6KIde0c008418@h.mx.sonic.net>
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=hazelscript.co.cc;
h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To; i=newsletter@hazelscript.co.cc;
bh=Sx7Effjdq32bmn3qwZ9I4QeIt3k=;
b=dtdfbCSOiqR+/RGRc2b21piUkBWiyq0VIG/uAC7c1o1evY/uaGpkvIRN0Q+82PTt9W3xOaJ/ajzW
9AmJgT0cQ6H5DmQi3K98Hz6Kzx01ZSFnllqIkgnOgJjulAFNMaMshLTfYquzcjUozG6ezKw+OwUg
fsGPDdog48BW3eXP6HA=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=hazelscript.co.cc;
b=qEWuPj5om9igNStAvqnmnmURhJTUYvfgec5hoeuzdzca/1HN9lwcqSLUZjrxGCKGqvN9dbe2HMfB
7l6RU/r1Vo5qB+CTaf7ngz08vkyE7SO+Q3yygcaDtQCvAxBXDuBIR8amMiE6Ei0PPQ3Ohy9o1a6Q
aKi0TgIa+7CeAE9cFLo=;
Mime-Version: 1.0
Content-Type: text/html
Date: Fri, 20 Jul 2012 10:40:09 -0400
From: "Save 70% on Electricity" <newsletter@hazelscript.co.cc>
Reply-To: "Newsletter" <newsletter@hazelscript.co.cc>
Subject: Go solar & save up to 70% on electricity
To: <mikep@ware.com>
X-Sonic-SB-IP-RBLs: IP RBLs .

[thulsa_doom]

Considering how low-scoring this message was in SpamAssassin, you may want to consider using wildcards to block anything from newsletter@*.*

That's assuming you don't expect legitimate mail from anybody using "newsletters" as the first part of their address, of course.

Alternately you could try blocking newsletter@*.co.cc if you expect no legitimate mail from .co.cc addresses.

[mphilben]

Thanks John - We'll see how the last version works ...

[hexapuma]

If you're willing to block all mail from .co.cc, add *@*.co.cc to Blacklist From. If you're getting a lot of spam, lower your Required Hits from the default 5. I usually use 1.

If you really want to get rid of all .co.cc mail, here's a procmail recipe that I use that puts it all in the Trash folder.

Code: Select all

#Dump *.co.cc spam
:0
* 1^0 ^From: .*@.*\.co\.cc[\>| ]
* 1^0 ^Reply-To: .*@.*\.co\.cc[\>| ]
* 1^0 ^Return-Path: .*@.*\.co\.cc[\>| ]
* 1^0 ^Message-Id: .*@.*\.co\.cc[\>| ]
* 1^0 ^Received: .*@.*\.co\.cc[\>| ]
$DEFAULT.Trash/