Problem with Spam E-Mails with just an URL
This is a real spam message collected in a user quarantine. Shown below are the message headers, including the X-MailCleaner anti-spam tags that record the filtering process.
Received: by mailcleaner.example.net stage2 with id 1WjQDt-0001vn-1T
    for <john.doe@example.net>; Sun, 11 May 2014 11:39:09 +0200
Received: from hermes.apache.org ([140.211.11.3] helo=mail.apache.org)
    by mailcleaner.example.net stage1 with smtp
    (Exim MailCleaner)
    id 1WjQDs-0001uZ-HO
    for <john.doe@example.net>
    from <users-return-103185-john.doe=example.net@spamassassin.apache.org>; Sun, 11 May 2014 11:39:08 +0200
Received: (qmail 38343 invoked by uid 500); 11 May 2014 09:12:20 -0000
X-MailCleaner-SPF: pass
Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:users-help@spamassassin.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@spamassassin.apache.org>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 38336 invoked by uid 99); 11 May 2014 09:12:20 -0000
Received: from Unknown (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 11 May 2014 09:12:20 +0000
X-ASF-Spam-Status: No, hits=3.5 required=10.0
    tests=SPF_PASS,URIBL_BLACK
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of lucabert@lucabert.de designates 84.200.210.163 as permitted sender)
Received: from [84.200.210.163] (HELO mail.lucabert.de) (84.200.210.163)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 11 May 2014 09:12:17 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lucabert.de; s=2014;
    h=Content-Transfer-Encoding:Content-Type:Mime-Version:Message-ID:Subject:To:From:Date; bh=r4sgbOFrY5rPOrUysUZxo3b88Hub7swg5aRgtKGCJHs=;
    b=tUxeE4g1fLjHv3HvvQ8ZY8/VBqk3GNy/efT4qxaLy79GcfsnAcpFeJHA1TjgXs70fnmIrh46E9R4WB/Vczqqtqxu8U9AslsCxHGIJVlQq2IBKtGkC3Ztfcbg8m4f+F1V;
Received: from [2a02:2918:1007:2000:1::1] (helo=frodo.lucabert.intra)
    by mail.lucabert.de with esmtpsa (TLSv1:AES128-SHA:128)
    (Exim 4.75)
    (envelope-from <lucabert@lucabert.de>)
    id 1WjPnW-0003uT-U6
    for users@spamassassin.apache.org; Sun, 11 May 2014 11:11:55 +0200
Date: Sun, 11 May 2014 11:11:53 +0200
From: Luca Bertoncello <lucabert@lucabert.de>
To: users@spamassassin.apache.org
Subject: Problem with Spam E-Mails with just an URL
Message-ID: <20140511111153.5675a39c@frodo.lucabert.intra>
X-Mailer: Claws Mail 3.7.7 (GTK+ 2.12.9; i486-pc-linux-gnu)
X-Face: +57T0W+LWMNv/PHgdY=;2WS/Ca8h!KUOPo4I_6NDU]dS7z|+^1Ag$wg)\HgYzvN(l3R)@d\
"J7G-$6![0>;6D+tmJw'<z$MeIh`;P$siWy~XnvoP2(_!7PTh(WUX[mse)~s/^[R:qpJipVn8=R'n]
9uHv>MHhh<;qmrF
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Commtouch-ctIPd-RefID: tid=0001.0A0C0303.536F453D.009B
X-Commtouch-ctasd-RefID: str=0001.0A0C0201.536F453D.010B:SCGSTAT1067355,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=1024
X-Commtouch: is not spam (Spam: Unknown, VOD: Medium)
X-NiceBayes: is not spam (0.2%)
X-UriRBLs: is spam (nichost.ru:MCURIBL)
X-MailCleaner-Information: Please contact support@example.net for more information
X-MailCleaner-ID: 1WjQDt-0001vn-1T
X-MailCleaner: Found to be clean
X-MailCleaner-SpamCheck: spam, UriRBLs (nichost.ru:MCURIBL)
X-Auto-Response-Suppress: DR, NDR, RN, NRN, OOF, AutoReply
Hi!
For some days I have been receiving a huge number of e-mails like this:
Hey!
http://taxi-gruz.nichost.ru/search_bing.html?iwjvyluwo=2277344&opjrep=9504
Of course, it's not enough for a Bayesian test.
The report is just:
* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
*     (XXXX[at]gmx.net)
* -0.0 SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
* 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS
Could someone help me to write a rule to block these E-Mails?
Thanks a lot
Luca Bertoncello
(lucabert@lucabert.de)
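
In the headers above the filter modules disagree (Commtouch and NiceBayes report "is not spam", UriRBLs reports "is spam"), and X-MailCleaner-SpamCheck names the module behind the final decision. The following Python is an added example, not part of the original message and not MailCleaner's own code; its function names are hypothetical and the header value format is assumed from this one sample.

```python
import re
from email import message_from_string

# Excerpt of the filter headers from the sample above, followed by a stub body.
SAMPLE = """\
X-MailCleaner-SPF: pass
X-Commtouch: is not spam (Spam: Unknown, VOD: Medium)
X-NiceBayes: is not spam (0.2%)
X-UriRBLs: is spam (nichost.ru:MCURIBL)
X-MailCleaner: Found to be clean
X-MailCleaner-SpamCheck: spam, UriRBLs (nichost.ru:MCURIBL)

Hi!
"""

# Assumption: a module header reads "is spam (detail)" or "is not spam (detail)",
# as in this sample; other MailCleaner versions or modules may word it differently.
VERDICT_RE = re.compile(r"^is (not )?spam\s*(?:\((.*)\))?$")


def module_verdicts(raw_message):
    """Return {module: (is_spam, detail)} for each 'X-<module>: is [not] spam' header."""
    msg = message_from_string(raw_message)
    verdicts = {}
    for name, value in msg.items():
        m = VERDICT_RE.match(" ".join(value.split()))  # unfold continuation lines
        if name.startswith("X-") and m:
            verdicts[name[2:]] = (m.group(1) is None, m.group(2) or "")
    return verdicts


def final_decision(raw_message):
    """Split X-MailCleaner-SpamCheck into (verdict, reason text)."""
    value = message_from_string(raw_message).get("X-MailCleaner-SpamCheck", "")
    verdict, _, reasons = " ".join(value.split()).partition(",")
    return verdict.strip(), reasons.strip()


def deciding_modules(raw_message):
    """Modules that flagged the message and are named in the final decision."""
    _, reasons = final_decision(raw_message)
    return [mod for mod, (is_spam, _) in module_verdicts(raw_message).items()
            if is_spam and mod in reasons]


if __name__ == "__main__":
    print(module_verdicts(SAMPLE))
    print(final_decision(SAMPLE), deciding_modules(SAMPLE))
```

Run over a quarantine export, the same functions show which module carries the decision for short URL-only messages, where the Bayesian score has little text to work with.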