spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karsten Br├Ąckelmann <guent...@rudersport.de>
Subject Re: Hundreds of spam from same email
Date Wed, 20 Jul 2011 03:04:07 GMT
On Tue, 2011-07-19 at 20:15 -0500, Taylor, Jonn wrote:
> I seeing hundreds of emails from mail.com but it's not coming from them.
> Every few hours it jumps to a new sever. Is anyone else getting them?

None of the three samples you pasted are "from mail.com" as you said.
Neither the cosmetic From header, nor the Envelop From.) BTW, please do
NOT forward spam to the list. Put it up somewhere instead, maybe a
pastebin, and send the link.

Catching those (or at least scoring them severely higher) should be
easy. All your samples have a lot in common. Among that is

* Their Return-Path :addr (the envelope from) is /^asterisk\@/ in all
  cases.
* The X-Mailer header always matches a spurious / \[version \]/.
* The first Received header (making it strictly the first in the SA rule
  is left to the reader and rather irrelevant to catch the spam) matches
  in all cases / \(Postfix, from userid 100\)/.

* A Reply-To header exists, but is entirely empty. Probably not that
  easy to make a SA rule, though, depending on your SA version. If you
  can, score it higher on sight.

Not even to mention the opportunities for scoring on the very short, max
3 chars Subject or body.

Score each of the above moderately, like say 1.0, and score a meta rule
matching all three additionally. Almost certain to generate no FPs.


And to answer the other part of the question: Nope, I have not seen
anything like that myself, on none of my systems.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
}}}


Mime
View raw message