> I see quite a few of these from hotmail originating from China.
> X-Originating-IP: [123.161.74.4]
>
> is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.

Unlike PBL and XBL, Spamhaus SBL is safe for deep-parsing. Which SA does
for this part (only) of ZEN.

> Unfortunately you can't simply write a rule to combine From Hotmail and
> has any URI as all mail from Hotmail has a URI in the footer.

A meta rule from Hotmail and originating from China might be possible,
though. If that really is a common pattern. *And* acceptable for your
user-base.

Also, these Hotmail injected footers always use long-ish URIs with a
path, no? In that case, a meta with __URI_NO_PATH could help. Something
like this.

  uri __URI_NO_PATH  m~^https?://[^/]+/?$~

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
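
The meta logic suggested in this message, checked offline against sample mail. This is an added Python example, not code from the thread or from SpamAssassin: it ports the __URI_NO_PATH pattern and combines it with "From Hotmail" and "originating IP is listed". The `listed_ips` set stands in for the SBL lookup, the URI extraction is simplified, and all names, addresses, hosts and messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Python port of the pattern in the post's uri rule: scheme and host, no path.
URI_NO_PATH = re.compile(r"^https?://[^/]+/?$")
URI_FINDER = re.compile(r"https?://[^\s<>\"']+")  # simplified extraction (assumption)
ORIG_IP = re.compile(r"\[([0-9.]+)\]")

def evaluate(raw, listed_ips):
    """Evaluate the three sub-conditions and their conjunction for one message.

    listed_ips is a stand-in (assumption) for the SBL lookup SpamAssassin
    performs on deep-parsed headers.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    from_hotmail = sender.endswith("@hotmail.com")
    m = ORIG_IP.search(msg.get("X-Originating-IP", ""))
    origin_listed = bool(m) and m.group(1) in listed_ips
    uris = URI_FINDER.findall(msg.get_payload())
    # Like a SpamAssassin uri rule, this hits if any URI in the body matches.
    uri_no_path = any(URI_NO_PATH.match(u) for u in uris)
    return {"from_hotmail": from_hotmail, "origin_listed": origin_listed,
            "uri_no_path": uri_no_path,
            "meta": from_hotmail and origin_listed and uri_no_path}

def make_msg(sender, ip, body):
    return f"From: {sender}\nX-Originating-IP: [{ip}]\nSubject: test\n\n{body}\n"

# Constructed sample data: documentation-range IPs and .example hosts.
FOOTER = "Get more at http://footer.example/promo/offer.aspx?id=1"
LISTED = {"192.0.2.10"}
SAMPLES = {
    "clean": make_msg("alice@hotmail.com", "198.51.100.7", "Lunch?\n" + FOOTER),
    "listed_footer_only": make_msg("carol@hotmail.com", "192.0.2.10", "Hi\n" + FOOTER),
    "listed_bare_uri": make_msg("bob@hotmail.com", "192.0.2.10",
                                "http://shop.example/\n" + FOOTER),
    "other_sender": make_msg("dave@mail.example", "192.0.2.10", "http://shop.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw, LISTED))
```

Only the message that is from Hotmail, has a listed originating IP and carries a path-less URI satisfies the conjunction; the footer URI alone never does.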