> > I see quite a few of these from hotmail orginating from China.
> X-Originating-IP: [123.161.74.4]
>
> is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.
Unlike PBL and XBL, Spamhaus SBL is safe for deep-parsing. Which SA does
for this part (only) of ZEN.
> Unfortunately you can't simply write a rule to combine From Hotmail and
> has any URI as all mail from Hotmail has a URI in the footer.
A meta rule from Hotmail and originating from China might be possible,
though. If that really is a common pattern. *And* acceptable for your
user-base.
Also, these Hotmail injected footers always use long-ish URIs with a
path, no? In that case, a meta with __URI_NO_PATH could help. Something
like this.
uri __URI_NO_PATH m~^https?://[^/]+/?$~
--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
