---------- Original Message ----------------------------------
From: Evan Pearce <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 11 Jun 2003 11:11:41 +0930

>On 11/06/2003 at 11:02:59, Len Conrad wrote:
>
>> Apparently, this is causing some big volumes of spam:
>> http://www.unicom.com/chrome/a/000262.html
>> in header checks:
>> /Received: .*hotmail\.com with dav/ REJECT Submitted to Hotmail via DAV
>
>You need to be careful with that - legitimate users who send mail
>through their Hotmail accounts with Outlook Express generate the same
>headers. If your users get mail sent to them like that you can
>generate loads of false positives.

Agreed. I implemented the above header check and out of the eleven it rejected, only one was spam. The others were actually legit users who use Outlook Express to send mail with their Hotmail account.

That header check could likely be narrowed down since from most reports, there are only a few hotmail servers that send using DAV that are being abused.

From a SPAM-L post:

---
> The complete list:
>
> 65.54.169.52 - 65.54.169.188
> 65.54.171.52 - 65.54.171.188
> 65.54.173.52 - 65.54.173.188
>
> rDNS (not regex compliant):
>
> bay3-dav[22-158].bay3.hotmail.com
> bay4-dav[22-158].bay4.hotmail.com
> bay5-dav[22-158].bay5.hotmail.com

Perhaps not entirely complete. Here are some more I found in my logs and confirmed by lookups (also not regex compliant):

65.54.168.105 - 65.54.168.125 bay3-dav[1-21].bay3.hotmail.com
65.54.170.105 - 65.54.170.125 bay4-dav[1-21].bay4.hotmail.com
65.54.172.105 - 65.54.172.125 bay5-dav[1-21].bay5.hotmail.com
---

From what I saw yesterday, none of the legit mail using DAV came from any of the bay[x].hotmail.com servers, they all came from law[x].hotmail.com servers.

Maybe the following header check would work better (assuming I haven't had too many beers and \d+ would match one or more digits):

/^Received: from .* by bay\d+\.hotmail\.com with DAV;/ REJECT

Chris Scott
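Added example, not part of the original message or of any poster's configuration: the "not regex compliant" rDNS ranges quoted above turned into a PCRE-style pattern and compared with the broad check on constructed headers. The "from <ip> by <host> with DAV;" header layout, the sample headers and all names in the code are assumptions.

```python
import re

# Broad check quoted in the thread (Postfix header checks ignore case by default).
BROAD = re.compile(r"Received: .*hotmail\.com with dav", re.I)

# 1..158 as a regex: covers dav[1-21] and dav[22-158] from the two quoted lists.
DAV_NUM = r"(?:1[0-4]\d|15[0-8]|[1-9]\d?)"

# Narrow check: bay3/bay4/bay5 only; \1 forces both "bayN" labels to agree.
# The "from <ip> by <host> with DAV;" layout is an assumption about the header.
NARROW = re.compile(
    r"^Received: from \S+ by bay([345])-dav" + DAV_NUM +
    r"\.bay\1\.hotmail\.com with DAV;", re.I)

# Constructed sample headers (documentation IP ranges, invented timestamps).
SAMPLES = {
    "bay, listed": "Received: from 192.0.2.10 by bay3-dav22.bay3.hotmail.com"
                   " with DAV; Wed, 11 Jun 2003 01:41:00 +0000",
    "bay, low range": "Received: from 192.0.2.11 by bay5-dav7.bay5.hotmail.com"
                      " with DAV; Wed, 11 Jun 2003 01:42:00 +0000",
    "bay, unlisted number": "Received: from 192.0.2.12 by bay4-dav159.bay4.hotmail.com"
                            " with DAV; Wed, 11 Jun 2003 01:43:00 +0000",
    "law": "Received: from 198.51.100.7 by law11-dav40.law11.hotmail.com"
           " with DAV; Wed, 11 Jun 2003 01:44:00 +0000",
    "not DAV": "Received: from mail.example.org by mx.example.net"
               " with ESMTP; Wed, 11 Jun 2003 01:45:00 +0000",
}

def verdicts(header):
    """Return (broad_rejects, narrow_rejects) for one Received header."""
    return bool(BROAD.search(header)), bool(NARROW.match(header))

def passed_by_narrow_only(samples):
    """Labels that the broad check rejects but the narrow check lets through."""
    return sorted(k for k, h in samples.items() if verdicts(h) == (True, False))

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        broad, narrow = verdicts(header)
        print(f"{label:22} broad={broad} narrow={narrow}")
    print("passed by narrow only:", passed_by_narrow_only(SAMPLES))
```

Running candidate patterns over saved headers like this before loading them shows which legitimate senders a rule would reject.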
