>> header BOGUS_MIME_VERSION

So the secret is out. We are blocking as many as 40,000 a day. I tested it for a few days, at a million messages a day, and nothing else matches that error. It's a killer rule here.

The spam itself is very low scoring otherwise. Score for /shark.tank/i matches a lot of this spam but not all. The domain names used are domains of small companies that have nothing to do with the spam. The spammer has been evading Spamhaus honeypots remarkably well.

The source is not a botnet of end user hosts. I don't know what to call this method. The spammer gets use of about two dozen servers from a hosting company and blasts from them for a few days, and then jumps to another hosting company. Blocking by IP is not effective for long although the IP blocks that have been used are probably a nice collection of easily abused providers.

Since January 23 we have seen hosts in these blocks, below. Yesterday was 23.95.197 and 104.234.218.

Joseph Brennan
Columbia University I T
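
The sending pattern described above (several servers in one provider's block sending for a few days, then a move to another block) shows up when rule hits are grouped per /24. This is an added example, not part of the original post: the log format, the dates and the addresses (RFC 5737 documentation ranges) are constructed, and `summarise` and `bursts` are hypothetical helper names.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_network

RULE = "BOGUS_MIME_VERSION"  # rule name taken from the post

# Constructed sample log: "<date> <connecting IP> <rules hit>". The format,
# the year and the addresses (RFC 5737 ranges) are assumptions for the demo.
SAMPLE_LOG = """\
2017-01-23 192.0.2.11 BOGUS_MIME_VERSION
2017-01-23 192.0.2.12 BOGUS_MIME_VERSION
2017-01-24 192.0.2.13 BOGUS_MIME_VERSION,HTML_MESSAGE
2017-01-25 192.0.2.11 BOGUS_MIME_VERSION
2017-01-26 198.51.100.7 BOGUS_MIME_VERSION
2017-01-26 198.51.100.8 BOGUS_MIME_VERSION
2017-01-27 198.51.100.9 BOGUS_MIME_VERSION
2017-01-27 203.0.113.5 HTML_MESSAGE
2017-02-10 203.0.113.6 BOGUS_MIME_VERSION
"""

def summarise(log_text, rule=RULE):
    """Group hits on `rule` by the /24 of the connecting IPv4 address."""
    blocks = defaultdict(lambda: {"hosts": set(), "messages": 0, "days": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or rule not in parts[2].split(","):
            continue  # malformed line, or the rule did not fire
        day, ip, _ = parts
        net = ip_network(f"{ip}/24", strict=False)  # mask off the host bits
        entry = blocks[str(net)]
        entry["hosts"].add(ip)
        entry["messages"] += 1
        entry["days"].add(date.fromisoformat(day))
    return dict(blocks)

def bursts(blocks, min_hosts=3, max_span_days=5):
    """Blocks where several hosts sent for only a few days."""
    found = []
    for net, e in blocks.items():
        span = (max(e["days"]) - min(e["days"])).days + 1
        if len(e["hosts"]) >= min_hosts and span <= max_span_days:
            found.append((net, len(e["hosts"]), e["messages"], span))
    return sorted(found)

if __name__ == "__main__":
    for net, hosts, msgs, span in bursts(summarise(SAMPLE_LOG)):
        print(f"{net}: {hosts} hosts, {msgs} messages over {span} day(s)")
```

The thresholds `min_hosts` and `max_span_days` are illustrative defaults; tune them against real mail logs before using the output to decide how long an IP block entry should live.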