>> header BOGUS_MIME_VERSION
So the secret is out. We are blocking as many as 40,000 a day. I
tested it for a few days, at a million messages a day, and nothing
else matches that error. It's a killer rule here.
The spam itself is very low scoring otherwise. Score for /shark.tank/i
matches a lot of this spam but not all. The domain names used are
domains of small companies that have nothing to do with the spam. The
spammer has been evading Spamhaus honeypots remarkably well.
The source is not a botnet of end-user hosts. I don't know what to
call this method. The spammer gets use of about two dozen servers from
a hosting company and blasts from them for a few days, and then jumps
to another hosting company. Blocking by IP is not effective for long
although the IP blocks that have been used are probably a nice
collection of easily abused providers. Since January 23 we have seen
hosts in these blocks, below. Yesterday was 23.95.197 and 104.234.218.
Columbia University I T
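
The rotation described above (a couple dozen hosts in one provider's block for a few days, then a jump to another provider) can be tracked by grouping rule hits by covering network. This is an added example, not part of the original message: the sample hits are constructed, the addresses are RFC 5737 documentation ranges, and the /24 grouping, `min_hosts` and `idle_days` thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample: (day the rule fired, connecting IP).
SAMPLE_HITS = [
    ("2024-01-23", "192.0.2.10"), ("2024-01-23", "192.0.2.11"),
    ("2024-01-24", "192.0.2.12"), ("2024-01-25", "192.0.2.13"),
    ("2024-01-25", "192.0.2.10"),
    ("2024-01-27", "198.51.100.20"), ("2024-01-28", "198.51.100.21"),
    ("2024-01-29", "198.51.100.22"),
    ("2024-01-28", "203.0.113.5"),  # lone host, not a rented block
]

def summarize_blocks(hits, prefix_len=24, min_hosts=3):
    """Group hits by covering network; keep blocks with several distinct hosts."""
    blocks = defaultdict(lambda: {"hosts": set(), "days": set(), "hits": 0})
    for day, ip in hits:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        entry = blocks[str(net)]
        entry["hosts"].add(ip)
        entry["days"].add(date.fromisoformat(day))
        entry["hits"] += 1
    report = [
        {"block": net, "hosts": len(e["hosts"]), "hits": e["hits"],
         "first": min(e["days"]), "last": max(e["days"])}
        for net, e in blocks.items() if len(e["hosts"]) >= min_hosts
    ]
    # Sorting by first-seen date shows the jump from one block to the next.
    return sorted(report, key=lambda r: r["first"])

def stale_blocks(report, today, idle_days=7):
    """Blocks silent for idle_days or more: candidates for expiring an IP block."""
    return [r["block"] for r in report if (today - r["last"]).days >= idle_days]

if __name__ == "__main__":
    rep = summarize_blocks(SAMPLE_HITS)
    for r in rep:
        print(r["block"], r["hosts"], "hosts,", r["hits"], "hits,",
              r["first"], "to", r["last"])
    print("stale:", stale_blocks(rep, date(2024, 2, 2)))
```
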