On Sat, 2009-10-31 at 07:59 +0000, rich...@buzzhost.co.uk wrote:
> I don't see a great deal of spam from Hotmail, but often get it with
> headers looking like this:
>
> X-Originating-IP: [123.160.198.207]
> From: joannie nolin <crevett...@msn.nullcom>
> To: <clo...@skipbarber.nullcom>, <kantan...@gmail.nullcom>,
> <preiswunderland...@web.dde>, <h...@interpoint24.dde>,
> <e...@1-2-3-shopping.dinfo>, <mobilestor...@aol.dde>,
> <s...@wifi-all.nullcom>, <e...@shopmedvet.nullcom>,
> <info[at]chuizo.dde>, <mail[at]btec24.dde>,
> <info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
> <jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
> <contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
> <verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
> <info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
> <darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
> <buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
> <technomarty[at]btinternet.nullcom>,
> <islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
> <krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
> <dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
> <support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
> <ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
> <dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
> <roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
> <iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
> <glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
> <cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
> <xuancailinlin66[at]163.nullcom>
>
> A couple of observations;
> 123.160.198.207 - is on the PBL {deep in the heart of China} so is
> possible to extend the network tests to look for fairly constant custom
> headers with the originating IP?
>
> It's early and I've not really thought about it too hard, but is there a
> test that can be done to check the number of recipients or lines in a
> 'to' list. Something along the lines of if there are more than Y * @ ?
>
> The message concerned scored 2.3. I've looked back at others like it
> from the last six months and they always have a constant long list of
> 'to' and X-Originating-IP: with PBL listed entries.

Here's a couple of rules I use; can't remember who originally posted them:
describe TO_TOO_MANY To: too many recipients
header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
score    TO_TOO_MANY 0.3

describe TO_WAY_TOO_MANY To: way too many recipients
header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
score    TO_WAY_TOO_MANY 0.3

describe CC_TOO_MANY CC: too many recipients
header   CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
score    CC_TOO_MANY 0.3

You can vary the number in {} to whatever suits you.

--
KeyID 0xE372A7DA98E6705C
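To see exactly when the rules in the reply above fire, here is an added example (not from the thread or from SpamAssassin itself) that applies the same three regexes to a constructed header block in Python. The regex syntax `(?:,[^,]{1,80}){N}` means the same thing in Python's `re` as in the Perl rule bodies: N consecutive runs of "a comma followed by 1 to 80 non-comma characters". The header parsing, the `sample_message` generator and all addresses are assumptions built for this demonstration.

```python
import re

# Thresholds and scores copied from the rules posted above.
# Field names are normalised to Title-case before lookup (SpamAssassin matches
# header names case-insensitively; "CC" in the rule therefore also sees "Cc:").
RULES = {
    "TO_TOO_MANY":     ("To", re.compile(r"(?:,[^,]{1,80}){20}"), 0.3),
    "TO_WAY_TOO_MANY": ("To", re.compile(r"(?:,[^,]{1,80}){30}"), 0.3),
    "CC_TOO_MANY":     ("Cc", re.compile(r"(?:,[^,]{1,80}){15}"), 0.3),
}


def unfold_headers(raw):
    """Parse a raw header block into {name: value}, joining RFC 5322 folded
    continuation lines (lines starting with whitespace) onto the previous header."""
    headers = {}
    current = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().title()
            headers[current] = value.strip()
    return headers


def evaluate(raw):
    """Return (total score, [names of rules that fired]) for one header block,
    in the order the rules are listed in RULES."""
    headers = unfold_headers(raw)
    hits = [name for name, (field, pattern, _) in RULES.items()
            if pattern.search(headers.get(field, ""))]
    return round(sum(RULES[h][2] for h in hits), 1), hits


def count_recipients(raw, field="To"):
    """Count comma-separated addresses in a header (plain split; quoted commas
    inside display names are not handled, which is the same simplification
    the regex rules make)."""
    value = unfold_headers(raw).get(field, "")
    return len([a for a in value.split(",") if a.strip()])


def sample_message(n_to, n_cc=0, pad=0):
    """Build a constructed header block with n_to To: and n_cc Cc: recipients.
    pad > 0 prefixes each address with a display name of that many characters,
    which is how a recipient list can defeat the {1,80} segment limit."""
    name = '"' + "x" * pad + '" ' if pad else ""
    to = ",\n ".join(f"{name}<user{i}@example.invalid>" for i in range(n_to))
    cc = ",\n ".join(f"{name}<cc{i}@example.invalid>" for i in range(n_cc))
    lines = ["From: <sender@example.invalid>", f"To: {to}"]
    if n_cc:
        lines.append(f"Cc: {cc}")
    lines.append("Subject: constructed test message")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for n in (20, 21, 25):
        print(f"{n} recipients -> {evaluate(sample_message(n))}")
    print("45 To + 16 Cc ->", evaluate(sample_message(45, n_cc=16)))
    print("25 recipients with 90-char display names ->",
          evaluate(sample_message(25, pad=90)))
```

Two details worth noticing when tuning the `{}` counts: the rule counts commas, not addresses, so `{20}` first fires at 21 recipients, and each segment between commas must be at most 80 characters, so a list of addresses with long display names (or other non-comma padding) sails past the rule no matter how many recipients it carries.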