On Sat, 2009-10-31 at 07:35 -0500, Chris wrote:
> On Sat, 2009-10-31 at 07:59 +0000, rich...@buzzhost.co.uk wrote:
> > I don't see a great deal of spam from Hotmail, but often get it with
> > headers looking like this:
> > 
> > X-Originating-IP: [123.160.198.207]
> > From: joannie nolin <crevett...@msn.nullcom>
> > To: <clo...@skipbarber.nullcom>, <kantan...@gmail.nullcom>,
> > <preiswunderland...@web.dde>, <h...@interpoint24.dde>,
> > <e...@1-2-3-shopping.dinfo>, <mobilestor...@aol.dde>,
> > <s...@wifi-all.nullcom>, <e...@shopmedvet.nullcom>,
> > <info[at]chuizo.dde>, <mail[at]btec24.dde>,
> > <info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
> > <jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
> > <contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
> > <verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
> > <info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
> > <darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
> > <buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
> > <technomarty[at]btinternet.nullcom>,
> > <islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
> > <krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
> > <dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
> > <support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
> > <ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
> > <dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
> > <roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
> > <iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
> > <glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
> > <cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
> > <xuancailinlin66[at]163.nullcom>
> > 
> > A couple of observations;
> > 123.160.198.207 - is on the PBL {deep in the heart of China}, so is it
> > possible to extend the network tests to look for fairly constant custom
> > headers with the originating IP?
> > 
> > It's early and I've not really thought about it too hard, but is there a
> > test that can be done to check the number of recipients or lines in a
> > 'to' list. Something along the lines of if there are more than Y * @ ?
> > 
> > The message concerned scored 2.3. I've looked back at others like it
> > from the last six months and they always have a constant long list of
> > 'to' and X-Originating-IP: with PBL listed entries.
> > 
> Here are a couple of rules I use, can't remember who originally posted
> them:
> 
> describe TO_TOO_MANY To: too many recipients
> header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score    TO_TOO_MANY 0.3
> 
> describe TO_WAY_TOO_MANY To: way too many recipients
> header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
> score    TO_WAY_TOO_MANY 0.3
> 
> describe CC_TOO_MANY CC: too many recipients
> header   CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
> score    CC_TOO_MANY 0.3
> 
> You can vary the number in {} to whatever suits you.
> 
Thanks Chris. Duly added to my custom rules - thanks for your kindness. It
would be good if the network tests could pick up on the originating IP
in the headers, but I'm sure there is a reason this is not done.
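As an added example that is not part of this thread, the three header rules Chris posted can be checked outside SpamAssassin to see exactly when they fire: each pattern needs N commas, each followed by up to 80 non-comma characters, so a rule with `{20}` triggers at 21 recipients, not 20. The script below applies the rules to a constructed message with placeholder recipients (the addresses and the 192.0.2.10 originating IP are made up, not from the quoted spam), and also pulls the X-Originating-IP header and builds the reversed-octet DNSBL query name Richard's "PBL listed" check would need; the `zen.spamhaus.org` zone is assumed and no lookup is actually performed.

```python
import re
from email import message_from_string

# SpamAssassin-style header rules from the thread: (header name, pattern, score).
# Each pattern matches N comma-separated chunks of at most 80 non-comma chars,
# so N commas (N+1 recipients) in an unfolded header trigger the rule.
RULES = {
    "TO_TOO_MANY":     ("To", re.compile(r"(?:,[^,]{1,80}){20}"), 0.3),
    "TO_WAY_TOO_MANY": ("To", re.compile(r"(?:,[^,]{1,80}){30}"), 0.3),
    "CC_TOO_MANY":     ("Cc", re.compile(r"(?:,[^,]{1,80}){15}"), 0.3),
}


def unfold(value):
    """Join RFC 5322 folded continuation lines, as SpamAssassin does before matching."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "")


def score_recipient_rules(raw_message):
    """Return (list of rule names that hit, total score) for one raw message."""
    msg = message_from_string(raw_message)
    hits = []
    total = 0.0
    for name, (header, pattern, score) in RULES.items():
        if pattern.search(unfold(msg[header])):
            hits.append(name)
            total += score
    return hits, round(total, 2)


def originating_ip(raw_message):
    """Extract the address from 'X-Originating-IP: [a.b.c.d]' (Hotmail/MSN style), or None."""
    msg = message_from_string(raw_message)
    m = re.search(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", msg.get("X-Originating-IP", ""))
    return m.group(1) if m else None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet DNSBL query name for ip; zone is an assumption, no DNS is done."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def build_message(n_to, n_cc=0):
    """Constructed sample message with n_to / n_cc placeholder recipients, folded like real mail."""
    to = ",\n ".join(f"<user{i}@example.invalid>" for i in range(n_to))
    cc = ",\n ".join(f"<cc{i}@example.invalid>" for i in range(n_cc))
    headers = [
        "X-Originating-IP: [192.0.2.10]",   # constructed value, RFC 5737 documentation range
        "From: sender <sender@example.invalid>",
        f"To: {to}",
    ]
    if n_cc:
        headers.append(f"Cc: {cc}")
    return "\n".join(headers) + "\n\nbody\n"


if __name__ == "__main__":
    for n in (5, 20, 21, 31):
        print(n, "recipients ->", score_recipient_rules(build_message(n)))
    ip = originating_ip(build_message(3))
    print("X-Originating-IP:", ip, "-> DNSBL query:", dnsbl_query_name(ip))
```

Running it shows the off-by-one worth knowing when you tune the `{}` counts: 20 recipients score nothing, 21 fire TO_TOO_MANY, and 31 fire both To rules for 0.6. The 80-character cap per chunk also means a single very long display name between two commas breaks the run, which is a deliberate bound on backtracking rather than a bug.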
