David B Funk wrote:
On Wed, 10 Mar 2010, Dennis B. Hopp wrote:
> I have put a sample at:
> http://pastebin.com/9BDXrxmm
> Note I did change the real e-mail address in this message, but the
> hotmail address used is valid, just masked.
Look at that "X-Originating-IP: [41.155.87.236]" header; it's a dial-up
pool in Lagos, Nigeria.
It may seem stereotyped, but it's amazing the percentage of this kind
of spam that -does- come out of that part of the world.
How about:
# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
describe LOCAL_ORIG_FROM_41 Originates from 41.0.0.0/8
header LOCAL_ORIG_FROM_41 X-Originating-IP =~ /\[41\./
Unless you're expecting mail originating from Africa, you can go further
and detect all mail injected from 41/8 with few FPs.
# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
describe LOCAL_RCVD_FROM_41 Received from 41.0.0.0/8
header LOCAL_RCVD_FROM_41 Received =~ /\[41\./
I've found these safe to score quite highly, but YMMV so score as suits
your mail flow.
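The two rules above, applied in Python to a few constructed header sets so the difference between them is visible (added example, not from the list post or from SpamAssassin itself; every hostname and address below other than the 41.155.87.236 quoted in the thread is made up, and the 192.0.2.x relays use the TEST-NET-1 documentation range):

```python
"""Replay the LOCAL_ORIG_FROM_41 / LOCAL_RCVD_FROM_41 regexes over sample headers.

Added illustration, not code from the mailing-list post or from SpamAssassin.
It mirrors the two header rules so a reader can see which one fires on which
kind of message, including the cases the post warns about.
"""
import re
from email import message_from_string
from email.policy import default

# Same header names and the same pattern as the two SpamAssassin rules.
RULES = {
    "LOCAL_ORIG_FROM_41": ("X-Originating-IP", re.compile(r"\[41\.")),
    "LOCAL_RCVD_FROM_41": ("Received", re.compile(r"\[41\.")),
}


def fired_rules(raw_message):
    """Return the rule names whose regex matches any instance of its header.

    SpamAssassin 'header' rules test every occurrence of a multi-valued header
    such as Received, so the Received rule fires if *any* hop is in 41/8.
    """
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for name, (header, pattern) in RULES.items():
        values = msg.get_all(header) or []
        if any(pattern.search(str(v)) for v in values):
            hits.append(name)
    return hits


# Constructed sample 1: webmail-style message. The provider's own relays are
# not in 41/8, but the webmail service records the poster's address in
# X-Originating-IP, so only the ORIG rule can catch this one.
SAMPLE_WEBMAIL = """\
Received: from omc1.webmail.example ([192.0.2.10])
    by mx.example.org with ESMTP; Wed, 10 Mar 2010 09:12:01 -0600
Received: from WEB-W33 ([192.0.2.33]) by omc1.webmail.example
    with SMTP; Wed, 10 Mar 2010 07:11:58 -0800
X-Originating-IP: [41.155.87.236]
From: sender@webmail.example
To: user@example.org
Subject: constructed sample 1

body
"""

# Constructed sample 2: mail injected straight from a 41/8 host. No
# X-Originating-IP at all, so only the broader Received rule fires. This is
# also what legitimate mail from a correspondent in that region looks like,
# which is the FP the post tells you to weigh.
SAMPLE_DIRECT_41 = """\
Received: from [41.0.2.9] (helo=pc-home)
    by mx.example.org with smtp; Wed, 10 Mar 2010 09:20:44 -0600
From: someone@example.net
To: user@example.org
Subject: constructed sample 2

body
"""

# Constructed sample 3: relay in 141/8. The escaped bracket in the pattern
# anchors the match at the first octet, so this does not fire.
SAMPLE_141 = """\
Received: from relay.example.com ([141.0.2.5])
    by mx.example.org with ESMTP; Wed, 10 Mar 2010 09:30:12 -0600
From: friend@example.com
To: user@example.org
Subject: constructed sample 3

body
"""

# Constructed sample 4: a provider that writes X-Originating-IP without the
# square brackets. The rule as written depends on the bracketed form and
# therefore misses this one.
SAMPLE_UNBRACKETED = """\
Received: from smtp.other.example ([192.0.2.77])
    by mx.example.org with ESMTP; Wed, 10 Mar 2010 09:41:03 -0600
X-Originating-IP: 41.155.87.236
From: sender@other.example
To: user@example.org
Subject: constructed sample 4

body
"""

if __name__ == "__main__":
    for label, sample in [("webmail", SAMPLE_WEBMAIL), ("direct", SAMPLE_DIRECT_41),
                          ("141/8 relay", SAMPLE_141), ("unbracketed", SAMPLE_UNBRACKETED)]:
        print(f"{label:12s} -> {fired_rules(sample) or 'no hit'}")
```

Running the script shows the first sample hitting only the X-Originating-IP rule and the second only the Received rule, while the last two hit neither: the bracket in the pattern is what keeps 141/8 out, and it is also what lets an unbracketed X-Originating-IP slip past.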