On Mon, 3 Jun 2013, David B Funk wrote:
> On Mon, 3 Jun 2013, David F. Skoll wrote:
>> There were no Received: headers in my samples. They were directly
>> injected by compromised Windows boxes.
>
> Maybe the lack of Received: headers could be used as the basis for an SA
> rule. How many legit MTAs are there that don't add Received: headers?
> Hopefully none.

There are already "direct-to-MX" subrules, and rules that use them in
combination with other signs:
http://ruleqa.spamassassin.org/?daterev=20130603-r1488897-n&rule=%2FDIRECT
Suggestions for likely combinations are welcome, but at this time the
masscheck corpora only show less than 5% direct-to-MX spam vs. >20% ham.
Whether that's an indication that spambots are in a lull or the corpora
don't represent actual spam reality well is unclear.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
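
Added example, not part of the thread and not SpamAssassin's own rule code: a direct-to-MX test that ignores the Received: line stamped by the receiving MX, run over a small labelled set to show why the signal hits ham as well as spam. The hostname `mx.example.org`, the sample messages and the resulting rates are constructed for illustration and are not masscheck figures.

```python
import re
from email import message_from_string

TRUSTED_BY = {"mx.example.org"}  # assumption: hostname our own MX stamps
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def external_hops(raw, trusted=TRUSTED_BY):
    """Return Received: values that were not added by one of our relays."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = BY_RE.search(value)
        host = m.group(1).lower().rstrip(".") if m else None
        if host not in trusted:  # unparseable lines count as external
            hops.append(value)
    return hops

def is_direct_to_mx(raw, trusted=TRUSTED_BY):
    """True when no relay other than ours ever handled the message."""
    return not external_hops(raw, trusted)

def hit_rates(corpus, trusted=TRUSTED_BY):
    """Fraction of each label ('spam'/'ham') the test fires on."""
    seen, hits = {}, {}
    for label, raw in corpus:
        seen[label] = seen.get(label, 0) + 1
        hits[label] = hits.get(label, 0) + is_direct_to_mx(raw, trusted)
    return {label: hits[label] / seen[label] for label in seen}

# Constructed samples (documentation addresses, not real traffic).
OURS = ("Received: from [192.0.2.55] by mx.example.org with ESMTP;"
        " Mon, 3 Jun 2013 10:00:00 -0400\n")
# Client connected straight to our MX: only our own stamp is present.
BOT = OURS + "From: a@sender.example\nSubject: hi\n\nbody\n"
# Mail that passed through the sender's own relay first (folded header).
RELAYED = (OURS.replace("[192.0.2.55]", "out.sender.example")
           + "Received: from desk.sender.example by out.sender.example with ESMTP;\n"
             "\tMon, 3 Jun 2013 09:59:58 -0400\n"
           + "From: b@sender.example\nSubject: report\n\nbody\n")
# Legitimate script that talks to the MX directly, so it also fires.
SCRIPT_HAM = OURS + "From: cron@host.example\nSubject: nightly job\n\nok\n"
CORPUS = [("spam", BOT), ("spam", RELAYED), ("ham", RELAYED), ("ham", SCRIPT_HAM)]

if __name__ == "__main__":
    print(hit_rates(CORPUS))
```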