Hi,

Has anyone ever seen a legitimate email with an X-Mailer: header of 
OutLook Express 3.14159? I've just got 9 spam messages in the last two 
days using this header line, 6 of which were not even caught as spam by SA 
(threshold of 7.0). So I added a local rule for that header (and other 
checks for the body as they were all advertising sex sites on the same 
domain) to make sure they were caught high enough to trigger a perm reject 
rule during SMTP. Now, I wouldn't want that X-Mailer rule to trigger on 
non-spam as I gave it a score of 5.0. I can't find this header in any 
legitimate mail here. It already helped me reject 5 more spam messages 
today right after I restarted spamd. :) It looked like they were all the 
same message and the spammer software didn't like the 550 return value to 
the DATA segment and just tried again and again (5 times in 2 minutes 
using 5 different open socks servers).

header   LOCAL_PI_OE        X-Mailer =~ /OutLook Express 3\.14159/
describe LOCAL_PI_OE        X-Mailer contains 'OutLook Express 3.14159'
score    LOCAL_PI_OE        5.0

Wasn't there a rule that looked for fake versions of popular MUAs? Maybe I 
missed it, but I didn't find it when I looked for it (and no rule 
triggered with that header line before I set mine up).

Thanks,

-- 
Patrice Fournier
[EMAIL PROTECTED]

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
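
An added example, not part of the original post or of SpamAssassin itself: one way to check the false-positive concern raised above is to run the LOCAL_PI_OE regex over labelled ham and spam before relying on a 5.0 score. The function names are hypothetical and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Same pattern as the LOCAL_PI_OE rule in the post (case-sensitive, like the rule).
LOCAL_PI_OE = re.compile(r"OutLook Express 3\.14159")

def x_mailer_values(raw):
    """Return every X-Mailer value in a raw message, RFC 2047-decoded and unfolded."""
    msg = message_from_string(raw)
    values = []
    for value in msg.get_all("X-Mailer", []):
        text = str(make_header(decode_header(value)))
        values.append(" ".join(text.split()))  # collapse header folding whitespace
    return values

def audit_rule(corpus, pattern=LOCAL_PI_OE):
    """corpus: iterable of (label, raw_message) with label 'ham' or 'spam'.
    Returns {'ham': [hits, total], 'spam': [hits, total]}."""
    stats = {"ham": [0, 0], "spam": [0, 0]}
    for label, raw in corpus:
        stats[label][1] += 1
        if any(pattern.search(v) for v in x_mailer_values(raw)):
            stats[label][0] += 1
    return stats

# Constructed sample corpus (assumption: in practice, feed in your own ham/spam folders).
SAMPLE = [
    ("spam", "From: a@example.com\nX-Mailer: OutLook Express 3.14159\n\nbody\n"),
    # Folded header: the value continues on the next line.
    ("spam", "From: b@example.com\nX-Mailer: OutLook\n Express 3.14159\n\nbody\n"),
    ("ham", "From: c@example.org\nX-Mailer: Microsoft Outlook Express 6.00.2600.0000\n\nhi\n"),
    ("ham", "From: d@example.org\nX-Mailer: Microsoft Outlook Express 5.50.4133.2400\n\nhi\n"),
    ("ham", "From: e@example.org\n\nno X-Mailer header at all\n"),
]

if __name__ == "__main__":
    for label, (hits, total) in audit_rule(SAMPLE).items():
        print(f"{label}: {hits}/{total} messages hit LOCAL_PI_OE")
```

Any non-zero ham count is the signal to lower the score or tighten the pattern before it feeds an SMTP-time reject.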
