David Jones wrote:
> First, if anyone from Microsoft is on this list, please set up proper
> outbound spam filtering, rate limiting, and compromised account
> detection with locking to prevent junk like this.
> I have seen a recent increase in the number of outbound junk and
> phishing emails that I keep reporting to SpamCop who reports it to
> Microsoft.
> https://pastebin.com/c2c2ETYi
> Any ideas other than maintaining a complex regex on body matches? I
> have tried this with good success but it's creating a few FPs. I could
> limit it to O365 servers but that is a lot these days.
For that particular "class" of spam I add the domain to my local DNSBL
(if one is available; about 25% of the ones I see use
Hotmail/Yahoo/GMail accounts and don't include a domain in the body),
file the message in a content-specific folder, and feed it through the
rest of the IP/URI extraction processing and Bayes feeding. That
particular domain has already made my local list, and I see it's on
uribl.com as well. I've also added rules checking the From: domain
against DNSBLs; it seems to have helped some generally.
I've been generating a number of sets of more content-specific rules
using the SOUGHT code in the SA source tree, but that set doesn't seem
to be consistent enough to generate anything. I intermittently check
and (re)write a couple of rules but I don't see enough volume to do more
than say "Oh, another one of those" by eye. :/
I've had somewhat better success with hand-maintained rules focusing on
their "unsubscribe" phrases, since those have tended to be more
consistent, and the same phrases are found in other types of spam.
-kgd
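The two checks kgd describes above (looking the From: domain up in a local DNSBL zone, and hand-maintained rules on "unsubscribe" phrasing) as a small stand-alone Python example; this is added here and is not code from the thread or from SpamAssassin. The zone contents, the phrase patterns, the resolver and the sample message are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed local DNSBL zone: full query name -> A-record answer, standing in
# for a real DNS lookup (a listed domain answers, an unlisted one gets None).
LOCAL_DNSBL_ZONE = {"badsender.example.dnsbl.local": "127.0.0.2"}

# Hand-maintained unsubscribe-phrase patterns (constructed examples, not kgd's rules).
UNSUB_PATTERNS = [
    re.compile(r"to\s+stop\s+receiving\s+(?:these|this)\s+(?:emails?|messages?),?\s+(?:click|reply)", re.I),
    re.compile(r"if\s+you\s+(?:no\s+longer\s+)?wish\s+to\s+receive\s+(?:further|any)\s+(?:emails?|messages?)", re.I),
]

def fake_resolve(qname):
    """Stand-in for a DNS A lookup against the constructed zone."""
    return LOCAL_DNSBL_ZONE.get(qname.lower())

def author_domain(msg):
    """Lower-cased domain of the From: address, or None if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def plain_text_body(msg):
    """Concatenate all text/plain parts (works for single-part and multipart)."""
    return "".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )

def score_message(raw, resolve=fake_resolve, zone="dnsbl.local"):
    """Return the list of rule names that fire on a raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    dom = author_domain(msg)
    # DNSBL convention: query <domain>.<zone>; any answer means "listed".
    if dom and resolve(f"{dom}.{zone}"):
        hits.append("FROM_DOMAIN_IN_DNSBL")
    body = plain_text_body(msg)
    hits.extend(f"UNSUB_PHRASE_{i}" for i, pat in enumerate(UNSUB_PATTERNS) if pat.search(body))
    return hits

# Constructed sample: listed sender domain plus a typical unsubscribe phrase.
SAMPLE = """From: "Promo" <offers@badsender.example>
To: me@example.org
Subject: hello

Great deal inside. To stop receiving these emails, click here.
"""
```

A freemail From: address (the roughly 25% case kgd mentions) gets no DNSBL hit, so only the phrase rules can catch it.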