On Thu, 15 Oct 2009, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares. Clever usage of SPANs appears to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96

  Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)
    (79.163.117.156)
    by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300

You might want to consider instituting a HELO-no-dots reject at SMTP time
on your MTA. That rejects a _ton_ of garbage here.
The spans do look suspicious, I'm putting a rule into my sandbox...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Users mistake widespread adoption of Microsoft Office for the
development of a document format standard.
-----------------------------------------------------------------------
14 days since a sunspot last seen - EPA blames CO2 emissions
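
The HELO-no-dots check suggested in the reply above, applied to the Received header quoted there. This is an added example, not code from the original post or from any MTA; the function names and the two extra sample headers are constructed for illustration, and the parser assumes the "from host (HELO name) (ip)" trace format seen in the quoted header.

```python
import re

# Trace line format seen in the quoted header:
#   Received: from <rdns> (HELO <helo>) (<ip>) by ...
RECEIVED_HELO = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)"
)

# Header quoted in the message above (folded, as in the original mail).
PAGE_HEADER = (
    "Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)\n"
    " (79.163.117.156)\n"
    " by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300"
)
# Constructed sample headers (documentation names and addresses only).
CONSTRUCTED = [
    "Received: from mx1.example.org (HELO mx1.example.org) (192.0.2.10)\n"
    " by mx.example.net with SMTP; 16 Oct 2009 04:10:00 +1300",
    "Received: from unknown (HELO [198.51.100.7]) (198.51.100.7)\n"
    " by mx.example.net with SMTP; 16 Oct 2009 04:11:00 +1300",
]

def parse_received(header):
    """Return (rdns, helo, ip) from a Received header in this format, or None."""
    unfolded = " ".join(header.split())  # undo header folding
    m = RECEIVED_HELO.search(unfolded)
    return (m["rdns"], m["helo"], m["ip"]) if m else None

def helo_has_no_dots(helo):
    """True when the HELO argument is a bare name: no dot, not an address literal."""
    if helo.startswith("[") and helo.endswith("]"):
        return False  # address literal such as [198.51.100.7]
    return "." not in helo.rstrip(".")  # "localhost." still counts as bare

def review(headers):
    """Return (helo, ip, verdict) for every header that parses."""
    results = []
    for header in headers:
        parsed = parse_received(header)
        if parsed is None:
            continue
        _, helo, ip = parsed
        verdict = "reject" if helo_has_no_dots(helo) else "accept"
        results.append((helo, ip, verdict))
    return results

if __name__ == "__main__":
    for helo, ip, verdict in review([PAGE_HEADER] + CONSTRUCTED):
        print(f"{verdict:6} HELO={helo} ip={ip}")
```

Running the same test over a few days of accepted mail before enabling the reject shows which legitimate senders, if any, would be caught. Internal hosts and mail clients often announce a bare machine name, so a check like this belongs on the Internet-facing listener rather than on the submission path.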