I don't see a great deal of spam from Hotmail, but often get it with
headers looking like this:

X-Originating-IP: [123.160.198.207]
From: joannie nolin <crevett...@msn.nullcom>
To: <clo...@skipbarber.nullcom>, <kantan...@gmail.nullcom>,
<preiswunderland...@web.dde>, <h...@interpoint24.dde>,
<e...@1-2-3-shopping.dinfo>, <mobilestor...@aol.dde>,
<s...@wifi-all.nullcom>, <e...@shopmedvet.nullcom>,
<info[at]chuizo.dde>, <mail[at]btec24.dde>,
<info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
<jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
<contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
<verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
<info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
<darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
<buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
<technomarty[at]btinternet.nullcom>,
<islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
<krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
<dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
<support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
<ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
<dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
<roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
<iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
<glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
<cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
<xuancailinlin66[at]163.nullcom>

A couple of observations:
123.160.198.207 - is on the PBL {deep in the heart of China} so is it
possible to extend the network tests to look for fairly constant custom
headers with the originating IP?

It's early and I've not really thought about it too hard, but is there a
test that can be done to check the number of recipients or lines in a
'to' list. Something along the lines of if there are more than Y * @ ?

The message concerned scored 2.3. I've looked back at others like it
from the last six months and they always have a constant long list of
'to' and X-Originating-IP: with PBL listed entries.

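The two checks asked about in the post above, sketched as an added example (not code from the poster or from any filter's own rule set): count the distinct To/Cc recipients and turn the X-Originating-IP value into the name a DNSBL lookup would query. The threshold of 10, the function names, the placeholder addresses and the choice of the zen.spamhaus.org zone (which includes the PBL) are assumptions; no DNS lookup is performed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the quoted headers; addresses are placeholders.
SAMPLE = (
    "X-Originating-IP: [123.160.198.207]\n"
    "From: sender <sender@example.com>\n"
    "To: " + ",\n ".join(f"<user{i}@example{i}.test>" for i in range(45)) + "\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

MAX_RCPTS = 10  # assumed threshold, the "Y" in the post

def recipient_count(msg):
    """Number of distinct addresses across all To and Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return len({addr.lower() for _, addr in pairs if "@" in addr})

def originating_ip(msg):
    """IPv4 address from X-Originating-IP, or None if absent or malformed."""
    m = re.fullmatch(r"\s*\[?([0-9.]+)\]?\s*", msg.get("X-Originating-IP", ""))
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookups query the octets in reverse order under the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def analyse(raw):
    msg = message_from_string(raw)
    ip = originating_ip(msg)
    n = recipient_count(msg)
    return {
        "recipients": n,
        "many_recipients": n > MAX_RCPTS,
        # Private or reserved addresses are never worth a DNSBL query.
        "dnsbl_query": dnsbl_query_name(ip) if ip and ip.is_global else None,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```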