Alex wrote:
Hi all,
I'm having trouble with an elusive spam for the past few days with
just "re" in the subject. It looks to be routed through hotmail.com,
but doesn't have an SPF signature, so I don't really understand.
SPF doesn't sign anything (perhaps you are thinking of dkim), and
anyway, from your own SA headers it passes SPF.
Here's an example:
http://pastebin.com/Lg63Xek4
I've trained probably 50 of these, yet they still have BAYES_50.
How is this routed through hotmail like this?
Ideas for better training and other rules?
As Kai said, check your Bayes is actually working. I've been seeing
dozens of these daily for what seems like ages, and Bayes now has no
trouble nailing them although it understandably missed them when they
first started arriving.
The common factor I see with these is that they're from hotmail and
contain a common URI so I use a meta rule hitting on __FROM_HOTMAIL_COM
and any number of common URIs such as digg.com in your example (inc.
digg, youtube, google, blogspot, tripod, lycos etc).
These also started life (at least here) as erection/pill type spam so I
also initially used a meta rule for __FROM_HOTMAIL_COM and erection/pill
type subjects, but not many have hit on that lately.
I'm a small shop and I'm about ready to reverse my hotmail policy to a
default deny and manually whitelist the 100 or so hotmail users that
correspond with my clients... or at least score mail from hotmail at 4-5
points and manually whitelist any FPs that may cause. IMHO Hotmail has
lost the right to trust and a default accept policy on my server.
