I trigger on the X-Originating-IP header. You'll probably want to do 64.72.123 and 64.72.124 also.
Sample rule:

header TBI_HOTMAIL_IP9 X-Originating-IP =~ /\[(83\.37\.86\.|189\.156\.198\.|190\.78\.95\.|189\.111\.56\.|125\.163\.120\.|115\.118\.23\.|123\.201\.175\.|64\.72\.122\.|83\.9\.207\.|117\.198\.200\.|117\.193\.161\.|91\.176\.200\.|78\.178\.176\.|221\.120\.225\.|210\.57\.233\.|88\.222\.52\.|122\.50\.232\.|58\.120\.230\.|89\.143\.101\.|111\.118\.142\.|189\.166\.125\.|61\.12\.10\.|124\.124\.216\.|84\.2\.146\.|118\.45\.166\.|189\.51\.230\.|83\.24\.177\.|116\.72\.0\.|86\.213\.66\.|116\.217\.115\.|88\.44\.244\.|85\.101\.216\.|86\.174\.60\.|203\.198\.107\.|119\.155\.65\.|89\.143\.101\.|138\.130\.65\.|59\.182\.174\.|187\.36\.214\.|113\.8\.108\.|83\.28\.168\.|77\.722\.30\.|75\.440\.94\.|86\.61\.98\.|122\.45\.250\.|89\.29\.165\.|187\.89\.201\.|115\.147\.25\.|64\.72\.123\.|64\.72\.124\.)/
score TBI_HOTMAIL_IP9 4.0

I find that these "re:" messages will change /24 space every week or so. Alternatively, as another poster suggested, can hotmail.com messages entirely and let only the few known good ones in.

Footer taglines from some of today's batch - with their translations!

"Hotmail: Trusted email with powerful SPAM protection."
- So powerful, a script-kiddie can use it.

"Hotmail: Powerful Free email with security by Microsoft."
- Used by hackers everywhere.

"Hotmail: Trusted email with Microsofts powerful SPAM protection."
- Powered by Windows Update. You can trust us. Really.

"Hotmail: Free, trusted and rich email service."
- Spammers can become rich using Hotmail.

"Not got a Hotmail account?"
- Good for you.

"We want to hear all your funny, exciting and crazy Hotmail stories."
- I enjoy my Hotmail experience. Thanks Canadian Pharmacy!

"Your E-mail and More On-the-Go. Get Windows Live Hotmail Free."
- Spam follows you wherever you go (go.go.php).

"Take your contacts everywhere."
- Send your spam from China and Brazil.

"Hotmail ¬O±Ä¥Î Micorsoft ¦w¥þ©Ê§Þ³Nªº§K¶O¹q¤l¶l½c"
- Gibberish. You'll need these World Of Warcraft Account Instructions.

"Get news, entertainment and everything you care about at Live.com."
- Even get a lot of crap you don't care about.

Regards,
Jared Hall
General Telecom, LLC.

Alex wrote:
> Hi all,
>
> I'm having trouble with an elusive spam for the past few days with
> just "re" in the subject. It looks to be routed through hotmail.com,
> but doesn't have an SPF signature, so I don't really understand.
> Here's an example:
>
> http://pastebin.com/Lg63Xek4
>
> I've trained probably 50 of these, yet they still have BAYES_50.
>
> How is this routed through hotmail like this?
>
> Ideas for better training and other rules?
>
> Thanks,
> Alex
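
Because the /24 list in a rule like the one above changes weekly and is maintained by hand, one way to regenerate it from a plain list of prefixes is sketched here. This is an added example, not part of the original post: the function names and the sample list are assumptions, with the prefixes taken from the posted rule. It rejects any entry with an octet above 255 and collapses duplicates before emitting the header and score lines.

```python
import re

# A /24 prefix is three dotted decimal octets, with an optional trailing dot.
PREFIX_RE = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.?")

def parse_prefix(text):
    """Return a /24 prefix as a tuple of three ints, or None if malformed."""
    m = PREFIX_RE.fullmatch(text.strip())
    if not m:
        return None
    octets = tuple(int(g) for g in m.groups())
    return octets if all(o <= 255 for o in octets) else None

def build_pattern(prefixes):
    """Validate, de-duplicate and sort prefixes; return (regex, rejected)."""
    good, rejected = set(), []
    for raw in prefixes:
        p = parse_prefix(raw)
        if p is None:
            rejected.append(raw)
        else:
            good.add(p)
    if not good:
        # An empty alternation would match every bracketed address.
        raise ValueError("no valid /24 prefixes supplied")
    alts = "|".join(r"\.".join(map(str, p)) + r"\." for p in sorted(good))
    return r"\[(?:" + alts + ")", rejected

def build_rule(name, prefixes, score):
    """Return the SpamAssassin header and score lines, plus rejected entries."""
    pattern, rejected = build_pattern(prefixes)
    rule = f"header {name} X-Originating-IP =~ /{pattern}/\nscore {name} {score:.1f}"
    return rule, rejected

def header_matches(prefixes, header_value):
    """Check a header value against the generated pattern (Python re engine)."""
    pattern, _ = build_pattern(prefixes)
    return re.search(pattern, header_value) is not None

# Constructed sample list using values from the posted rule: three prefixes,
# one duplicate, and one entry with an impossible octet.
SAMPLE = ["64.72.122", "64.72.123.", "64.72.124", "64.72.122", "77.722.30"]

if __name__ == "__main__":
    rule, rejected = build_rule("TBI_HOTMAIL_IP9", SAMPLE, 4.0)
    print(rule)
    print("rejected:", rejected)
```

The rejected list is worth reviewing before deploying the rule, since a mistyped prefix never matches and silently leaves a gap.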