> 1) Spammers rotate sender addresses and hijacked account info more
> often than most of us change our underwear. An account *may* get
> reused; chances are it'll be months before it does, and the spammers
> will have rotated through hundreds or thousands of others - both
> phish-cracked and those set up just to send their junk. Blacklisting a
> sender is reduced to blocking the persistent friend-of-a-friend who
> refuses to remove you from the endless stream of chain-forwards, and
> legitimate-but-totally-clueless mailing list operators who can't figure
> out how to unsubscribe you from their list. :(
>
> 2) You noted originally that these appear to be fully legitimate
> freemail accounts, legitimately used in the past to correspond with your
> customers/clients, that have been compromised and then used to send
> spam. How do you propose to still allow the legitimate account holders
> to email your clients if you blacklist the sender?
>

I don't want to blacklist the address, hence the reason why in my original e-mail I said "other than blacklisting". I know blacklisting would block these bogus e-mails as well as legit e-mails as soon as the clients get access back (they currently don't have access to their accounts because their passwords have been changed).

>
> Martin's suggestion followup should point you in the right direction.
> Sets of phrase rules (how similar are these messages? do you have ten
> or fifteen you can compare sentence-by-sentence?) with low scores will
> likely help some too. Meta rules that bump the score up depending on
> how many phrases hit, or phrase+mismatched-sender/reply also work
> tolerably well on this class of spam... if you can get enough samples to
> build a complete enough set of phrase rules.

I'm going to look at what Martin suggested and compare it to what samples I have.

Thanks,

--Dennis
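The phrase-plus-meta approach described in the quoted reply, sketched as a SpamAssassin `local.cf` fragment. This is an added example, not rules posted by anyone in the thread: the `LOCAL_*` rule names, the phrases and the scores are all constructed placeholders, and it assumes the stock FreeMail plugin is loaded so that its `FREEMAIL_REPLYTO` rule is available.

```conf
# Constructed placeholder phrases: replace them with wording that recurs
# across your own samples when compared sentence by sentence.
body     LOCAL_PH_1   /\bsorry to bother you with this\b/i
describe LOCAL_PH_1   Sample phrase 1 (constructed placeholder)
score    LOCAL_PH_1   0.3

body     LOCAL_PH_2   /\bi need a quick favou?r\b/i
describe LOCAL_PH_2   Sample phrase 2 (constructed placeholder)
score    LOCAL_PH_2   0.3

body     LOCAL_PH_3   /\bplease keep this between us\b/i
describe LOCAL_PH_3   Sample phrase 3 (constructed placeholder)
score    LOCAL_PH_3   0.3

body     LOCAL_PH_4   /\bi will explain everything later\b/i
describe LOCAL_PH_4   Sample phrase 4 (constructed placeholder)
score    LOCAL_PH_4   0.3

# Each phrase alone is weak evidence, so it scores low. The meta rules
# add weight as more of them hit in the same message.
meta     LOCAL_PH_MULTI2  (LOCAL_PH_1 + LOCAL_PH_2 + LOCAL_PH_3 + LOCAL_PH_4 >= 2)
describe LOCAL_PH_MULTI2  Two or more sample phrases hit
score    LOCAL_PH_MULTI2  1.0

meta     LOCAL_PH_MULTI3  (LOCAL_PH_1 + LOCAL_PH_2 + LOCAL_PH_3 + LOCAL_PH_4 >= 3)
describe LOCAL_PH_MULTI3  Three or more sample phrases hit
score    LOCAL_PH_MULTI3  1.5

# Phrase + mismatched sender/reply: any phrase hit combined with the
# FreeMail plugin's Reply-To mismatch rule (assumed to be enabled).
meta     LOCAL_PH_REPLYTO ((LOCAL_PH_1 + LOCAL_PH_2 + LOCAL_PH_3 + LOCAL_PH_4 >= 1) && FREEMAIL_REPLYTO)
describe LOCAL_PH_REPLYTO Sample phrase plus freemail Reply-To mismatch
score    LOCAL_PH_REPLYTO 1.5
```

Because nothing here keys on the sender address, mail from the legitimate account holders is unaffected once they regain access. Run `spamassassin --lint` after editing to catch syntax errors before the rules go live.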