On Thu, 2010-03-11 at 07:55 -0600, Dennis B. Hopp wrote:
> > 1) Spammers rotate sender addresses and hijacked account info more
> > often than most of us change our underwear. An account *may* get
> > reused; chances are it'll be months before it does, and the spammers
> > will have rotated through hundreds or thousands of others - both
> > phish-cracked and those set up just to send their junk. Blacklisting a
> > sender is reduced to blocking the persistent friend-of-a-friend who
> > refuses to remove you from the endless stream of chain-forwards, and
> > legitimate-but-totally-clueless mailing list operators who can't figure
> > out how to unsubscribe you from their list. :(
> >
> > 2) You noted originally that these appear to be fully legitimate
> > freemail accounts, legitimately used in the past to correspond with your
> > customers/clients, that have been compromised and then used to send
> > spam. How do you propose to still allow the legitimate account holders
> > to email your clients if you blacklist the sender?
> >
>
> I don't want to blacklist the address, hence the reason why in my
> original e-mail I said "other than blacklisting". I know blacklisting
> would block these bogus e-mails as well as legit e-mails as soon as the
> clients get access back (they currently don't have access to their
> accounts because their passwords have been changed).
>
>
> >
> > Martin's suggestion followup should point you in the right direction.
> > Sets of phrase rules (how similar are these messages? do you have ten
> > or fifteen you can compare sentence-by-sentence?) with low scores will
> > likely help some too. Meta rules that bump the score up depending on
> > how many phrases hit, or phrase+mismatched-sender/reply also work
> > tolerably well on this class of spam... if you can get enough samples to
> > build a complete enough set of phrase rules.
>
> I'm going to look at what Martin suggested and compare it to what
> samples I have.
>
> Thanks,
>
> --Dennis
>

Don't miss the major key in the body - that is 'Western Union'. I don't know how much legitimate business you do with WU (or Moneygram for that matter) but it may well be worthy of a half decent score.
>
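The approach discussed in this thread (low-scoring phrase rules, a meta rule that adds score as more phrases hit, and a phrase combined with a mismatched sender/Reply-To), sketched as an added example that is not from any participant in the thread. It assumes SpamAssassin rule syntax in `local.cf` and that the FreeMail plugin, which provides the stock `FREEMAIL_REPLYTO` rule, is loaded; all `LCL_` rule names are hypothetical, and the phrases other than "Western Union"/"Moneygram" and all scores are constructed placeholders to be replaced with phrases taken from your own samples.

```conf
# Added example, not from the thread. Assumes SpamAssassin with the
# FreeMail plugin loaded. LCL_* names are hypothetical; phrases other
# than the money-transfer names are constructed placeholders.

# --- The 'Western Union' key: scored on its own ----------------------
body     LCL_MONEY_XFER     /\b(?:Western\s+Union|Money\s?gram)\b/i
describe LCL_MONEY_XFER     Body mentions a money transfer service
score    LCL_MONEY_XFER     1.5

# --- Phrase sub-rules: the __ prefix means no score of their own -----
# Build these from sentences that recur across your collected samples.
body     __LCL_PHRASE_1     /\bplaceholder phrase one\b/i
body     __LCL_PHRASE_2     /\bplaceholder phrase two\b/i
body     __LCL_PHRASE_3     /\bplaceholder phrase three\b/i
body     __LCL_PHRASE_4     /\bplaceholder phrase four\b/i

# --- Meta rules: score rises with the number of phrases that hit -----
# Both rules fire when three or more phrases match, so their scores
# add up (1.0 + 1.5) for the closest matches to the sample set.
meta     LCL_PHRASES_2      (__LCL_PHRASE_1 + __LCL_PHRASE_2 + __LCL_PHRASE_3 + __LCL_PHRASE_4) >= 2
describe LCL_PHRASES_2      Two or more known scam phrases in body
score    LCL_PHRASES_2      1.0

meta     LCL_PHRASES_3      (__LCL_PHRASE_1 + __LCL_PHRASE_2 + __LCL_PHRASE_3 + __LCL_PHRASE_4) >= 3
describe LCL_PHRASES_3      Three or more known scam phrases in body
score    LCL_PHRASES_3      1.5

# --- Phrase + mismatched sender/reply ---------------------------------
# FREEMAIL_REPLYTO is the stock FreeMail rule for a Reply-To freemail
# address that differs from the From address. Pairing it with the
# money-transfer hit leaves ordinary mail from the account holder,
# which has no such Reply-To, unaffected by this rule.
meta     LCL_XFER_REPLYTO   (LCL_MONEY_XFER && FREEMAIL_REPLYTO)
describe LCL_XFER_REPLYTO   Money transfer mention with differing freemail Reply-To
score    LCL_XFER_REPLYTO   2.0
```

Running `spamassassin --lint` after editing catches syntax errors before the rules go live.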