Hi, I'm hoping someone can help me with a rule to catch URI spam variation from freemail domains:
http://pastebin.com/SkrKykYj

This one is another URL shortener. How is this class of redirection spam being stopped by everyone these days? I've tried to adapt the ones I have, but this is very generic. I guess it's so generic that it has a lot of similarities with valid Hotmail email, thus causing BAYES_50?

How are these messages being sent? Through compromised legitimate Hotmail accounts? Someone from a remote network connects to Hotmail via SMTP directly, authorizes themselves as a user of a compromised account (SMTP auth?), then pipes their spam through their server as that user?

Thanks,
Alex