On 05/26/2010 09:33 PM, Lennart Johansson wrote:
My first post, please don't kill me for doing some things wrong.
I see quite a few of these from hotmail originating from China.
http://pastebin.com/q308E7ZG
SA score:
not cached, result=0.002, krav 4, autolearn=not spam

Score  Matching Rule  Description
0.00   BAYES_50       Bayesian spam probability is 40 to 60%
0.00   HTML_MESSAGE   HTML included in message
Perhaps this is simple to detect if you know how to write the right rule, but I
don't.
Right now it scores very low, and I try to learn SA to detect.
Anybody got any suggestion how to catch them directly?
Best regards
/Lelle
I mostly catch these with Bayes training. Your example hit BAYES_95 here.
I also score all mail FROM hotmail.com (2-3 points) and then whitelist
legitimate hotmail senders. Hotmail are not too big to block here and I'm
sick of the crap they spew.
Finally,
X-Originating-IP: [123.161.74.4]
is listed in Spamhaus (SPL) and I deep parse headers so I got a hit on this.
Unfortunately you can't simply write a rule to combine From Hotmail and
has any URI as all mail from Hotmail has a URI in the footer.
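
The checks described in the reply above (score Hotmail senders unless whitelisted, and look up the X-Originating-IP header in a DNSBL), sketched as an added example that is not part of the original thread and is not SpamAssassin code. The zone name, the score values and the whitelist entry are assumptions; the sample message is constructed around the IP quoted in the post.

```python
import ipaddress
import socket
from email import message_from_string
from email.utils import parseaddr

DNSBL_ZONE = "zen.spamhaus.org"     # assumption: the post only says "Spamhaus"
HOTMAIL_SCORE = 2.5                 # the post scores Hotmail mail 2-3 points
DNSBL_SCORE = 3.0                   # assumption: illustrative value
WHITELIST = {"friend@hotmail.com"}  # constructed: known-good Hotmail senders

def originating_ip(msg):
    """Return the IPv4 address in X-Originating-IP, or None if absent/invalid."""
    raw = msg.get("X-Originating-IP", "").strip().strip("[]")
    try:
        return ipaddress.IPv4Address(raw)
    except ipaddress.AddressValueError:
        return None

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: octets reversed, zone appended."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def dns_listed(name):
    """Listed means a 127.0.0.x answer; NXDOMAIN or a resolver error means not listed."""
    try:
        return socket.gethostbyname(name).startswith("127.0.0.")
    except OSError:
        return False

def score(raw_message, lookup=dns_listed):
    """Return (total score, rule names hit) for one raw message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    total, hits = 0.0, []
    if sender.endswith("@hotmail.com") and sender not in WHITELIST:
        total += HOTMAIL_SCORE
        hits.append("FROM_HOTMAIL")
    ip = originating_ip(msg)
    if ip is not None and lookup(dnsbl_name(ip)):
        total += DNSBL_SCORE
        hits.append("ORIG_IP_DNSBL")
    return total, hits

# Constructed sample message; only the IP comes from the post.
SAMPLE = """From: someone <someone@hotmail.com>
X-Originating-IP: [123.161.74.4]
Subject: constructed sample

body
"""
```

Pass a stub as `lookup` to exercise the scoring offline; the default performs a live DNS query.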