I have also noticed a lot of emails coming from valid domain services.  I
have also noticed many of the stolen accounts are used to authenticate with
my blog posting engine to post spam to my blogs.  It never reaches the blog
because I approve each entry, but it's been happening with increased
frequency.

The truth is, this is not a new trick, it comes and goes.  Your real
protection is in the bayes rules and making sure you do not whitelist a
service like these.

If it helps... to assist with users who have accounts on gmail (or any
domain) who are sending email to internal customers, I apply an outbound
hidden line of text in every email that amounts to code.  If the code is
seen in a reply, the email is given a -100 score, thus reducing false
positives for replied messages.  It also ensures the conversation will most
likely not be interrupted.  It's not 100% all the time since some users'
clients delete replied sections of the email, but it does help.

body BK_RespondedTo /\bxXYyzb262011qa\b/i
score BK_RespondedTo -100.0

I think adding a rule as you suggest will only end up causing more false
positives.

-Brent

-----Original Message-----
From: David [mailto:wiki.apache....@spam.lublink.net] 
Sent: Monday, April 04, 2011 11:36 AM
To: users@spamassassin.apache.org
Subject: Hijacked email accounts

Hello,

I have noticed that recently almost all spam that makes it past my spam
filters comes from hijacked email accounts. Usually on services like
hotmail and yahoo (sometimes from .com, sometimes from country-specific
domains).

I wonder if perhaps a rule in spamassassin should add between 0.5 and 
1.5 to the spam rating when it comes from a free webmail service like 
hotmail and yahoo.

David
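
Added example, not part of either message above: a sketch of the outbound-token idea from the reply. It goes beyond the fixed string by using a dated HMAC token, so a token copied out of one message stops matching once the window has passed, and it renders the matching body/score rule pair. The secret, the "xk" prefix, the 30-day window and all function names are assumptions.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

SECRET = b"constructed-demo-secret"   # assumption: a site-local secret key
RULE = "BK_RespondedTo"               # rule name taken from the post
MAX_AGE_DAYS = 30                     # assumption: how long replies stay trusted


def make_token(day, secret=SECRET):
    """Token for mail sent on `day`: prefix + date + truncated HMAC-SHA256."""
    stamp = day.strftime("%Y%m%d")
    mac = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()[:16]
    return f"xk{stamp}{mac}"


def tag_outbound(body, day):
    """Append the token as its own line at the end of an outgoing body."""
    return body.rstrip("\n") + "\n\n" + make_token(day) + "\n"


def valid_tokens(today, max_age=MAX_AGE_DAYS):
    """Every token still accepted on `today`, newest first."""
    return [make_token(today - timedelta(days=n)) for n in range(max_age + 1)]


def token_pattern(today):
    """Regex source shared by the generated rule and the local check."""
    return r"\b(?:" + "|".join(valid_tokens(today)) + r")\b"


def sa_rules(today, score=-100.0):
    """Render the body/score pair in the same form as the rule in the post."""
    return (f"body {RULE} /{token_pattern(today)}/i\n"
            f"score {RULE} {score}\n")


def reply_is_trusted(body, today):
    """Local equivalent of the generated rule, useful for testing."""
    return re.search(token_pattern(today), body, re.I) is not None


if __name__ == "__main__":
    sent = date(2011, 4, 4)           # constructed sample date
    print(tag_outbound("Thanks, see you Tuesday.", sent))
    print(sa_rules(sent)[:100] + "...")
```

The rule text has to be regenerated daily (for example from cron) so that the newest token is accepted and the oldest one drops out.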
