Hi,

>> http://pastebin.com/raw.php?i=1Y5QCkfh
>> http://pastebin.com/raw.php?i=KdmZXM0d
>
> give dkim invalid positive score if it was not pass on received ?
>
> add sbcglobal.net to freemail_domains
>
> add sanjit.in to local.cf url rule

Thanks for your help. I should have been more clear about what I've already done to prevent these.

I've already created some simple rules, including a local URIBL, that blocks these once they have been identified. They used to contain a unique pattern in the HTML component of the email, but they're only including a text content type now.

What I haven't been able to figure out is a more generalized pattern from these, such as something in the header that is inconsistent with non-spam or contains some type of invalid header data, such as the mismatch between having originated at yahoo but being sent as sbcglobal?

Shouldn't Bayes have picked this up after learning a dozen or more of these?

Is it safe to assume this is part of a botnet? Perhaps someone else has discovered these on their network, and has identified a class of IPs that can be determined to be the source?

Thanks again,
Alex