On Fri, 2013-02-22 at 12:20 -0800, Marc Perkel wrote:
> We need a rule to catch this. It looks like more data than it is but 
> it's really little more than a single link. Like to see a rule that 
> identifies it.
> 
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/plain; charset=us-ascii
> 
>  http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh
> 
> Lisa Tostado, ND
> 
> 
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/html; charset=us-ascii
> 
> <html><body><div style="color:#000; background-color:#fff; font-family:times 
> new roman, new york, times, serif;font-size:14pt"><span style="font-family: 
> bookman old style,new york,times,serif;"><span style="font-size: 
> 16px;">&nbsp;</span></span><a 
> href="http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh";>http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh</a><br><br>Lisa
>  Tostado, ND<br><div><br></div></div></body></html>
> ---262101065-1882747875-1361559395=:62570--
> 
> 
Unless I've had a run of anomalous Yahoo spam, I think I've spotted a
rule that can catch a lot of it. Here's my version:

# 
# Yahoo message-ID but sender not Yahoo.
#
describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/ 
header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/ 
meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
score    MG_YAHOO_FS 50


I've noticed that very much spam coming from Yahoo does not have a Yahoo
sender address. A significant proportion of my spam stream comes with
forged senders that pretend membership of mailing lists I'm subscribed
to and that are automatically whitelisted by my system: the high score
is there to counter this whitelisting.


Martin
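
Added example, not part of Martin's message or of SpamAssassin: a Python approximation of the MG_YAHOO_FS meta rule above, run over constructed headers to show which senders it hits. The sample addresses, the Message-ID value and the helper names are assumptions made for illustration.

```python
import re
from email import message_from_string

# The two sub-rules from the message above, rewritten as Python regexes.
YAHFS1 = re.compile(r"yahoo\.com>$")         # __MG_YAHFS1, tested on Message-ID
YAHFS2 = re.compile(r"yahoo\.(com|co\.uk)")  # __MG_YAHFS2, tested on From

def mg_yahoo_fs(raw_message):
    """Approximate the meta rule: __MG_YAHFS1 && ! __MG_YAHFS2."""
    msg = message_from_string(raw_message)
    msgid = (msg.get("Message-ID") or "").strip()
    sender = (msg.get("From") or "").strip()
    return bool(YAHFS1.search(msgid)) and not YAHFS2.search(sender)

def build(msgid, sender):
    """Assemble a minimal message with only the headers the rule reads."""
    return f"From: {sender}\nMessage-ID: {msgid}\nSubject: test\n\nbody\n"

# Constructed sample headers (not taken from real mail).
YAHOO_ID = "<1361559395.62570.sample@web0.mail.yahoo.com>"
SAMPLES = {
    "yahoo id, list-style sender":
        build(YAHOO_ID, "Some List <list-member@example.org>"),
    "yahoo id, yahoo.com sender":
        build(YAHOO_ID, "Lisa <lisa@yahoo.com>"),
    "yahoo id, yahoo.de sender":
        build(YAHOO_ID, "Lisa <lisa@yahoo.de>"),
    "yahoo id, yahoo.com in display name only":
        build(YAHOO_ID, '"lisa@yahoo.com" <lisa@example.net>'),
    "non-yahoo id, non-yahoo sender":
        build("<abc123@mail.example.org>", "Bob <bob@example.org>"),
}

def run_samples():
    """Return {sample name: True if MG_YAHOO_FS would fire}."""
    return {name: mg_yahoo_fs(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'HIT ' if hit else 'miss'}  {name}")
```

The yahoo.de sample fires because the From pattern lists only yahoo.com and yahoo.co.uk, which matters at a score of 50. The display-name sample does not fire because the pattern is tested against the whole From header; SpamAssassin's From:addr form limits the match to the address.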

