Hi,

> Would someone put some samples of Yahoo single link spam on PasteBin.
>
> I am trying to test my rules and I seem to be missing some of the
> variations.
>
> Here's an example: it is the message I developed the following rule
> against: http://pastebin.com/VRvtDfER
>
> I've obfuscated all e-mail addresses in it and verified that my rule
> catches the obfuscated version. The rule is this:
>
> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
> header __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
> header __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
> meta MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
> score MG_YAHOO_FS 50
>

Some time ago Martin posted his rules for blocking yahoo link spam, and it's been working relatively well for my system. However, I'm now noticing a number of FPs that are "From" bellsouth.net addresses but pass through yahoo servers. They have DKIM and DomainKey signatures from bellsouth, yet otherwise appear to have no association with bellsouth.net.

Is it just possible that bellsouth is using yahoo's servers? If so, could there be other "affiliates" that use yahoo that could also cause FPs?

What would you suggest for fixing the FPs in terms of this rule? Just add bellsouth.net to the "From" header check?

Are people still seeing yahoo link spam, and are you using this rule to block them? I'm still seeing a bit of spam with only a link in the body with v3.3.2 that I can't block. I'd appreciate any input someone might have to help with this until I can upgrade to a 3.4 snapshot.

Thanks,
Alex
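
A small test harness for the rule quoted above, added here as an example and not part of the original message: it applies the two header tests to constructed headers, reproduces the bellsouth.net false positive, and shows one possible exemption that compares the parsed From address domain against a partner list. `PARTNER_DOMAINS`, the function names and the sample headers are assumptions; only bellsouth.net comes from the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The two sub-rules of the quoted MG_YAHOO_FS rule, as Python regexes.
MSGID_YAHOO = re.compile(r"yahoo\.com>$")          # __MG_YAHFS1
FROM_YAHOO = re.compile(r"yahoo\.(com|co\.uk)")    # __MG_YAHFS2

# Assumption: domains whose legitimate mail carries a Yahoo Message-ID.
# Only bellsouth.net is named in the message; confirm others from your own logs.
PARTNER_DOMAINS = {"bellsouth.net"}

def original_rule(msg):
    """MG_YAHOO_FS as posted: Yahoo Message-ID and no Yahoo From."""
    msgid = (msg.get("Message-ID") or "").strip()
    from_hdr = msg.get("From") or ""
    return bool(MSGID_YAHOO.search(msgid)) and not FROM_YAHOO.search(from_hdr)

def relaxed_rule(msg):
    """Same rule, but exempt senders whose address domain is a listed partner.

    The exemption uses the parsed address, so a partner name that appears
    only in the display name does not suppress the rule.
    """
    if not original_rule(msg):
        return False
    address = parseaddr(msg.get("From") or "")[1]
    domain = address.rpartition("@")[2].lower()
    return domain not in PARTNER_DOMAINS

# Constructed sample headers, not taken from real mail.
SAMPLES = {
    "yahoo_user": "From: A <a@yahoo.com>\nMessage-ID: <1.qm@web1.mail.yahoo.com>\n\nx\n",
    "forged": "From: B <b@example.org>\nMessage-ID: <2.qm@web2.mail.yahoo.com>\n\nx\n",
    "partner": "From: C <c@bellsouth.net>\nMessage-ID: <3.qm@web3.mail.yahoo.com>\n\nx\n",
    "name_only": 'From: "bellsouth.net" <d@example.org>\n'
                 "Message-ID: <4.qm@web4.mail.yahoo.com>\n\nx\n",
}

def evaluate(samples=SAMPLES):
    """Return {name: (original_rule hit, relaxed_rule hit)} for each sample."""
    results = {}
    for name, raw in samples.items():
        msg = message_from_string(raw)
        results[name] = (original_rule(msg), relaxed_rule(msg))
    return results

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:10s} original={hits[0]} relaxed={hits[1]}")
```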