On Thu, 2014-08-07 at 17:14 +0100, emailitis.com wrote:
> I have had a fair number of VERY similar Spam emails that are all
> about comparing prices.  I have put a number in a pastebin below.

We need full, raw samples. Those are mostly just headers with the raw
body missing (multipart/alternative, thus most likely HTML and plain
text versions).

The blobs including a body-ish part appear to be copied from your MUA's
rendered display.


> They all seem to be originating from Fasthosts in UK which I cannot
> really blacklist in entirety.
> 
> Can anyone suggest how to block it with a Spamassassin rule?

First impression thought was to match on that List-Unsubscribe header's
domain. On second thought, bad idea, since cloudapp.net is MS Azure, not
the spammer's domain.

Still, that might make for an easy rule. That unsub link includes some
campaign, recipient, etc identifying numbers. And one that most likely
identifies the sender, identical in all 7 samples.

  header AZURE_BAD_CUSTOMER  List-Unsubscribe =~ /email-delivery\.cloudapp\.net\/sender\/box\.php\?.*s=bfa2e2429e7a4f0b0993c32a75aebc0e/

Note: This is only assuming the s value identifies the campaign's sender
and misbehaving Azure customer.

The body most certainly contains links with very similar structure.


> http://pastebin.com/B9YqTsvZ
> 
> I had tried to create something from a meta rule, but that has not
> worked so far: 
> 
> body __CGK_CLOUDAPP_1 /cloudapp/i
> body __CGK_CLOUDAPP_2 /\bCompare\b/i
> meta CGK_CLOUDAPP (( __CGK_CLOUDAPP_1 +  __CGK_CLOUDAPP_2) > 1)

No surprise. There is no "cloudapp" string in the body at all, according
to your two formatted samples.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

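
An added example, not part of the original message: a Python approximation of the two checks discussed above, run against a constructed sample. It goes slightly beyond the posted regex by parsing the unsubscribe URL's query string, so the s value is compared exactly whatever the parameter order; only the host, path and s value come from the thread, while the c and r parameter names, the addresses and the body text are invented.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Sender token quoted in the header rule from the thread.
BAD_SENDER = "bfa2e2429e7a4f0b0993c32a75aebc0e"
AZURE_HOST = "email-delivery.cloudapp.net"

# Constructed sample message (not one of the pastebin samples).
SAMPLE = """\
From: Deals <news@example.com>
To: user@example.org
Subject: Compare prices today
List-Unsubscribe: <http://email-delivery.cloudapp.net/sender/box.php?c=101&r=2002&s=bfa2e2429e7a4f0b0993c32a75aebc0e>
Content-Type: text/plain

Compare prices and save on your renewal.
"""

def unsub_sender_tokens(raw):
    """Return every s= value from List-Unsubscribe URLs on the Azure host."""
    msg = message_from_string(raw)
    tokens = []
    for value in msg.get_all("List-Unsubscribe", []):
        for url in re.findall(r"<(https?://[^>]+)>", value):
            parts = urlsplit(url)
            if parts.hostname == AZURE_HOST and parts.path == "/sender/box.php":
                tokens += parse_qs(parts.query).get("s", [])
    return tokens

def header_rule_hits(raw):
    """Header check: flag the one sender token, not the shared Azure domain."""
    return BAD_SENDER in unsub_sender_tokens(raw)

def body_meta_hits(raw):
    """Approximate the quoted meta rule: both body patterns must match."""
    body = message_from_string(raw).get_payload()
    hits = bool(re.search(r"cloudapp", body, re.I)) \
         + bool(re.search(r"\bCompare\b", body, re.I))
    return hits > 1

if __name__ == "__main__":
    print("header rule:", header_rule_hits(SAMPLE))   # token is in the header
    print("body meta:  ", body_meta_hits(SAMPLE))     # "cloudapp" never in body
```

The body meta rule stays silent because "cloudapp" appears only in the header, which is why the header rule is the one that fires.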