Sounds like a case of http://www.gossamer-threads.com/lists/spamassassin/users/187586
You might be able to find the rule mentioned here: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/

On 10 September 2014 07:38, Bob Proulx <b...@proulx.com> wrote:
> I am helping a friend who is getting hit with a lot of spam. He is
> running SpamAssassin. While looking at the spam that he is receiving
> I am seeing a pattern in the headers. Along with the normal headers
> the messages also contain a random set of "random" headers. Here are
> just the pattern headers from the message.
>
> Spam 1:
> Martian-Scurf: d4b0a3f064bc16518af081b52350787f9442861
> Gonad-Marfa: 9442861.d4b0a3f064bc16518af081b52350787f.9442861
> Diamant-Hop:
>   d4b0a3f064bc16518af081b52350787f22464616.9442861d4b0a3f064bc16518af
> Mutiny-Tardo: 22464616-22464616
> Odinist-Gawsy: d4b0a3f064bc16518af081b52350787f-22464616
> Pennant-Agape: 9442861-22464616
>
> Spam 2:
> Mispage-Slav: 16035617
> Irra-Etna: 9493147
> Brigand-Parry: 1603561716035617
> Peatier-Fthm: d4b0a3f064bc16518af081b52350787f
>
> Spam 3:
> Penang-Titan: d4b0a3f064bc16518af081b52350787f12517557
> Imbrue-Gaol: 12517557.12517557
> Tousle-Zany: d4b0a3f064bc16518af081b52350787f
> Callie-Scale: 19474509.19474509
>
> Spam 4:
> Felda-Elayl: 1-15546426
> Bluma-Spoom: 15546426-14093545455-9801
> Prs-Cathy: 14093545-ag84js-dk3k32
> Quest-Argue: 0.a4-052.15546426
>
> You get the idea. I have 187 spams from a recent burst like this.
>
> Here is a more complete header example. I am not showing my buddy's
> address intentionally so redacted the To: line but all of the other
> headers are there.
>
> http://pastebin.com/0jmiDBt1
>
> And here is a full sample. Notice how the header data is repeated in
> the message body.
>
> http://pastebin.com/0Ga7g0UX
>
> Looking at the headers by eye and flipping from message to message it
> is pretty easy to visually see the pattern that is created.
>
> Is there a way to use this to create a SpamAssassin rule to try to
> catch this type of spam?
>
> Thanks,
> Bob
>
> P.S. Note that if I run these through my Bayes my database almost
> always scores them quite high. But on his, not so much. Improving
> his Bayes training will help. But the pattern seems ripe too.
>
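
The header pattern described in the quoted message, expressed as detection logic in Python. This is an added example: it is not part of the thread and is not the SpamAssassin rule the reply points to. The `KNOWN` list, the thresholds and the function names are assumptions, and the two sample messages are constructed (the spam one from the "Spam 2" headers quoted above).

```python
import re
from email import message_from_string

# Header name shaped like the samples: two capitalised words joined by a hyphen.
NAME_RE = re.compile(r"^[A-Z][a-z]+-[A-Z][a-z]+$")
# Value with at least one digit, made of lowercase alphanumeric runs joined by '.' or '-'.
VALUE_RE = re.compile(r"^(?=.*\d)[0-9a-z]+(?:[.-][0-9a-z]+)*$")
# Legitimate headers that fit the same shape and must not be counted (assumed list).
KNOWN = {"mime-version", "content-length", "message-id", "content-type", "reply-to"}


def pattern_headers(raw):
    """Return (name, value) pairs for headers that fit the burst's shape."""
    hits = []
    for name, value in message_from_string(raw).items():
        value = "".join(value.split())  # undo folding, as in the Diamant-Hop sample
        if name.lower() in KNOWN:
            continue
        if NAME_RE.match(name) and VALUE_RE.match(value):
            hits.append((name, value))
    return hits


def looks_like_burst(raw, min_headers=3, min_token=6):
    """True when enough such headers exist and one reuses another's token."""
    hits = pattern_headers(raw)
    if len(hits) < min_headers:
        return False
    for i, (_, value) in enumerate(hits):
        for token in re.split(r"[.-]", value):
            if len(token) < min_token:
                continue  # short tokens such as "1" or "a4" match by chance
            if any(token in other for j, (_, other) in enumerate(hits) if j != i):
                return True
    return False


# Constructed sample: "Spam 2" headers from the post plus made-up ordinary headers.
SPAM = (
    "From: sender@example.com\nMime-Version: 1.0\nSubject: hello\n"
    "Mispage-Slav: 16035617\nIrra-Etna: 9493147\n"
    "Brigand-Parry: 1603561716035617\n"
    "Peatier-Fthm: d4b0a3f064bc16518af081b52350787f\n\nbody\n"
)
# Constructed ordinary message whose headers share the shape but not the pattern.
HAM = (
    "From: sender@example.com\nMime-Version: 1.0\nContent-Length: 1234\n"
    "Message-Id: <1234@example.com>\nSubject: hello\n\nbody\n"
)
```

The substring test catches reuse by concatenation, as in `Brigand-Parry` above, which a plain token comparison would miss.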