Are you running a centralized Bayes with some honeypot addresses feeding it?
A search of your messages log should give you plenty of bogus email addresses that the botnet has been probing for on your system. Pick some of the obvious ones and set them up as feeders to Bayes and that should take care of this.
Ted

On 6/26/2015 9:33 AM, Alex Regan wrote:

Hi,

I have one system with greylisting enabled and another that hasn't yet been enabled. On the system without it, I'm receiving a ton of random spam that hits bayes99 but pretty much nothing else.

http://pastebin.com/FzUkEvRp

It all seems to be related to the same botnet because it has these random URLs to .gov sites in them, trying to legitimize its contents.

Any ideas for a rule or pattern that would block these more generally than for just this specific version? I'm sure it would now be on all the RBLs and be blocked, but I'd like to know if there's something in the header or something else that can be done to block all the random versions of this without having to write body rules for each version.

I can supply other versions if needed...

Thanks,
Alex
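
The log search suggested in the reply, sketched as an added example that is not part of the original thread: it pulls rejected unknown recipients out of the mail log and ranks the ones probed repeatedly from several hosts as honeypot candidates. The Postfix reject format, the `honeypot_candidates` name, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Postfix smtpd "User unknown" rejects; adapt the pattern to your MTA.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample log lines (example.com and documentation IP ranges only).
_LINE = ("Jun 26 09:{m:02d}:01 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from "
         "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown "
         "in local recipient table; from=<s@sender.invalid> to=<{rcpt}> proto=ESMTP")
_PROBES = [
    ("203.0.113.5", "jsmith123@example.com"),
    ("198.51.100.7", "JSmith123@example.com"),
    ("192.0.2.44", "jsmith123@example.com"),
    ("203.0.113.5", "sales-old@example.com"),
    ("203.0.113.5", "sales-old@example.com"),
    ("203.0.113.5", "sales-old@example.com"),
    ("192.0.2.10", "alxe@example.com"),  # one-off typo of a real user
]
SAMPLE_LOG = [_LINE.format(m=i, ip=ip, rcpt=r) for i, (ip, r) in enumerate(_PROBES)]
SAMPLE_LOG.append("Jun 26 09:30:00 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]")


def honeypot_candidates(lines, local_domains, min_hits=3, min_sources=2):
    """Return (address, hits, distinct_sources) for unknown local recipients
    probed at least min_hits times from at least min_sources client IPs."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        rcpt = m.group("rcpt").lower()
        if rcpt.rpartition("@")[2] not in local_domains:
            continue  # ignore rejects for domains this server does not host
        hits[rcpt] += 1
        sources[rcpt].add(m.group("ip"))
    picked = [(r, hits[r], len(sources[r])) for r in hits
              if hits[r] >= min_hits and len(sources[r]) >= min_sources]
    # Most-probed first; requiring several sources keeps a lone sender's typo
    # of a real mailbox from becoming a spam-training feed.
    return sorted(picked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for addr, n, srcs in honeypot_candidates(SAMPLE_LOG, {"example.com"}):
        print(f"{addr}\t{n} rejects\t{srcs} sources")
```

Check the resulting list against current and former real mailboxes before turning any address into a Bayes feeder, since mail sent to a retired but once-valid address may still be legitimate.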