Stopping hotmail relayers

Randal, Phil prandal at herefordshire.gov.uk
Mon Oct 8 10:37:02 IST 2007


Many of the spams originating from hotmail addresses here have a
Reply-To: address in a yahoo domain.

The following rule hits only spam here:

header    __HC_FROM_HOTMAIL	From =~ /\@hotmail\./
describe  __HC_FROM_HOTMAIL	email From hotmail user

header    __HC_REPLY_YAHOO	Reply-To =~ /\@yahoo\./
describe  __HC_REPLY_YAHOO	Reply-To yahoo user

meta	    HC_HOTMAIL_YAHOO	( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO )
describe  HC_HOTMAIL_YAHOO	From hotmail, reply to Yahoo
score	    HC_HOTMAIL_YAHOO	20

I suspect the rule can be tweaked to score Reply-To's to yahoo
positively by themselves, but that will hit both ham and spam.  If
you're adventurous try this and then tweak the scores:

header    __HC_FROM_HOTMAIL	From =~ /\@hotmail\./
describe  __HC_FROM_HOTMAIL	email From hotmail user

header    HC_REPLY_YAHOO	Reply-To =~ /\@yahoo\./
describe  HC_REPLY_YAHOO	Reply-To yahoo user
score	    HC_REPLY_YAHOO	0.5

meta	    HC_HOTMAIL_YAHOO	( __HC_FROM_HOTMAIL && HC_REPLY_YAHOO )
describe  HC_HOTMAIL_YAHOO	From hotmail, reply to Yahoo
score	    HC_HOTMAIL_YAHOO	20

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Cornelius Koelbel
> Sent: 07 October 2007 19:14
> To: MailScanner discussion
> Subject: Re: Stopping hotmail relayers
> 
> Hi,
> 
> I think this is a very interesting idea. It is kind of "regular
> expression" blacklisting.
> 
> - If the sender's domain is within a list AND
> - His IP belongs to... AND
> - if some more headers match some conditions
> 
> 
> ...I do not want to see the mail.
> 
> I am also curious if postfix was this flexible.
> 
> ( I personally would not care if it was during the smtp connection or if
> it could be handled by mailscanner after having accepted the mail )
> 
> Kind regards
> Cornelius
> 
> hvdkooij at vanderkooij.org wrote:
> > Gareth wrote:
> >> I use rbldnsd I configure Postfix to use it. I then create my own private
> >> rbl file.
> >>
> >> You could also use my autoblock script to block IPs which are sending only
> >> spam.
> >> http://www.gbnetwork.co.uk/mailscanner/mailwatch2rbl/
> > 
> > I think you miss the point from my question. All messages come from
> > hotmail. People are seriously misusing hotmail to relay. It is peanuts
> > just to give hotmail the finger but that would start a bit of a riot in
> > the family.
> > 
> > So I want to cut off the SMTP connection when I hit this header showing
> > me the PERP is living in some country I do not have any relatives in.
> > 
> > I have however not found a way to match a section of the header against
> > a RBL in postfix. (It might very well be impossible.)
> > 
> > Hugo.
> > 
> 
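
An added example, not part of the original message or of MailScanner/SpamAssassin: a small Python dry run of the two header tests and the meta rule above, so that ham and spam hits can be counted on a local corpus before the scores are deployed. The function names and the sample messages are assumptions made for illustration, and the matching is a simplified stand-in for SpamAssassin's own header handling.

```python
import re
from email import message_from_string

# The two header tests from the post, as Python regexes (case-sensitive, like the originals).
FROM_HOTMAIL = re.compile(r"@hotmail\.")
REPLY_YAHOO = re.compile(r"@yahoo\.")
# Scores from the second variant in the post.
SCORES = {"HC_REPLY_YAHOO": 0.5, "HC_HOTMAIL_YAHOO": 20.0}

# Constructed sample corpus (label, raw message); addresses use the reserved .example TLD.
CORPUS = [
    ("spam", "From: Prize Office <claims@hotmail.example>\n"
             "Reply-To: agent@yahoo.example\nSubject: You won\n\nbody\n"),
    ("ham", "From: friend@hotmail.example\nSubject: Lunch?\n\nbody\n"),
    ("ham", "From: list@lists.example\n"
            "Reply-To: member@yahoo.example\nSubject: Minutes\n\nbody\n"),
]


def rule_hits(raw_message):
    """Return the scored rules from the post that fire on one raw message."""
    msg = message_from_string(raw_message)
    from_hotmail = any(FROM_HOTMAIL.search(v) for v in msg.get_all("From", []))
    reply_yahoo = any(REPLY_YAHOO.search(v) for v in msg.get_all("Reply-To", []))
    hits = []
    if reply_yahoo:
        hits.append("HC_REPLY_YAHOO")
    if from_hotmail and reply_yahoo:  # the meta rule: both sub-tests must match
        hits.append("HC_HOTMAIL_YAHOO")
    return hits


def score(raw_message):
    """Total score contributed by the post's rules for one message."""
    return sum(SCORES[name] for name in rule_hits(raw_message))


def tally(corpus):
    """Count hits per (rule, label) so ham hits are visible before scores go live."""
    counts = {}
    for label, raw in corpus:
        for name in rule_hits(raw):
            counts[(name, label)] = counts.get((name, label), 0) + 1
    return counts


if __name__ == "__main__":
    for (rule, label), n in sorted(tally(CORPUS).items()):
        print(f"{rule:18} {label:5} {n}")
```

The constructed addresses also show that the patterns match any domain beginning with `hotmail.` or `yahoo.`, not only the providers' real domains.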

