Spam from Free mail accounts

Steve Freegard steve.freegard at
Fri Aug 1 11:35:42 IST 2008

Hi Paul,

Paul Houselander (SME) wrote:
> Hi
> Just wondered if anyone else was experiencing a lot of spam getting 
> through that has been sent from, accounts etc….
> Have seen a big increase in the last couple of weeks, they do actually 
> come from hotmails and yahoo’s servers so the network based checks don’t 
> flag anything.

I've been getting a lot of hits from these on our spam trap too.

You can get network tests to work on Yahoo and Hotmail as they supply 
the injection IP address in the headers (either through a Received or 

The CBL (e.g. Spamhaus XBL works pretty good on some of these injection 
addresses) however SpamAssassin isn't configured to do these tests.

These rules will enable XBL tests on all the received headers for 
messages from Yahoo and Hotmail and should not cause FPs:

# Freemailers
header __FSL_HOST_YAHOO Received =~ /\.yahoo\.com/
header __FSL_HOST_HOTMAIL Received =~ /\.hotmail\.com/

# Check for SBL/XBL listings for all received headers from Yahoo and Hotmail

I've also got another rule that nukes all the mail to the trap, but 
isn't really tested well for FPs:

header __FSL_RCVD_YAHOO_BOT Received =~ /from unknown \(HELO (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \(\S+@\1 with login\)/
score FSL_YAHOO_BOT 3.0

Feel free to score it low and see if it hits the junk you are getting 
and then increase the score if it does.

> I added a plugin from which just checks if 
> the message is from a freemail account, which is working but a lot of my 
> users receive legitimate mail from hotmail etc… so I can’t score too 
> highly (currently set to 1).

isn't really meant for scoring messages from freemail 
providers (although you can do this like you are); but it's more for 
catching 419 scams that typically come from one FreeMail address and ask 
you to send details to another different freemail address (which it 
works pretty well on).

> Just wondered if anyone else was seeing the same?

Yup - I'm scoring them just high enough to mark them as spam:

Jul 31 22:19:18 mail spamd[18417]: spamd: result: Y 6 - 
scantime=1.5,size=2311,user=(unknown),uid=99,required_score=5.0,rhost=localhost.localdomain,raddr=,rport=35384,mid=< at>,autolearn=disabled,shortcircuit=no 

Kind regards,
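
Added example (not part of the original post and not SpamAssassin code): a Python illustration of the check described above, pulling the injection addresses out of the Received headers of a freemail message, building the DNSBL query names for them, and applying the bot pattern from the rule in the post. The sample headers are constructed, and the function names and the `xbl.spamhaus.org` zone default are assumptions made for the example.

```python
import ipaddress
import re
import socket
# Constructed sample headers (not from the post); IPs are RFC 5737 documentation addresses.
SAMPLE = [
    "Received: from unknown (HELO 198.51.100.23) (someone@198.51.100.23 with login)"
    " by smtp101.mail.example.yahoo.com with SMTP",
    "Received: from smtp101.mail.example.yahoo.com (192.0.2.10) by mx.example.org"
    " (10.0.0.5) with ESMTP",
]
FREEMAIL_RE = re.compile(r"\.(?:yahoo|hotmail)\.com")  # host tests from the post's rules
BOT_RE = re.compile(  # same pattern as the post's __FSL_RCVD_YAHOO_BOT rule
    r"from unknown \(HELO (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \(\S+@\1 with login\)")
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
SKIP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
def received(headers):
    return [h for h in headers if h.lower().startswith("received:")]

def is_freemail(headers):
    return any(FREEMAIL_RE.search(h) for h in received(headers))
def yahoo_bot(headers):
    return any(BOT_RE.search(h) for h in received(headers))

def injection_ips(headers):
    """Non-private IPv4 addresses found in Received headers, first seen first."""
    found = []
    for h in received(headers):
        for text in IPV4_RE.findall(h):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if ip not in found and not any(ip in net for net in SKIP):
                found.append(ip)
    return found

def dnsbl_name(ip, zone="xbl.spamhaus.org"):
    """DNSBL query name: the address octets reversed, followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def is_listed(ip, zone="xbl.spamhaus.org"):  # live DNS lookup, needs network access
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:  # no A record: not listed
        return False
    # Spamhaus answers 127.255.255.x for query errors, not listings
    return answer.startswith("127.") and not answer.startswith("127.255.255.")
```
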
