Spam from Free mail accounts

Steve Freegard steve.freegard at fsl.com
Fri Aug 1 11:35:42 IST 2008


Hi Paul,

Paul Houselander (SME) wrote:
> Hi
> 
>  
> Just wondered if anyone else was experiencing a lot of spam getting 
> through that has been sent from yahoo.com, hotmail.com accounts etc….
> 
> Have seen a big increase in the last couple of weeks; they do actually 
> come from Hotmail's and Yahoo's servers, so the network-based checks don't 
> flag anything.


I've been getting a lot of hits from these on our spam trap too.

You can get network tests to work on Yahoo and Hotmail as they supply 
the injection IP address in the headers (either through a Received or 
X-Originating-IP).

The CBL (e.g. Spamhaus XBL) works pretty well on some of these injection 
addresses; however, SpamAssassin isn't configured to do these tests.

These rules will enable XBL tests on all the received headers for 
messages from Yahoo and Hotmail and should not cause FPs:

# Freemailers
header __FSL_HOST_YAHOO Received =~ /\.yahoo\.com/
header __FSL_HOST_HOTMAIL Received =~ /\.hotmail\.com/

# Check for SBL/XBL listings for all received headers from Yahoo and Hotmail
# (SpamAssassin rules must be on a single line; 127.0.0.2-3 = SBL, 127.0.0.4-7 = XBL)
header __FSL_DEEP_RCVD_IN_SBLXBL eval:check_rbl_sub('zen','127.0.0.[2345678]')
tflags __FSL_DEEP_RCVD_IN_SBLXBL net
meta FSL_FREEMAIL_SBLXBL __FSL_DEEP_RCVD_IN_SBLXBL && (__FSL_HOST_YAHOO || __FSL_HOST_HOTMAIL)
score FSL_FREEMAIL_SBLXBL 4.0


I've also got another rule that nukes all the mail to the trap, but 
isn't really tested well for FPs:

# Webmail submission where the HELO is a bare IP and the login came from that same IP
header __FSL_RCVD_YAHOO_BOT Received =~ /from unknown \(HELO (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \(\S+@\1 with login\)/
meta FSL_YAHOO_BOT __FSL_HOST_YAHOO && __FSL_RCVD_YAHOO_BOT
score FSL_YAHOO_BOT 3.0

Feel free to score it low and see if it hits the junk you are getting 
and then increase the score if it does.

> I added a plugin from http://sa.hege.li/FreeMail.pm which just checks if 
> the message is from a freemail account, which is working, but a lot of my 
> users receive legitimate mail from hotmail etc… so I can't score it too 
> highly (currently set to 1).

FreeMail.pm isn't really meant for scoring messages from freemail 
providers (although you can do this like you are); but it's more for 
catching 419 scams that typically come from one FreeMail address and ask 
you to send details to another different freemail address (which it 
works pretty well on).

> 
> Just wondered if anyone else was seeing the same?
> 

Yup - I'm scoring them just high enough to mark them as spam:

Jul 31 22:19:18 mail spamd[18417]: spamd: result: Y 6 - 
BMX_GREY,FROM_FREEMAIL,FSL_YAHOO_BOT,RCVD_NUMERIC_HELO,FSL_FREEMAIL_SBLXBL
scantime=1.5,size=2311,user=(unknown),uid=99,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35384,mid=<EMEW-k6UMJB75b3176a00335c50134e9307355ed6be-822954.14081.bm at omp203.mail.ukl.yahoo.com>,autolearn=disabled,shortcircuit=no 


Kind regards,
Steve.
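
The rules above, re-implemented outside SpamAssassin so you can see what they match. This is an added example, not code from the post or from SpamAssassin: the sample message, the `FAKE_ZEN` dictionary standing in for a zen.spamhaus.org DNS answer, and all IP addresses (RFC 5737 documentation ranges) are constructed; SpamAssassin would only query untrusted relay IPs, whereas this checks every hop.

```python
import re
from email import message_from_string

# Constructed sample, not from the original post: a Yahoo webmail submission whose
# injecting client shows up in the inner Received header and in X-Originating-IP.
# All addresses are from RFC 5737 documentation ranges.
SAMPLE_MSG = """\
Received: from n1.bullet.mail.example.yahoo.com (n1.bullet.mail.example.yahoo.com [203.0.113.10])
\tby mx.example.net with ESMTP; Thu, 31 Jul 2008 22:19:10 +0100
Received: from unknown (HELO 198.51.100.23) (bot@198.51.100.23 with login)
\tby smtp1.mail.example.yahoo.com with SMTP; 31 Jul 2008 21:19:05 -0000
X-Originating-IP: [198.51.100.23]
From: someone@yahoo.com
Subject: hello

body
"""
# Constructed stand-in for a zen.spamhaus.org answer; the real rule does a live DNS lookup.
FAKE_ZEN = {"198.51.100.23": "127.0.0.4"}   # 127.0.0.4-7 = XBL (CBL) listing

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FREEMAIL_RE = re.compile(r"\.yahoo\.com|\.hotmail\.com")          # __FSL_HOST_*
SBLXBL_RE = re.compile(r"^127\.0\.0\.[2345678]$")                 # check_rbl_sub argument
YAHOO_BOT_RE = re.compile(                                        # __FSL_RCVD_YAHOO_BOT
    r"from unknown \(HELO (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \(\S+@\1 with login\)")

def injection_ips(raw):
    """Every IP in Received and X-Originating-IP headers. SpamAssassin skips
    trusted relays; this simplification checks all hops."""
    msg = message_from_string(raw)
    hdrs = msg.get_all("Received", []) + msg.get_all("X-Originating-IP", [])
    return {ip for h in hdrs for ip in IP_RE.findall(h)}

def fsl_freemail_sblxbl(raw, lookup):
    """FSL_FREEMAIL_SBLXBL: freemail relay in Received AND some hop listed in SBL/XBL."""
    rcvd = " ".join(message_from_string(raw).get_all("Received", []))
    listed = any(SBLXBL_RE.match(lookup.get(ip, "")) for ip in injection_ips(raw))
    return bool(FREEMAIL_RE.search(rcvd)) and listed

def fsl_yahoo_bot(raw):
    """FSL_YAHOO_BOT: Yahoo relay AND bare-IP HELO with login from that same IP."""
    rcvd = message_from_string(raw).get_all("Received", [])
    return any(".yahoo.com" in h for h in rcvd) and any(YAHOO_BOT_RE.search(h) for h in rcvd)

def score(raw, lookup):
    """Return (total, hit names) using the scores from the post."""
    hits = [(n, s) for n, s, f in (("FSL_FREEMAIL_SBLXBL", 4.0, fsl_freemail_sblxbl(raw, lookup)),
                                   ("FSL_YAHOO_BOT", 3.0, fsl_yahoo_bot(raw))) if f]
    return sum(s for _, s in hits), [n for n, _ in hits]

if __name__ == "__main__":
    print(score(SAMPLE_MSG, FAKE_ZEN))   # (7.0, ['FSL_FREEMAIL_SBLXBL', 'FSL_YAHOO_BOT'])
```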

