
Mailing List Archive: SpamAssassin: users

HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

 

 



richard at buzzhost

Oct 31, 2009, 12:59 AM

Post #1 of 15 (1176 views)
HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

I don't see a great deal of spam from Hotmail, but often get it with
headers looking like this:

X-Originating-IP: [123.160.198.207]
From: joannie nolin <crevette91 [at] msn>
To: <clopez [at] skipbarber>, <kantana33 [at] gmail>,
<preiswunderland-08 [at] web>, <help [at] interpoint24>,
<ebay [at] 1-2-3-shopping>, <mobilestore09 [at] aol>,
<shop [at] wifi-all>, <ebay [at] shopmedvet>,
<info[at]chuizo.dde>, <mail[at]btec24.dde>,
<info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
<jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
<contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
<verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
<info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
<darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
<buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
<technomarty[at]btinternet.nullcom>,
<islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
<krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
<dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
<support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
<ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
<dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
<roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
<iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
<glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
<cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
<xuancailinlin66[at]163.nullcom>

A couple of observations;
123.160.198.207 - is on the PBL {deep in the heart of China} so is it
possible to extend the network tests to look for fairly constant custom
headers with the originating IP?

It's early and I've not really thought about it too hard, but is there a
test that can be done to check the number of recipients or lines in a
'to' list. Something along the lines of if there are more than Y * @ ?

The message concerned scored 2.3. I've looked back at others like it
from the last six months and they always have a constant long list of
'to' and X-Originating-IP: with PBL listed entries.


cpollock at embarqmail

Oct 31, 2009, 5:35 AM

Post #2 of 15 (1124 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 2009-10-31 at 07:59 +0000, richard [at] buzzhost wrote:
> I don't see a great deal of spam from Hotmail, but often get it with
> headers looking like this:
>
> X-Originating-IP: [123.160.198.207]
> From: joannie nolin <crevette91 [at] msn>
> To: <clopez [at] skipbarber>, <kantana33 [at] gmail>,
> <preiswunderland-08 [at] web>, <help [at] interpoint24>,
> <ebay [at] 1-2-3-shopping>, <mobilestore09 [at] aol>,
> <shop [at] wifi-all>, <ebay [at] shopmedvet>,
> <info[at]chuizo.dde>, <mail[at]btec24.dde>,
> <info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
> <jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
> <contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
> <verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
> <info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
> <darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
> <buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
> <technomarty[at]btinternet.nullcom>,
> <islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
> <krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
> <dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
> <support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
> <ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
> <dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
> <roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
> <iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
> <glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
> <cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
> <xuancailinlin66[at]163.nullcom>
>
> A couple of observations;
> 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> possible to extend the network tests to look for fairly constant custom
> headers with the originating IP?
>
> It's early and I've not really thought about it too hard, but is there a
> test that can be done to check the number of recipients or lines in a
> 'to' list. Something along the lines of if there are more than Y * @ ?
>
> The message concerned scored 2.3. I've looked back at others like it
> from the last six months and they always have a constant long list of
> 'to' and X-Originating-IP: with PBL listed entries.
>
Here's a couple of rules I use, can't remember who originally posted
them:

describe TO_TOO_MANY To: too many recipients
header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
score TO_TOO_MANY 0.3

describe TO_WAY_TOO_MANY To: way too many recipients
header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
score TO_WAY_TOO_MANY 0.3

describe CC_TOO_MANY CC: too many recipients
header CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
score CC_TOO_MANY 0.3

You can vary the number in {} to whatever suits you.

--
KeyID 0xE372A7DA98E6705C


richard at buzzhost

Oct 31, 2009, 5:55 AM

Post #3 of 15 (1133 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 2009-10-31 at 07:35 -0500, Chris wrote:
> On Sat, 2009-10-31 at 07:59 +0000, richard [at] buzzhost wrote:
> > I don't see a great deal of spam from Hotmail, but often get it with
> > headers looking like this:
> >
> > X-Originating-IP: [123.160.198.207]
> > From: joannie nolin <crevette91 [at] msn>
> > To: <clopez [at] skipbarber>, <kantana33 [at] gmail>,
> > <preiswunderland-08 [at] web>, <help [at] interpoint24>,
> > <ebay [at] 1-2-3-shopping>, <mobilestore09 [at] aol>,
> > <shop [at] wifi-all>, <ebay [at] shopmedvet>,
> > <info[at]chuizo.dde>, <mail[at]btec24.dde>,
> > <info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
> > <jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
> > <contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
> > <verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
> > <info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
> > <darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
> > <buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
> > <technomarty[at]btinternet.nullcom>,
> > <islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
> > <krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
> > <dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
> > <support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
> > <ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
> > <dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
> > <roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
> > <iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
> > <glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
> > <cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
> > <xuancailinlin66[at]163.nullcom>
> >
> > A couple of observations;
> > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > possible to extend the network tests to look for fairly constant custom
> > headers with the originating IP?
> >
> > It's early and I've not really thought about it too hard, but is there a
> > test that can be done to check the number of recipients or lines in a
> > 'to' list. Something along the lines of if there are more than Y * @ ?
> >
> > The message concerned scored 2.3. I've looked back at others like it
> > from the last six months and they always have a constant long list of
> > 'to' and X-Originating-IP: with PBL listed entries.
> >
> Here's a couple of rules I use, can't remember who originally posted
> them:
>
> describe TO_TOO_MANY To: too many recipients
> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score TO_TOO_MANY 0.3
>
> describe TO_WAY_TOO_MANY To: way too many recipients
> header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
> score TO_WAY_TOO_MANY 0.3
>
> describe CC_TOO_MANY CC: too many recipients
> header CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
> score CC_TOO_MANY 0.3
>
> You can vary the number in {} to whatever suits you.
>
Thanks Chris. Duly added to my custom rules - thanks for your kindness. It
would be good if the network tests could pick up on the originating IP
in the headers, but I'm sure there is a reason this is not done.


rwmaillists at googlemail

Oct 31, 2009, 6:58 AM

Post #4 of 15 (1126 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 31 Oct 2009 07:59:24 +0000
"richard [at] buzzhost" <richard [at] buzzhost> wrote:
> A couple of observations;
> 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> possible to extend the network tests to look for fairly constant
> custom headers with the originating IP?


Why would that be a sign of spam?


richard at buzzhost

Oct 31, 2009, 7:13 AM

Post #5 of 15 (1127 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> On Sat, 31 Oct 2009 07:59:24 +0000
> "richard [at] buzzhost" <richard [at] buzzhost> wrote:
> > A couple of observations;
> > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > possible to extend the network tests to look for fairly constant
> > custom headers with the originating IP?
>
>
> Why would that be a sign of spam?
It's not, necessarily - when I think about it. All clients that hook up
to Hotmail are most likely going to be in the PBL being probably
dynamic. So the plan is flawed!

That said, if I could press the 'I would like' button, it would be nice
to geo-lookup this IP and be able to score it higher if it's from China,
Brazil, Argentina, Colombia etc... That, of course, is in an ideal
world.


hege at hege

Oct 31, 2009, 7:30 AM

Post #6 of 15 (1130 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, Oct 31, 2009 at 02:13:45PM +0000, richard [at] buzzhost wrote:
> On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> > On Sat, 31 Oct 2009 07:59:24 +0000
> > "richard [at] buzzhost" <richard [at] buzzhost> wrote:
> > > A couple of observations;
> > > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > > possible to extend the network tests to look for fairly constant
> > > custom headers with the originating IP?
> >
> >
> > Why would that be a sign of spam?
> It's not, necessarily - when I think about it. All clients that hook up
> to Hotmail are most likely going to be in the PBL being probably
> dynamic. So the plan is flawed!
>
> That said, if I could press the 'I would like' button, it would be nice
> to geo-lookup this IP and be able to score it higher if it's from China,
> Brazil, Argentina, Colombia etc... That, of course, is in an ideal
> world.

Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
PBL isn't going to hit it, since it's a lastexternal rule.

Likewise the RelayCountry plugin does what you want:
http://wiki.apache.org/spamassassin/RelayCountryPlugin

header FROM_XX_ATLEAST_2_HOPS_AWAY X-Relay-Countries =~ /.. .. (?:CN|BR)$/


scheidell at secnap

Oct 31, 2009, 7:59 AM

Post #7 of 15 (1122 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

Henrik K wrote:
> Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> PBL isn't going to hit it, since it's a lastexternal rule.
>
> Likewise the RelayCountry plugin does what you want:
> http://wiki.apache.org/spamassassin/RelayCountryPlugin
>
> header FROM_XX_ATLEAST_2_HOPS_AWAY X-Relay-Countries =~ /.. .. (?:CN|BR)$/
>
>
and, of course bayes can keep track of those 'tokens', I think







richard at buzzhost

Oct 31, 2009, 8:33 AM

Post #8 of 15 (1122 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 2009-10-31 at 16:30 +0200, Henrik K wrote:
> On Sat, Oct 31, 2009 at 02:13:45PM +0000, richard [at] buzzhost wrote:
> > On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> > > On Sat, 31 Oct 2009 07:59:24 +0000
> > > "richard [at] buzzhost" <richard [at] buzzhost> wrote:
> > > > A couple of observations;
> > > > 123.160.198.207 - is on the PBL {deep in the heart of China} so is it
> > > > possible to extend the network tests to look for fairly constant
> > > > custom headers with the originating IP?
> > >
> > >
> > > Why would that be a sign of spam?
> > It's not, necessarily - when I think about it. All clients that hook up
> > to Hotmail are most likely going to be in the PBL being probably
> > dynamic. So the plan is flawed!
> >
> > That said, if I could press the 'I would like' button, it would be nice
> > to geo-lookup this IP and be able to score it higher if it's from China,
> > Brazil, Argentina, Colombia etc... That, of course, is in an ideal
> > world.
>
> Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> PBL isn't going to hit it, since it's a lastexternal rule.

That has totally escaped me Henrik and I'm not sure I fully understand
it.

>
> Likewise the RelayCountry plugin does what you want:
> http://wiki.apache.org/spamassassin/RelayCountryPlugin
>
> header FROM_XX_ATLEAST_2_HOPS_AWAY X-Relay-Countries =~ /.. .. (?:CN|BR)$/
>
OK, I've added the dependencies IP::Country::Fast {which in turn wanted
-> Geography::Countries), applied the small header patch, enabled the
module and I'll sit back and wait in anticipation.

Thanks for the advice and help. Appreciated.


jhardin at impsec

Oct 31, 2009, 9:45 AM

Post #9 of 15 (1126 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 31 Oct 2009, Chris wrote:

> Here's a couple of rules I use, can't remember who originally posted
> them:

/me raises hand

> describe TO_TOO_MANY To: too many recipients
> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score TO_TOO_MANY 0.3
>
> describe TO_WAY_TOO_MANY To: way too many recipients
> header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
> score TO_WAY_TOO_MANY 0.3
>
> describe CC_TOO_MANY CC: too many recipients
> header CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
> score CC_TOO_MANY 0.3
>
> You can vary the number in {} to whatever suits you.

...and the scores, of course.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Today: Halloween


hege at hege

Oct 31, 2009, 9:49 AM

Post #10 of 15 (1124 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, Oct 31, 2009 at 03:33:59PM +0000, richard [at] buzzhost wrote:
> >
> > Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> > PBL isn't going to hit it, since it's a lastexternal rule.
>
> That has totally escaped me Henrik and I'm not sure I fully understand
> it.

There is lots of undocumented black magic in SA.

DNSEval.pm defines at least these headers to be added into end of the
"Received chain".

X-Yahoo-Post-IP
X-Originating-IP
X-Apparently-From
X-SenderIP

So they will be looked in RBLs as necessary. If you don't get the
lastexternal part:

http://wiki.apache.org/spamassassin/TrustedRelays

Also:

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

Selecting just the last external IP
By using '-lastexternal' at the end of the set name, you can select only the
external host that connected to your internal network, or at least the last
external host with a public IP.


richard at buzzhost

Oct 31, 2009, 10:18 AM

Post #11 of 15 (1128 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 2009-10-31 at 18:49 +0200, Henrik K wrote:
> On Sat, Oct 31, 2009 at 03:33:59PM +0000, richard [at] buzzhost wrote:
> > >
> > > Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> > > PBL isn't going to hit it, since it's a lastexternal rule.
> >
> > That has totally escaped me Henrik and I'm not sure I fully understand
> > it.
>
> There is lots of undocumented black magic in SA.
>
> DNSEval.pm defines at least these headers to be added into end of the
> "Received chain".
>
> X-Yahoo-Post-IP
> X-Originating-IP
> X-Apparently-From
> X-SenderIP
>
> So they will be looked in RBLs as necessary. If you don't get the
> lastexternal part:
>
> http://wiki.apache.org/spamassassin/TrustedRelays
>
> Also:
>
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
>
> Selecting just the last external IP
> By using '-lastexternal' at the end of the set name, you can select only the
> external host that connected to your internal network, or at least the last
> external host with a public IP.
>

Ah, yes. I understand. Thanks. My understanding would be that it's not a
good idea to use the PBL further up the list of hops from the last
external source, for the very reason you may well pick up the initial
client to sending relay connection - which would most likely be in the
PBL {dynamic DSL customer connecting in to his/her ISP mail server}.

Thank you for taking the time to give me the pointers Henrik.
Appreciated. And John, thanks too. Scores adjusted to suit my instance.


cpollock at embarqmail

Oct 31, 2009, 1:55 PM

Post #12 of 15 (1119 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

On Sat, 2009-10-31 at 09:45 -0700, John Hardin wrote:
> On Sat, 31 Oct 2009, Chris wrote:
>
> > Here's a couple of rules I use, can't remember who originally posted
> > them:
>
> /me raises hand
>
> > describe TO_TOO_MANY To: too many recipients
> > header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> > score TO_TOO_MANY 0.3
> >
> > describe TO_WAY_TOO_MANY To: way too many recipients
> > header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
> > score TO_WAY_TOO_MANY 0.3
> >
> > describe CC_TOO_MANY CC: too many recipients
> > header CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
> > score CC_TOO_MANY 0.3
> >
> > You can vary the number in {} to whatever suits you.
>
> ...and the scores, of course.
>
Thanks John for refreshing my memory.


--
KeyID 0xE372A7DA98E6705C


antispam at khopis

Oct 31, 2009, 2:26 PM

Post #13 of 15 (1122 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

>> describe TO_TOO_MANY To: too many recipients
>> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
>> score TO_TOO_MANY 0.3
>>
>> describe TO_WAY_TOO_MANY To: way too many recipients
>> header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
>> score TO_WAY_TOO_MANY 0.3
>>
>> describe CC_TOO_MANY CC: too many recipients
>> header CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
>> score CC_TOO_MANY 0.3
>>
>> You can vary the number in {} to whatever suits you.
>
> ...and the scores, of course.

Brilliant minds think alike ;-) I have very similar rules in my
khop-general channel:

header KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){10,19}/
describe KHOP_BIG_TO_CC Sent to 10+ recipients instead of Bcc or a list
score KHOP_BIG_TO_CC 0.3 # 20090527

header KHOP_GIANT_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){20}/
describe KHOP_GIANT_TO_CC Sent to 20+ recipients instead of Bcc or a list
score KHOP_GIANT_TO_CC 0.7 # 20090527
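
Added example (not from any poster in this thread): a Python check of the two regex styles quoted above against constructed To: values, showing where each threshold actually trips and what a quoted "Last, First" display name does to each. It assumes the regex is applied to one raw header string; SpamAssassin's own header handling and its ToCc pseudo-header are not reproduced, and make_to, rules_hit and recipient_count are hypothetical helper names.

```python
import re
from email.utils import getaddresses

# Regexes copied from the rules quoted in this thread (Perl's \@ is a plain @ here).
RULES = {
    "TO_TOO_MANY": re.compile(r"(?:,[^,]{1,80}){20}"),
    "TO_WAY_TOO_MANY": re.compile(r"(?:,[^,]{1,80}){30}"),
    "KHOP_BIG_TO_CC": re.compile(r"(?:[^,@]{1,60}@[^,]{4,30},){10,19}"),
    "KHOP_GIANT_TO_CC": re.compile(r"(?:[^,@]{1,60}@[^,]{4,30},){20}"),
}


def make_to(n, name=None):
    """Build a constructed To: value with n recipients at example.com.

    If name is given it is used as a quoted display name for every
    recipient, e.g. "Doe, John" <user0@example.com>.
    """
    parts = []
    for i in range(n):
        addr = f"<user{i}@example.com>"
        parts.append(f'"{name}" {addr}' if name else addr)
    return ", ".join(parts)


def rules_hit(header_value):
    """Return the sorted names of the quoted rules whose regex matches."""
    return sorted(n for n, rx in RULES.items() if rx.search(header_value))


def recipient_count(header_value):
    """Count recipients with an RFC 5322 aware parser instead of a regex."""
    return len(getaddresses([header_value]))


if __name__ == "__main__":
    cases = [
        ("20 bare addresses", make_to(20)),
        ("21 bare addresses", make_to(21)),
        ("31 bare addresses", make_to(31)),
        # A comma inside a quoted display name is not a recipient separator.
        ("11 with 'Doe, John' names", make_to(11, "Doe, John")),
    ]
    for label, value in cases:
        print(f"{label}: parsed={recipient_count(value)} hits={rules_hit(value)}")
```

The comma-counting rules need N commas, so {20} first fires at 21 recipients, and 11 recipients with "Last, First" display names already reach 21 commas. The address-counting rules require an unbroken run of "address," units, so the same display names break the run and they do not fire at all on that input.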


antispam at khopis

Oct 31, 2009, 5:14 PM

Post #14 of 15 (1123 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

Jari Fredriksson wrote:
> 31.10.2009 23:26, Adam Katz kirjoitti:
>> Brilliant minds think alike ;-) I have very similar rules in my
>> khop-general channel:
>>
>> header KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){10,19}/
>> describe KHOP_BIG_TO_CC Sent to 10+ recipients instead of Bcc or a list
>> score KHOP_BIG_TO_CC 0.3 # 20090527
>>
>> header KHOP_GIANT_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){20}/
>> describe KHOP_GIANT_TO_CC Sent to 20+ recipients instead of Bcc or a list
>> score KHOP_GIANT_TO_CC 0.7 # 20090527
>
> What is ToCc header? Is it some kind of a virtual header by SA?

Yes, as documented in Mail::SpamAssassin::Conf, replicated in perldoc,
man page, and web documentation,
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

If you use vim, my syntax file specially colors pseudo-headers like
ToCC, http://www.vim.org/scripts/script.php?script_id=2617 (this was
added earlier this week).


jarif at iki

Oct 31, 2009, 5:30 PM

Post #15 of 15 (1118 views)
Re: HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list? [In reply to]

31.10.2009 23:26, Adam Katz kirjoitti:
> Brilliant minds think alike ;-) I have very similar rules in my
> khop-general channel:
>
> header KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){10,19}/
> describe KHOP_BIG_TO_CC Sent to 10+ recipients instead of Bcc or a list
> score KHOP_BIG_TO_CC 0.3 # 20090527
>
> header KHOP_GIANT_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){20}/
> describe KHOP_GIANT_TO_CC Sent to 20+ recipients instead of Bcc or a list
> score KHOP_GIANT_TO_CC 0.7 # 20090527
>

What is ToCc header? Is it some kind of a virtual header by SA?

--
http://www.iki.fi/jarif/

You look like a million dollars. All green and wrinkled.
