If you know the header contains an exact string on a single line:

HEADERS      1 PCRE     (?m:^Message-ID:blahblahblah)


Set the score weight as you like.

If you want to do a case-insensitive search, change "?m:" to "?im:"

If the text inside the blahblahblah would match regexp reserved strings,
you should/must escape them with backslashes. In this case:


HEADERS      1 PCRE     (?m:^Message-ID: <1341147286\.19774\.androidMobile@web140302\.mail\.bf1\.yahoo\.com>)


Keep in mind that if Terry Zink reported this correctly, then these are
legitimate email clients that are being abused by a trojan on those
handhelds, so you might be throwing out the baby with the bathwater and
blocking some legitimate mail as spam just because they came from a
certain platform.

On the other hand, if these are legitimate clients, the numeric part of
that Message-ID must be unique per message, which makes it likely that
Terry Zink is wrong, and that this is a fake header and footer and
therefore a) safe to block because only spam is using it, and b) the
spammer will soon change this signature and scanning for it will be a
waste of your CPU time.


Andrew.
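As an added illustration (not part of either message in this thread), the Python snippet below builds a Declude HEADERS test line for a literal Message-ID, escaping PCRE metacharacters as Andrew describes, and shows why the escaping matters: an unescaped dot also matches a constructed lookalike ID that the escaped pattern correctly rejects. The HEADERS line layout and the (?m: / (?im: flag syntax are taken from the thread; the sample header text and the helper names are assumptions.

```python
import re

# Constructed sample header block containing the Message-ID quoted in the thread.
SAMPLE_HEADERS = (
    "Received: from web140302.mail.bf1.yahoo.com (constructed sample)\r\n"
    "Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>\r\n"
    "Subject: constructed test message\r\n"
)
# Constructed lookalike: every '.' replaced by '-'. An unescaped '.' in the
# pattern still matches this; the escaped pattern does not.
LOOKALIKE_HEADERS = (
    "Message-ID: <1341147286-19774-androidMobile@web140302-mail-bf1-yahoo-com>\r\n"
)
SPAM_MSG_ID = "<1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>"

# PCRE metacharacters that must be backslash-escaped to be matched literally.
PCRE_META = set(r"\.^$|?*+()[]{}")

def escape_literal(text):
    """Backslash-escape PCRE metacharacters so the string matches literally."""
    return "".join("\\" + ch if ch in PCRE_META else ch for ch in text)

def build_declude_test(header_name, literal, case_insensitive=False, weight=1):
    """Return a Declude HEADERS test line (assumed layout: name, weight, PCRE,
    pattern). '(?m:' anchors ^ to a header line; '(?im:' adds case folding."""
    flags = "?im:" if case_insensitive else "?m:"
    return "HEADERS %d PCRE (%s^%s: %s)" % (
        weight, flags, header_name, escape_literal(literal))

def pcre_from_test(line):
    """Extract the pattern (fourth column onward) from a HEADERS test line."""
    return line.split(None, 3)[3]

def header_matches(pattern, raw_headers):
    """True if the pattern hits anywhere in the raw header block.
    Python's re accepts the scoped (?m:...) / (?im:...) syntax used here."""
    return re.search(pattern, raw_headers) is not None

if __name__ == "__main__":
    line = build_declude_test("Message-ID", SPAM_MSG_ID)
    print(line)
    pat = pcre_from_test(line)
    print("escaped matches sample:   ", header_matches(pat, SAMPLE_HEADERS))
    print("escaped matches lookalike:", header_matches(pat, LOOKALIKE_HEADERS))
    unescaped = "(?m:^Message-ID: %s)" % SPAM_MSG_ID
    print("unescaped matches lookalike:", header_matches(unescaped, LOOKALIKE_HEADERS))
```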


________________________________

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 1:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the
botnet, explained in a blog post
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>.
First, each message closes with the signature "Sent from Yahoo! Mail on
Android." Secondly, they all share a message ID that reads:

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way,
these can be scored high enough to delete.  We're seeing large amounts
of these the last week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com





--- This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.


This message (and any associated files) may contain confidential, proprietary 
and/or privileged material and access to these materials by anyone other than 
the intended recipient is unauthorized. Unauthorized recipients are required to 
maintain confidentiality. Any review, retransmission, dissemination or other 
use of these materials by persons or entities other than the intended recipient 
is prohibited and may be unlawful. If you have received this message in error, 
please notify us immediately and destroy the original.



