After review of my samples, the message ID is not consistent so it would be a 
poor criterion.  I’ve added a body filter to add weight for the Yahoo via 
Android text at the end of each message, but not enough to block by itself, and 
let the rest of the rules add weight to quarantine.  This seems to be working 
well enough at the moment.  Andrew’s assessment questioning the author of the 
article appears to be dead on.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com




From: David Barker [mailto:dbar...@declude.com]
Sent: Friday, July 06, 2012 11:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Android Yahoo Mail app spam



To clarify, is the message ID always exactly the same, or is it similar to:

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>





From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam



http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05



The spam messages share two similarities, Zink, who discovered the botnet, 
explained in a blog post 
<http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>. 
First, each message closes with the signature "Sent from Yahoo! Mail on 
Android." Secondly, they all share a message ID that reads:

Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>

Is there a preferred way to look for the message header?  This way, these can 
be scored high enough to delete.  We’re seeing large amounts of these the last 
week.



Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com





--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
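
Added example, not part of the original thread and not Declude filter syntax: a Python sketch of the weighting approach described in the top message, where the closing signature adds weight without reaching the quarantine threshold on its own and the Message-ID check is kept low because it is inconsistent. The weights, threshold, "link only" rule, function names and sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Hypothetical weights and threshold; the thread does not state its values.
QUARANTINE_AT = 10
W_SIGNATURE = 4   # the signature alone must stay below QUARANTINE_AT
W_MSGID = 2       # kept low: the Message-ID turned out to be inconsistent
W_LINK_ONLY = 6   # stand-in for "the rest of the rules"

SIGNATURE = "sent from yahoo! mail on android"
# Matches only what is visible on the page: ".androidmob" in the local part
# and a yahoo.com host. The elided remainder of the ID is not assumed.
MSGID_RE = re.compile(r"<\d+\.\d+\.androidmob[^@>]*@[\w.-]+\.yahoo\.com>", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def score(raw):
    """Return (total weight, names of the rules that fired) for a raw message."""
    msg = message_from_string(raw)
    lines = [l.strip() for l in msg.get_payload().splitlines() if l.strip()]
    hits = []
    if lines and lines[-1].lower().rstrip(".") == SIGNATURE:
        hits.append(("signature", W_SIGNATURE))
        lines = lines[:-1]            # judge the rest of the body without it
    if MSGID_RE.search(msg.get("Message-ID", "")):
        hits.append(("msgid", W_MSGID))
    # Hypothetical extra rule: the remaining body is one or two lines with a URL.
    if 0 < len(lines) <= 2 and any(URL_RE.search(l) for l in lines):
        hits.append(("link_only", W_LINK_ONLY))
    return sum(w for _, w in hits), [n for n, _ in hits]

def verdict(raw):
    return "quarantine" if score(raw)[0] >= QUARANTINE_AT else "deliver"

def sample(msgid, body):
    """Build a constructed plain-text message for the demo below."""
    return f"Message-ID: {msgid}\nSubject: test\n\n{body}\n"

SIG = "Sent from Yahoo! Mail on Android"
# Constructed samples, not taken from real mail.
LEGIT = sample("<1000000000.11111.androidmob-constructed@web0.mail.test.yahoo.com>",
               f"Running late.\nCan you bring the notes?\nThanks!\n\n{SIG}")
SPAM = sample("<1000000001.22222.androidmob-constructed@web0.mail.test.yahoo.com>",
              f"http://example.invalid/offer\n\n{SIG}")
SPAM_OTHER_ID = sample("<constructed-id@mail.example.invalid>",
                       f"http://example.invalid/offer\n\n{SIG}")

if __name__ == "__main__":
    for name in ("LEGIT", "SPAM", "SPAM_OTHER_ID"):
        print(name, score(globals()[name]), verdict(globals()[name]))
```

The third sample carries a different Message-ID and still reaches the threshold, which is why the signature plus other rules is a sturdier basis than the ID.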

