[EMAIL PROTECTED] said:

> The following article explains how Hotmail now provides a WebDAV interface 
> which makes it easier to automate issuing spam from Hotmail:
>   http://www.unicom.com/chrome/a/000262.html
> I would like to recommend adding a header check for:
> Received: .*[.]hotmail[.]com with DAV;
> and score it appropriately.

Yeah, just checked that yesterday:

header T_HAS_HOTMAIL_DAV        Received =~ /\.(?:hotmail|msn)\.com with DAV\;/
describe T_HAS_HOTMAIL_DAV      Came through Hotmail via DAV

Not necessarily a good idea:

  0.679   1.7297   0.0837    0.954   0.83    0.01  T_HAS_HOTMAIL_DAV
  0.041   0.1323   0.0098    0.931   0.75    0.01  T_HAS_HOTMAIL_DAV:daf
  0.012   0.0112   0.0118    0.487   0.11    0.01  T_HAS_HOTMAIL_DAV:jm
  0.034   0.0636   0.0000    1.000   0.95    0.01  T_HAS_HOTMAIL_DAV:lan
  0.000   0.0000   0.0000    0.500   0.12    0.01  T_HAS_HOTMAIL_DAV:quinlan
  0.284   0.3868   0.2004    0.659   0.28    0.01  T_HAS_HOTMAIL_DAV:rODbegbie
  2.357   3.7758   0.3339    0.919   0.70    0.01  T_HAS_HOTMAIL_DAV:theo

that's a 95% accuracy, but varying a lot by corpus -- for me it's almost
exactly 1 nonspam hit for every spam hit.

But this may work (still in testing though):

# Hotmail's DAV interface uses this. heavily exploited right now, looks like.
# as far as I can tell, it requires an msn.com or hotmail.com X-Originating-Email,
# but allows anything for From -- so use that as a spamsign
header __HAS_MSN_RCVD_DAV       Received =~ / by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;/
header __HAS_MSN_ORIG_EMAIL     X-Originating-Email =~ /(?:hotmail|msn)\.com\b/
header __HAS_MSN_FROM           From =~ /(?:hotmail|msn)\.com\b/
meta T_FAKED_HOTMAIL_DAV        (__HAS_MSN_RCVD_DAV && __HAS_MSN_ORIG_EMAIL && !__HAS_MSN_FROM)
describe T_FAKED_HOTMAIL_DAV    'X-Originating-Email' header does not match 'From'

--j.
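
Added example (not part of the original message, and not SpamAssassin code): a Python sketch of the T_FAKED_HOTMAIL_DAV meta logic from the rules above, run over constructed sample headers. The hostnames, addresses and dates are made up for illustration, and the helper names are hypothetical.

```python
import re
from email import message_from_string

# Regexes copied from the three sub-rules in the message above.
RCVD_DAV = re.compile(r" by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV);")
MSN_ADDR = re.compile(r"(?:hotmail|msn)\.com\b")

def faked_hotmail_dav(raw):
    """True when the T_FAKED_HOTMAIL_DAV meta condition holds for a raw message."""
    msg = message_from_string(raw)
    # Any Received header may match; unfold continuation lines before matching.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    has_rcvd_dav = any(RCVD_DAV.search(h) for h in received)
    has_orig = bool(MSN_ADDR.search(msg.get("X-Originating-Email", "")))
    has_from = bool(MSN_ADDR.search(msg.get("From", "")))
    return has_rcvd_dav and has_orig and not has_from

def build(received, orig, sender):
    """Assemble a minimal constructed message (hypothetical test helper)."""
    lines = ["Received: " + received]
    if orig:
        lines.append("X-Originating-Email: [%s]" % orig)
    lines += ["From: " + sender, "Subject: sample", "", "body"]
    return "\n".join(lines)

# Constructed samples; 192.0.2.x and example.* are documentation values.
DAV = "from 192.0.2.10 by sample-dav1.hotmail.com with DAV;\n\tMon, 1 Jan 2001 00:00:00 +0000"
HTTP = "from 192.0.2.11 by sample-f2.msn.com with HTTP; Mon, 1 Jan 2001 00:00:00 +0000"
SMTP = "from mail.example.org by mx.example.net with ESMTP; Mon, 1 Jan 2001 00:00:00 +0000"

SAMPLES = {
    "genuine_dav": build(DAV, "alice@hotmail.com", "Alice <alice@hotmail.com>"),
    "forged_from_dav": build(DAV, "alice@hotmail.com", "Offers <deals@example.net>"),
    "forged_from_http": build(HTTP, "bob@msn.com", "bob@example.org"),
    "no_orig_header": build(DAV, None, "carol@example.org"),
    "unrelated_smtp": build(SMTP, None, "dave@example.org"),
}

def classify_samples():
    """Map each sample name to whether the meta rule would fire."""
    return {name: faked_hotmail_dav(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print("%-18s %s" % (name, "T_FAKED_HOTMAIL_DAV" if hit else "-"))
```
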


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk