On 2018-02-05 22:55, Philip wrote: > So lately I'm getting LOTS of emails coming directly though the filters so > most likely time to investigate how to create one. > > The subject is always 'hey' > > Subject: hey > > Date: Mon, 29 Jan 2018 09:07:40 +0300 > From: Darya Message-ID: <8f35b00fb4e07d18ce82448ec9747...@112it4u.ro> > X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer) > MIME-Version: 1.0 > Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit > > Hi josh, my name is Darya and i'm from Russia, but living in the USA. A week > ago, maybe more, I came across your profile on Facebook and now I wan to know > you more. I know it sounds a bit strange, but I believe you had something > like this in your life too :-) If its mutual, email me, this is my email > danielamar...@rambler.ru and I will send some of my photos also answer any of > your questions. Waiting for you, XXX Darya > > As far as I can see from the different emails: > > X-PHP-Originating-Script: 852:class-phpmailer.php > > The number is sequential. > > 112it4u.ro from the message ID has valid NS entries but the reverse PTR is > invalid. > > The email always starts, 'hi {mailbox name}, and the text is mostly the same > but the name changes now and then and so does the email address. > > Any suggestions on where to start? nOOb here!
Check out http://msbl.org/ This is e-mail addresses blacklist targeting this type of scam. I have very high score assigned to it and it works perfectly. Karol -- Karol Augustin ka...@augustin.pl http://karolaugustin.pl/ +353 85 775 5312