On 5 Mar 2018, at 15:14, David Jones wrote:
FYI This could be something for KAM.cf potentially...
I have seen a few of these this morning that would be scoring just
under the default SA threshold of 5.0 and are just under my
MailScanner 6.0 threshold.
https://pastebin.com/r2eZJaef
I am reporting these to Spamcop but new waves of compromised accounts
keep sending them.
They all seem to have a From address with two periods on the left side
so something like this:
header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
could be combined with something else in a meta to help detect these
and push them over the edge.
This looks intrinsically shady and could be useful:
<td style="opacity: 0; line-height: 1px; font-size: 1px;">