I have this one email account receiving, for more than a year, a very
specific type of spam which I find very difficult to block:

1. The messages are all kept very short, generally below 20 words - I
assume so that Bayes is less efficient at classifying them?
2. Although they are all invitations to sex, or making money - they are
phrased differently every time and use different words - so Bayes scores
are consistently low.
3. They come from servers all around the world - possibly compromised,
or maybe quickly set up and taken down - so they are usually not flagged
by blacklists.
4. Pyzor tends to flag most of them up though.
5. In most cases, DKIM is correct, SPF is fine, and the headers are all
correct - so they don't hit any other rules.
6. The links they include in the body of the email are almost never
flagged up either by Clam or SpamAssassin - and they point to a
different domain in every single message.

The bizarre thing is that I only see them coming to this one particular
email account, at a single domain of all the ones I administer. Based on
the above, whoever sends them really knows what they are doing, and must
have significant resources at their disposal - but I still have no idea
why they only hit this particular email address. I can only assume that
greylisting wouldn't help much, as they seem to arrive from properly
configured SMTP servers, which would retry like any other regular SMTP
server and bypass greylisting. Has anybody else seen these, and is there
anything else that I could try to block them?