FYI, I got another receive line here that occurs only in spam, with always the same ip-segment (not the ip-address that actually delivers the mail). First I tagged it with SA but now I block the mail in postfix, 15% less spam! Maybe somebody recognizes these lines. It's the second receive line, and the envelope-sender ends at @punkass.com, @sexmagnet.com, @thoughguy.com etcetera.
Regards
Menno van Bennekom

Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])
Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])
Received: from gamebox.net (mx2.gamebox.net [38.113.3.58])
Received: from gamebox.net (mx3.gamebox.net [38.113.3.78])
Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx2.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx4.hotpop.com [38.113.3.72])
Received: from phreaker.net (mx1.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx2.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx3.phreaker.net [38.113.3.77])
Received: from punkass.com (mx1.punkass.com [38.113.3.63])
Received: from punkass.com (mx2.punkass.com [38.113.3.63])
Received: from punkass.com (mx3.punkass.com [38.113.3.53])
Received: from sexmagnet.com (mx1.sexmagnet.com [38.113.3.64])
Received: from toughguy.net (mx1.toughguy.net [38.113.3.56])
Received: from toughguy.net (mx2.toughguy.net [38.113.3.56])

> FYI,
> Made a small rule for this and it gets hit every day so far without any
> FP's.
> So if anyone is interested:
> header PORT_HELO Received =~ /from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)/
> describe PORT_HELO Header contains special port and helo
> score PORT_HELO 10.00
>
> Menno
>
>> I get a lot of med-spams lately that look the same, short, 2 lines with
>> one url, below that some text (from a book?).
>> Often it gets marked as spam because of the url, but not always because
>> bayes has no real grip on this mail.
>> Maybe there is a way to recognise them in the second receive-line because
>> of the special helo and port text.
>> I want to block it with this at the MTA level because I couldn't find HAM
>> with this text (port-number and special helo syntax).
>> But I'm not so sure yet so my question is do you know of any HAM that uses
>> receive lines like this?
>>
>> Thanks
>> Menno van Bennekom
>>
>> Received: from [66.98.106.84] (port=4465 helo=[Batista])
>> Received: from [180.111.168.219] (port=4464 helo=[discharge])
>> Received: from [221.54.120.107] (port=4548 helo=[benchmark])
>> Received: from [240.232.66.156] (port=4015 helo=[infrared])
>> Received: from [123.120.113.68] (port=4426 helo=[chronograph])
>> Received: from [130.98.112.26] (port=4102 helo=[lash])
>> Received: from [50.188.174.87] (port=4590 helo=[simplifications])
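
An added example, not part of the original message: a Python check that applies the quoted PORT_HELO pattern and a match on the 38.113.3.x segment to every Received header of a message and reports which hop matched, which is one way to look for ham hits in a mail corpus before blocking at the MTA. The /24 boundary, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# PORT_HELO pattern copied from the quoted SpamAssassin rule.
PORT_HELO = re.compile(
    r"from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)")
# Assumption: the "ip-segment" is the /24 that covers all sample lines in the message.
RELAY_NET = ipaddress.ip_network("38.113.3.0/24")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hits(raw_message):
    """Return [(hop_index, pattern_name)] for each matching Received header (1 = topmost)."""
    msg = email.message_from_string(raw_message)
    hits = []
    for idx, value in enumerate(msg.get_all("Received", []), start=1):
        value = " ".join(value.split())  # unfold continuation lines
        if PORT_HELO.search(value):
            hits.append((idx, "PORT_HELO"))
        for ip in BRACKET_IP.findall(value):
            try:
                if ipaddress.ip_address(ip) in RELAY_NET:
                    hits.append((idx, "RELAY_NET"))
                    break
            except ValueError:  # e.g. an octet above 255 in a forged header
                continue
    return hits

def make_msg(second_received):
    # Constructed message: hop 1 is a made-up local MX, hop 2 is the line under test.
    return ("Received: from relay.example.org (relay.example.org [203.0.113.9])\n"
            "\tby mx.example.net (Postfix) with ESMTP\n"
            f"Received: {second_received}\n"
            "\tby relay.example.org with SMTP\n"
            "Subject: constructed sample\n\nbody\n")

SAMPLES = {
    # Second-hop values for "relay" and "port_helo" are taken from the lines in the message.
    "relay": make_msg("from punkass.com (mx1.punkass.com [38.113.3.63])"),
    "port_helo": make_msg("from [66.98.106.84] (port=4465 helo=[Batista])"),
    # Constructed near-miss: five-digit port and an unbracketed helo name.
    "near_miss": make_msg("from [192.0.2.5] (port=51234 helo=mail.example.com)"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, received_hits(raw))
```
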