From: "Robert Nicholson" <[EMAIL PROTECTED]>
It seems the latest version of these isn't spam?
Are there any rules to mark MS attachments as SPAM?
From: [EMAIL PROTECTED]
Subject: Latest Network Upgrade
Date: August 5, 2006 9:55:10 PM CDT
To: [EMAIL PROTECTED]
X-Spam-Dcc: : grub.camros.com 1113; Body=1 Fuz1=1 Fuz2=1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
grub.camros.com
X-Spam-Level:
X-Spam-Status: No, score=0.2 required=0.6
tests=BAYES_50,HTML_MESSAGE, MIME_BASE64_NO_NAME autolearn=ham
version=3.1.1
Received: (qmail 6256 invoked from network); 7 Aug 2006 13:14:38 -0000
Received: from surfgate.starhub.net.sg (203.116.254.187) by
64.34.193.12 with DES-CBC3-SHA encrypted SMTP; 7 Aug 2006 13:14:38 -0000
Received: from imx2.starhub.net.sg (imx2.starhub.net.sg
[203.116.254.42]) by surfgate.starhub.net.sg (8.13.6+Sun/8.13.6) with
ESMTP id k763FTJC000782 for <[EMAIL PROTECTED]>; Sun, 6 Aug 2006
11:29:11 +0800 (SGT)
Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg
[203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP
id k762oex0025517 for <[EMAIL PROTECTED]>; Sun, 6 Aug 2006 10:50:43
+0800
Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg
(Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with
ESMTPP id <[EMAIL PROTECTED]> for
[EMAIL PROTECTED]; Sun, 06 Aug 2006 10:55:40 +0800 (SGT)
Date-Warning: Date header was inserted by kbsmtao2.starhub.net.sg
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="Boundary_
(ID_fld50HgNZSb4ucD84dSJhA)"
X-Accept-Flag: Sender is Unknown
Lines: 2665
Without some of the body I've no idea what would block these other
than DNS rules. And if you are one of the first to be attacked they
are often ineffective.
The originating address is from another .sg computer.
d121101.ppp121.cyberway.com.sg
So network rules might not even work.
One thing I notice that might be trapped upon is that these two headers
and the "To:" do not agree. But that is not a particularly strong
spam sign.
===8<---
Received: from kbsmtao2.starhub.net.sg (kbsmtao181.starhub.net.sg
[203.116.2.181]) by imx2.starhub.net.sg (8.12.10/8.12.10) with ESMTP
id k762oex0025517 for <[EMAIL PROTECTED]>; Sun, 6 Aug 2006 10:50:43
+0800
Received: from kslqb ([203.116.121.101]) by kbsmtao2.starhub.net.sg
(Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with
ESMTPP id <[EMAIL PROTECTED]> for
===8<---
To: [EMAIL PROTECTED]
===8<---
If you are not a member of advisor.com's mailing lists you could
simply black list them. If you are you might want to generate a
specific rule trio that detects advisor.com for the purported
source and requires that it be ONLY from their address. That'd
be two rules and a meta rule to put them together. (I don't know
what would happen with a "blacklist_from" and a more specific
"whitelist_from_rcvd". Ideally that would do the trick. But I am
not sure it would.)
{^_^}
