On Wed, 10 Mar 2010, Dennis B. Hopp wrote:

> We seem to be having a problem where clients that we interact with
> regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
> are receiving e-mails from their accounts that legitimately go through
> the correct servers (hotmail, yahoo, etc.) and so they get passed through
> our spam filters.  The messages have different bodies but basically say
> the same thing: that they were on vacation and had all their money stolen,
> so they need to have money wire transferred to them.
>
> Obviously we just have to tell the clients that they need to deal with
> the various e-mail providers, but is there an effective way that I can
> filter these messages out before my users see them without blacklisting
> the address?  In one case I had probably 15 users that received the same
> message and naturally they freaked out.
>
> I have put a sample at:
>
> http://pastebin.com/9BDXrxmm
>
> Note I did change the real e-mail address in this message but the
> hotmail address used is valid just masked.

Look at that "X-Originating-IP: [41.155.87.236]" header; it's a dial-up
pool in Lagos, Nigeria.

It may seem stereotyped, but it's amazing the percentage of this kind
of spam that -does- come out of that part of the world.

Does anybody have an SA plugin that will grab those X-Originating-IP
headers and throw the address at an RBL? Points for hits by CBL
or an IP-geolocation table for Central Africa.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
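The check Dave asks for, as an added example that is not part of this thread and not a SpamAssassin plugin: a standalone Python version that pulls the address out of X-Originating-IP, skips non-public values, and looks it up in a DNSBL. The zone name `dnsbl.example` and the sample message are constructed assumptions; the `resolve` parameter exists so the lookup can be tested without network access.

```python
import email
import ipaddress
import socket
from email import policy

# Constructed sample message in the shape described in the thread: the hop
# through the webmail provider is legitimate, but X-Originating-IP names the
# client that actually submitted the message.
SAMPLE_MESSAGE = b"""\
From: someone@hotmail.example
To: staff@engineering.example
Subject: Urgent
X-Originating-IP: [41.155.87.236]

I was robbed on vacation, please wire money.
"""

# Hypothetical DNSBL zone (assumption). In production this would be a real
# zone such as the CBL named in the thread; an A record means "listed".
DNSBL_ZONE = "dnsbl.example"


def originating_ips(raw):
    """Return the public IPv4 addresses found in X-Originating-IP headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for value in msg.get_all("X-Originating-IP", []):
        for token in str(value).split(","):
            token = token.strip().strip("[]")
            try:
                ip = ipaddress.IPv4Address(token)
            except ValueError:
                continue  # malformed or IPv6: skip rather than fail the scan
            if ip.is_global:  # drop RFC 1918 / loopback values some MUAs emit
                found.append(ip)
    return found


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name DNSBLs expect, e.g. 4.3.2.1.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dnsbl_listed(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """True if the zone answers with a 127.0.0.x record for this address."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror (NXDOMAIN) is an OSError: not listed
        return False
    return answer.startswith("127.")


def check_message(raw, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Map each originating IP in the message to whether the DNSBL lists it."""
    return {str(ip): dnsbl_listed(ip, zone, resolve) for ip in originating_ips(raw)}
```

SpamAssassin 3.3 and later also ship an `originating_ip_headers` option that feeds these headers into its existing RBL checks, so on a current install the configuration route is worth trying before writing a plugin.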