On Wed, 10 Mar 2010, Dennis B. Hopp wrote:

> We seem to be having a problem where clients that we interact with
> regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
> are receiving e-mails from their accounts that legitimately go through
> the correct servers (hotmail, yahoo, etc.) and so they get passed through
> our spam filters.  The messages have different bodies but basically say
> the same thing that they were on vacation and had all their money stolen
> so they need to have money wire transferred to them.
>
> Obviously we just have to tell the clients that they need to deal with
> the various e-mail providers, but is there an effective way that I can
> filter these messages out before my users see them without blacklisting
> the address?  In one case I had probably 15 users that received the same
> message and naturally they freaked out.
>
> I have put a sample at:
>
> http://pastebin.com/9BDXrxmm
>
> Note I did change the real e-mail address in this message but the
> hotmail address used is valid just masked.

Look at that "X-Originating-IP: [41.155.87.236]" header, it's a dial-up
pool in Lagos Nigeria.
It may seem stereotyped, but it's amazing the percentage of this kind
of spam that -does- come out of that part of the world.

Does anybody have an SA plugin that will grab those X-Originating-IP
headers and throw the address at an RBL?
Points for hits by CBL or an ip-geolocation table for Central Africa.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
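
The lookup asked about above, as an added example in Python that is not part of the original post and is not an existing SpamAssassin plugin: it pulls X-Originating-IP out of a message and checks the address against a DNSBL. The zone `dnsbl.example`, the function names and the 2.0 points are assumptions; the sample message is constructed around the IP quoted in the post.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample; only the X-Originating-IP value comes from the post.
SAMPLE = (
    "From: Friend <masked@hotmail.example>\n"
    "X-Originating-IP: [41.155.87.236]\n"
    "Subject: urgent help needed\n"
    "\n"
    "I was on vacation and had all my money stolen...\n"
)

def originating_ips(raw_message):
    """Return public IPv4 addresses found in X-Originating-IP headers."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("X-Originating-IP", []):
        for token in re.findall(r"[0-9.]+", value):
            try:
                ip = ipaddress.IPv4Address(token)
            except ValueError:
                continue  # malformed value: skip it rather than query garbage
            if ip.is_global:  # private/reserved ranges are never on a DNSBL
                found.append(ip)
    return found

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers with an A record in 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return False
    return answer.startswith("127.")

def score(raw_message, zone, resolve=socket.gethostbyname, points=2.0):
    """Sum the (hypothetical) points for each listed originating address."""
    return sum(points for ip in originating_ips(raw_message)
               if is_listed(ip, zone, resolve))
```

The header is only meaningful when the message really arrived from the webmail provider that adds it, so a filter should score it only for mail received from that provider's servers.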