On Thu, 2010-03-11 at 12:26 +0000, Ned Slider wrote:
> David B Funk wrote:
> > On Wed, 10 Mar 2010, Dennis B. Hopp wrote:
> >>
> >> I have put a sample at:
> >>
> >> http://pastebin.com/9BDXrxmm
> >>
> >> Note I did change the real e-mail address in this message but the
> >> hotmail address used is valid just masked.
> >
> > Look at that "X-Originating-IP: [41.155.87.236]" header, it's a dial-up
> > pool in Lagos, Nigeria.
> >
> > It may seem stereotyped, but it's amazing the percentage of this kind
> > of spam that -does- come out of that part of the world.
> >
>
> How about:
>
> # Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
> describe LOCAL_ORIG_FROM_41 Originates from 41.0.0.0/8
> header LOCAL_ORIG_FROM_41 X-Originating-IP =~ /\[41\./
>
> Unless you're expecting mail originating from Africa, you can go further
> and detect all mail injected from 41/8 with few FPs.
>
> # Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
> describe LOCAL_RCVD_FROM_41 Received from 41.0.0.0/8
> header LOCAL_RCVD_FROM_41 Received =~ /\[41\./
>
> I've found these safe to score quite highly, but YMMV so score as suits
> your mail flow.
>
>
Good quality advice from Ned (LOL). Just make sure none of your users
will be communicating with South Africa during the World Cup..........
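As an added example (not code from this thread and not SpamAssassin's own rule engine), here are Ned's two header rules re-implemented in Python with the `ipaddress` module. The point it makes beyond the regex: the match is done as a CIDR membership test, so the 41.0.0.0/8 block can be narrowed (say, to a single /16 that is hitting you) or widened without rewriting a regex, which is the usual way to trade hit rate against the false positives the thread warns about. The sample messages, addresses, rule scores and the `check_rules`/`score_message` names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample messages (not taken from the thread); the 41.x address
# is in the same /8 as the one discussed, the others are documentation ranges.
SAMPLE_SPAM = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org; Thu, 11 Mar 2010 12:00:00 +0000
Received: from [41.155.87.236] by mail.example.net; Thu, 11 Mar 2010 11:59:00 +0000
X-Originating-IP: [41.155.87.236]
From: sender@example.com
Subject: constructed sample

body
"""

SAMPLE_HAM = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org; Thu, 11 Mar 2010 12:00:00 +0000
X-Originating-IP: [203.0.113.5]
From: friend@example.com
Subject: constructed sample

body
"""

# Same block Ned's rules target; a tuple so a narrower or wider set can be passed in.
DEFAULT_NETWORKS = (ipaddress.ip_network("41.0.0.0/8"),)

# Illustrative scores (assumption, not values from the thread).
SCORES = {"LOCAL_ORIG_FROM_41": 3.0, "LOCAL_RCVD_FROM_41": 2.0}

# Matches the bracketed address tokens that Received and X-Originating-IP carry.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def bracketed_ips(header_values):
    """Return every [a.b.c.d] token in the given header values as ip_address objects."""
    ips = []
    for value in header_values:
        for m in BRACKETED_IP.finditer(value):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # e.g. an octet > 255; skip the token
    return ips


def _any_in(ips, networks):
    return any(ip in net for ip in ips for net in networks)


def check_rules(raw_message, networks=DEFAULT_NETWORKS):
    """Return the names of the two rules that fire for the message.

    LOCAL_ORIG_FROM_41 looks only at X-Originating-IP (the injecting client as
    reported by the webmail provider); LOCAL_RCVD_FROM_41 looks at every
    Received hop, so it fires more often and is the one to score with more care.
    """
    msg = message_from_string(raw_message)
    hits = []
    if _any_in(bracketed_ips(msg.get_all("X-Originating-IP", [])), networks):
        hits.append("LOCAL_ORIG_FROM_41")
    if _any_in(bracketed_ips(msg.get_all("Received", [])), networks):
        hits.append("LOCAL_RCVD_FROM_41")
    return hits


def score_message(raw_message, networks=DEFAULT_NETWORKS, scores=SCORES):
    """Sum the configured scores for the rules that fired."""
    return sum(scores[rule] for rule in check_rules(raw_message, networks))


if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, check_rules(sample), score_message(sample))
    # Narrowing to one /16 still catches the sample; a different /16 does not.
    print(check_rules(SAMPLE_SPAM, (ipaddress.ip_network("41.155.0.0/16"),)))
    print(check_rules(SAMPLE_SPAM, (ipaddress.ip_network("41.0.0.0/16"),)))
```

Running it prints both rules firing for the spam sample and nothing for the ham sample; the last two calls show the effect of narrowing the block. If you do keep a coarse /8, the thread's advice stands: watch the hit rate on legitimate correspondence before giving the rules a high score.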