On 09/11/10 21:31, Philip Prindeville wrote:
Has anyone else noticed that if they get a message with:

Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP;
Sat, 06 Nov 2010 09:52:53 PDT



i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was
HTTP, to anything ending with yahoo.com that 100% of the time it's SPAM?


The existing meta rule __FROM_41_FREEMAIL might also provide a reasonable match against these - it combines mail from 41.0.0.0/8 and FREEMAIL_FROM or FREEMAIL_REPLYTO.

meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
describe     __FROM_41_FREEMAIL         Sent from Africa + freemail provider

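The header pattern discussed in this thread, as an added example that is not part of either post and is not SpamAssassin rule code: a Python check that flags Received lines where a client in 41.0.0.0/8 handed mail over HTTP to a yahoo.com host. The function name, the regex and the constructed miss samples are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

NET_41 = ipaddress.ip_network("41.0.0.0/8")

# "from [ip] by host via HTTP", matched after the folded header is flattened.
RECEIVED_HTTP = re.compile(
    r"from\s+\[(?P<ip>[^\]]+)\]\s+by\s+(?P<by>\S+)\s+via\s+HTTP\b", re.I)

def webmail_41_hits(raw_message):
    """Return (client_ip, receiving_host) for each Received header that
    shows a 41.0.0.0/8 client submitting over HTTP to a yahoo.com host.
    Received lines added outside your trusted relays can be forged, so a
    production rule should only look at the hop the provider itself added."""
    hits = []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = RECEIVED_HTTP.search(flat)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:                       # malformed bracket content
            continue
        by = m.group("by").rstrip(";").lower()
        # Dot-boundary suffix check so "notyahoo.com" does not match.
        if ip in NET_41 and (by == "yahoo.com" or by.endswith(".yahoo.com")):
            hits.append((str(ip), by))
    return hits

def _msg(received):
    # Builds a constructed sample message around one Received header.
    return ("Received: " + received + ";\n\tSat, 06 Nov 2010 09:52:53 PDT\n"
            "Subject: constructed sample\n\nbody\n")

# First sample reuses the header quoted in the thread; the rest are constructed.
SAMPLE_HIT = _msg("from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP")
SAMPLE_OTHER_NET = _msg("from [192.0.2.10] by web80007.mail.sp1.yahoo.com via HTTP")
SAMPLE_LOOKALIKE = _msg("from [41.184.9.153] by web1.notyahoo.com via HTTP")
SAMPLE_SMTP = _msg("from [41.184.9.153] by mx.example.net with SMTP")

if __name__ == "__main__":
    for name in ("SAMPLE_HIT", "SAMPLE_OTHER_NET", "SAMPLE_LOOKALIKE", "SAMPLE_SMTP"):
        print(name, webmail_41_hits(globals()[name]))
```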