On Sun, 2011-10-02 at 20:31 -0400, Alex wrote: > I have some hotmail spam that I can't figure out how to catch: > > http://pastebin.com/kkUUvYQp > > It's hitting BAYES_00 and no blacklists or other significant spam > rules and not sure how to tag it. The user has reported receiving this > spam several times before, each with a different URL in the body but > otherwise the same. > > It's still not listed in a URIBL. > ... and not likely to be either, since AFAICT all the domains in sender-related headers are legit.
However, if all mail sent from hotmail has an X-Originating-Email: header[1] you may get somewhere with a rule that requires all mail with 'hotmail.com' in this header to have the same in the 'From:' header, i.e. the From: address must not be forged. HTH Martin [1] It may or may not have this as standard. I don't get much mail or spam from there and so haven't looked.