Dear list,

Here is the context.
The French-speaking countries receive tons of e-mails, mostly fraud attempts and fake lotteries, originating from West Africa and sent by Yahoo Mail users. Often those messages contain big attachments. The payload (the text of the message) is embedded in a 1MB jpeg with fake certificates of a lawyer, a logo, or whatever.

SpamAssassin misses 100% of them because:
- the sender IP (Yahoo) is genuine and has a good reputation
- the analysis of the message text shows nothing bad, as the mill!ions of euros are in the picture attachment
- due to the message size, the analysis is skipped anyway.

If no customer of the mail server in question expects any mail from any Yahoo user in Africa, a simple 'header_checks' Postfix directive like this will match such messages if their sender IP starts with 41.
# header_checks (pcre table): Yahoo webmail stamps the client IP in brackets,
# so anchoring on "[41." avoids also catching 141.x and 241.x addresses.
# Every header_checks line needs an action; REJECT is used here as an example.
/^Received: from \[41\..*web.*mail.*yahoo\.com via HTTP/i REJECT

I admit this is rough but effective. On the one hand, not all of Africa is 41. On the other hand, I do not want to block all of 41.

I would have loved to do it with SA.
This means that the line
"Received: from [ip.add.res.ss].*web.*mail.*yahoo\.com via HTTP" should be detected and analysed.
The ip address should be extracted.
The whois of the address should be queried.
The country code of the IP address would return a certain number of SA points from a list of "Yahoo users bad countries" that I would manage.

Have I been dreaming?

Frédéric
Brussels
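The four steps above (detect the Yahoo webmail Received line, extract the IP, look up its country, score it from a managed country list) as a worked sketch. This is an added example, not code from the post or from SpamAssassin; the GEO_TABLE prefixes and the BAD_COUNTRIES points are constructed placeholders, and a real deployment would replace the in-memory table with a whois or GeoIP query. The regex assumes the header has the shape "Received: from [IP] by webNNN.mail.X.yahoo.com via HTTP", which matches the pattern quoted in the post.

```python
"""Country scoring for Yahoo webmail submissions, as described in the post.

Added example, not SpamAssassin or Postfix code. GEO_TABLE and BAD_COUNTRIES
are constructed stand-ins: swap GEO_TABLE for a whois/GeoIP lookup in production.
"""
import re
from ipaddress import ip_address, ip_network

# Yahoo webmail stamps the submitting client's IP in brackets, e.g.
#   Received: from [41.x.x.x] by web26008.mail.ukl.yahoo.com via HTTP; ...
# Same shape as the header_checks pattern in the post, with the IP captured.
YAHOO_WEBMAIL_RE = re.compile(
    r"^Received:\s+from\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]"
    r"\s+by\s+web\S*mail\S*yahoo\.com\s+via\s+HTTP",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed stand-in for the whois/GeoIP step (assumption: these are NOT real
# allocations, just sample prefixes so the example runs offline).
GEO_TABLE = [
    (ip_network("41.210.0.0/16"), "NG"),
    (ip_network("41.189.0.0/16"), "CI"),
    (ip_network("81.240.0.0/13"), "BE"),
]

# The admin-managed "Yahoo users bad countries" list: country code -> SA points.
# Constructed values; anything not listed scores 0.
BAD_COUNTRIES = {"NG": 4.0, "CI": 3.5, "GH": 3.0}


def extract_submitting_ip(headers):
    """Return the bracketed client IP from the Yahoo webmail Received line, or None."""
    m = YAHOO_WEBMAIL_RE.search(headers)
    return m.group(1) if m else None


def lookup_country(ip_str, table=GEO_TABLE):
    """Longest-match-free, first-match lookup in the constructed prefix table."""
    addr = ip_address(ip_str)
    for net, cc in table:
        if addr in net:
            return cc
    return None


def score_yahoo_origin(headers, bad=BAD_COUNTRIES, table=GEO_TABLE):
    """Return (ip, country_code, points) for a raw header block.

    Messages without the Yahoo webmail line, or whose country is not in the
    managed list, get 0 points rather than being rejected outright, which is
    the difference from the header_checks approach.
    """
    ip = extract_submitting_ip(headers)
    if ip is None:
        return None, None, 0.0
    cc = lookup_country(ip, table)
    return ip, cc, bad.get(cc, 0.0)


# Constructed sample headers (not captured from real mail).
SAMPLE_SCAM = (
    "Received: from [41.210.18.7] by web26008.mail.ukl.yahoo.com via HTTP; "
    "Tue, 12 Jan 2010 10:00:00 PST\n"
    "From: lottery-winner@yahoo.com\n"
)
SAMPLE_LEGIT = (
    "Received: from [81.240.5.5] by web25403.mail.ukl.yahoo.com via HTTP; "
    "Tue, 12 Jan 2010 11:00:00 CET\n"
    "From: cousin@yahoo.com\n"
)
SAMPLE_OTHER = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10]) "
    "by mx.example.org with ESMTP\n"
    "From: someone@example.net\n"
)

if __name__ == "__main__":
    for label, hdrs in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT), ("other", SAMPLE_OTHER)):
        print(label, score_yahoo_origin(hdrs))
```

Note that the scoring function only adds points; the threshold decision stays with SpamAssassin, which is the behaviour the post asks for instead of the hard REJECT of header_checks.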
