On 4/10/2013 7:42 PM, Alex wrote:
> Hi,
>
> > Would someone put some samples of Yahoo single link spam on
> > PasteBin.
> >
> > I am trying to test my rules and I seem to be missing some
> > of the variations.
> >
> > Here's an example: it is the message I developed the following
> > rule against: http://pastebin.com/VRvtDfER
> >
> > I've obfuscated all e-mail addresses in it and verified that
> > my rule catches the obfuscated version. The rule is this:
> >
> > describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
> > header __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
> > header __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
> > meta MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
> > score MG_YAHOO_FS 50
>
> Some time ago Martin posted his rules for blocking yahoo link
> spam, and it's been working relatively well for my system.
> However, I'm now noticing a number of FPs that are "From"
> bellsouth.net addresses but pass through yahoo servers. They
> have DKIM and DomainKey signatures from bellsouth, yet otherwise
> appear to have no association with bellsouth.net.
>
> Is it just possible that bellsouth is using yahoo's servers? If
> so, could there be other "affiliates" that use yahoo that could
> also cause FPs?

I can confirm that bellsouth uses yahoo mail services for at least
some of their customer mail. Legit @bellsouth.net mail may arrive
via a yahoo server.

> What would you suggest for fixing the FPs in terms of this rule?
> Just add bellsouth.net to the "From" header check?

Looks like that should fix it.

I suppose I'm fortunate that these haven't been much of a problem
here, so I don't use this.

  -- Noel Jones
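
The false positive and the suggested fix discussed in this thread, as an added example that is not part of either poster's message: it mirrors the two header tests of MG_YAHOO_FS in Python and runs them over constructed sample headers, once with the original From pattern and once with bellsouth.net added. The amended pattern is an assumption about how "add bellsouth.net to the From check" would be written, and Python's `re` only approximates SpamAssassin's Perl header matching.

```python
import re
from email import message_from_string

# Patterns copied from the rule quoted in the thread.
MSGID_YAHOO = re.compile(r"yahoo\.com>$")           # __MG_YAHFS1
FROM_ORIGINAL = re.compile(r"yahoo\.(com|co\.uk)")  # __MG_YAHFS2 as posted
# Assumed form of the fix: bellsouth.net added to the From alternation.
FROM_AMENDED = re.compile(r"(yahoo\.(com|co\.uk)|bellsouth\.net)")

# Constructed sample headers (not taken from real mail).
SAMPLES = {
    "yahoo_user": (
        "From: Ann <ann@yahoo.com>\n"
        "Message-ID: <1365.1.ann@web101.mail.yahoo.com>\n\nhello\n"),
    "bellsouth_via_yahoo": (
        "From: Bob <bob@bellsouth.net>\n"
        "Message-ID: <1365.2.bob@web102.mail.yahoo.com>\n\nhello\n"),
    "link_spam": (
        "From: Carol <carol@example.org>\n"
        "Message-ID: <1365.3.x@web103.mail.yahoo.com>\n\nhttp://example.invalid/\n"),
    "unrelated": (
        "From: Dan <dan@example.com>\n"
        "Message-ID: <abc123@mx.example.com>\n\nhello\n"),
}

def mg_yahoo_fs(raw_message, from_pattern):
    """Meta rule: Yahoo Message-ID (__MG_YAHFS1) and From not exempted."""
    msg = message_from_string(raw_message)
    msgid = (msg.get("Message-ID") or "").strip()
    sender = msg.get("From") or ""
    return bool(MSGID_YAHOO.search(msgid)) and not from_pattern.search(sender)

def evaluate(from_pattern):
    """Return {sample name: rule hit?} for every constructed sample."""
    return {name: mg_yahoo_fs(raw, from_pattern) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for label, pattern in (("original", FROM_ORIGINAL), ("amended", FROM_AMENDED)):
        print(label, evaluate(pattern))
```

Every domain added to the From alternation also exempts any message that merely claims that From domain while carrying a Yahoo Message-ID, so the exemption list is best kept to confirmed Yahoo-hosted partners.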