Hi,

>>> Would someone put some samples of Yahoo single link spam on PasteBin.
>>>
>>> I am trying to test my rules and I seem to be missing some of the
>>> variations.
>>>
>> Here's an example: it is the message I developed the following rule
>> against: http://pastebin.com/VRvtDfER
>>
>> I've obfuscated all e-mail addresses in it and verified that my rule
>> catches the obfuscated version.  The rule is this:
>>
>> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
>> header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
>> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
>> meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
>> score    MG_YAHOO_FS 50
>>
>
>  Some time ago Martin posted his rules for blocking yahoo link spam, and
> it's been working relatively well for my system. However, I'm now noticing
> a number of FPs that are "From" bellsouth.net addresses but pass through
> yahoo servers. They have DKIM and DomainKey signatures from bellsouth, yet
> otherwise appear to have no association with bellsouth.net.
>
> Is it just possible that bellsouth is using yahoo's servers? If so, could
> there be other "affiliates" that use yahoo that could also cause FPs?
>
>
> I can confirm that bellsouth uses yahoo mail services for at least some of
> their customer mail.  Legit @bellsouth.net mail may arrive via a yahoo
> server.
>

I looked at a handful of others that are in the quarantine, and there's
also quite a bit of actual junk there as expected, not just FPs.

So, I've lowered the score to something that should require at least a few
other rules to trigger before it's considered spam. I think this is
actually a better option than adding bellsouth.net to the "From" header
rule to categorically allow all bellsouth mail through. Even found one
message with 67 points, yikes!

There are also a few with DKIM signature failures, yet DKIM_VALID is
triggered:

Authentication-Results: mail01.example.com (amavisd-new); dkim=pass
        header.i=@bellsouth.net
Authentication-Results: mail01.example.com (amavisd-new);
        domainkeys=softfail (fail, message has been altered)
        header.from=joepatfan...@bellsouth.net

Is this because it's only a softfail?

Out of the 85 or so in the quarantine that contain MG_YAHOO_FS, only about
8 have "From" as bellsouth, and about half of them have the DKIM softfail.

Thanks,
Alex
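The posted MG_YAHOO_FS logic, plus a check for whether a passing DKIM signature is aligned with the From: domain (the pattern behind the bellsouth FPs), as an added Python illustration that is not part of this thread or of SpamAssassin; the sample messages are constructed and the `likely_fp` flag is an assumption about how aligned-DKIM hits could be set aside rather than scored.

```python
import re
from email import message_from_string, utils
from email.message import Message

# Same patterns as the posted rule: Message-ID from yahoo.com, From: not yahoo.
YAHFS1 = re.compile(r"yahoo\.com>$")
YAHFS2 = re.compile(r"yahoo\.(com|co\.uk)")
# amavisd-new style Authentication-Results fragment: "dkim=pass header.i=@domain"
DKIM_PASS = re.compile(r"dkim=pass\s+header\.i=@([\w.-]+)", re.I)

def from_domain(msg: Message) -> str:
    addr = utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower()

def dkim_aligned(msg: Message) -> bool:
    """True if any Authentication-Results header reports dkim=pass whose
    signing identity domain equals the From: domain (DomainKeys is ignored)."""
    dom = from_domain(msg)
    for ar in msg.get_all("Authentication-Results", []):
        m = DKIM_PASS.search(" ".join(ar.split()))  # unfold the header first
        if m and m.group(1).lower() == dom:
            return True
    return False

def mg_yahoo_fs(msg: Message) -> bool:
    mid = (msg.get("Message-ID") or "").strip()
    return bool(YAHFS1.search(mid)) and not YAHFS2.search(msg.get("From", ""))

def evaluate(raw: str) -> dict:
    msg = message_from_string(raw)
    hit, aligned = mg_yahoo_fs(msg), dkim_aligned(msg)
    # A hit whose From: domain also signed the mail is the bellsouth-via-yahoo
    # shape: worth reviewing as a likely FP instead of adding a flat score.
    return {"MG_YAHOO_FS": hit, "dkim_aligned": aligned, "likely_fp": hit and aligned}

# Constructed samples (addresses and IDs are made up).
SPAM = """From: Someone <someone@example.org>
Message-ID: <123456.abc@web12345.mail.yahoo.com>
Subject: hi

http://example.invalid/
"""
LEGIT = """From: Joe <joe@bellsouth.net>
Message-ID: <987.def@web1.mail.yahoo.com>
Authentication-Results: mail01.example.com (amavisd-new); dkim=pass
        header.i=@bellsouth.net
Subject: hello

text
"""
```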