On 2017-07-26 15:08, Dianne Skoll wrote:
On Tue, 25 Jul 2017 08:36:22 -0400
Dianne Skoll <d...@roaringpenguin.com> wrote:
All of the URLs match this pattern:
/\/[A-Z]{4}\d{6}\/$/
We see a new variant with the subject "Your Virgin Media bill is ready" and URLs that match:
uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/
Regards,
Dianne.
Nearly all of these spam mails can be blocked with
header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)
The version before had a different boundary
header __LRZ_BND_HU32 Content-Type =~ /boundary="[0-9A-F]{32}"/
Regards,
Michael
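
An added example, not part of either message in the thread: a small Python harness that applies the patterns quoted above to two constructed messages, so the sub-rules and the meta rule can be checked for hits and false positives before deployment. The sample headers, the example.com/example.org addresses and the function names are assumptions made for illustration; only the Message-ID header is checked for the MESSAGEID rule.

```python
import re
from email import message_from_string

# Patterns copied verbatim from the rules quoted in the thread.
BND_MS = re.compile(r'boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"')
MSGID_99 = re.compile(r'<\d{8,13}\.2017\d{6,11}\@')
URI_OLD = re.compile(r'\/[A-Z]{4}\d{6}\/$')
URI_NEW = re.compile(r'\/\d{12}\/[A-Z]{6}\/?$')

def unfolded(msg, name):
    """All values of a header with folded continuation lines joined into one line."""
    return [re.sub(r'\r?\n[ \t]+', ' ', v) for v in (msg.get_all(name) or [])]

def evaluate(raw):
    """Hit state of both sub-rules and of the meta rule for one raw message."""
    msg = message_from_string(raw)
    bnd = any(BND_MS.search(v) for v in unfolded(msg, "Content-Type"))
    # Simplification (assumption): only the Message-ID header is inspected.
    mid = any(MSGID_99.search(v) for v in unfolded(msg, "Message-ID"))
    return {"__LRZ_BND_MS": bnd, "__LRZ_MSGID_SPAM_99": mid,
            "LRZ_HEADER_SPAM_99": bnd and mid}

def uri_variant(url):
    """Which of the two URL patterns from the thread a URL matches, if any."""
    if URI_OLD.search(url):
        return "old"
    if URI_NEW.search(url):
        return "new"
    return None

# Constructed sample: headers shaped to match both sub-rules.
SPAM_SAMPLE = (
    "Subject: Your Virgin Media bill is ready\n"
    "Message-ID: <1234567890.20170726130845@example.com>\n"
    "Content-Type: multipart/mixed;\n"
    "\tboundary=\"----=_NextPart_000_0012_01D305F1.2B3C4D50\"\n"
    "\nbody\n")

# Constructed sample: same boundary style, but a Message-ID of a different shape.
LEGIT_SAMPLE = (
    "Subject: Minutes from Tuesday\n"
    "Message-ID: <000b01d305f1$5a6b7c80$d1e2f3a0$@example.org>\n"
    "Content-Type: multipart/mixed;\n"
    "\tboundary=\"----=_NextPart_000_000C_01D305F1.5A6B7C80\"\n"
    "\nbody\n")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, evaluate(raw))
```

On the second constructed message the boundary sub-rule hits by itself while the meta rule stays false, which is the case to look for when testing these rules against a ham corpus.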