On 2017-10-02 19:43, David Jones wrote:
On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:

I recently stumbled onto a mail with a Spam link where the FROM header field looked like this:

From: "Firstname Lastname@" <recipient-domain.com sendern...@real-senders-domain.com>

Jakob, just wanted to let you know I identified this issue as well and just opened a ticket about it yesterday to try and figure out a rule against it.  Can you send me spamples via pastebin, please?


Regards,
KAM


I am seeing this more and more on my SA filters and being reported by
my customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba


These are typical examples of the emails sent by a botnet since at least May this year. You can catch these mostly with a simple rule:

header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta   LRZ_HEADER_SPAM_99  (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

Regards,
Michael
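The three header rules Michael posted, and the spoofed From header Jakob describes at the top of the thread, reimplemented below as a small Python checker. This is an added example and is not SpamAssassin code nor anything from the list posters: it copies Michael's two regexes verbatim (Perl and Python share this regex syntax), mirrors his meta rule, and adds two hypothetical From-header checks (rule names FROM_DISPLAY_NAME_AT and FROM_ANGLE_ADDR_SPACE are made up here). The two sample header blocks are constructed to have the shape discussed, not taken from the pastebins.

```python
"""Header checks from the thread, re-expressed in Python for testing offline.

Added example, not SpamAssassin itself. Sample messages are constructed.
"""
import re

# Michael's two regexes, copied from his header rules. SpamAssassin's
# MESSAGEID pseudo-header also looks at related headers such as
# Resent-Message-ID; this example reads only Message-ID.
BOUNDARY_RE = re.compile(
    r'boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"')
MSGID_RE = re.compile(r'<\d{8,13}\.2017\d{6,11}@')

# Hypothetical checks (names invented for this example) for the From shape
#   "Firstname Lastname@" <recipient-domain.com sender@real-senders-domain.com>
# 1) a quoted display name that itself contains "@"
# 2) whitespace inside the angle brackets, which a valid addr-spec never has
DISPLAY_NAME_AT_RE = re.compile(r'^\s*"[^"]*@[^"]*"\s*<')
ANGLE_ADDR_WS_RE = re.compile(r'<[^>]*\s[^>]*>')


def parse_headers(raw: str) -> dict:
    """Unfold an RFC 5322 header block into a {name: value} dict (last wins)."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if not line.strip():
            break                        # blank line ends the header block
        if line[:1] in " \t" and name:   # folded continuation line
            headers[name] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip()
        headers[name] = value.strip()
    return headers


def evaluate(headers: dict) -> list:
    """Return the names of the rules that fire for one message's headers."""
    hits = []
    bnd = bool(BOUNDARY_RE.search(headers.get("Content-Type", "")))     # __LRZ_BND_MS
    msgid = bool(MSGID_RE.search(headers.get("Message-ID", "")))        # __LRZ_MSGID_SPAM_99
    if bnd and msgid:   # meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)
        hits.append("LRZ_HEADER_SPAM_99")
    frm = headers.get("From", "")
    if DISPLAY_NAME_AT_RE.search(frm):
        hits.append("FROM_DISPLAY_NAME_AT")      # hypothetical rule name
    if ANGLE_ADDR_WS_RE.search(frm):
        hits.append("FROM_ANGLE_ADDR_SPACE")     # hypothetical rule name
    return hits


# Constructed sample shaped like the botnet mail (folded Content-Type included).
BOTNET_SAMPLE = """\
From: "Firstname Lastname@" <recipient-domain.com sender@real-senders-domain.com>
Message-ID: <1234567890.20171002123456@real-senders-domain.com>
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_00A1_01D33F2B.1A2B3C4D"

body text
"""

# Constructed sample of an ordinary message that should not fire anything.
LEGIT_SAMPLE = """\
From: "Alice Example" <alice@example.org>
Message-ID: <20171002194300.GA1234@example.org>
Content-Type: text/plain; charset="utf-8"

hello
"""

if __name__ == "__main__":
    for label, raw in (("botnet-shaped", BOTNET_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, evaluate(parse_headers(raw)))
```

Two things to keep in mind when lifting Michael's rules into production: the Message-ID regex hard-codes the year 2017, so it silently stops matching once the botnet's timestamps roll over, and the boundary regex accepts only uppercase hex digits, so a lowercase variant would slip past both this script and the original rule.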
