On 2017-10-02 19:43, David Jones wrote:
On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
I recently stumbled onto a mail with a Spam link where the FROM
header field looked like this:
From: "Firstname Lastname@" <recipient-domain.com
sendern...@real-senders-domain.com>

Jakob, just wanted to let you know I identified this issue as well and
just opened a ticket about it yesterday to try and figure out a rule
against it. Can you send me spamples via pastebin, please?
Regards,
KAM

I am seeing this more and more on my SA filters and being reported by
my customers:
https://pastebin.com/f07Gq1kZ
https://pastebin.com/FMsJNGba

These are typical examples of the emails sent by a botnet since at
least May this year. You can catch these mostly with a simple rule:

header __LRZ_BND_MS Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

Regards,
Michael
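Michael's rules are SpamAssassin configuration. As an added illustration that is not part of the thread and not SpamAssassin's own code, the Python script below applies the same two header regexes and the same meta logic to three constructed sample messages (invented Message-IDs and boundaries, .example domains, not the pastebin samples), and also shows what Jakob's folded From header looks like once a filter unfolds it. The rule names are taken from Michael's mail; everything else is assumed for the example.

```python
import re
from email import message_from_string

# Michael's two sub-rules as Python regexes (rule names from the thread).
# Both are "__" sub-rules; only the meta rule below scores.
RULES = {
    # __LRZ_BND_MS: MIME boundary in the Outlook "----=_NextPart_000_" style
    "__LRZ_BND_MS": ("Content-Type", re.compile(
        r'boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"')),
    # __LRZ_MSGID_SPAM_99: all-numeric Message-ID whose second part starts with 2017
    "__LRZ_MSGID_SPAM_99": ("Message-ID", re.compile(r'<\d{8,13}\.2017\d{6,11}@')),
}


def header_value(msg, name):
    """Unfolded header value (continuation lines joined), '' if absent."""
    raw = msg.get(name)
    if raw is None:
        return ""
    return re.sub(r"\r?\n[ \t]+", " ", str(raw))


def evaluate(raw_message):
    """Return {rule_name: bool} for the two sub-rules and the meta rule."""
    msg = message_from_string(raw_message)
    hits = {name: bool(rx.search(header_value(msg, hdr)))
            for name, (hdr, rx) in RULES.items()}
    # meta LRZ_HEADER_SPAM_99 (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)
    hits["LRZ_HEADER_SPAM_99"] = hits["__LRZ_MSGID_SPAM_99"] and hits["__LRZ_BND_MS"]
    return hits


def from_header(raw_message):
    """The From header as one unfolded line, i.e. what a filter actually sees."""
    return header_value(message_from_string(raw_message), "From")


# Constructed sample (assumed values): the folded From trick from Jakob's
# report plus the boundary and Message-ID shapes Michael's rules look for.
BOTNET_SAMPLE = """\
From: "Firstname Lastname@" <recipient-domain.example
 sender@real-senders-domain.example>
To: victim@recipient-domain.example
Message-ID: <1234567890.20170927123456@real-senders-domain.example>
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0A1B_1C2D3E4F.5A6B7C8D"

------=_NextPart_000_0A1B_1C2D3E4F.5A6B7C8D
Content-Type: text/plain

see the link
------=_NextPart_000_0A1B_1C2D3E4F.5A6B7C8D--
"""

# Constructed sample: ordinary Outlook-style mail. The boundary sub-rule
# fires, the Message-ID sub-rule does not, so the meta rule stays quiet.
OUTLOOK_SAMPLE = """\
From: Jane Doe <jane@example.org>
Message-ID: <0F3A1B2C3D4E5F60@example.org>
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0005_01D3A1B2.C3D4E5F6"

------=_NextPart_000_0005_01D3A1B2.C3D4E5F6
Content-Type: text/plain

hello
------=_NextPart_000_0005_01D3A1B2.C3D4E5F6--
"""

# Constructed sample: plain text mail, neither sub-rule matches.
PLAIN_SAMPLE = """\
From: Jane Doe <jane@example.org>
Message-ID: <abc123@example.org>
Content-Type: text/plain

hello
"""

if __name__ == "__main__":
    for label, sample in (("botnet", BOTNET_SAMPLE),
                          ("outlook", OUTLOOK_SAMPLE),
                          ("plain", PLAIN_SAMPLE)):
        print(label, evaluate(sample))
    print("From as the filter sees it:", from_header(BOTNET_SAMPLE))
```

The Outlook sample is there to show why the meta rule requires both sub-rules: the `----=_NextPart_000_` boundary style on its own is not evidence of anything, and only the combination with the numeric 2017 Message-ID is what Michael's rule keys on. Two simplifications compared with SpamAssassin: header unfolding is approximated with a regex, and the `MESSAGEID` pseudo-header in SpamAssassin also covers Resent-Message-ID and X-Message-ID, whereas this script reads Message-ID only.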