|Main Archive Page > Month Archives > spamassassin-users archives|
On 09/11/10 21:31, Philip Prindeville wrote:
> Has anyone else noticed that if they get a message with:
> Received: from [22.214.171.124] by web80007.mail.sp1.yahoo.com via HTTP;
> Sat, 06 Nov 2010 09:52:53 PDT
> i.e. from the 126.96.36.199/8 CIDR block from Africa, and the transport was
> HTTP, to anything ending with yahoo.com that 100% of the time it's SPAM?
The existing meta rule __FROM_41_FREEMAIL might also provide a
reasonable match against these - it combines mail from 188.8.131.52/8 and
FREEMAIL_FROM or FREEMAIL_REPLYTO.
meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 ||
__NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
describe __FROM_41_FREEMAIL Sent from Africa + freemail provider