Re: Yahoo webmail spam from Africa

From: Ned Slider <ned_at_nospam>
Date: Tue Nov 09 2010 - 23:02:33 GMT
To: users@spamassassin.apache.org

On 09/11/10 21:31, Philip Prindeville wrote:
> Has anyone else noticed that if they get a message with:
>
> Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP;
> Sat, 06 Nov 2010 09:52:53 PDT
>
>
>
> i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was
> HTTP, to anything ending with yahoo.com that 100% of the time it's SPAM?
>

The existing meta rule __FROM_41_FREEMAIL might also provide a
reasonable match against these - it combines mail from 41.0.0.0/8 and
FREEMAIL_FROM or FREEMAIL_REPLYTO.

meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 ||
__NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
describe __FROM_41_FREEMAIL Sent from Africa + freemail provider

This message: [ Message body ]
Next message: Karl Meyer: "Re: sa-learn problems and comprehension question"
Previous message: Alexandre Chapellon: "Re: Yahoo webmail spam from Africa"
In reply to: Philip Prindeville: "Yahoo webmail spam from Africa"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]