HOTMAIL SPAM =Rule to bite on X-Originating-IP or length of FROM list?

Here's a couple of rule I use, can't remember who originally posted

> On Sat, 2009-10-31 at 07:59 +0000, richard@... wrote:
> > I don't see a great deal of spam from Hotmail, but often get it with
> > headers looking like this:
> >
> > X-Originating-IP: [123.160.198.207]
> > From: joannie nolin <crevette91@...>
> > To: <clopez@...>, <kantana33@...>,
> > <preiswunderland-08@...>, <help@...>,
> > <ebay@...>, <mobilestore09@...>,
> > <shop@...>, <ebay@...>,
> > <info[at]chuizo.dde>, <mail[at]btec24.dde>,
> > <info[at]anubisdistribuzione.itd>, <eurocomp24[at]gmx.ded>,
> > <jmiller[at]cmsinter.net>, <auctions[at]maelstromgames.null.duk>,
> > <contact[at]stockburgershop.ded>, <paymambate[at]gmail.nullcom>,
> > <verkauf[at]express24-online.ded>, <wilai-im-auftrag[at]wilai.dde>,
> > <info[at]fensteragentur.ded>, <hoppegennadi[at]freenet.ded>,
> > <darren[at]fixmyengine.null.uk>, <mystyle-hamburg[at]web.ded>,
> > <buecher[at]a-plummer.ded>, <bhester[at]knology.pet>,
> > <technomarty[at]btinternet.nullcom>,
> > <islandproducts2000[at]gmail.nullcom>, <carine.espuela[at]hotmail.frg>,
> > <krafts2u[at]aol.nullcom>, <uk[at]holyclothing.nullcom>,
> > <dmitrilaikhtman[at]gmail.nullcom>, <bruno.ozcan[at]yahoo.frg>,
> > <support[at]rrelectronics.nullcom>, <mimipuce1176275[at]aol.nullcom>,
> > <ncth[at]free.fr>, <happy.nullcomity[at]gmail.nullcom>,
> > <dingdingtrading[at]gmail.nullcom>, <hatailuk_offy1[at]hotmail.nullcom>,
> > <roaldibruno[at]voila.fr>, <sanpointelectronics[at]gmail.nullcom>,
> > <iamtheprimadonna[at]aol.nullcom>, <njbookman1[at]aol.nullcom>,
> > <glass[at]lesleypyke.nullcom>, <benny-yvonne[at]alice-dsl.netg>,
> > <cs.wilson[at]hotmail.null.ukg>, <yasmineee094[at]hotmail.frg>,
> > <xuancailinlin66[at]163.nullcom>
> >
> > A couple of observations;
> > 123.160.198.207 - is on the PBL {deep in the heart of China} so is
> > possible to extend the network tests to look for fairly constant custom
> > headers with the originating IP?
> >
> > It's early and I've not really thought about it too hard, but is there a
> > test that can be done to check the number of recipients or lines in a
> > 'to' list. Something along the lines of if there are more than Y * @ ?
> >
> > The message concerned scored 2.3. I've looked back at others like it
> > from the last six months and they always have a constant long list of
> > 'to' and X-Originating-IP: with PBL listed entries.
> >
> Here's a couple of rule I use, can't remember who originally posted
> them:
>
> describe TO_TOO_MANY To: too many recipients
> header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score    TO_TOO_MANY 0.3
>
> describe TO_WAY_TOO_MANY To: way too many recipients
> header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
> score    TO_WAY_TOO_MANY 0.3
>
> describe CC_TOO_MANY CC: too many recipients
> header   CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
> score    CC_TOO_MANY 0.3
>
> You can vary the number in {} to whatever suits you.
>

> On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> > On Sat, 31 Oct 2009 07:59:24 +0000
> > "richard@..." <richard@...> wrote:
> > > A couple of observations;
> > > 123.160.198.207 - is on the PBL {deep in the heart of China} so is
> > > possible to extend the network tests to look for fairly constant
> > > custom headers with the originating IP?
> >
> >
> > Why would that be a sign of spam?
> It's not, necessarily - when I think about it. All clients that hook up
> to Hotmail are most likely going to be in the PBL being probably
> dynamic. So the plan is flawed!
>
> That said, if I could press the 'I would like' button, it would be nice
> to geo-lookup this IP and be able to score it higher if it's from China,
> Brazil, Argentina, Columbia etc... That, of course, is in an ideal
> world.

> On Sat, Oct 31, 2009 at 02:13:45PM +0000, richard@... wrote:
> > On Sat, 2009-10-31 at 13:58 +0000, RW wrote:
> > > On Sat, 31 Oct 2009 07:59:24 +0000
> > > "richard@..." <richard@...> wrote:
> > > > A couple of observations;
> > > > 123.160.198.207 - is on the PBL {deep in the heart of China} so is
> > > > possible to extend the network tests to look for fairly constant
> > > > custom headers with the originating IP?
> > >
> > >
> > > Why would that be a sign of spam?
> > It's not, necessarily - when I think about it. All clients that hook up
> > to Hotmail are most likely going to be in the PBL being probably
> > dynamic. So the plan is flawed!
> >
> > That said, if I could press the 'I would like' button, it would be nice
> > to geo-lookup this IP and be able to score it higher if it's from China,
> > Brazil, Argentina, Columbia etc... That, of course, is in an ideal
> > world.
>
> Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> PBL isn't going to hit it, since it's an lastexternal rule.

> describe TO_TOO_MANY To: too many recipients
> header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score    TO_TOO_MANY 0.3
>
> describe TO_WAY_TOO_MANY To: way too many recipients
> header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
> score    TO_WAY_TOO_MANY 0.3
>
> describe CC_TOO_MANY CC: too many recipients
> header   CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
> score    CC_TOO_MANY 0.3
>
> You can vary the number in {} to whatever suits you.

> On Sat, Oct 31, 2009 at 03:33:59PM +0000, richard@... wrote:
> > >
> > > Uh, SpamAssassin parses X-Originating-IP and friends just fine. Of course
> > > PBL isn't going to hit it, since it's an lastexternal rule.
> >
> > That has totally escaped me Henrik and I'm not sure I fully understand
> > it.
>
> There is lots of undocumented black magic in SA.
>
> DNSEval.pm defines atleast these headers to be added into end of the
> "Received chain".
>
> X-Yahoo-Post-IP
> X-Originating-IP
> X-Apparently-From
> X-SenderIP
>
> So they will be looked in RBLs as necessary. If you don't get the
> lastexternal part:
>
> http://wiki.apache.org/spamassassin/TrustedRelays
>
> Also:
>
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
>
> Selecting just the last external IP
> By using '-lastexternal' at the end of the set name, you can select only the
> external host that connected to your internal network, or at least the last
> external host with a public IP.
>

Thanks John for refreshing my memory.

>> describe TO_TOO_MANY To: too many recipients
>> header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
>> score    TO_TOO_MANY 0.3
>>
>> describe TO_WAY_TOO_MANY To: way too many recipients
>> header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){30}/
>> score    TO_WAY_TOO_MANY 0.3
>>
>> describe CC_TOO_MANY CC: too many recipients
>> header   CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){15}/
>> score    CC_TOO_MANY 0.3
>>
>> You can vary the number in {} to whatever suits you.
>
> ...and the scores, of course.

> 31.10.2009 23:26, Adam Katz kirjoitti:
>> Brilliant minds think alike ;-)  I have very similar rules in my
>> khop-general channel:
>>
>> header   KHOP_BIG_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){10,19}/
>> describe KHOP_BIG_TO_CC Sent to 10+ recipients instaed of Bcc or a list
>> score    KHOP_BIG_TO_CC 0.3 # 20090527
>>
>> header   KHOP_GIANT_TO_CC ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,30},){20}/
>> describe KHOP_GIANT_TO_CC Sent to 20+ recipients instead of Bcc or a list
>> score    KHOP_GIANT_TO_CC 0.7 # 20090527
>
> What is ToCc header? Is it some kind of a virtual header by SA?