> From: Jim Pazarena
>
> I am trying to strengthen my spam filtering.
>
> As such, I make sure that I don't get too heavy handed with google
> or hotmail.
>
> But I see a heck of a lot of junk from *.yahoo.com
>
> Has yahoo become or has it always been a giant spam pit?
Yahoo consists of different parts. If the spam came via a Yahoo Group
(mailing list), complain to the moderator or unsubscribe. If you are a moderator,
spam sent to the -owner@ address will be forwarded to you; there is nothing to do
about that except content filtering, which is fraught with false positives.
Spam via mail.yahoo.com (free mailboxes) and domains outsourced to yahoo
(btinternet.com, btopenworld.com, att.net, sbcglobal.net, rogers.com
and possibly some others) is entirely another matter. After blacklisting
$sender_address_domain yahoo.cn, yahoo.com.cn, yahoo.com.hk
and $sender_host_name ^smtp\d+\.biz\.mail\.(re\d+|mud)\.yahoo\.com$ ,
I'm sent mostly Nigerian spam via mail.yahoo.com. I block it with a local
blacklist of injection IPs (the IP address of the client that submitted the
message to the webmail service):
http://lena.kiev.ua/blacklist_webmail.txt
It is used in acl_check_data:
# Hotmail: applies only when the connecting host's name ($sender_host_name)
# ends in .bluN/.colN/.bayN/.sntN.hotmail.com.
warn condition = ${if match{$sender_host_name}\
{\N\.(blu|col|bay|snt)\d+\.hotmail\.com$\N}}
# Capture the bracketed IPv4 address from the Received: line written by
# "Microsoft SMTPSVC" and store it in acl_m_web. There is no else-branch, so
# acl_m_web becomes empty when the pattern does not match.
# NOTE(review): the negated class [^\w-]+ in front of the host suffix matches
# only characters that cannot occur in a hostname label; [\w-]+ may have been
# intended. Confirm against a real header before relying on this rule.
set acl_m_web = ${if match{$rheader_Received:}{\Nfrom [^\(]+\
\(\[(\d+\.\d+\.\d+\.\d+)\]\) by \
[^\w-]+\.((blu|col|bay|snt)\d+\.hotmail\.com|phx\.gbl) \
(over TLS secured channel )?with Microsoft SMTPSVC\N}{$1}}
# Yahoo Mail: applies only when the connecting host's name ends in
# .mail.<2-3 chars>.yahoo.com ...
warn condition = ${if match{$sender_host_name}\
{\N\.mail\....?\.yahoo\.com$\N}}
# ... and at least one Yahoo webmail marker is present: X-Yahoo-Newman-Property
# containing "ymail", an X-RocketYMMF header, or an X-Mailer starting with
# "YahooMail".
condition = ${if or{\
{match{$rheader_X-Yahoo-Newman-Property:}{ymail}}\
{def:header_X-RocketYMMF:}\
{match{$bheader_X-Mailer:}{^YahooMail}}\
}}
# First attempt: the client IP from "from [IP] by webNNN(.biz).mail.*.yahoo.com
# via HTTP; ". Yields an empty value when there is no match.
set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
\[(\d+\.\d+\.\d+\.\d+)\] by \
web\d+(\.biz)?\.mail\....?\.yahoo\.com via HTTP; \N}{$1}}
# Continue only if the HTTP pattern found nothing.
condition = ${if !def:acl_m_web}
# Second attempt: the IP after "@" in "(...@IP with login)" on a Received:
# line added by smtpN(.plus|.sbc).mail.*.yahoo.com "with SMTP; ".
set acl_m_web = ${if match{$bheader_Received:}{\Nfrom [^(\n]+ \
\([^)\n]+@(\d+\.\d+\.\d+\.\d+) with login\)[\r\n]+\s+by \
smtp\d+(\.plus|\.sbc)?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}}
# AOL: applies only when the connecting host's name is omr-*.mx.aol.com or
# imr-*.mx.aol.com.
warn condition = ${if match{$sender_host_name}\
{\N^[oi]mr-\w+\.mx\.aol\.com$\N}}
# Web UI submissions: the IP in "from IP by webmail-*.sysops.aol.com (IP) with
# HTTP (WebMailUI); ". Yields an empty value when there is no match.
set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
(\d+\.\d+\.\d+\.\d+) by webmail-\w+\.sysops\.aol\.com \
\(\d+\.\d+\.\d+\.\d+\) with HTTP \(WebMailUI\); \N}{$1}}
# Third-party client submissions: the bracketed IP on the Received: line added
# by mtaout-*.mx.aol.com "with ESMTPA". On no match the previous value of
# acl_m_web is kept.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by \
mtaout-\w+\.\w+\.mx\.aol\.com \(MUA/Third Party Client \
Interface\) with ESMTPA id \w+;\N}{$1}{$acl_m_web}}
# LotusLive: applies only when the connecting host's name is
# outboundNNN.messaging.lotuslive.com.
warn condition = ${if match{$sender_host_name}\
{\N^outbound\d+\.messaging\.lotuslive\.com$\N}}
# Capture the IPv4 address that follows the second "@" and precedes ")".
# NOTE(review): the pattern is anchored with ^ directly before "@"; the text in
# front of it may have been altered by mailing-list archive address
# obfuscation. Verify against the author's original config and a real header.
set acl_m_web = ${if match{$rheader_Received:}\
{\N^@[\w.-]+@(\d+\.\d+\.\d+\.\d+)\)\N}{$1}}
# Generic webmail packages. This statement has no host condition, so it is
# evaluated for mail from any connecting host. Each "set" searches the complete
# raw header block for a Received: line in one package's format and captures
# the client IPv4 address; on no match it keeps the previous acl_m_web, so the
# last matching pattern wins.
# NOTE(review): the headers searched here arrive with the message, and lines
# below the ones added by trusted relays can be written by the sender. The
# extracted address is a hint for the blacklist lookup, not a verified origin;
# a sender can avoid a match by omitting or altering these lines.
#
# SquirrelMail behind a proxy ("proxying for IP").
warn set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
[\d.]+ (?:\(\[[\d.]+\]\) )?\(proxying[\s\n]+for[\s\n]+\
(\d+\.\d+\.\d+\.\d+)(, [\w.-]+)?\)\n\
\s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
\s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
# SquirrelMail without a proxy annotation.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
(?:\S+ \(\[)?(\d+\.\d+\.\d+\.\d+)(?:\]\))?\n?\
\s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
\s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
# RisuMail.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
(\d+\.\d+\.\d+\.\d+)(?: \(proxying for [^)]+\))?[\n\s]+\
\(RisuMail authenticated user \N}{$1}{$acl_m_web}}
# Roundcube (identified by a later "User-Agent: Roundcube Webmail" header).
# NOTE(review): the pattern requires the literal text "(]" before the address
# ("\(\]"); "\(\[" was probably intended, otherwise this rule is unlikely to
# match. Confirm before changing.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\S+ \(\](\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+[\s\n]+\
with[\s\n]+HTTP(?s).+\nUser-Agent: Roundcube Webmail\N}\
{$1}{$acl_m_web}}
# Horde (Framework or MIME library).
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\S+[\n\s]+\((?:\S+[\n\s]+)?\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by\
[\n\s]+\S+[\n\s]+\(Horde[\n\s]+(Framework|MIME[\n\s]+library)\)\
[\n\s]+with[\n\s]+HTTP\N}{$1}{$acl_m_web}}
# mshttpd.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\[(\d+\.\d+\.\d+\.\d+)\] by \S+[\s\n\r]+ \(mshttpd\);\N}\
{$1}{$acl_m_web}}
# UebiMiau, "from client IP for UebiMiauN.N (webmail client);" form.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
client (\d+\.\d+\.\d+\.\d+) for UebiMiau\d+\.\d+ \(webmail \
client\);\N}{$1}{$acl_m_web}}
# UebiMiau, "with HTTP (UebiMiau);" form.
# NOTE(review): "[\n\s+]" is a character class containing a literal "+", so it
# matches exactly one character before "by"; "[\n\s]+" was probably intended,
# which would also cover a folded header line. Confirm before changing.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s+]by \S+ \
with HTTP \(UebiMiau\);\N}{$1}{$acl_m_web}}
# CommuniGate Pro web user interface.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\[(\d+\.\d+\.\d+\.\d+)\] \(account \S+\)[\s\n\r]+by[\s\n\r]+\
\S+[\s\n\r]+\(CommuniGate Pro WEBUSER \S+\)[\s\n\r]+\
with[\s\n\r]+HTTP\N}{$1}{$acl_m_web}}
# Any Received: line of the shape "from [host] ([IP]) by host with http".
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\
(?:\S+[\s\n]+)?\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\
[\s\n]+with[\s\n]+http[\s\n]\N}{$1}{$acl_m_web}}
# Submission to mx.google.com over ESMTPS. The dots in "mx.google.com" are
# unescaped and therefore match any character.
set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
\S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\r]+\s+\
by mx.google.com with ESMTPS id \N}{$1}{$acl_m_web}}
# OpenWebMail: the remaining modifier is processed only when X-Mailer starts
# with "OpenWebMail ". This last "set" has no fallback value, so if
# X-OriginatingIP does not match, acl_m_web is reset to empty even if an
# earlier pattern had matched.
condition = ${if match{$bheader_X-Mailer:}{^OpenWebMail }}
set acl_m_web = ${if match{$bheader_X-OriginatingIP:}\
{\N^\[?(\d+\.\d+\.\d+\.\d+)\]?( |$)\N}{$1}}
# Header fallbacks. Each statement runs only while acl_m_web is still empty and
# takes the IPv4 address from one client-IP header that some webmail and web
# form software adds. None of these statements checks the connecting host.
# NOTE(review): these headers are part of the message and can be set to any
# value by the sender, so the result is an unverified hint.
#
# X-Originating-IP, optionally bracketed and optionally prefixed with ::ffff:.
warn condition = ${if !def:acl_m_web}
set acl_m_web = ${if match{$bheader_X-Originating-IP:}\
{\N^\[?(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]?$\N}{$1}}
# X-Client-IP holding a bare IPv4 address.
warn condition = ${if !def:acl_m_web}
set acl_m_web = ${if match{$bheader_X-Client-IP:}\
{\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
# X-Origin holding a bare IPv4 address.
warn condition = ${if !def:acl_m_web}
set acl_m_web = ${if match{$bheader_X-Origin:}\
{\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
# X-Originator holding a bare IPv4 address.
warn condition = ${if !def:acl_m_web}
set acl_m_web = ${if match{$bheader_X-Originator:}\
{\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
# X-SenderIP holding a bare IPv4 address.
warn condition = ${if !def:acl_m_web}
set acl_m_web = ${if match{$bheader_X-SenderIP:}\
{\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
# X-PHP-Script in the form "<script> for <IP>".
warn condition = ${if !def:acl_m_web}
set acl_m_web = ${if match{$bheader_X-PHP-Script:}\
{\N^\S+ for (\d+\.\d+\.\d+\.\d+)$\N}{$1}}
# Reject the message when an injection IP was extracted into acl_m_web and that
# address is found in the local list. The rejection text includes the address.
# Mail whose envelope sender domain is returns.groups.yahoo.com is exempt.
# The list is searched with iplsearch, so its keys may be single addresses or
# networks.
# NOTE(review): how /usr/local/etc/exim/blacklist_webmail is populated is not
# shown here. If it is refreshed from a remote copy fetched over plain HTTP,
# validate the downloaded entries before installing them, since every listed
# address results in rejections.
deny message = webmail from $acl_m_web locally blacklisted
condition = ${if def:acl_m_web}
condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
condition = ${lookup{$acl_m_web}iplsearch\
{/usr/local/etc/exim/blacklist_webmail}{1}{0}}
Also in acl_check_data:
# Reject Yahoo "mail to friend" messages: the connecting host's name must end in
# .bullet.(mail.)<2-3 chars>.yahoo.com and X-Yahoo-Newman-Property must equal
# "mail-to-friend" exactly.
deny message = "mail to friend" on news.yahoo.com abused by spammers
condition = ${if match{$sender_host_name}\
{\N\.bullet\.(mail\.)?...?\.yahoo\.com$\N}}
condition = ${if eq{$bheader_X-Yahoo-Newman-Property:}{mail-to-friend}}
# Reject when the domain of the Reply-To: address is one of yahoo.cn,
# yahoo.com.cn, yahoo.com.hk or w.cn. This check does not look at the
# connecting host or the envelope sender.
# NOTE(review): ${domain:...} is given the whole Reply-To: header; a header
# holding several addresses presumably does not parse as one address and would
# then not match. Confirm if that case matters.
deny message = I consider a Chinese mailbox in Reply-To as a sign of spam.
condition = ${if match_domain{${domain:$header_reply-to:}}\
{yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}}