Spammers adopt Facebook headers?
I saw these yet again today on a spam that found its way into a spam trap I have.
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: password_reset; mailid=
Errors-To: terrace45@rotortug.com
X-FACEBOOK-PRIORITY: 1
MIME-Version: 1.0
The offending sender is (91.90.12.239) which, surprise surprise, isn’t a Facebook IP. I am working on a SpamAssassin rule for this; if anyone wants a “beta” copy of the meta rule, let me know.
OK, I tested it and it appears to be working. The last 24 hours have seen over 100 hits, all obvious spam (total volume during that time was 564K). The meta rule I am using is:
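# Sub-rules carry a "__" prefix so they feed the meta without scoring on their own
# (an unscored, unprefixed rule defaults to 1.0, and the Received test hits most mail).
header __CS_881 X-Mailer =~ /\bZuckMail\b/i
# Dot escaped so it matches only a literal "facebook.com"
header __CS_882 Received !~ /\bfacebook\.com\b/i
meta FAKEFACEBOOK_01 (__CS_881 && __CS_882)
score FAKEFACEBOOK_01 3.9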
Change the header rule names, meta name, and score to reflect what you feel is best for your system.
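To check the logic of the two header tests against sample mail before deploying, here is an added Python sketch (not part of the original post, and only an approximation of how SpamAssassin evaluates header rules). The sample messages, hostnames and the `build` helper are constructed for illustration; only the ZuckMail mailer string and 91.90.12.239 come from the headers above.

```python
import re
from email import message_from_string

# The two header tests: X-Mailer names ZuckMail, Received names facebook.com.
ZUCKMAIL = re.compile(r"\bZuckMail\b", re.I)
FACEBOOK = re.compile(r"\bfacebook\.com\b", re.I)


def fake_facebook(raw, facebook=FACEBOOK):
    """Return True when both header tests hit, i.e. the meta rule would fire."""
    msg = message_from_string(raw)
    # All instances of a header are joined with newlines and matched as one string.
    mailer = "\n".join(msg.get_all("X-Mailer", []))
    received = "\n".join(msg.get_all("Received", []))
    mailer_hit = bool(ZUCKMAIL.search(mailer))
    no_facebook_relay = not facebook.search(received)  # the "!~" test
    return mailer_hit and no_facebook_relay


def build(mailer, *received):
    """Assemble a minimal constructed message (hypothetical helper)."""
    lines = ["Received: " + r for r in received]
    lines += ["X-Mailer: " + mailer, "Subject: constructed sample", "", "body"]
    return "\n".join(lines)


# Constructed samples.
SPAM = build("ZuckMail [version 1.00]",
             "from unknown (91.90.12.239) by mx.example.org")
VIA_FACEBOOK = build("ZuckMail [version 1.00]",
                     "from mx-out.facebook.com (203.0.113.5) by mx.example.org",
                     "from internal by mx-out.facebook.com")
OTHER_MAILER = build("ExampleMailer 2.0",
                     "from mail.example.net (198.51.100.7) by mx.example.org")
LOOKALIKE = build("ZuckMail [version 1.00]",
                  "from facebook-com.example.net (198.51.100.9) by mx.example.org")

if __name__ == "__main__":
    for name in ("SPAM", "VIA_FACEBOOK", "OTHER_MAILER", "LOOKALIKE"):
        print(name, fake_facebook(globals()[name]))
    # With an unescaped dot, "." matches any character and LOOKALIKE is missed.
    loose = re.compile(r"\bfacebook.com\b", re.I)
    print("LOOKALIKE with unescaped dot:", fake_facebook(LOOKALIKE, loose))
```

Because Received lines added before your own relay are written by the sending side, treat the Received test as a heuristic rather than proof of origin.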