In a recent message Harriet Bazley <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > On 10 Nov 2006 as I do recall, > Harriet Bazley wrote: > >> We have been under massive Debora[h] attack for several days - somebody >> is generating messages from a vast number of names all claiming to be [....] > I don't know if this helps: > from http://permalink.gmane.org/gmane.mail.virus.mailscanner/46471 > > "I've found that a lot of the "debora" spam, as well as a fair amount > of other spam, matches /6c822ecf/ in one or more of Message-ID and > Content-ID headers. I have yet to see a false positive." > These may also shed a little light on the probable source (from /.): www.eweek.com/article2/0,1895,2060235,00.asp www.eweek.com/slideshow_viewer/0,1205,l=&s=25954&a=194164&po=4,00.asp www.eweek.com/slideshow_viewer/0,1205,l=&s=25954&a=194164&po=7,00.asp It will come as no surprise that 72% of the infected OSs are XP and that, by far, the biggest location of the bots is the US of A. I don't know if this info can help in writing rules to block the current spam epidemic. Identifying the mailer/Mime versions may be a start. Time zone or country blocking (in combination with other criteria) could help. -- Dave Keep GMT all year