MSN Featured Offer Spam – SpamAssassin rule to stop it

Started seeing some MSN Featured Offer spam on one of my mail servers. The annoying part is that it has a forged ‘From’ value that matches the recipient. On top of that, it’s being sent through a secondary MX server that is allowed to relay for my domains, so I can’t block that server from sending it. We also don’t run spam filtering on that server, since users would not be able to retrieve messages if they were quarantined on that box.

The messages look like this:

About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

What I ended up doing was adding a custom rule to quarantine this message. I found the following SANE rules to handle this and added them to /etc/spamassassin/local.cf, and it worked great. Remember to run spamassassin --lint afterwards to ensure everything is running properly.


#{ SANE_7429530a7398f43f1f1b795f9420714e
body SANE_7429530a7398f43f1f1b795f9420714e /MSN Featured Offers/
score SANE_7429530a7398f43f1f1b795f9420714e 18.01
describe SANE_7429530a7398f43f1f1b795f9420714e Email.Malware.Sanesecurity.08072229
body SANE_7429530a7398f43f1f1b795f9420714e /MSN Featured Offers/
describe SANE_7429530a7398f43f1f1b795f9420714e Email.Spam.Gen2507.Sanesecurity.08021303
score SANE_7429530a7398f43f1f1b795f9420714e 18.01
#} SANE_7429530a7398f43f1f1b795f9420714e
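
An added example, not part of the original post or of SpamAssassin: a small offline check that applies the same body pattern to two constructed messages and also tests for the forged From described above. The sample addresses and the From-equals-To check are assumptions for illustration; it shows that the body pattern alone also hits mail that merely quotes the phrase.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Same pattern as the body rule on this page.
BODY_RULE = re.compile(r"MSN Featured Offers")

def body_text(msg):
    """Return the decoded payload of a single-part message as text."""
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")

def from_matches_recipient(msg):
    """True when the From address equals the To address (the forgery described above)."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return bool(sender) and sender == rcpt

def classify(raw):
    """Report which of the two traits a raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    return {
        "body_rule": bool(BODY_RULE.search(body_text(msg))),
        "forged_from": from_matches_recipient(msg),
    }

# Constructed samples; example.com and example.net are placeholder domains.
FORGED = """From: alice@example.com
To: alice@example.com
Subject: Featured offer

You are receiving this e-mail because you subscribed to MSN Featured Offers.
"""

FORWARDED = """From: bob@example.net
To: alice@example.com
Subject: Fwd: is this spam?

> you subscribed to MSN Featured Offers.
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("forwarded", FORWARDED)):
        print(name, classify(raw))
```

With a score of 18.01 on the body match alone, the forwarded message would be quarantined as well, so it is worth running a few known-good messages through the rule before relying on it.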