On 2/23/2012 2:26 PM, richard wrote: > this was an easy one to deal with, created a filter to delete "yahoo.fr" That won't stop it all, and may cause FPs. Much better is a header regex such as: /Received: from .*213.251.189.205/ The spam in this campaign is all originating from a [likely compromised] OVH server at IP address 213.251.189.205: Received: from gw5.ovh.net (HELO 240plan.ovh.net) (213.251.189.205) $ grep -c 213.251.189.205 1-Debian-Users 49 -- Stan