I have a unique spam issue that is giving me grey hair. Several of my users keep getting similar spam from many different addresses that the zimbra server just cant seem to train to block.
The only consistent thing about the spam is the alias of the email address. for example:

"Facebook Surveys" facebooksurvey@shopsnomi.com
"Facebook Surveys" facebooksurvey@xc-vi.com
"Facebook Surveys" facebook@dvragents.com
...
there are hundreds of combinations like this. And not only Facebook, this is just an example. we have "email fax", "discount airfare", "credit score check" and a laundry list of others.

I have tried:
Going to individuals mailboxes and marking 100s of messages as spam and then running zmtrainsa manually (which by the way doesn't work on any users mailbox, only on the system spam box). i am met with the following result 99% of the time

[test: spam ] /tmp/spam.PDR6214/12fc062862f-21 result: PASS

Configuring additional RBLs hoping that some of these spammers are tagged already and would be on one of these lists. I am using 7 RBLs

Creating blacklists for email domains, but it seems the more i add to the list the more creative they get with their domain names!

Creating spamassasin rules to block by subject, but the subject lines are almost never the same, and change fast enough to make this an excercise in futility.

So now id like to find a way to block by email address alias since this seems to be the most consistent thing about these spam messages. Anyone that has some pointers please help.

PS i am also open to any other general pointers for blocking spam. Its at the point now that my boss is concerned and hes been campaigning to move back to exchange for several months now! i cant let that happen


Release 7.0.1_GA_3105.RHEL5_20110304210448 RHEL5 FOSS edition.