Spam that puts extra Subject lines in to avoid being quarantined/caught.

Duncan, Brian M. brian.duncan at KMZR.COM
Thu Mar 17 15:05:53 GMT 2005


Trying another time to mail the list about this type of spamming.  We
are starting to get a lot more of these and I could not find anything in
the archives dealing with this. (I looked again)

Far down below is the original message I sent the list.

Basically what I am seeing is spammers that put two subject lines into
the message.  MailScanner only tags one of them. (99% of these have been
ones that fail the RBL check.)  We have rules set up in Exchange that then
say if the message subject has xxx in it, stick it in their Suspect folder.
(Exchange is only paying attention to the LAST subject line in the
headers.)

Any way to get sendmail/MailScanner to either cut out multiple subject
lines, or to mark ALL of the subject lines in the headers?

This is with mailscanner-4.35.11-1

Another example:

Received: from everest by nuuk.nshoster.com with local (Exim 4.44)id
 1DBgQp-0003Ae-0D; Wed, 16 Mar 2005 16:51:59 -0500
To: info at udnepal.com,
 richard at rotary1900.org
From: fatima at beaconsfield.libdems.org.uk,
 bobby at studentnet.lv
Cc: fatima at beaconsfield.libdems.org.uk
REPLY-TO: info at udnepal.com
Subject: {FAILED SC} Online Reservation Inquiry submitted by
Content-Type: multipart/mixed;
 boundary=feawnqj
Subject: Pharm discount
Message-Id: <E1DBgQp-0003Ae-0D at nuuk.nshoster.com>
Date: Wed, 16 Mar 2005 16:51:59 -0500
X-AntiAbuse: This header was added to track abuse, please include it
with
 any abuse report
X-AntiAbuse: Primary Hostname - nuuk.nshoster.com
X-AntiAbuse: Original Domain - kmzr.com
X-AntiAbuse: Originator/Caller UID/GID - [32079 32079] / [47 12]
X-AntiAbuse: Sender Address Domain - nuuk.nshoster.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-KMZR-MailScanner-Information:
X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.369, required
 7,BAYES_80 2.09, DISGUISE_VIAGRA 1.00, DRUGS_ANXIETY
 0.10,DRUGS_ANXIETY_EREC 0.04, DRUGS_ERECTILE 0.22,HEADER_COUNT_CTYPE
1.77,
 HTML_20_30 0.23, HTML_MESSAGE 0.00,HTML_MIME_NO_HTML_TAG 0.14,
 MIME_BASE64_TEXT 0.30,MIME_HEADER_CTYPE_ONLY 0.11, MIME_HTML_ONLY
 0.18,URIBL_OB_SURBL 3.21)
X-MailScanner-SpamScore: sssssssss
X-MailScanner-From: everest at nuuk.nshoster.com
Return-Path: everest at nuuk.nshoster.com
X-OriginalArrivalTime: 16 Mar 2005 21:57:53.0994 (UTC)
FILETIME=[3479F2A0:01C52A73]

-----Original Message-----
From: Duncan, Brian M.
Sent: Friday, January 28, 2005 10:45 AM
To: 'MAILSCANNER at JISCMAIL.AC.UK'
Subject: Removing MULTIPLE subject lines in a message.


Forgive me if this has been covered in the mailing list.  I searched the
archives without any results.

We are starting to receive messages now with multiple subject lines.
(Ones with 2 subject lines total)

In our environment we just modify the subject line on ANY message that
is determined to be spam. (Blacklisted, or scores higher than 7)

We then rely on Exchange to move any messages with our modification into
a local folder for the end users that is for Spam. (So they can look
over)

The problem we are seeing now is that Outlook/Exchange only seems to pay
attention to the LAST subject line in a message.  When one of these
messages with 2 subject lines comes through, it gets caught.  The 1st
subject line is re-written, then it's forwarded to our Exchange server.
The Exchange server/Outlook client only lists the LAST subject line from
the message.  So it winds up in their INBOX.  If you look through the
headers you can see.

I was wondering if there is an easy way to handle this on the
Sendmail/MailScanner side.

Thanks!

I will include headers of a message we have this problem with:


Received: from RJX ([218.107.2.59])by venus.KMZR.COM (8.11.6/8.11.2)
with
 SMTP id j0SDSbL06054;Fri, 28 Jan 2005 07:28:38 -0600
Message-Id: <200501281328.j0SDSbL06054 at venus.KMZR.COM>
Received: from abac.com ([28.90.248.212]) by crisscross.iupi.pt        
 (InterMail vK.4.04.00.00 813-535-420 license
 5uz341wo5802c0kq1v5mts5394z8rdj1)         with ESMTP id
 <75579863733746.EUMI071.cosy at abac.com>         for <mccord at kmzr.com>;
Fri,
 28 Jan 2005 11:21:00 -0200
Received: from mail pickup service by hotmail.com with Microsoft
SMTPSVC;
 Fri, 28 Jan 2005 19:25:00 +0600
Received: from 24.240.198.188 by ami.demagogue.hotmail.msn.com with
 HTTP;Fri, 28 Jan 2005 14:27:00 +0100 GMT
X-Originating-IP: [18.219.66.153]
X-Originating-Email: [combat at abac.com]
From: "Augusta Wood" <Reevesxfkyy at topteam.bg>,
 "Augusta Wood" <Reevesxfkyy at topteam.bg>
To: mccord at kmzr.com,
 "Mccord" <mccord at kmzr.com>
Subject: {FAILED SC} Spyware Aiert - January 25th
Date: Fri, 28 Jan 2005 14:26:00 +0100
Mime-Version: 1.0
Received: from abac.com ([100.144.236.240])         by
crisscross.iupi.pt  
       (InterMail vK.4.04.00.00 218-712-387 license
 5uz341wo5802c0kq1v5mts5394z8rdj1)         with ESMTP id
 <67078592714268.CCLC9817.crisscross.iupi.pt>         for
<mccord at kmzr.com>;
  Fri, 28 Jan 2005 17:26:00 +0400
Subject: Spyware Aiert - January 25th
Sender: "Augusta Wood" <Reevesxfkyy at topteam.bg>
X-KMZR-MailScanner-Information:
X-MailScanner-SpamCheck: spam, SpamAssassin (score=22.075, required
 7,autolearn=spam, BAYES_80 2.09, INVALID_TZ_GMT 0.20, LONGWORD
 0.30,LONGWORDS 2.26, MR_NOT_ATTRIBUTED_IP 0.20, MR_STRANGE_QUESTION
 1.50,MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72, NO_RDNS2
 0.01,RCVD_IN_DSBL 3.81, RCVD_IN_SORBS 1.00, URIBL_OB_SURBL
 3.21,URIBL_SC_SURBL 4.26, URIBL_WS_SURBL 1.46)
X-MailScanner-SpamScore: ssssssssssssssssssssss
X-MailScanner-From: reevesxfkyy at topteam.bg
Return-Path: Reevesxfkyy at topteam.bg
X-OriginalArrivalTime: 28 Jan 2005 13:30:17.0277 (UTC)
FILETIME=[81717ED0:01C5053D]



Brian M. Duncan
Katten Muchin Zavis Rosenman
525 West Monroe Street
Chicago IL 60661-3693
312-577-8045

brian.duncan at kmzr.com
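As an added illustration of the header-handling problem the post describes (this is example code written for this page, not code from the post, MailScanner or sendmail): a small Python parser that unfolds a raw header block, reports which single-valued headers appear more than once, and applies both remedies the poster asks about, tagging every Subject copy or dropping all but the first. The sample header block is constructed from the second set of headers quoted in the post (shortened, with the archive's " at " munging reversed to "@"); the tag string "{FAILED SC}" is the one the post's headers show. The function names and the list of watched headers are this example's own choices.

```python
from __future__ import annotations

# Constructed sample header block, built from the headers quoted in the post
# (shortened; the archive's " at " munging reversed to "@").
SAMPLE_HEADERS = (
    "From: fatima@beaconsfield.libdems.org.uk\n"
    "To: info@udnepal.com,\n"
    " richard@rotary1900.org\n"
    "Subject: {FAILED SC} Online Reservation Inquiry submitted by\n"
    "Content-Type: multipart/mixed;\n"
    " boundary=feawnqj\n"
    "Subject: Pharm discount\n"
    "Message-Id: <E1DBgQp-0003Ae-0D@nuuk.nshoster.com>\n"
    "Date: Wed, 16 Mar 2005 16:51:59 -0500\n"
    "\n"
    "(body omitted)\n"
)

SPAM_TAG = "{FAILED SC}"  # the subject tag shown in the post's headers


def parse_headers(raw):
    """Split a raw message into ordered (name, value) header pairs.
    Folded continuation lines (leading space or tab) are joined onto the
    previous header; duplicate headers are kept, since spotting them is
    the whole point."""
    headers = []
    for line in raw.splitlines():
        if line.strip() == "":
            break  # the first blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than guess
        headers.append((name.strip(), value.strip()))
    return headers


def duplicate_headers(headers, watch=("subject", "from", "to", "date")):
    """Return {name: count} for watched headers that occur more than once.
    These headers are single-valued, so a second copy is a strong signal
    of the 'which copy does the client display' trick from the post."""
    counts = {}
    for name, _ in headers:
        key = name.lower()
        if key in watch:
            counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


def tag_all_subjects(headers, tag=SPAM_TAG):
    """Remedy 1 from the post: tag every Subject copy, so a client that only
    shows the last copy still displays the tag."""
    out = []
    for name, value in headers:
        if name.lower() == "subject" and not value.startswith(tag):
            value = f"{tag} {value}"
        out.append((name, value))
    return out


def keep_first_subject(headers):
    """Remedy 2 from the post: drop every Subject after the first, so the
    message carries exactly one Subject for downstream rules to match."""
    out, seen = [], False
    for name, value in headers:
        if name.lower() == "subject":
            if seen:
                continue
            seen = True
        out.append((name, value))
    return out


def render_headers(headers):
    """Serialise the header list back to text, one unfolded header per line."""
    return "".join(f"{name}: {value}\n" for name, value in headers)


if __name__ == "__main__":
    hs = parse_headers(SAMPLE_HEADERS)
    print("duplicated headers:", duplicate_headers(hs))
    print(render_headers(tag_all_subjects(hs)))
```

Run stand-alone, it reports `{'subject': 2}` for the sample and prints the header block with both Subject lines tagged. The duplicate check is the piece worth keeping as a detection rule in its own right: a message with two Subject, From or Date headers is malformed regardless of what the content scanner scores it.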
