Increase in spam getting through

rob freeman rob at robhq.com
Tue Aug 1 12:45:26 IST 2006


Running MailScanner 4.53.8 on CentOS 4.3.  It is a front end to our Exchange 2003 server.  Have rules_du_jour running with these rules:
 
TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300 SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1 SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";

Also have DCC, pyzor, razor, and bayes going.  
 
We have a rise in spam getting through in the past 2 weeks.  Mostly looks like an image with words at the end.  Here is the mail source:
 
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
 namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
    {margin:0cm;
    margin-bottom:.0001pt;
    font-size:12.0pt;
    font-family:"Times New Roman";}
a:link, span.MsoHyperlink
    {color:blue;
    text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
    {color:purple;
    text-decoration:underline;}
span.EmailStyle17
    {mso-style-type:personal-compose;
    font-family:Arial;
    color:windowtext;}
@page Section1
    {size:595.3pt 841.9pt;
    margin:2.0cm 42.5pt 2.0cm 3.0cm;}
div.Section1
    {page:Section1;}
-->
</style>
</head>
<body lang=EN link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><img width=429 height=526 id="_x0000_i1025"
src="cid:image001.gif at 01C6B486.796DE3A0"></span></font><font size=2 face=Arial><span
lang=EN-US style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Deals And Sale Items Keyword Group Product StoreAll Products View: GridSort Top Price<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>delicacy Before cm equipment amount floor referred washing machines hookups motors<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>achieve speeds beyond Notebook smaller slower capacity. whereas newest<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>startup rises decay younger fewer startstop better surviving literally drags Maxtor series<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>area Cup World pertinent<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Partial Response Maximum algorithm Textured Landing Zones HDDs UltraDMA/ ATAPI releases barrier broken First<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>reports<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>merchants provided third parties purposes only.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Greek Award winning area Cup World pertinent info Cup. Over<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>From Katrina<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>width Neel Spikes granular opposite opposed spikes appear. These magnets align because cancel<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>eBooks variety subjects such as: novels<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Barcode UNIX WebCam download: Most popular Releases Picks<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>sims Film video film emulateur google<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>warnings worldwide local groups climate severe news. browsers FTP Usenet readers<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>host page. knowledge HTML.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>behind devices. FCAL connected fibre optics. networks protocols iSCSI Ethernet well.SATA pair receiving device.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>audience member. Fact Day: pound<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Buying Selling Models Cutting<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Buy Yahoo YahooMail pageYahoo InNew User Sign Primary Clothing Garden My Lists CareHome<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>APIs powering Tech. paid Inc. Rights<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>name... eg. Solaris SunOS SCO<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>HDA. Almost designer Kenneth Haughton rifle suited protected center harsh delicacy Before cm equipment amount floor referred washing<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>NEWS Center Here will latest sites: English USA/UK German Spanish French Italian<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>this. Website Tools counters polls engines add homepage Website.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>PSP audio MP... Studio WinTasks Uniblue Ltd WinBackup sluggish. engine... LI Controls Trial Deluxe<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Beverage Genealogy Health Nutrition Parenting Science Animation Authoring Editing Media ActiveX Compilers Libraries Debugging<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>Players PlugIns Streaming Puzzles<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>basic rate. cases Small Interface ESDI always werent downward wouldnt<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>browsers<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>actual<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:10.0pt;font-family:Arial'>him student Visa when others cannot PM Lifetime Fiscal approved<o:p></o:p></span></font></p>
</div>
</body>
</html>

 
And the scores we get are:
 
Subject: bresil But
Date:  Mon, 31 Jul 2006 09:48:28 -0200
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-Id: <CCF5EA78369450E.1D03680AAF at direct-adsl.nl>
X-fleetone.com-MailScanner-Information: Please contact the ISP for more information
X-fleetone.com-MailScanner: Found to be clean
X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.963,
 required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
 DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
X-fleetone.com-MailScanner-SpamScore: 2
X-fleetone.com-MailScanner-From: xbalmmoiw at direct-adsl.nl
Return-Path: xbalmmoiw at direct-adsl.nl
X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC) FILETIME=[18E0AAD0:01C6B478]
------=_NextPart_000_0003_01C6B486.796DE3A0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"
------=_NextPart_001_0004_01C6B486.796DE3A0
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit
------=_NextPart_001_0004_01C6B486.796DE3A0
Content-Type: text/html;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_0004_01C6B486.796DE3A0--
------=_NextPart_000_0003_01C6B486.796DE3A0
Content-Type: image/gif;
 name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif at 01C6B486.796DE3A0>

------=_NextPart_000_0003_01C6B486.796DE3A0--
 
A MailScanner --lint does not return any problems on the server:
 
[root at bouncy spamassassin]# /usr/sbin/MailScanner --lint
Read 757 hostnames from the phishing whitelist
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.

Not sure why this is being sent on as non spam.  Any thoughts?
 
Rob
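
An added example, not part of the original post or of MailScanner: a small parser for the X-...-MailScanner-SpamCheck header quoted above that breaks the score down by rule and lists which of the checks named in the post left no hit. The function names are hypothetical, and the prefixes SARE_, DCC_, PYZOR_, RAZOR2_ and BAYES_ are assumed to be the rule-name prefixes those checks use.

```python
import re
from email import message_from_string

# Constructed input: the SpamCheck header from the post above, folded as posted.
SAMPLE_HEADERS = (
    "X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.963,\n"
    " required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,\n"
    " DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)\n"
    "X-fleetone.com-MailScanner-SpamScore: 2\n\n"
)

# Assumed rule-name prefixes for the checks the post says are enabled.
EXPECTED_FAMILIES = ("SARE_", "DCC_", "PYZOR_", "RAZOR2_", "BAYES_")


def parse_spamcheck(raw_headers):
    """Return verdict, score, threshold and per-rule scores, or None if absent."""
    msg = message_from_string(raw_headers)
    value = next((v for k, v in msg.items()
                  if k.lower().endswith("-mailscanner-spamcheck")), None)
    if value is None:
        return None
    value = " ".join(value.split())  # unfold the continuation lines
    m = re.search(r"score=(-?[\d.]+),\s*required (-?[\d.]+)(.*)\)", value)
    if m is None:
        return None
    rules = {name: float(pts) for name, pts in
             re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)", m.group(3))}
    return {
        "verdict": value.split(",", 1)[0].strip(),
        "score": float(m.group(1)),
        "required": float(m.group(2)),
        "rules": rules,
    }


def triage(report):
    """Summarise how far below threshold the message was and what never fired."""
    hits = report["rules"]
    silent = [f for f in EXPECTED_FAMILIES
              if not any(name.startswith(f) for name in hits)]
    return {
        "margin": round(report["required"] - report["score"], 3),
        "silent_families": silent,
        # ALL_TRUSTED means SpamAssassin saw only trusted relays for this mail.
        "all_trusted_hit": "ALL_TRUSTED" in hits,
    }


if __name__ == "__main__":
    print(triage(parse_spamcheck(SAMPLE_HEADERS)))
```

For the header in the post this reports a margin of about 3 points below the threshold, no SARE, DCC, Pyzor or Razor rule among the hits, and ALL_TRUSTED present, which is the rule SpamAssassin fires when every relay falls inside its trusted networks.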

