Increase in spam getting through
Randal, Phil
prandal at herefordshire.gov.uk
Tue Aug 1 13:19:11 IST 2006
Derek Harding posted this rule on the spamassassin-users mailing list:
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 1.5
That'll get all inline images, not just the spammy ones.
I'm scoring it 2 at the moment (but our bayes is well trained and can
compensate).
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
> Of rob freeman
> Sent: 01 August 2006 12:45
> To: MailScanner discussion
> Subject: Increase in spam getting through
>
> Running MailScanner 4.53.8 on CentOS 4.3. It is a front end
> to our Exchange 2003 server. Have rules_du_jour running with
> these rules:
>
> TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU
> TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300
> SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1
> SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM
> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";
>
> Also have DCC, pyzor, razor, and bayes going.
>
> We have a rise in spam getting through in the past 2 weeks.
> Mostly looks like an image with words at the end. Here is
> the mail source:
>
> <html xmlns:v="urn:schemas-microsoft-com:vml"
> xmlns:o="urn:schemas-microsoft-com:office:office"
> xmlns:w="urn:schemas-microsoft-com:office:word"
> xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
> xmlns="http://www.w3.org/TR/REC-html40">
> <head>
> <meta name=Generator content="Microsoft Word 11 (filtered medium)">
> <!--[if !mso]>
> <style>
> v\:* {behavior:url(#default#VML);}
> o\:* {behavior:url(#default#VML);}
> w\:* {behavior:url(#default#VML);}
> shape {behavior:url(#default#VML);}
> </style>
> <![endif]--><o:SmartTagType
> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
> name="City"/>
> <o:SmartTagType
> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
> name="place"/>
> <!--[if !mso]>
> <style>
> st1\:*{behavior:url(#default#ieooui) }
> </style>
> <![endif]-->
> <style>
> <!--
> /* Style Definitions */
> p.MsoNormal, li.MsoNormal, div.MsoNormal
> {margin:0cm;
> margin-bottom:.0001pt;
> font-size:12.0pt;
> font-family:"Times New Roman";}
> a:link, span.MsoHyperlink
> {color:blue;
> text-decoration:underline;}
> a:visited, span.MsoHyperlinkFollowed
> {color:purple;
> text-decoration:underline;}
> span.EmailStyle17
> {mso-style-type:personal-compose;
> font-family:Arial;
> color:windowtext;}
> @page Section1
> {size:595.3pt 841.9pt;
> margin:2.0cm 42.5pt 2.0cm 3.0cm;}
> div.Section1
> {page:Section1;}
> -->
> </style>
> </head>
> <body lang=EN link=blue vlink=purple>
> <div class=Section1>
> <p class=MsoNormal><font size=2 face=Arial><span
> style='font-size:10.0pt;
> font-family:Arial'><img width=429 height=526 id="_x0000_i1025"
> src="cid:image001.gif at 01C6B486.796DE3A0"></span></font><font
> size=2 face=Arial><span
> lang=EN-US
> style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span><
> /font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Deals And Sale
> Items Keyword Group Product StoreAll Products View: GridSort
> Top Price<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>delicacy Before cm
> equipment amount floor referred washing machines hookups
> motors<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>achieve speeds
> beyond Notebook smaller slower capacity. whereas
> newest<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>startup rises
> decay younger fewer startstop better surviving literally
> drags Maxtor series<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>area Cup World
> pertinent<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Partial Response
> Maximum algorithm Textured Landing Zones HDDs UltraDMA/ ATAPI
> releases barrier broken First<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>reports<o:p></o:p><
> /span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>merchants provided
> third parties purposes only.<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Greek Award
> winning area Cup World pertinent info Cup.
> Over<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>From
> Katrina<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>width Neel Spikes
> granular opposite opposed spikes appear. These magnets align
> because cancel<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>eBooks variety
> subjects such as: novels<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Barcode UNIX
> WebCam download: Most popular Releases
> Picks<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>sims Film video
> film emulateur google<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>warnings worldwide
> local groups climate severe news. browsers FTP Usenet
> readers<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>host page.
> knowledge HTML.<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>behind devices.
> FCAL connected fibre optics. networks protocols iSCSI
> Ethernet well.SATA pair receiving device.<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>audience member.
> Fact Day: pound<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Buying Selling
> Models Cutting<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Buy Yahoo
> YahooMail pageYahoo InNew User Sign Primary Clothing Garden
> My Lists CareHome<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>APIs powering
> Tech. paid Inc. Rights<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>name... eg.
> Solaris SunOS SCO<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>HDA. Almost
> designer Kenneth Haughton rifle suited protected center harsh
> delicacy Before cm equipment amount floor referred
> washing<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>NEWS Center Here
> will latest sites: English USA/UK German Spanish French
> Italian<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>this. Website
> Tools counters polls engines add homepage
> Website.<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>PSP audio MP...
> Studio WinTasks Uniblue Ltd WinBackup sluggish. engine... LI
> Controls Trial Deluxe<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Beverage Genealogy
> Health Nutrition Parenting Science Animation Authoring
> Editing Media ActiveX Compilers Libraries
> Debugging<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>Players PlugIns
> Streaming Puzzles<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>basic rate. cases
> Small Interface ESDI always werent downward
> wouldnt<o:p></o:p></span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>browsers<o:p></o:p>
> </span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>actual<o:p></o:p></
> span></font></p>
> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
> style='font-size:10.0pt;font-family:Arial'>him student Visa
> when others cannot PM Lifetime Fiscal
> approved<o:p></o:p></span></font></p>
> </div>
> </body>
> </html>
>
>
> And the scores we get are:
>
> Subject: bresil But
> Date: Mon, 31 Jul 2006 09:48:28 -0200
> MIME-Version: 1.0
> Content-Type: multipart/related;
> boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
> Message-Id: <CCF5EA78369450E.1D03680AAF at direct-adsl.nl>
> X-fleetone.com-MailScanner-Information: Please contact the
> ISP for more information
> X-fleetone.com-MailScanner: Found to be clean
> X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin
> (score=2.963,
> required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
> DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
> X-fleetone.com-MailScanner-SpamScore: 2
> X-fleetone.com-MailScanner-From: xbalmmoiw at direct-adsl.nl
> Return-Path: xbalmmoiw at direct-adsl.nl
> X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC)
> FILETIME=[18E0AAD0:01C6B478]
> ------=_NextPart_000_0003_01C6B486.796DE3A0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"
> ------=_NextPart_001_0004_01C6B486.796DE3A0
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> ------=_NextPart_001_0004_01C6B486.796DE3A0
> Content-Type: text/html;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> ------=_NextPart_001_0004_01C6B486.796DE3A0--
> ------=_NextPart_000_0003_01C6B486.796DE3A0
> Content-Type: image/gif;
> name="image001.gif"
> Content-Transfer-Encoding: base64
> Content-ID: <image001.gif at 01C6B486.796DE3A0>
>
> ------=_NextPart_000_0003_01C6B486.796DE3A0--
>
> A MailScanner --lint does not return any problems on the server:
>
> [root at bouncy spamassassin]# /usr/sbin/MailScanner --lint
> Read 757 hostnames from the phishing whitelist
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
>
> Not sure why this is being sent on as non-spam. Any thoughts?
>
> Rob
>
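Added example (not part of the original post and not SpamAssassin code): the INLINE_IMAGE pattern quoted above, run over three constructed messages to show what it does and does not distinguish. Python's re stands in for the Perl regex, and the messages, the boundary "b1" and the example.invalid names are made up. SpamAssassin's rawbody rules see textual parts after base64/quoted-printable decoding with HTML tags still present, so the sketch decodes before matching and also shows the undecoded text for comparison.

```python
import re
from email import message_from_string

# Same pattern as the INLINE_IMAGE rule in the post; Python's re stands in for Perl.
INLINE_IMAGE = re.compile(r"""src\s*=\s*["']cid:""", re.IGNORECASE)

def make_msg(html_qp, with_image):
    """Build a constructed multipart/related message (not real mail)."""
    lines = ['MIME-Version: 1.0',
             'Content-Type: multipart/related; boundary="b1"', '',
             '--b1',
             'Content-Type: text/html; charset="us-ascii"',
             'Content-Transfer-Encoding: quoted-printable', '',
             html_qp]
    if with_image:
        lines += ['--b1',
                  'Content-Type: image/gif; name="x.gif"',
                  'Content-Transfer-Encoding: base64',
                  'Content-ID: <x.gif@example.invalid>', '',
                  'R0lGODlhAQABAAAAACw=']
    lines += ['--b1--', '']
    return message_from_string('\n'.join(lines))

# Constructed samples: image-plus-word-salad, a signature logo, a remote image.
SPAM_LIKE = make_msg('<img width=3D429 height=3D526 src=3D"cid:x.gif@example.invalid">'
                     '<p>delicacy Before cm equipment</p>', True)
SIGNATURE = make_msg("<p>Regards</p><img src=3D'cid:x.gif@example.invalid'>", True)
REMOTE = make_msg('<img src=3D"http://example.invalid/logo.gif">', False)

def textual_parts(msg):
    """Yield (transfer-encoded, decoded) text of every text/* part."""
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            decoded = part.get_payload(decode=True).decode('ascii', 'replace')
            yield part.get_payload(), decoded

def inline_image_hit(msg):
    """Match on decoded text with HTML tags intact, as rawbody rules do."""
    return any(INLINE_IMAGE.search(dec) for _, dec in textual_parts(msg))

def hit_without_decoding(msg):
    """Same pattern on the still quoted-printable text, for comparison."""
    return any(INLINE_IMAGE.search(raw) for raw, _ in textual_parts(msg))

if __name__ == '__main__':
    for name, m in [('spam-like', SPAM_LIKE), ('signature', SIGNATURE), ('remote', REMOTE)]:
        print(name, inline_image_hit(m), hit_without_decoding(m))
```

The spam-like message and the signature logo both hit, so the rule alone cannot tell them apart; the remaining score has to come from Bayes and the other rules.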