Increase in spam getting through

Jeff A. Earickson jaearick at colby.edu
Tue Aug 1 14:03:57 IST 2006


Thanks! I just rolled this into my spam.assassin.prefs.conf,
and it is already whapping the spam.

Jeff Earickson
Colby College

On Tue, 1 Aug 2006, Randal, Phil wrote:

> Date: Tue, 1 Aug 2006 13:19:11 +0100 
> From: "Randal, Phil" <prandal at herefordshire.gov.uk>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: RE: Increase in spam getting through
> 
> Derek Harding posted this rule on the spamassassin-users mailing list:
>
> rawbody INLINE_IMAGE    /src\s*=\s*["']cid:/i
> describe INLINE_IMAGE   Inline Images
> score INLINE_IMAGE 1.5
>
> That'll get all inline images, not just the spammy ones.
>
> I'm scoring it 2 at the moment (but our bayes is well trained and can
> compensate).
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>> Of rob freeman
>> Sent: 01 August 2006 12:45
>> To: MailScanner discussion
>> Subject: Increase in spam getting through
>>
>> Running MailScanner 4.53.8 on CentOS 4.3.  It is a front end
>> to our Exchange 2003 server.  Have rules_du_jour running with
>> these rules:
>>
>> TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU
>> TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300
>> SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1
>> SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM
>> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";
>>
>> Also have DCC, pyzor, razor, and bayes going.
>>
>> We have a rise in spam getting through in the past 2 weeks.
>> Mostly looks like an image with words at the end.  Here is
>> the mail source:
>>
>> <html xmlns:v="urn:schemas-microsoft-com:vml"
>> xmlns:o="urn:schemas-microsoft-com:office:office"
>> xmlns:w="urn:schemas-microsoft-com:office:word"
>> xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
>> xmlns="http://www.w3.org/TR/REC-html40">
>> <head>
>> <meta name=Generator content="Microsoft Word 11 (filtered medium)">
>> <!--[if !mso]>
>> <style>
>> v\:* {behavior:url(#default#VML);}
>> o\:* {behavior:url(#default#VML);}
>> w\:* {behavior:url(#default#VML);}
>> shape {behavior:url(#default#VML);}
>> </style>
>> <![endif]--><o:SmartTagType
>>  namespaceuri="urn:schemas-microsoft-com:office:smarttags"
>> name="City"/>
>> <o:SmartTagType
>> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
>>  name="place"/>
>> <!--[if !mso]>
>> <style>
>> st1\:*{behavior:url(#default#ieooui) }
>> </style>
>> <![endif]-->
>> <style>
>> <!--
>>  /* Style Definitions */
>>  p.MsoNormal, li.MsoNormal, div.MsoNormal
>>     {margin:0cm;
>>     margin-bottom:.0001pt;
>>     font-size:12.0pt;
>>     font-family:"Times New Roman";}
>> a:link, span.MsoHyperlink
>>     {color:blue;
>>     text-decoration:underline;}
>> a:visited, span.MsoHyperlinkFollowed
>>     {color:purple;
>>     text-decoration:underline;}
>> span.EmailStyle17
>>     {mso-style-type:personal-compose;
>>     font-family:Arial;
>>     color:windowtext;}
>> @page Section1
>>     {size:595.3pt 841.9pt;
>>     margin:2.0cm 42.5pt 2.0cm 3.0cm;}
>> div.Section1
>>     {page:Section1;}
>> -->
>> </style>
>> </head>
>> <body lang=EN link=blue vlink=purple>
>> <div class=Section1>
>> <p class=MsoNormal><font size=2 face=Arial><span
>> style='font-size:10.0pt;
>> font-family:Arial'><img width=429 height=526 id="_x0000_i1025"
>> src="cid:image001.gif at 01C6B486.796DE3A0"></span></font><font
>> size=2 face=Arial><span
>> lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span><
>> /font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Deals And Sale
>> Items Keyword Group Product StoreAll Products View: GridSort
>> Top Price<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>delicacy Before cm
>> equipment amount floor referred washing machines hookups
>> motors<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>achieve speeds
>> beyond Notebook smaller slower capacity. whereas
>> newest<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>startup rises
>> decay younger fewer startstop better surviving literally
>> drags Maxtor series<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>area Cup World
>> pertinent<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Partial Response
>> Maximum algorithm Textured Landing Zones HDDs UltraDMA/ ATAPI
>> releases barrier broken First<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>reports<o:p></o:p><
>> /span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>merchants provided
>> third parties purposes only.<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Greek Award
>> winning area Cup World pertinent info Cup.
>> Over<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>From
>> Katrina<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>width Neel Spikes
>> granular opposite opposed spikes appear. These magnets align
>> because cancel<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>eBooks variety
>> subjects such as: novels<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Barcode UNIX
>> WebCam download: Most popular Releases
>> Picks<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>sims Film video
>> film emulateur google<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>warnings worldwide
>> local groups climate severe news. browsers FTP Usenet
>> readers<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>host page.
>> knowledge HTML.<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>behind devices.
>> FCAL connected fibre optics. networks protocols iSCSI
>> Ethernet well.SATA pair receiving device.<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>audience member.
>> Fact Day: pound<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Buying Selling
>> Models Cutting<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Buy Yahoo
>> YahooMail pageYahoo InNew User Sign Primary Clothing Garden
>> My Lists CareHome<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>APIs powering
>> Tech. paid Inc. Rights<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>name... eg.
>> Solaris SunOS SCO<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>HDA. Almost
>> designer Kenneth Haughton rifle suited protected center harsh
>> delicacy Before cm equipment amount floor referred
>> washing<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>NEWS Center Here
>> will latest sites: English USA/UK German Spanish French
>> Italian<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>this. Website
>> Tools counters polls engines add homepage
>> Website.<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>PSP audio MP...
>> Studio WinTasks Uniblue Ltd WinBackup sluggish. engine... LI
>> Controls Trial Deluxe<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Beverage Genealogy
>> Health Nutrition Parenting Science Animation Authoring
>> Editing Media ActiveX Compilers Libraries
>> Debugging<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>Players PlugIns
>> Streaming Puzzles<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>basic rate. cases
>> Small Interface ESDI always werent downward
>> wouldnt<o:p></o:p></span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>browsers<o:p></o:p>
>> </span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>actual<o:p></o:p></
>> span></font></p>
>> <p class=MsoNormal><font size=2 face=Arial><span lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'>him student Visa
>> when others cannot PM Lifetime Fiscal
>> approved<o:p></o:p></span></font></p>
>> </div>
>> </body>
>> </html>
>>
>>
>> And the scores we get are:
>>
>> Subject: bresil But
>> Date:  Mon, 31 Jul 2006 09:48:28 -0200
>> MIME-Version: 1.0
>> Content-Type: multipart/related;
>>  boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
>> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
>> Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
>> Message-Id: <CCF5EA78369450E.1D03680AAF at direct-adsl.nl>
>> X-fleetone.com-MailScanner-Information: Please contact the
>> ISP for more information
>> X-fleetone.com-MailScanner: Found to be clean
>> X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin
>> (score=2.963,
>>  required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
>>  DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
>> X-fleetone.com-MailScanner-SpamScore: 2
>> X-fleetone.com-MailScanner-From: xbalmmoiw at direct-adsl.nl
>> Return-Path: xbalmmoiw at direct-adsl.nl
>> X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC)
>> FILETIME=[18E0AAD0:01C6B478]
>> ------=_NextPart_000_0003_01C6B486.796DE3A0
>> Content-Type: multipart/alternative;
>>  boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"
>> ------=_NextPart_001_0004_01C6B486.796DE3A0
>> Content-Type: text/plain;
>>  charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> ------=_NextPart_001_0004_01C6B486.796DE3A0
>> Content-Type: text/html;
>>  charset="us-ascii"
>> Content-Transfer-Encoding: quoted-printable
>>
>> ------=_NextPart_001_0004_01C6B486.796DE3A0--
>> ------=_NextPart_000_0003_01C6B486.796DE3A0
>> Content-Type: image/gif;
>>  name="image001.gif"
>> Content-Transfer-Encoding: base64
>> Content-ID: <image001.gif at 01C6B486.796DE3A0>
>>
>> ------=_NextPart_000_0003_01C6B486.796DE3A0--
>>
>> A MailScanner --lint does not return any problems on the server:
>>
>> [root at bouncy spamassassin]# /usr/sbin/MailScanner --lint
>> Read 757 hostnames from the phishing whitelist
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>>
>> Not sure why this is being sent on as non spam.  Any thoughts?
>>
>> Rob
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
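
Added example (not from the thread and not SpamAssassin's own code): Python that applies the quoted INLINE_IMAGE pattern to transfer-decoded text parts, which is how a rawbody rule sees them, and re-adds the score Rob posted. The messages, the Content-ID value and the helper names build_message, scan and rescored are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Same pattern as the INLINE_IMAGE rawbody rule quoted in the thread.
INLINE_IMAGE = re.compile(r"""src\s*=\s*["']cid:""", re.I)
CID_REF = re.compile(r"""src\s*=\s*["']cid:([^"'\s>]+)""", re.I)

def build_message(html):
    """Constructed multipart/related sample: QP-encoded HTML plus one GIF part."""
    return "\n".join([
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="b1"',
        "",
        "--b1",
        'Content-Type: text/html; charset="us-ascii"',
        "Content-Transfer-Encoding: quoted-printable",
        "",
        html.replace("=", "=3D"),  # quoted-printable escapes "=" as "=3D"
        "--b1",
        'Content-Type: image/gif; name="image001.gif"',
        "Content-Transfer-Encoding: base64",
        "Content-ID: <image001.gif@example.invalid>",
        "",
        "R0lGODlhAQABAAAAACw=",  # placeholder bytes, never decoded here
        "--b1--",
        "",
    ])

def scan(raw):
    """Return (rule_hit, cid_refs, attached_ids) from the decoded MIME parts."""
    msg = message_from_string(raw, policy=policy.default)
    hit, refs, attached = False, [], set()
    for part in msg.walk():
        main = part.get_content_maintype()
        if main == "text":
            text = part.get_content()  # transfer-decoded, HTML tags intact
            hit = hit or bool(INLINE_IMAGE.search(text))
            refs += CID_REF.findall(text)
        elif main == "image" and part["Content-ID"]:
            attached.add(str(part["Content-ID"]).strip("<>"))
    return hit, refs, attached

def rescored(score, rule_score, required):
    """New total after adding the rule, and whether it reaches the threshold."""
    total = round(score + rule_score, 3)
    return total, total >= required

# Constructed bodies: word-salad image spam and an ordinary signature logo.
SPAM = build_message('<img width=429 height=526\nsrc="cid:image001.gif@example.invalid">\n<p>delicacy Before cm equipment</p>')
HAM = build_message('<p>Minutes attached.</p>\n<img alt="logo" src="cid:image001.gif@example.invalid">')
PLAIN = build_message("<p>No inline image referenced here.</p>")
```

The pattern does not match the undecoded quoted-printable source (src=3D"cid:), only the decoded part, and both the spam-like and the ordinary sample hit, which is the caveat Phil gives. On the posted headers, 2.963 plus 1.5 (or plus 2) is still below the required 6.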

