No subject
Thu Jan 12 21:14:02 GMT 2006
- Multiple "Subject:" lines are removed. The 1st one is kept.
Stef
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Duncan, Brian M.
> Sent: 17 March 2005 15:06
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Spam that puts extra Subject lines in to avoid being
> quarantined/caught.
>
> Trying another time to mail the list about this type of
> Spamming. We are starting to get allot more of these and I
> could not find anything in the archives dealing with this. (I
> looked again)
>
> Far down below is the original message I sent the list.
>
> Basically what I am seeing is Spammers that put two subject
> lines into the message. Mailscanner only tags one of them.
> (99% of these have been ones that fail RBL check) We have
> rules setup in exchange that, then say if message subject has
> xxx in it, stick it in their Suspect folder.
> (Exchange is only paying attention to the LAST subject line in the
> headers)
>
> Anyway to get sendmail/Mailscanner to either cut out multiple
> subject lines, or to mark ALL of the subject lines in the headers?
>
> This is with mailscanner-4.35.11-1
>
> Another example:
>
> Received: from everest by nuuk.nshoster.com with local (Exim 4.44)id
>
> 1DBgQp-0003Ae-0D; Wed, 16 Mar 2005 16:51:59 -0500
> To: info at udnepal.com,
> richard at rotary1900.org
> From: fatima at beaconsfield.libdems.org.uk,
> bobby at studentnet.lv
> Cc: fatima at beaconsfield.libdems.org.uk
> REPLY-TO: info at udnepal.com
> Subject: {FAILED SC} Online Reservation Inquiry submitted by
>
> Content-Type: multipart/mixed;
> boundary=feawnqj
> Subject: Pharm discount
> Message-Id: <E1DBgQp-0003Ae-0D at nuuk.nshoster.com>
> Date: Wed, 16 Mar 2005 16:51:59 -0500
> X-AntiAbuse: This header was added to track abuse, please
> include it with
>
> any abuse report
> X-AntiAbuse: Primary Hostname - nuuk.nshoster.com
> X-AntiAbuse: Original Domain - kmzr.com
> X-AntiAbuse: Originator/Caller UID/GID - [32079 32079] / [47 12]
> X-AntiAbuse: Sender Address Domain - nuuk.nshoster.com
> X-Source:
>
> X-Source-Args:
>
> X-Source-Dir:
>
> X-KMZR-MailScanner-Information:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.369, required
>
> 7,BAYES_80 2.09, DISGUISE_VIAGRA 1.00, DRUGS_ANXIETY
>
> 0.10,DRUGS_ANXIETY_EREC 0.04, DRUGS_ERECTILE
> 0.22,HEADER_COUNT_CTYPE 1.77,
>
> HTML_20_30 0.23, HTML_MESSAGE 0.00,HTML_MIME_NO_HTML_TAG 0.14,
>
> MIME_BASE64_TEXT 0.30,MIME_HEADER_CTYPE_ONLY 0.11, MIME_HTML_ONLY
>
> 0.18,URIBL_OB_SURBL 3.21)
> X-MailScanner-SpamScore: sssssssss
> X-MailScanner-From: everest at nuuk.nshoster.com
> Return-Path: everest at nuuk.nshoster.com
> X-OriginalArrivalTime: 16 Mar 2005 21:57:53.0994 (UTC)
> FILETIME=[3479F2A0:01C52A73]
>
> -----Original Message-----
> From: Duncan, Brian M.
>
> Sent: Friday, January 28, 2005 10:45 AM
> To: 'MAILSCANNER at JISCMAIL.AC.UK'
> Subject: Removing MULTIPLE subject lines in a message.
>
>
> Forgive me if this has been covered in the mailing list. I
> searched the archives without any results..
>
> We are starting to receive messages now with multiple subject lines.
> (Ones with 2 subject lines total)
>
> In our environment we just modify the subject line on ANY
> message that is determined to be Spam. (Black listed, or
> scores higher then 7)
>
> We then rely on Exchange to move any messages with our
> modification into a local folder for the end users that is
> for Spam. (So they can look
> over)
>
> The problem we are seeing now is that Outlook/Exchange only
> seems to pay attention to the LAST subject line in a message.
> When one of these messages with 2 subject lines comes
> through, it gets caught. The 1st subject line is re-written,
> then it's forwarded to our Exchange server.
> The exchange server/outlook client only lists the LAST
> subject line from the message. So it winds up in their
> INBOX. If you look through the headers you can see..
>
> I was wondering if there is an easy way to handle this on the
> Sendmail/MailScanner side..
>
> Thanks!
>
> I will include headers of a message we have this problem with:
>
>
> Received: from RJX ([218.107.2.59])by venus.KMZR.COM
> (8.11.6/8.11.2) with
>
> SMTP id j0SDSbL06054;Fri, 28 Jan 2005 07:28:38 -0600
> Message-Id: <200501281328.j0SDSbL06054 at venus.KMZR.COM>
> Received: from abac.com ([28.90.248.212]) by
> crisscross.iupi.pt
>
> (InterMail vK.4.04.00.00 813-535-420 license
>
> 5uz341wo5802c0kq1v5mts5394z8rdj1) with ESMTP id
>
> <75579863733746.EUMI071.cosy at abac.com> for <mccord at kmzr.com>;
> Fri,
>
> 28 Jan 2005 11:21:00 -0200
> Received: from mail pickup service by hotmail.com with
> Microsoft SMTPSVC;
>
> Fri, 28 Jan 2005 19:25:00 +0600
> Received: from 24.240.198.188 by ami.demagogue.hotmail.msn.com with
>
> HTTP;Fri, 28 Jan 2005 14:27:00 +0100 GMT
> X-Originating-IP: [18.219.66.153]
> X-Originating-Email: [combat at abac.com]
> From: "Augusta Wood" <Reevesxfkyy at topteam.bg>, "Augusta
> Wood" <Reevesxfkyy at topteam.bg>
> To: mccord at kmzr.com,
> "Mccord" <mccord at kmzr.com>
> Subject: {FAILED SC} Spyware Aiert - January 25th
> Date: Fri, 28 Jan 2005 14:26:00 +0100
> Mime-Version: 1.0
> Received: from abac.com ([100.144.236.240]) by
> crisscross.iupi.pt
>
> (InterMail vK.4.04.00.00 218-712-387 license
>
> 5uz341wo5802c0kq1v5mts5394z8rdj1) with ESMTP id
>
> <67078592714268.CCLC9817.crisscross.iupi.pt> for
> <mccord at kmzr.com>;
> Fri, 28 Jan 2005 17:26:00 +0400
> Subject: Spyware Aiert - January 25th
> Sender: "Augusta Wood" <Reevesxfkyy at topteam.bg>
> X-KMZR-MailScanner-Information:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=22.075, required
>
> 7,autolearn=spam, BAYES_80 2.09, INVALID_TZ_GMT 0.20, LONGWORD
>
> 0.30,LONGWORDS 2.26, MR_NOT_ATTRIBUTED_IP 0.20, MR_STRANGE_QUESTION
>
> 1.50,MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72, NO_RDNS2
>
> 0.01,RCVD_IN_DSBL 3.81, RCVD_IN_SORBS 1.00, URIBL_OB_SURBL
>
> 3.21,URIBL_SC_SURBL 4.26, URIBL_WS_SURBL 1.46)
> X-MailScanner-SpamScore: ssssssssssssssssssssss
> X-MailScanner-From: reevesxfkyy at topteam.bg
> Return-Path: Reevesxfkyy at topteam.bg
> X-OriginalArrivalTime: 28 Jan 2005 13:30:17.0277 (UTC)
> FILETIME=[81717ED0:01C5053D]
>
>
>
> Brian M. Duncan
>
> Katten Muchin Zavis Rosenman
> 525 West Monroe Street
> Chicago IL 60661-3693
> 312-577-8045
>
> brian.duncan at kmzr.com
>
> ===========================================================
>
> Important:
> This electronic mail message and any attached files contain
> information intended for the exclusive use of the individual
> or entity to whom it is addressed and may contain information
> that is proprietary, privileged, confidential and/or exempt
> from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any viewing,
> copying, disclosure or distribution of this information may
> be subject to legal restriction or sanction. Please notify
> the sender, by electronic mail or telephone, of any
> unintended recipients and delete the original message without
> making any copies.
>
> ===========================================================
>
> ------------------------ MailScanner list
> ------------------------ To unsubscribe, email
> jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ
> (http://www.mailscanner.biz/maq/) and the archives
> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
> --
> This email has been scanned by the Level 5 Internet
> MailCrusader for viruses, spam and dangerous content.
> For more information please visit http://www.l5net.net
>
>
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list