No subject


Thu Jan 12 21:14:02 GMT 2006


- Multiple "Subject:" lines are removed. The 1st one is kept.

Stef

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Duncan, Brian M.
> Sent: 17 March 2005 15:06
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Spam that puts extra Subject lines in to avoid being
> quarantined/caught.
>
> Trying another time to mail the list about this type of
> Spamming.  We are starting to get allot more of these and I
> could not find anything in the archives dealing with this. (I
> looked again)
>
> Far down below is the original message I sent the list.
>
> Basically what I am seeing is Spammers that put two subject
> lines into the message.  Mailscanner only tags one of them.
> (99% of these have been ones that fail RBL check)  We have
> rules setup in exchange that, then say if message subject has
> xxx in it, stick it in their Suspect folder.
> (Exchange is only paying attention to the LAST subject line in the
> headers)
>
> Anyway to get sendmail/Mailscanner to either cut out multiple
> subject lines, or to mark ALL of the subject lines in the headers?
>
> This is with mailscanner-4.35.11-1
>
> Another example:
>
> Received: from everest by nuuk.nshoster.com with local (Exim 4.44)id
>
>  1DBgQp-0003Ae-0D; Wed, 16 Mar 2005 16:51:59 -0500
> To: info at udnepal.com,
>  richard at rotary1900.org
> From: fatima at beaconsfield.libdems.org.uk,
>  bobby at studentnet.lv
> Cc: fatima at beaconsfield.libdems.org.uk
> REPLY-TO: info at udnepal.com
> Subject: {FAILED SC} Online Reservation Inquiry submitted by
>
> Content-Type: multipart/mixed;
>  boundary=feawnqj
> Subject: Pharm discount
> Message-Id: <E1DBgQp-0003Ae-0D at nuuk.nshoster.com>
> Date: Wed, 16 Mar 2005 16:51:59 -0500
> X-AntiAbuse: This header was added to track abuse, please
> include it with
>
>  any abuse report
> X-AntiAbuse: Primary Hostname - nuuk.nshoster.com
> X-AntiAbuse: Original Domain - kmzr.com
> X-AntiAbuse: Originator/Caller UID/GID - [32079 32079] / [47 12]
> X-AntiAbuse: Sender Address Domain - nuuk.nshoster.com
> X-Source:
>
> X-Source-Args:
>
> X-Source-Dir:
>
> X-KMZR-MailScanner-Information:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.369, required
>
>  7,BAYES_80 2.09, DISGUISE_VIAGRA 1.00, DRUGS_ANXIETY
>
>  0.10,DRUGS_ANXIETY_EREC 0.04, DRUGS_ERECTILE
> 0.22,HEADER_COUNT_CTYPE 1.77,
>
>  HTML_20_30 0.23, HTML_MESSAGE 0.00,HTML_MIME_NO_HTML_TAG 0.14,
>
>  MIME_BASE64_TEXT 0.30,MIME_HEADER_CTYPE_ONLY 0.11, MIME_HTML_ONLY
>
>  0.18,URIBL_OB_SURBL 3.21)
> X-MailScanner-SpamScore: sssssssss
> X-MailScanner-From: everest at nuuk.nshoster.com
> Return-Path: everest at nuuk.nshoster.com
> X-OriginalArrivalTime: 16 Mar 2005 21:57:53.0994 (UTC)
> FILETIME=[3479F2A0:01C52A73]
>
> -----Original Message-----
> From: Duncan, Brian M.
>
> Sent: Friday, January 28, 2005 10:45 AM
> To: 'MAILSCANNER at JISCMAIL.AC.UK'
> Subject: Removing MULTIPLE subject lines in a message.
>
>
> Forgive me if this has been covered in the mailing list.  I
> searched the archives without any results..
>
> We are starting to receive messages now with multiple subject lines.
> (Ones with 2 subject lines total)
>
> In our environment we just modify the subject line on ANY
> message that is determined to be Spam. (Black listed, or
> scores higher then 7)
>
> We then rely on Exchange to move any messages with our
> modification into a local folder for the end users that is
> for Spam. (So they can look
> over)
>
> The problem we are seeing now is that Outlook/Exchange only
> seems to pay attention to the LAST subject line in a message.
>  When one of these messages with 2 subject lines comes
> through, it gets caught.  The 1st subject line is re-written,
> then it's forwarded to our Exchange server.
> The exchange server/outlook client only lists the LAST
> subject line from the message.  So it winds up in their
> INBOX.  If you look through the headers you can see..
>
> I was wondering if there is an easy way to handle this on the
> Sendmail/MailScanner side..
>
> Thanks!
>
> I will include headers of a message we have this problem with:
>
>
> Received: from RJX ([218.107.2.59])by venus.KMZR.COM
> (8.11.6/8.11.2) with
>
>  SMTP id j0SDSbL06054;Fri, 28 Jan 2005 07:28:38 -0600
> Message-Id: <200501281328.j0SDSbL06054 at venus.KMZR.COM>
> Received: from abac.com ([28.90.248.212]) by
> crisscross.iupi.pt       
>
>  (InterMail vK.4.04.00.00 813-535-420 license
>
>  5uz341wo5802c0kq1v5mts5394z8rdj1)         with ESMTP id
>
>  <75579863733746.EUMI071.cosy at abac.com>         for <mccord at kmzr.com>;
> Fri,
>
>  28 Jan 2005 11:21:00 -0200
> Received: from mail pickup service by hotmail.com with
> Microsoft SMTPSVC;
>
>  Fri, 28 Jan 2005 19:25:00 +0600
> Received: from 24.240.198.188 by ami.demagogue.hotmail.msn.com with
>
>  HTTP;Fri, 28 Jan 2005 14:27:00 +0100 GMT
> X-Originating-IP: [18.219.66.153]
> X-Originating-Email: [combat at abac.com]
> From: "Augusta Wood" <Reevesxfkyy at topteam.bg>,  "Augusta
> Wood" <Reevesxfkyy at topteam.bg>
> To: mccord at kmzr.com,
>  "Mccord" <mccord at kmzr.com>
> Subject: {FAILED SC} Spyware Aiert - January 25th
> Date: Fri, 28 Jan 2005 14:26:00 +0100
> Mime-Version: 1.0
> Received: from abac.com ([100.144.236.240])         by
> crisscross.iupi.pt 
>
>        (InterMail vK.4.04.00.00 218-712-387 license
>
>  5uz341wo5802c0kq1v5mts5394z8rdj1)         with ESMTP id
>
>  <67078592714268.CCLC9817.crisscross.iupi.pt>         for
> <mccord at kmzr.com>;
>   Fri, 28 Jan 2005 17:26:00 +0400
> Subject: Spyware Aiert - January 25th
> Sender: "Augusta Wood" <Reevesxfkyy at topteam.bg>
> X-KMZR-MailScanner-Information:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=22.075, required
>
>  7,autolearn=spam, BAYES_80 2.09, INVALID_TZ_GMT 0.20, LONGWORD
>
>  0.30,LONGWORDS 2.26, MR_NOT_ATTRIBUTED_IP 0.20, MR_STRANGE_QUESTION
>
>  1.50,MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72, NO_RDNS2
>
>  0.01,RCVD_IN_DSBL 3.81, RCVD_IN_SORBS 1.00, URIBL_OB_SURBL
>
>  3.21,URIBL_SC_SURBL 4.26, URIBL_WS_SURBL 1.46)
> X-MailScanner-SpamScore: ssssssssssssssssssssss
> X-MailScanner-From: reevesxfkyy at topteam.bg
> Return-Path: Reevesxfkyy at topteam.bg
> X-OriginalArrivalTime: 28 Jan 2005 13:30:17.0277 (UTC)
> FILETIME=[81717ED0:01C5053D]
>
>
>
> Brian M. Duncan
>
> Katten Muchin Zavis Rosenman
> 525 West Monroe Street
> Chicago IL 60661-3693
> 312-577-8045
>
> brian.duncan at kmzr.com
>
> ===========================================================
>
> Important:
> This electronic mail message and any attached files contain
> information intended for the exclusive use of the individual
> or entity to whom it is addressed and may contain information
> that is proprietary, privileged, confidential and/or exempt
> from disclosure under applicable law.  If you are not the
> intended recipient, you are hereby notified that any viewing,
> copying, disclosure or distribution of this information may
> be subject to legal restriction or sanction.  Please notify
> the sender, by electronic mail or telephone, of any
> unintended recipients and delete the original message without
> making any copies.
>
> ===========================================================
>
> ------------------------ MailScanner list
> ------------------------ To unsubscribe, email
> jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ
> (http://www.mailscanner.biz/maq/) and the archives
> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
> --
> This email has been scanned by the Level 5 Internet
> MailCrusader for viruses, spam and dangerous content.
> For more information please visit http://www.l5net.net
>
>

------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
mailscanner' in the body of the email. Before posting, read the MAQ
(http://www.mailscanner.biz/maq/) and the archives
(http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

===========================================================

Important:
This electronic mail message and any attached files contain information
intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information that is proprietary, privileged,
confidential and/or exempt from disclosure under applicable law.  If you
are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distribution of this information may be subject to
legal restriction or sanction.  Please notify the sender, by electronic
mail or telephone, of any unintended recipients and delete the original
message without making any copies.

===========================================================

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the Mailscanner mailing list