unidentified pharmacy spam

Scott Silva ssilva at sgvwater.com
Tue Sep 26 17:08:51 IST 2006


Daniel Maher spake the following on 9/26/2006 8:08 AM:
> The attached Spam made it through untagged.  It’s clearly Pharmacy spam. :/
>
> I’ve got the SARE pharmacy rules and such enabled – normally, Pharmacy
> spam doesn’t make it through at all.  I’ve run the body of this message
> through a couple of times, and it never gets identified.  Does anybody
> have any ideas what it’s doing to avoid detection?
>
> --
> 
>   _
>  °v°  Daniel Maher
> /(_)\ Administrateur Système Unix
> 
>  ^ ^  Unix System Administrator
> 
>  
> 
> //Sentio aliquos togatos contra me conspirare.//
> 
>  
> 
> 
> ------------------------------------------------------------------------
> 
> Microsoft Mail Internet Headers Version 2.0
> Received: from mdc-owa01.ubisoft.org ([10.129.1.20]) by UBIMAIL1.ubisoft.org with Microsoft SMTPSVC(6.0.3790.1830);
> 	 Tue, 26 Sep 2006 10:34:41 -0400
> Received: from mail01.ubisoft.com ([216.98.56.138]) by mdc-owa01.ubisoft.org with Microsoft SMTPSVC(6.0.3790.1830);
> 	 Tue, 26 Sep 2006 10:34:40 -0400
> Received: from imca.org (147.Red-81-33-45.dynamicIP.rima-tde.net [81.33.45.147])
> 	by mail01.ubisoft.com (Postfix) with SMTP id 0DD0769B16
> 	for <billing at ubisoft.com>; Tue, 26 Sep 2006 14:34:37 +0000 (GMT)
> Message-ID: <01c6e178$e190dbd0$932d2151 at PT381350998>
> Date: Tue, 26 Sep 2006 15:34:32 +0000
> X-MSMail-Priority: Normal
> X-Priority: 3
> Reply-To: "Melisizwe Joslyn" <kourtyartri at imca.org>
> From: "Melisizwe Joslyn" <kourtyartri at imca.org>
> To: <billing99 at ubisoft.com>
> Subject: PHAzmiRMACY
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----=_NextPart_000_7FD5_01C6E181.435543D0"
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> X-Ubisoft-MailScanner-Information: Please contact administrators99 at ubisoft.qc.ca
> X-Ubisoft-MailScanner: Found to be clean
> X-Ubisoft-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.089,
> 	required 6, BAYES_40 -0.18, FORGED_RCVD_HELO 0.14, HTML_MESSAGE 0.50,
> 	URIBL_SBL 1.64)
> X-Ubisoft-MailScanner-SpamScore: 2
> X-MailScanner-From: kourtyartri at imca.org
> Return-Path: kourtyartri at imca.org
> X-OriginalArrivalTime: 26 Sep 2006 14:34:40.0595 (UTC) FILETIME=[E67D8A30:01C6E178]
> 
> ------=_NextPart_000_7FD5_01C6E181.435543D0
> Content-Type: text/plain;
> 	charset="Windows-1252"
> Content-Transfer-Encoding: quoted-printable
> 
> ------=_NextPart_000_7FD5_01C6E181.435543D0
> Content-Type: text/html;
> 	charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> 
> 
> ------=_NextPart_000_7FD5_01C6E181.435543D0--
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> 
> <META content="MSHTML 6.00.2800.1106" name=GENERATOR>
> <STYLE></STYLE>
> </HEAD>
> <BODY bgColor=#ffffff>
> <DIV>Hi</DIV>
> <P><FONT face=Arial>VAtLIUM</FONT></P>
> <P><FONT face=Arial>CItALIS</FONT></P>
> <P><FONT face=Arial>AMtBIEN</FONT></P>
> <P><FONT face=Arial>VItAGRA</FONT></P>
> <DIV>Economize 50 % <A href="http://www.gansedinkumasde.com">http://www.gansedinkumasde.com</A></DIV>
> <DIV>&nbsp;</DIV>
> <DIV><HR></DIV>
> <P>change can be postponed.<BR>
> never  had  any intention of supplying the antidote. I would certainly<BR>
>  Landing party for Liokukae?<BR></P></BODY></HTML>
> 
I get the following hits
Content analysis details:   (9.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 TVD_SPACED_SUBJECT_WORD Subject has spammy looking subject
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-1.0 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 1.0 RCVD_IN_UCE_PFSM_2     RBL: Received via a relay in UCE_PFSM_2
                            [81.33.45.147 listed in dnsbl-2.uceprotect.net]
 2.5 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
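
The subject and body words in the quoted sample are drug names with extra letters inserted (PHAzmiRMACY, VAtLIUM, CItALIS). The check below is an added example, not part of the original thread and not SpamAssassin or SARE code: it flags tokens that are a known keyword plus a few inserted letters. The keyword list, the `MAX_EXTRA` cap and the function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list for illustration; a production rule set would be larger.
KEYWORDS = ("VALIUM", "CIALIS", "AMBIEN", "VIAGRA", "PHARMACY")
MAX_EXTRA = 3  # assumed cap on inserted letters per word

class _TextOnly(HTMLParser):
    """Collect only the text nodes of an HTML part."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def visible_text(html):
    """Strip tags so only the text a reader would see is scanned."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)

def is_subsequence(word, token):
    """True if the letters of word appear in token in the same order."""
    it = iter(token)
    return all(ch in it for ch in word)

def padded_keywords(text):
    """Return (token, keyword) pairs where token is the keyword plus
    1..MAX_EXTRA inserted letters; exact spellings are left to ordinary rules."""
    hits = []
    for token in re.findall(r"[A-Za-z]+", text):
        upper = token.upper()
        for kw in KEYWORDS:
            extra = len(upper) - len(kw)
            # Require matching first and last letters to limit false positives.
            if (1 <= extra <= MAX_EXTRA and upper[0] == kw[0]
                    and upper[-1] == kw[-1] and is_subsequence(kw, upper)):
                hits.append((token, kw))
                break
    return hits

# Subject and HTML lines copied from the message quoted above.
SUBJECT = "PHAzmiRMACY"
BODY = ("<P><FONT face=Arial>VAtLIUM</FONT></P><P><FONT face=Arial>CItALIS</FONT></P>"
        "<P><FONT face=Arial>AMtBIEN</FONT></P><P><FONT face=Arial>VItAGRA</FONT></P>")
```

Calling `padded_keywords(SUBJECT + " " + visible_text(BODY))` returns all five padded words from the sample, while text containing only the exact spellings returns no hits.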


