New Spam?

Seamus Allan seamus at rheelweb.co.nz
Tue Sep 11 05:41:18 IST 2007


Scott Silva wrote:
> Seamus Allan spake the following on 9/10/2007 2:01 PM:
>> Hi guys,
>>
>> I don't *think* I have seen this mentioned, but I got an interesting 
>> piece of spam this morning.
>> It was an HTML email with the words Viagra and Cialis in it, and a 
>> small amount of random lettering right aligned. My scanner let it 
>> through, giving it scores for obfuscated text, but nothing for the 
>> words. Puzzled, I highlighted the word Viagra, and to my surprise 
>> half of the random text on the right selected too. I think they are 
>> using DIVs or something to hide text in text, but display it 
>> correctly to be read.
>> I have uploaded a copy of the file if anyone wants to have a look, 
>> perhaps you'll see some of this in your inboxes soon?
>> Any ideas on how to catch this?
>>
>> http://files.rheelweb.co.nz/spam.txt
>> http://files.rheelweb.co.nz/spam.eml
>>
>> Cheers
>>
>> Seamus
> My system seemed to score it high enough to at least mark it.
> Content analysis details:   (8.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.6 HTML_OBFUSCATE_10_20   BODY: Message is 10% to 20% HTML obfuscation
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]
>  1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.7 SARE_HTML_USL_OBFU     RAW: Message body has very strange HTML sequence
>  3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: advertisingcs.com]
>
> The original message was not completely plain text, and may be unsafe to
> open with some email clients; in particular, it may contain a virus,
> or confirm that your address can receive spam.  If you wish to view
> it, it may be safer to save it to a file and open it with an editor.
>
>
>
Curiously, when this email came in, it didn't trigger the URIBL rule, yet 
when I invoke spamassassin from the command line (as the correct user 
etc) it does fire the URIBL rule.
I wonder why this is?

Seamus
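
An added example, not part of the original thread and not MailScanner or SpamAssassin code: one way to catch the hidden-text trick described in the first message, assuming the filler letters sit in elements carrying an inline `float:right` or right-align style (the thread does not show the actual markup). It compares the tag-stripped source text with the text left in the normal reading flow; `_Splitter`, `hidden_words` and `SAMPLE` are hypothetical names.

```python
from html.parser import HTMLParser
import re

# Assumption: junk letters are moved aside with an inline float/right-align style.
FLOATED = re.compile(r"float\s*:\s*right|text-align\s*:\s*right", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no closing tag

class _Splitter(HTMLParser):
    """Collects text twice: in source order, and with floated elements dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []   # per open element: is it, or an ancestor, floated?
        self.raw = []     # every text node, as a naive tag-stripper sees it
        self.inline = []  # text nodes that stay in the normal reading flow

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        floated = bool(FLOATED.search(a.get("style") or "")) or (a.get("align") or "").lower() == "right"
        self.stack.append(floated or (self.stack[-1] if self.stack else False))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if not (self.stack and self.stack[-1]):
            self.inline.append(data)

def hidden_words(html, watchlist):
    """Watchlist words readable in the normal flow but absent from the stripped source text."""
    p = _Splitter()
    p.feed(html)
    p.close()
    norm = lambda parts: re.sub(r"\s+", "", "".join(parts)).lower()
    raw, shown = norm(p.raw), norm(p.inline)
    return [w for w in watchlist if w.lower() in shown and w.lower() not in raw]

# Constructed sample: a word from the thread with floated filler between its letters.
SAMPLE = ('<div>Vi<span style="float:right">qx</span>ag'
          '<span style="float: right">zk</span>ra</div>')

if __name__ == "__main__":
    print(hidden_words(SAMPLE, ["viagra", "cialis"]))
```

Whitespace is removed before matching, so a watchlist word can also match across a word boundary; treat a hit as a scoring signal rather than a verdict.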

