New Spam?

Alex Broens ms-list at alexb.ch
Tue Sep 11 06:20:36 IST 2007


On 9/11/2007 6:41 AM, Seamus Allan wrote:
> 
> Scott Silva wrote:
>> Seamus Allan spake the following on 9/10/2007 2:01 PM:
>>> Hi guys,
>>>
>>> I don't *think* I have seen this mentioned, but I got an interesting 
>>> piece of spam this morning.
>>> It was an HTML email with the words Viagra and Cialis in it, and a 
>>> small amount of random lettering right aligned. My scanner let it 
>>> through, giving it scores for obfuscated text, but nothing for the 
>>> words. Puzzled, I highlighted the word Viagra, and to my surprise 
>>> half of the random text on the right selected too. I think they are 
>>> using DIVs or something to hide text in text, but display it 
>>> correctly to be read.
>>> I have uploaded a copy of the file if anyone wants to have a look, 
>>> perhaps you'll see some of this in your inboxes soon?
>>> Any ideas on how to catch this?
>>>
>>> http://files.rheelweb.co.nz/spam.txt
>>> http://files.rheelweb.co.nz/spam.eml
>>>
>>> Cheers
>>>
>>> Seamus
>> My system seemed to score it high enough to at least mark it.
>> Content analysis details:   (8.7 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  2.6 HTML_OBFUSCATE_10_20   BODY: Message is 10% to 20% HTML obfuscation
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>                             [score: 0.5000]
>>  1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>  1.7 SARE_HTML_USL_OBFU     RAW: Message body has very strange HTML sequence
>>  3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>>                             [URIs: advertisingcs.com]
>>
>> The original message was not completely plain text, and may be unsafe to
>> open with some email clients; in particular, it may contain a virus,
>> or confirm that your address can receive spam.  If you wish to view
>> it, it may be safer to save it to a file and open it with an editor.
>>
>>
>>
> Curiously when this email came in, it didn't trigger the URIBL rule, yet 
> when I invoke spamassassin from the command line (as the correct user 
> etc) it does fire the URIBL rule.
> I wonder why this is?

Assume a MailScanner gremlin listed it.
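
Added example, not part of the thread and not a SpamAssassin or MailScanner rule: a Python check for the layout trick described in the original report, which recovers the text a reader sees and counts filler fragments that sit inside a word. It assumes the filler is placed in elements with inline `float` or hidden styles (the thread only guesses at the mechanism); `FlowSplitter`, `analyse` and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: inline styles that take an element out of the reading flow.
OUT_OF_FLOW = re.compile(
    r"float\s*:\s*(right|left)|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}


class FlowSplitter(HTMLParser):
    """Separate text read in sequence from text inside out-of-flow elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []           # one bool per open element: out of flow?
        self.inline = []          # text the reader sees in order
        self.displaced = []       # text inside floated or hidden elements
        self.mid_word_splits = 0  # displaced fragments wedged between letters
        self._pending = False     # displaced text seen since last inline text

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])
        self.stack.append(inherited or bool(OUT_OF_FLOW.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and self.stack[-1]:
            self.displaced.append(data)
            self._pending = True
            return
        prev = self.inline[-1][-1:] if self.inline else ""
        if self._pending and prev.isalpha() and data[:1].isalpha():
            self.mid_word_splits += 1
        self._pending = False
        self.inline.append(data)


def analyse(html):
    """Return (visible text, displaced text, count of mid-word splits)."""
    parser = FlowSplitter()
    parser.feed(html)
    parser.close()
    return "".join(parser.inline), "".join(parser.displaced), parser.mid_word_splits


# Constructed sample, not the message linked in the thread.
SAMPLE = ('<div>Via<span style="float:right">xq</span>gra and '
          'Cia<span style="float: right">zk</span>lis</div>')
```

Stripping tags naively from the sample yields "Viaxqgra and Ciazklis", which is why word rules miss it; the recovered visible text can be fed to keyword rules, and a non-zero split count is a signal in its own right because legitimate mail rarely floats an element out of the middle of a word.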


