Consistent SPAM messages getting through
JC Putter
jcputter at numata.co.za
Mon Dec 15 15:30:30 GMT 2008
Nasser
Maybe this can be of a little help: the mail came through on my side as spam, with these hits:
Score   Rule                  Description
 2.00   DCC_CHECK             Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.65   DRUGS_ERECTILE        Refers to an erectile drug
 1.54   DRUG_ED_CAPS          Mentions an E.D. drug
 0.00   HTML_MESSAGE          HTML included in message
-1.00   RCVD_IN_DNSWL_LOW     Sender listed at http://www.dnswl.org/, low trust
 1.69   RCVD_IN_NJABL_PROXY   NJABL: sender is an open proxy
 0.74   SARE_HTML_A_BODY      Message body has very strange HTML sequence
 1.67   SARE_HTML_IMG_ONLY    Short HTML msg, IMG and A HREF, maybe naught else
 1.61   URIBL_AB_SURBLt       Contains an URL listed in the AB SURBL blocklist
 4.00   URIBL_JP_SURBL        Contains an URL listed in the JP SURBL blocklist
 2.13   URIBL_OB_SURBL        Contains an URL listed in the OB SURBL blocklist
 2.47   URIBL_SBL             Contains an URL listed in the SBL blocklist
 2.52   URIBL_SC_SURBL        Contains an URL listed in the SC SURBL blocklist
 2.10   URIBL_WS_SURBL        Contains an URL listed in the WS SURBL blocklist
It picked up on the URLs in the mail,
http://couragedoctor.com
I use the SARE ruleset for SpamAssassin, maybe you should try it......
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Nasser Al-Zawawi
Sent: 15 December 2008 05:12 PM
To: mailscanner at lists.mailscanner.info
Subject: Consistent SPAM messages getting through
Hi,
I have RedHat ES 4 server running sendmail (8.13.1) and I am using the latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin 3.2.5. Lately this kind of message has been getting through:
It says it is coming from my email or an alias on my system and it is marked urgent; the subject is something like: "Your order", "Re: Your order", "Delivery Status Notification", "Delivery Status Notification (Failure)". The content is a jpg picture of Viagra, CIALIS, LEVITRA and VPXL drugs.
Here is the message html source:
--------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=Windows-1252">
</HEAD>
<BODY><a href="http://couragedoctor.com/" target="_blank">
<img src="http://couragedoctor.com/8dvs9.jpg" border=0 alt="Having trouble viewing this email?
Click here to view as a webpage."></a></BODY></HTML>
---------
and here are the Internet headers:
---------
Return-Path: <sales at alz-inc.com>
Received: from catv54033BF7.pool.t-online.hu (catv54033BF7.pool.t-online.hu [84.3.59.247])
    by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBFEokoH025796
    for <sales at alz-inc.com>; Mon, 15 Dec 2008 09:50:47 -0500
Date: Mon, 15 Dec 2008 09:50:46 -0500
From: Nasser Al-Zawawi <sales at alz-inc.com>
Message-Id: <200812151450.mBFEokoH025796 at www.alz-inc.com>
To: <sales at alz-inc.com>
Subject: Re: Order status
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-alz-inc-MailScanner-Information: Please contact the ISP for more information
X-alz-inc-MailScanner-ID: mBFEokoH025796
X-alz-inc-MailScanner: Found to be clean
X-alz-inc-MailScanner-From: sales at alz-inc.com
X-Spam-Status: No
Status: O
X-UID: 455634
Content-Length: 364
X-Keywords:
-----------
They seem to come in patches of 4 (4 emails at a time). I had it before I upgraded to the latest version and after upgrading. I probably get about 80 messages of this type per day. Other types of SPAM seem to be under control but this type is getting through. I appreciate any help with this problem.
Best regards,
Nasser
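Added example, not part of the original thread or of MailScanner/SpamAssassin: the quoted headers show a From address in the recipient's own domain arriving from an outside pool host, and the sketch below flags that pattern from the topmost Received line. The names LOCAL_DOMAINS, TRUSTED_RELAYS, classify and build, and all addresses in the sample headers, are assumptions constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this example (not values from the thread):
LOCAL_DOMAINS = {"example.com"}    # domains this server accepts mail for
TRUSTED_RELAYS = {"192.0.2.10"}    # hosts allowed to submit mail as those domains

# Matches sendmail-style "from helo (rdns [ip])" and "from helo ([ip])".
RELAY_IP = re.compile(r"from\s+\S+\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]")

def classify(raw_message):
    """Return a verdict string for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        return "external-sender"
    # Only the topmost Received line was written by our own MTA; anything
    # below it is supplied by the sending side and cannot be trusted.
    received = msg.get_all("Received") or []
    if not received:
        return "local-sender-no-received"
    match = RELAY_IP.search(" ".join(received[0].split()))
    if match is None:
        return "local-sender-relay-unparsed"
    if match.group(1) in TRUSTED_RELAYS:
        return "local-sender-trusted-relay"
    return "spoofed-local-sender"

def build(relay_ip, from_addr):
    """Constructed sample headers shaped like the ones quoted in the thread."""
    return (
        "Return-Path: <%s>\n"
        "Received: from host.isp.example (host.isp.example [%s])\n"
        "\tby mail.example.com (8.13.1/8.13.1) with SMTP id CONSTRUCTED01\n"
        "\tfor <sales@example.com>; Mon, 15 Dec 2008 09:50:47 -0500\n"
        "From: Sales <%s>\n"
        "To: <sales@example.com>\n"
        "Subject: Re: Order status\n"
        "\n"
        "body\n"
    ) % (from_addr, relay_ip, from_addr)

if __name__ == "__main__":
    print(classify(build("198.51.100.247", "sales@example.com")))
    print(classify(build("192.0.2.10", "sales@example.com")))
    print(classify(build("198.51.100.247", "someone@other.example")))
```

A "spoofed-local-sender" verdict is a signal to score or quarantine, not proof on its own: roaming users who send through an outside provider with a local From address will also match until their relays are listed as trusted.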