Tiny text only spam (semi OT)

Alex Broens ms-list at alexb.ch
Fri Jul 3 08:31:34 IST 2009 

On 7/3/2009 9:19 AM, --[ UxBoD ]-- wrote:
> ----- "Alessandro Bianchi" <alex at skynet-srl.com> wrote: 
>> Hi guys 
>>
>> Those damned spemmers have found a way to break in 
>>
>> After image only spam, they have managed to build plain text only spam (no links or hrml or images, just text) that slips throught my MS installation. 
>>
>> They often place in ortographic errors to "fool" spamassassin. 
>>
>> Here is an example: 
>> <<< START -- destination address has been maqued 
>>
>> From - Mon Jun 29 15:03:22 2009
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Return-Path: <bivalved at rojax.com> X-Original-To: xxxxxxxxxxxxxxxxxxxxxx
> Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx
> X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST
> Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208])
> 	by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF
> 	for <xxxxxxxxxxxxxxxxx>; Sun, 28 Jun 2009 15:09:01 +0200 (CEST)
> Date: Sun, 28 Jun 2009 13:09:04 +0100
> Content-Type: text/plain;
>  charset="windows-1256"
> From: "kayaker" <bivalved at rojax.com> MIME-Version: 1.0
> To: xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <x7V604791328Pspc0cNmxMjk at manetasmetal.gr> Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms
> X-skynet-srl-MailScanner-ID: A17793880EF.A13C2
> X-MailScanner: Found to be clean
> X-MailScanner-SpamScore: s
> X-MailScanner-From: bivalved at rojax.com X-skynet-srl-MailScanner-Watermark: 1246799344.38984 at X6K8Q1cEZ6QnFvmnvQtBwQ
> X-Spam-Status: No
> 
> Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate <<<< END 
>> Blocking the from address is completely useless since it is randomly changed and the same is for subject and text content. 
>>
>> Has anyone else seen a similar behaviour and found a solution? 
>>
>> Thank you ad best regards 
>>
>> Alessandro 
>>
>>
>> -- 
>>
> 
> Yep, I am getting a lot of these though most are being blocked.  Here is what SA is doing :-
> 
> [BAYES_95=3, RCVD_IN_BRBL=3, RCVD_IN_JMF_BL=1.5,RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1,SARE_ADULT2=1.42, SARE_CHARSET_W1251=1.656]
> 

there's rules floating around the SA list...
probably the better place to look/ask

More information about the MailScanner mailing list