Tiny text only spam (semi OT)

Scott Silva ssilva at sgvwater.com
Tue Jul 14 20:14:37 IST 2009 

on 7-2-2009 1:39 PM Alessandro Bianchi spake the following:
> Hi guys
> 
> Those damned spemmers have found a way to break in
> 
> After image only spam, they have managed to build plain text only spam
> (no links or hrml or images, just text) that slips throught my MS
> installation.
> 
> They often place in ortographic errors to "fool" spamassassin.
> 
> Here is an example:
> <<< START -- destination address has been maqued
> 
> From - Mon Jun 29 15:03:22 2009
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Return-Path: <bivalved at rojax.com>
> X-Original-To: xxxxxxxxxxxxxxxxxxxxxx
> Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx
> X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST
> Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208])
> 	by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF
> 	for <xxxxxxxxxxxxxxxxx>; Sun, 28 Jun 2009 15:09:01 +0200 (CEST)
> Date: Sun, 28 Jun 2009 13:09:04 +0100
> Content-Type: text/plain;
>  charset="windows-1256"
> From: "kayaker"<bivalved at rojax.com>
> MIME-Version: 1.0
> To: xxxxxxxxxxxxxxxxxxxxxxx
> Message-ID: <x7V604791328Pspc0cNmxMjk at manetasmetal.gr>
> Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms
> X-skynet-srl-MailScanner-ID: A17793880EF.A13C2
> X-MailScanner: Found to be clean
> X-MailScanner-SpamScore: s
> X-MailScanner-From: bivalved at rojax.com
> X-skynet-srl-MailScanner-Watermark: 1246799344.38984 at X6K8Q1cEZ6QnFvmnvQtBwQ
> X-Spam-Status: No
> 
> Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate
> 
> 
> <<<< END
> 
> Blocking the from address is completely useless since it is randomly
> changed and the same is for subject and text content.
> 
> Has anyone else seen a similar behaviour and found a solution?
> 
> Thank you ad best regards
> 
> Alessandro
This is how that scores on my system;

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 RCVD_IN_UCE_PFSM_3     RBL: Received via a relay in UCE_PFSM_3
                            [79.103.75.208 listed in dnsbl-3.uceprotect.net]
 2.0 RCVD_IN_UCE_PFSM_2     RBL: Received via a relay in UCE_PFSM_2
                            [79.103.75.208 listed in dnsbl-2.uceprotect.net]
 1.2 TO_MALFORMED           To: has a malformed address
 0.1 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
        [botnet_clientwords,ip=79.103.75.208,rdns=adsl144-208.lsf.forthnet.gr]
 4.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.8,ip=79.103.75.208,rdns=adsl144-208.lsf.forthnet.gr,client,clientwords]
 0.1 BOTNET_CLIENT          Relay has a client-like hostname
 [botnet_client,ip=79.103.75.208,rdns=adsl144-208.lsf.forthnet.gr,clientwords]
 1.4 SARE_ADULT2            BODY: Contains adult material
 1.7 SARE_BETTERORG         BODY: Talks about getting better orgasms
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5431]
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/6fef7dfb/signature.bin

More information about the MailScanner mailing list