How do I beat this spam?

Zaeem Arshad zaeem.arshad at gmail.com
Fri Jun 25 15:50:30 IST 2010


On Fri, Jun 25, 2010 at 6:05 PM, --[ UxBoD ]-- <uxbod at splatnix.net> wrote:
> ----- Original Message -----
>> Le 23/06/2010 17:48, Peter Ong a écrit :
>> > Here's the original message with headers:
>> > http://pastebin.com/NpZnVU2T
>>
>> That scores pretty high here (see below). Admittedly most of the points
>> are from Bayes and network checks, but even if the sender wasn't
>> blacklisted at the time you received the mail there should have been
>> enough fodder to score as spam.
>>
>> > Content analysis details: (15.2 points, 5.0 required)
>> >
>> >  pts rule name              description
>> > ---- ---------------------- --------------------------------------------------
>> >  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
>> >                            [208.92.232.69 listed in bl.score.senderscore.com]
>> >  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
>> >                            [208.92.232.69 listed in bb.barracudacentral.org]
>> >  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>> >                            [URIs: netmagasap.com]
>> >  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>> >                            [score: 1.0000]
>> >  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>> >  0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
>> >  0.0 HTML_MESSAGE           BODY: HTML included in message
>> >  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
>> >  0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>> >  0.0 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
>> >  1.5 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>> >  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>> >  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>> >                            [cf: 100]
>> >  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>> >                            [cf: 100]
>> >  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
>> >  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>> >  0.0 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
>> >  0.0 T_REMOTE_IMAGE         Message contains an external image
>>
>> John.
>>
>
> Ya, I get a similar result to John:
>
> Content analysis details:   (27.6 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
>                            [208.92.232.69 listed in b.barracudacentral.org]
>  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                            [URIs: netmagasap.com]
>  4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
>                            [URIs: netmagasap.com]
>  1.5 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK
>                       [208.92.232.69 listed in hostkarma.junkemailfilter.com]
>  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
>                            [208.92.232.69 listed in bb.barracudacentral.org]
>  5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
>                            [208.92.232.69 listed in sip.invaluement.com]
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                            [score: 0.4997]
>  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
>  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.7 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
>  1.1 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>                            above 50%
>                            [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                            [cf: 100]
>  1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
>  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  0.0 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
>  0.0 T_REMOTE_IMAGE         Message contains an external image
>
> --

I got a similar result to these guys. In addition to that, you can
block the specific character set in your MTA before it's even passed
to MailScanner. I do something like this in postfix header_checks to
get rid of unwanted character sets (pattern and action on one line):

/^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/   REJECT Not these character sets



--
Zaeem
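The header_checks rule in the message above, transcribed into Python as an added example (it is not code from the thread, nor from Postfix or MailScanner) so its matching behaviour can be checked offline against constructed Subject: headers. It assumes Postfix's default case-insensitive matching for regexp tables and that header_checks is applied to unfolded logical headers (continuation lines joined). The sample header blocks, the non-ASCII sample strings and the helper names (`header_checks_verdict`, `subject_charsets`, `encoded_word`, `run_samples`) are all constructed for this example.

```python
import base64
import re
from email import message_from_string
from email.header import decode_header

# Charsets from the posted header_checks rule. Postfix regexp tables match
# case-insensitively by default, so the transcription uses re.IGNORECASE.
BLOCKED_CHARSETS = ("big5", "euc-kr", "gb2312", "ks_c_5601-1987")
SUBJECT_RULE = re.compile(
    r"^Subject:.*=\?(" + "|".join(re.escape(c) for c in BLOCKED_CHARSETS) + r")\?",
    re.IGNORECASE,
)


def unfold(raw_headers):
    """Join continuation lines (leading SP/TAB) onto their header line:
    header_checks patterns see complete logical headers, not physical lines."""
    logical = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def header_checks_verdict(raw_headers):
    """Emulate the posted rule: ('REJECT', charset) on the first matching
    Subject: header, otherwise ('DUNNO', None), i.e. no opinion."""
    for header in unfold(raw_headers):
        m = SUBJECT_RULE.match(header)
        if m:
            return "REJECT", m.group(1).lower()
    return "DUNNO", None


def subject_charsets(raw_headers):
    """Charsets of every RFC 2047 encoded-word in Subject:, via the stdlib
    decoder; this is what the one-line regex is approximating."""
    msg = message_from_string(raw_headers)
    return sorted({cs.lower() for _, cs in decode_header(msg.get("Subject", "")) if cs})


def encoded_word(text, charset):
    """Build an RFC 2047 B-encoded word, the '=?charset?B?...?=' token the rule keys on."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?B?%s?=" % (charset, payload)


# Constructed sample header blocks (not taken from the thread's pastebin).
SAMPLES = {
    "gb2312_subject": "From: a@example.com\r\nSubject: %s\r\nTo: b@example.net\r\n"
    % encoded_word("你好", "gb2312"),
    # Upper-case charset token on a folded Subject: still has to reject.
    "uppercase_folded_big5": "Subject: Re: your\r\n %s order\r\n" % encoded_word("你好", "BIG5"),
    "euckr_subject": "Subject: %s\r\n" % encoded_word("안녕", "euc-kr"),
    "utf8_allowed": "Subject: =?UTF-8?Q?Meeting_notes?=\r\n",
    "plain_ascii": "Subject: Quarterly report\r\n",
    # Charset only in Content-Type: a ^Subject: rule never sees it.
    "body_charset_only": "Subject: Invoice\r\nContent-Type: text/plain; charset=gb2312\r\n",
}


def run_samples():
    """Map sample name -> (action, matched charset, charsets the decoder found)."""
    results = {}
    for name, raw in SAMPLES.items():
        action, matched = header_checks_verdict(raw)
        results[name] = (action, matched, subject_charsets(raw))
    return results


if __name__ == "__main__":
    for name, (action, matched, found) in run_samples().items():
        print("%-22s %-6s %-8s decoder saw %s" % (name, action, matched or "-", found))
```

Run it directly to get one line per sample. The decoder column shows what the regex is standing in for: the charset token of an RFC 2047 encoded-word, matched case-insensitively, which is why `=?BIG5?` and `=?gb2312?` both reject while a UTF-8 subject passes. The last sample is the caveat a practitioner should keep in mind: the rule is keyed on `^Subject:`, so a message that carries the charset only in `Content-Type:` goes through untouched and needs a pattern of its own if that is wanted. To exercise the real table rather than this transcription, `postmap -q "Subject: =?gb2312?B?xOO6ww==?=" regexp:/etc/postfix/header_checks` (the path being whatever main.cf's header_checks names) prints the action Postfix would take.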

