How to deal with this spam?

Shawn Iverson iversons at rushville.k12.in.us
Fri Jun 23 14:30:51 UTC 2017


Certainly (disclaimer:  I'm going to use "badword" in place of the actual
word in the email)

So, typically in local.cf, which is usually in /etc/mail/spamassassin, but
may vary on your install,

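# Body rule: the pattern is matched against the message body text
body MY_BAD_WORD_BODY  /\bbadword\b/i
score MY_BAD_WORD_BODY 2.0
describe MY_BAD_WORD_BODY Score emails with badword in body

# Header rule: needs a header name and =~ (ALL matches the text of all headers)
header MY_BAD_WORD_HEADER ALL =~ /\bbadword\b/i
score MY_BAD_WORD_HEADER 2.0
describe MY_BAD_WORD_HEADER Score emails with badword in header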

On Thu, Jun 22, 2017 at 2:08 PM, Paul Scott <sales at edenusa.com> wrote:

> Hello Shawn,
>
>
>
> Could you please write an example of how to write your own spamassassin
> rule and where it goes?
>
>
>
> Thank you very much!
>
>
>
> Sincerely,
>
>
>
> Paul Scott, Engineer
>
> Eden USA, Incorporated
> Event Production Services Since 1995
> Los Angeles-Las Vegas-New York
> sales at edenusa.com OR edenusasales at gmail.com
> Telephone(s): 866.501.3336 OR 951.505.6967
> Fax: 866.502.3336
>
>
>
> WEBSITE: https://www.edenusa.com
>
> FACEBOOK: http://www.facebook.com/edenusainc
>
>
>
> *From:* MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.
> mailscanner.info] *On Behalf Of *Shawn Iverson
> *Sent:* Monday, June 19, 2017 12:59 PM
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* Re: How to deal with this spam?
>
>
>
> The expletives in the email are a sure way to flag this one.  A
> spamassassin rule to find these words would do the trick nicely.
>
>
>
>
>
>
>
> On Mon, Jun 19, 2017 at 1:44 PM, Gao <gao at pztop.com> wrote:
>
> Hi,
>
> This spam message gets a low score so it is delivered to the user. Is there a
> way to let spamassassin catch it?
>
> Here is the spam mail:
>
> Return-Path: <magnaflow at webmail.md>
> X-Original-To: gjv at mydomain.com
> Delivered-To: gjv at mydomain.com
> Received: by zeta.mydomain.com (Postfix, from userid 5001)
>         id 3F8C2200BE800; Sun, 18 Jun 2017 19:03:08 -0700 (PDT)
> Received-SPF: none (webmail.md: No applicable sender policy available)
> receiver=zeta.mydomain.com; identity=mailfrom;
> envelope-from="magnaflow at webmail.md"; helo=smtp-proxy002.phy.lolipop.jp;
> client-ip=157.7.104.43
> Received: from smtp-proxy002.phy.lolipop.jp (smtp-proxy002.phy.lolipop.jp
> [157.7.104.43])
>         (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
> bits))
>         (No client certificate requested)
>         by zeta.mydomain.com (Postfix) with ESMTPS id 094292061FFD4
>         for <gjv at mydomain.com>; Sun, 18 Jun 2017 19:03:00 -0700 (PDT)
> Received: from smtp-proxy002.phy.lolipop.lan (HELO
> smtp-proxy002.phy.lolipop.jp) (172.19.44.43)
>   (smtp-auth username infallible-man at ojikan-haishaku.net, mechanism login)
>   by smtp-proxy002.phy.lolipop.jp (qpsmtpd/0.82) with ESMTPA; Mon, 19 Jun
> 2017 11:02:57 +0900
> Received: from 127.0.0.1 (127.0.0.1)
>  by smtp-proxy002.phy.lolipop.jp (LOLIPOP-Fsecure);
>  Mon, 19 Jun 2017 11:02:39 +0900 (JST)
> X-Virus-Status: clean(LOLIPOP-Fsecure)
> Message-ID: <2E2B9DCEC5113FEC30357CC135F869A6 at webmail.md>
> From: "FUCK EXPRESS" <magnaflow at webmail.md>
> To: <andrewv at pxxxxxxxxxxco.com>,
>          <kcmp at kxxxxxxxxxv.us>,
>          <gjv at mydomain.com>,
>          <entitlementservices at xxxxx.com>,
>          <speechsc at ixxxxxxxxorg>,
>          <secretary at probxxxxxxxxxx.org>,
>          <sanne.gruter at txxxxxxxxxxxce.com.au>
> Subject: Easily find girlfriend for sex!
> Date: Mon, 19 Jun 2017 05:02:54 +0300
> MIME-Version: 1.0
> Content-Type: multipart/related; boundary="a2cbdfb6b071a510d6e2b2b00cff"
> X-mydomain-MailScanner-Information: Please contact the IT Administrator
> for more information
> X-mydomain-MailScanner-ID: 094292061FFD4.AE63B
> X-mydomain-MailScanner: Found to be clean
> X-mydomain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
>         score=0.901, required 4, BAYES_40 -0.00, DKIM_ADSP_NXDOMAIN 0.90,
>         HTML_MESSAGE 0.00, NO_DNS_FOR_FROM 0.00, RCVD_IN_DNSWL_NONE -0.00)
> X-mydomain-MailScanner-From: magnaflow at webmail.md
> X-Spam-Status: No
>
> This is a multi-part message in MIME format.
>
> --a2cbdfb6b071a510d6e2b2b00cff
> Content-Type: multipart/alternative; boundary="
> 1fbddb9e7f6b2eb9e29479934d6b"
>
>
> --1fbddb9e7f6b2eb9e29479934d6b
> Content-Type: text/plain; charset="windows-1251"
> Content-Transfer-Encoding: quoted-printable
>
> Fast f*ck with milfs- https://t.co/FqPPs0hQkH
>
> --1fbddb9e7f6b2eb9e29479934d6b
> Content-Type: text/html; charset="windows-1251"
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD>
> <META http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows=
> -1251">
> </HEAD>
> <BODY bgColor=3D#ffffff>
> <DIV align=3Dleft><FONT size=3D2 face=3DArial>Fast f*ck with milfs- <A=20
> href=3D"https://t.co/FqPPs0hQkH">https://t.co/FqPPs0hQkH</A></FONT></DIV>
> <DIV align=3Dleft><A href=3D"https://t.co/FqPPs0hQkH"><IMG border=3D0 hsp=
> ace=3D0=20
> alt=3D""=20
> src=3D"cid:7C746E7653B2443F8259615B684B2515 at webmail.md"></A></DIV>
> </BODY></HTML>
>
> --1fbddb9e7f6b2eb9e29479934d6b--
>
> --a2cbdfb6b071a510d6e2b2b00cff
> Content-Type: image/jpeg; name="zawly.jpg"
> Content-Transfer-Encoding: base64
> Content-ID: <7C746E7653B2443F8259615B684B2515 at webmail.md>
>
> --a2cbdfb6b071a510d6e2b2b00cff--
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
>
>
> --
>
> Shawn Iverson, CETL
>
> Director of Technology
>
> Rush County Schools
>
> 765-932-3901 x271
>
> iversons at rushville.k12.in.us
>
>
>
>
>
>


-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
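
Added example (not part of the original post, and not SpamAssassin's own code): a simplified Python model of the two rules above, run on a constructed sample shaped like the quoted spam, with "badword" standing in for the actual word. It assumes the 0.901 base score and the required score of 4 from the quoted MailScanner report; the MY_BAD_WORD_OBFU rule and the sample addresses are hypothetical. It shows that a literal-word body rule misses a masked spelling like the one in the quoted body, so only the header rule fires and the message stays under the threshold.

```python
import re
from email import message_from_string

# Constructed sample modelled on the quoted spam ("badword" is a stand-in).
SAMPLE = '''From: "BADWORD EXPRESS" <sender@example.invalid>
Subject: sample
Content-Type: text/plain

Fast b*dword here - https://example.invalid/x
'''

BASE_SCORE = 0.901  # score the quoted report gave before any custom rule
REQUIRED = 4.0      # "required 4" in the quoted report

# (name, kind, pattern, score) mirroring the local.cf rules in the post
RULES = [
    ("MY_BAD_WORD_BODY", "body", re.compile(r"\bbadword\b", re.I), 2.0),
    ("MY_BAD_WORD_HEADER", "header", re.compile(r"\bbadword\b", re.I), 2.0),
]

# Hypothetical extra rule (assumption): tolerates one masked vowel.
OBFUSCATED = ("MY_BAD_WORD_OBFU", "body",
              re.compile(r"\bb[a*@]dw[o0*]rd\b", re.I), 2.0)


def evaluate(raw, rules, base=BASE_SCORE):
    """Return (rule names hit, total score, is_spam) for one message.

    Simplified model: header rules see all header lines, body rules see
    the text payload only (real SpamAssassin also decodes and normalises
    the body and includes the Subject in body matching).
    """
    msg = message_from_string(raw)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    body = msg.get_payload()
    hits = [name for name, kind, rx, _ in rules
            if rx.search(headers if kind == "header" else body)]
    total = round(base + sum(s for n, _, _, s in rules if n in hits), 3)
    return hits, total, total >= REQUIRED


if __name__ == "__main__":
    print(evaluate(SAMPLE, RULES))
    print(evaluate(SAMPLE, RULES + [OBFUSCATED]))
```
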