SPAM and procmail

Jeff Macdonald jeff.macdonald at virtualbuilder.com
Thu Jan 15 13:56:46 EST 2004


On Thu, 2004-01-15 at 10:46, Jeff Macdonald wrote:
> On Wed, 2004-01-14 at 15:37, Chris wrote:
> > >
> > > You're likely to see more of this.  It's an attempt to bypass Bayesian
> > > style mail filters.  I'm not using one yet, so I don't know how
> > > successful this tactic is.  Irregardless, I'm still of the opinion that
> > > spammers are lower life forms than even SCO executives.
> > >
> > 
> > Unfortunately, the Bayesian filters don't filter these out too successfully....
> 
> I thought that too. It turned out that I didn't have the Perl module
> Net::DNS installed on my machine which allows RBL checks to happen. Once
> I installed Net::DNS, SA started feeding those types of messages to the
> Bayesian filter and those messages are now being scored high by the
> Bayesian filter in addition to the RBL checks. I'll send a sample
> message once I have some more spam (I just cleaned out my spam folder).
> 

Attached is such a message. This will probably set off some filters, but
note the bayes_99 rule matching and the mostly random words.


-------------- next part --------------
>From ozpaapy at india.com Thu Jan 15 12:36:06 2004
Received: from localhost [127.0.0.1] by server1.virtualbuilder.com with
	SpamAssassin (2.61 1.212.2.1-2003-12-09-exp); Thu, 15 Jan 2004 12:36:06
	-0600
From: "Kathie Keys" <ozpaapy at india.com>
To: jeff at virtualbuilder.com
Subject: Re: EY, important of those
Date: Thu, 15 Jan 2004 01:30:46 +0100
Message-Id: <XWUQDKC-0005437687511 at cocoa>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on 
	server1.virtualbuilder.com
X-Spam-Status: Yes, hits=9.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,
	RCVD_IN_SORBS,RCVD_IN_SORBS_HTTP autolearn=no version=2.61
X-Spam-Level: *********
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4006DD96.E31F6D71"
X-Evolution-Source: imap://jeff@rackspace.virtualbuilder.com/

This is a multi-part message in MIME format.

------------=_4006DD96.E31F6D71
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "server1.virtualbuilder.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
jeff at virtualbuilder.com for details.

Content preview:  robe orthodontic dialectic buzzard deaconess glottis
  thetis censor annuli dungeon stressful haven plume countryman casino
  widen turpentine diadem Free CableTV!No more pay!%
  URI:http://www.3002hosting.com/cable/
  URI:http://www.3002hosting.com/fiter1.jpg arcturus contradistinct
  iconoclast rundown burnout marino biddy discriminant bodybuilder
  hydrangea rothschild landfill scoundrel rangeland atlantica vivo sub
  sure bayport inordinate calcite churchmen roughish timeout drainage
  resent inhale halocarbon chaise schlieren shop peek connect sumner
  celanese signature coquette arcadia area substitutionary cellar billie
  cotillion merle caveat afterward campus provocation orifice threshold
  antipathy convulse checkerberry analeptic persecution cabinetmake usaf
  babble antigen beecham poetic bystander permutation gerry kennan lenore
  forlorn chalmers polarogram reub acrylate sympathy reflect ac cyclopean
  dyadic irreversible appointe abetting view magneto vorticity grope
  audiotape amen cognition waltham moravia zion distraught scottsdale
  conflagration abandon chrysolite elastic bran poncho dropout actuarial
  columbine cleft ace appalachia prologue allowance aptitude floorboard
  courtier bell astronaut polygon drainage pivotal appearance photolytic
  screech conundrum licensor cryptogram collimate geochemistry butternut
  indicter mete burke w inertial burglar kremlin iroquois rough ia
  doleful rhythmic scrimmage baghdad desist gallantry reprieve orville
  adirondack macrostructure grandpa kennel semblance tammany palermo
  attache archipelago pabst committeewomen bimetallic greatcoat
  protophyta corpora beaten articulate biennium deniable caribou
  basepoint dryad bimodal incommunicable schoolwork silicate durkee
  anyplace historian external capsule shrunken microscopy macroscopic
  custer embedder locomotor cannon aloha his balkan teleprocessing
  declamatory scrawny lev cumulate quotation brownian lisp pravda
  bespectacled scour sugar bet decimal preservation monte detest pewter
  eliot hurst breed ciliate feast treadle bergland wilfred adjourn
  bibliophile jay rhesus chalcedony egypt dachshund pledge wardrobe
  arcane shriek absence cavil concordant taurus embroil mongoose bellmen
  zimmerman ame [...] 

Content analysis details:   (9.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.1 HTML_MESSAGE           BODY: HTML included in message
 1.1 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
                            [200.174.120.36 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [200.174.120.36 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [200.174.120.36 listed in dnsbl.njabl.org]
 0.7 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?ip=200.174.120.36>]
 0.5 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
                            [200.174.120.36 listed in dnsbl.njabl.org]
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?200.174.120.36>]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_4006DD96.E31F6D71
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Return-Path: <ozpaapy at india.com>
Received: from 17412036.virtua.com.br (17412036.virtua.com.br
	[200.174.120.36]) by server1.virtualbuilder.com (8.11.6/8.11.6) with SMTP
	id i0FIZwL19436 for <jeff at virtualbuilder.com>; Thu, 15 Jan 2004 12:35:58
	-0600
Received: from [200.174.120.36] by 3002hosting.comIP with HTTP; Wed, 14 Jan
	2004 17:31:46 -0700
From: "Kathie Keys" <ozpaapy at india.com>
To: jeff at virtualbuilder.com
Subject: Re: EY, important of those
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [3002hosting.comIP]
Date: Thu, 15 Jan 2004 01:30:46 +0100
Reply-To: "Kathie Keys" <ozpaapy at india.com>
Content-Type: multipart/alternative; boundary="--ALT--TTAY11974475500121"
Message-Id: <XWUQDKC-0005437687511 at cocoa>


----ALT--TTAY11974475500121
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

robe orthodontic dialectic buzzard deaconess 
glottis thetis censor annuli dungeon stressful haven plume countryman 
casino widen turpentine diadem 

----ALT--TTAY11974475500121
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

<HTML><HEAD>
<BODY>
<p>Fr</affect>ee Ca</ineffectual>bleTV!N</crappie>o mo</launch>re p</donahue>ay!%</p>
<a href="http://www.3002hosting.com/cable/">
<img border="0" src="http://www.3002hosting.com/fiter1.jpg"></a>
arcturus contradistinct iconoclast rundown burnout marino biddy discriminant bodybuilder hydrangea rothschild landfill scoundrel rangeland atlantica vivo sub sure bayport inordinate calcite churchmen roughish timeout <BR>
drainage resent inhale halocarbon chaise schlieren shop peek connect sumner celanese <BR>
signature coquette arcadia area substitutionary cellar billie cotillion merle caveat afterward campus provocation orifice threshold antipathy convulse <BR>
checkerberry analeptic persecution cabinetmake usaf babble antigen beecham poetic bystander permutation gerry kennan lenore forlorn chalmers polarogram reub acrylate sympathy reflect ac cyclopean dyadic irreversible appointe abetting view magneto vorticity grope <BR>
audiotape amen cognition waltham moravia zion distraught scottsdale conflagration abandon <BR>
chrysolite elastic bran poncho dropout actuarial columbine cleft ace appalachia prologue allowance aptitude floorboard courtier bell astronaut polygon drainage pivotal appearance photolytic screech conundrum <BR>
licensor cryptogram collimate geochemistry butternut indicter mete burke w inertial burglar kremlin iroquois rough ia doleful rhythmic scrimmage baghdad desist gallantry reprieve orville adirondack macrostructure grandpa kennel semblance tammany palermo attache archipelago pabst committeewomen bimetallic greatcoat protophyta corpora <BR>
beaten articulate biennium deniable caribou basepoint dryad bimodal incommunicable schoolwork silicate durkee anyplace historian external capsule shrunken microscopy macroscopic custer embedder locomotor cannon aloha his <BR>
balkan teleprocessing declamatory scrawny lev cumulate quotation brownian lisp pravda bespectacled scour sugar bet decimal preservation monte detest pewter eliot hurst breed ciliate feast treadle bergland wilfred adjourn bibliophile jay rhesus chalcedony egypt dachshund pledge wardrobe <BR>
arcane shriek absence cavil concordant taurus embroil mongoose bellmen zimmerman amethyst splutter otherwise quonset ahmadabad germanic cankerworm embodiment extramarital caleb scarf triumphal <BR>
schubert etude stink isadore prolong sightsee ingrown derision backscatter bacteria seater aide windy moss octoroon coffer german anne conspiratorial dependent naked reprisal belch authoritarian helmet squid <BR>

</BODY>
</HTML>

----ALT--TTAY11974475500121--


------------=_4006DD96.E31F6D71--
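
An added example, not part of the original post and not SpamAssassin's code: the HTML part of the attached message breaks up its sales line with closing tags that were never opened (`</affect>`, `</ineffectual>`, and so on), so the raw source never contains the whole words. The Python sketch below renders such a fragment back to visible text and reports those tags as a signal a filter can use; the names `normalise`, `_Renderer` and `BLOCK_TAGS` are assumptions made for this illustration.

```python
from collections import Counter
from html.parser import HTMLParser

# Tags treated as word separators when rendering; an assumption for this sketch.
BLOCK_TAGS = {"p", "br", "div", "li", "tr", "td", "table"}

# Constructed sample: the obfuscated paragraph copied from the attached message.
SAMPLE = ("<p>Fr</affect>ee Ca</ineffectual>bleTV!N</crappie>o "
          "mo</launch>re p</donahue>ay!%</p>")


class _Renderer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_tags = Counter()   # start tags seen and not yet closed
        self.parts = []              # visible text fragments, in order
        self.unmatched = []          # closing tags that were never opened

    def handle_starttag(self, tag, attrs):
        self.open_tags[tag] += 1
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if self.open_tags[tag] > 0:
            self.open_tags[tag] -= 1
            if tag in BLOCK_TAGS:
                self.parts.append(" ")
        else:
            # Emit nothing, so the word halves on either side join up again.
            self.unmatched.append(tag)

    def handle_data(self, data):
        self.parts.append(data)


def normalise(html):
    """Return (visible_text, unmatched_closing_tags) for an HTML fragment."""
    renderer = _Renderer()
    renderer.feed(html)
    renderer.close()
    text = " ".join("".join(renderer.parts).split())
    return text, renderer.unmatched


if __name__ == "__main__":
    text, unmatched = normalise(SAMPLE)
    print(text)
    print(unmatched)
```

On the sample this yields the same `Free CableTV!No more pay!%` string that appears in the SpamAssassin content preview above, along with five unmatched closing tags.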


