Well, OK I'm sure there is a rule that catches files like .bat .pif .exe .com, but anyway, I'm getting a lot of messages like:
> Received: from unknown (HELO inje.iskon.hr) ([213.191.128.16]) (envelope-sender <[EMAIL PROTECTED]>)
> [...]
> X-Spam-Status: No, hits=0.5 required=5.6 tests=LARGE_HEX,RELAYING_FRAME version=2.20
> [...]
> --M608E5Gt62681o15NX05jX22Eg8M1
> Content-Type: audio/x-wav;
>     name=alt.bat
> Content-Transfer-Encoding: base64
> Content-ID: <C9Tne6X6cFqJj14jF>

I'm sure the goal of the message is to make me write a .bat file (the same message appears in .exe, .pif, ... variants), that I then later execute.

So, I wonder, why didn't the message hit any spamassassin rule? Or should I go and look into the rule format, and submit a rule for it? (I don't see a reason why generally I would want people to be able to send me .exe files, especially since I use linux:)

Thanks,
joostje

Full headers below (BTW, this message was bounced several times to various computers, so that's why there are quite a few Received: headers. Also, the `From ' line got changed because of it, in the original worm it's a .hr address).
> From [EMAIL PROTECTED] Tue Apr 23 17:07:35 2002
> Received: from smtp26.wxs.nl (smtp26.wxs.nl [195.121.6.34])
>     by co.uea.org (8.12.2/8.12.2/Debian -5) with ESMTP id g3NF7Woo013332
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 17:07:32 +0200
> Received: from warande1124.warande.uu.nl ([EMAIL PROTECTED] [131.211.121.124])
>     by smtp26.wxs.nl (8.12.1/8.12.1) with ESMTP id g3NF7RFE017470
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 17:07:27 +0200
> Received: from warande1124.warande.uu.nl (joosteto@localhost [127.0.0.1])
>     by warande1124.warande.uu.nl (8.12.1/8.12.1/Debian -5) with ESMTP id g3NF7Omi029948
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 17:07:24 +0200
> Received: (from joosteto@localhost)
>     by warande1124.warande.uu.nl (8.12.1/8.12.1/Debian -5) id g3NF7OsL029946
>     for [EMAIL PROTECTED]; Tue, 23 Apr 2002 17:07:24 +0200
> Received: from co.uea.org (ip3e838ce6.speed.planet.nl [62.131.140.230])
>     by warande1124.warande.uu.nl (8.12.1/8.12.1/Debian -5) with ESMTP id g3NEWkmi022831
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 16:32:47 +0200
> Received: from co.uea.org (localhost [127.0.0.1])
>     by co.uea.org (8.12.2/8.12.2/Debian -5) with ESMTP id g3NEWkoo011736
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 16:32:46 +0200
> Received: (from joostje@localhost)
>     by co.uea.org (8.12.2/8.12.2/Debian -5) id g3NEWkUD011735
>     for [EMAIL PROTECTED]; Tue, 23 Apr 2002 16:32:46 +0200
> Resent-Message-Id: <[EMAIL PROTECTED]>
> Received: from co.uea.org (localhost [127.0.0.1])
>     by co.uea.org (8.12.2/8.12.2/Debian -5) with ESMTP id g3NEQhoo011405;
>     Tue, 23 Apr 2002 16:26:43 +0200
> Received: (from root@localhost)
>     by co.uea.org (8.12.2/8.12.2/Debian -5) id g3NEQghE011404;
>     Tue, 23 Apr 2002 16:26:42 +0200
> Received: from smtp27.wxs.nl (smtp27.wxs.nl [195.121.6.56])
>     by co.uea.org (8.12.2/8.12.2/Debian -5) with ESMTP id g3NEQUoo011389
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 16:26:31 +0200
> Received: from arkanoid.cybercomm.nl (arkanoid.cybercomm.nl [213.196.1.80])
>     by smtp27.wxs.nl (8.12.1/8.12.1) with SMTP id g3NEQTot028806
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 16:26:30 +0200
> Received: (qmail 6252 invoked by uid 6505); 23 Apr 2002 14:16:37 -0000
> Received: (qmail 6215 invoked from network); 23 Apr 2002 14:16:35 -0000
> Received: from unknown (HELO inje.iskon.hr) ([213.191.128.16]) (envelope-sender <[EMAIL PROTECTED]>)
>     by arkanoid.cybercomm.nl (qmail-ldap-1.03) with SMTP
>     for <[EMAIL PROTECTED]>; 23 Apr 2002 14:16:35 -0000
> Received: from Ipxiqe (IDENT:[EMAIL PROTECTED] [213.191.150.140])
>     by mail.iskon.hr (8.11.4/8.11.4/Iskon 8.11.3-1) with SMTP id g3NEPuI24163
>     for <[EMAIL PROTECTED]>; Tue, 23 Apr 2002 16:25:56 +0200 (MEST)
> Date: Tue, 23 Apr 2002 16:25:56 +0200 (MEST)
> Message-Id: <[EMAIL PROTECTED]>
> From: Larisabenson <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Onmouseover
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary=M608E5Gt62681o15NX05jX22Eg8M1
> Resent-From: [EMAIL PROTECTED]
> Resent-Date: Tue, 23 Apr 2002 16:32:46 +0200
> Resent-To: [EMAIL PROTECTED]
> Resent-From: [EMAIL PROTECTED]
> Resent-Date: Tue, 23 Apr 2002 17:07:24 +0200
> Resent-To: [EMAIL PROTECTED]
> X-Spam-Status: No, hits=2.5 required=5.6 tests=LARGE_HEX,RELAYING_FRAME,FORGED_YAHOO_RCVD version=2.20
> X-Spam-Level: **
> Content-Length: 126594
> Lines: 1750
>
> --M608E5Gt62681o15NX05jX22Eg8M1
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:C9Tne6X6cFqJj14jF height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
>
> --M608E5Gt62681o15NX05jX22Eg8M1
> Content-Type: audio/x-wav;
>     name=alt.bat
> Content-Transfer-Encoding: base64
> Content-ID: <C9Tne6X6cFqJj14jF>
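
Added example (not part of the original post and not SpamAssassin code): a Python sketch of the checks the quoted message would trip, namely an executable attachment name, a media Content-Type that contradicts that name, a payload starting with the DOS/PE "MZ" magic, and an HTML iframe that loads the attachment by Content-ID. The names `audit`, `EXEC_EXT` and `SAMPLE` are hypothetical, and the sample message is constructed.

```python
import email
import re
from email import policy

# Extensions named in the post as ones a mail filter should catch.
EXEC_EXT = (".bat", ".pif", ".exe", ".com")

# Constructed sample shaped like the quoted message; the payload is only the
# "MZ" DOS/PE magic plus a few header bytes, not a program.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=XX

--XX
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:part1 height=3D0 width=3D0></iframe></BODY></HTML>
--XX
Content-Type: audio/x-wav; name=alt.bat
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA
--XX--
"""

def audit(raw):
    """Return a sorted list of (finding, detail) tuples for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, cids, html = set(), {}, ""
    for part in msg.walk():
        # get_filename() falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""  # None for multipart containers
        ctype = part.get_content_type()
        if name.endswith(EXEC_EXT):
            findings.add(("exec_name", name))
            if ctype.split("/")[0] in ("audio", "image", "video"):
                findings.add(("type_mismatch", ctype))
        if data[:2] == b"MZ":
            findings.add(("mz_magic", name or ctype))
        if part["Content-ID"]:
            cids[str(part["Content-ID"]).strip("<> ")] = name
        if ctype == "text/html":
            html += data.decode("latin-1")
    # An iframe pointing at cid:<id> makes an HTML mail client fetch that part.
    for cid in re.findall(r"<iframe[^>]+src=[\"']?cid:([^\"'\s>]+)", html, re.I):
        if cids.get(cid, "").endswith(EXEC_EXT):
            findings.add(("iframe_exec", cid))
    return sorted(findings)
```

`audit(SAMPLE)` reports all four findings; a plain text message reports none.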