Hi Derrick,

At 06/10/2002 13:04, Derrick 'dman' Hudson wrote:
>On Mon, Jun 10, 2002 at 10:51:07AM -0800, Pete Hanson wrote:
>| Not true. We're starting to see spam mail with huge attachments.
>
>What sort of attachments? What are the main identifying marks on the
>messages?

Here's a nice example (I'm not going to include the whole damn thing unless
you really want it - it's a 760k message):

>From [EMAIL PROTECTED] Sun Jun 9 08:20:40 2002
>Return-Path: <[EMAIL PROTECTED]>
>Received: from smtp.well.com (smtp.well.com [206.14.209.7])
>    by mail.well.com (8.12.3/8.12.3) with ESMTP id g59EqrCJ021554
>    for <[EMAIL PROTECTED]>; Sun, 9 Jun 2002 07:52:53 -0700 (PDT)
>Received: from netcom.com (mx2.netcom.com [199.174.33.83])
>    by smtp.well.com (8.12.3/8.12.3) with ESMTP id g59EqktH027311
>    for <[EMAIL PROTECTED]>; Sun, 9 Jun 2002 07:52:46 -0700 (PDT)
>Received: from soundwriters.net (host-180.soundwriters.net [64.67.213.180] (may be
>forged))
>    by netcom.com (8.9.3/8.9.3) with SMTP id JAA04842
>    for <[EMAIL PROTECTED]>; Sun, 9 Jun 2002 09:50:09 -0500 (CDT)
>Message-Id: <[EMAIL PROTECTED]>
>Received: from Dator 9 ([212.209.222.139]) by soundwriters.net ( IA Mail Server
>Version: 3.1.2.0 Build: 1061 ) ) ; 09 Jun 2002 14:32:26 UT
>From: "tamfxcd" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>Subject: 内斗威武、外斗已成瓮中之鳖
>To: [EMAIL PROTECTED]
>X-Mailer: V3,1,6,1 (W95/NT) (Build: Oct 18 1999)
>Mime-Version: 1.0
>Date: Mon, 10 Jun 2002 16:34:50 +0100
>Content-Type: multipart/mixed; boundary="----=_NextPart_000_007F_01BDF6C7.FABAC1B0"
>Content-Transfer-Encoding: 7bit
>X-UIDL: 8fc31c8e62d3b8bda76ed5f956ed594d
>Status: R
>
>This is a MIME Message
>
>------=_NextPart_000_007F_01BDF6C7.FABAC1B0
>Content-Type: text/plain; charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
> !!
>--------------------------------------------------------
>
>The China Comment is a political essays, which sent
>from Mainland China for domestic readers and overseas
>chinese, who is concerned with developing of chinese
>affairs and situation=2E
>
>------------------------------
>---------------------------
>--------------------------------------------------------

There are 3 more quoted-printable attachments in the message.

When passed through /usr/local/bin/spamassassin directly, it produces the
following report:

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (8.5 hits, 5 required)
SPAM: Hit! (-0.7 points) Bulk email software fingerprints found in headers
SPAM: Hit! (2.4 points) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1.3 points) 'Received:' has 'may be forged' warning
SPAM: Hit! (0.5 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: Hit! (0.0 points) Reply-To: massively different from From: or To:
SPAM: Hit! (1.9 points) Subject is all capitals
SPAM: Hit! (3.1 points) Subject is full of 8-bit characters
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

If I pass just the first *3.6k* of the message (just the stuff shown
above), it scores 8 points (only the WHOLE LINE OF YELLING is omitted).

Pete
`-_-'

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
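
The report format quoted in the post above, parsed as an added example (not code from the post or from SpamAssassin): it sums the hit lines, checks them against the declared total, and shows what remains when body tests are left out. Treating a description that starts with `BODY:` as the marker for a body test is an assumption made here.

```python
import re
from decimal import Decimal

# Hit lines as quoted in the post above.
REPORT = """\
SPAM: Content analysis details: (8.5 hits, 5 required)
SPAM: Hit! (-0.7 points) Bulk email software fingerprints found in headers
SPAM: Hit! (2.4 points) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1.3 points) 'Received:' has 'may be forged' warning
SPAM: Hit! (0.5 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: Hit! (0.0 points) Reply-To: massively different from From: or To:
SPAM: Hit! (1.9 points) Subject is all capitals
SPAM: Hit! (3.1 points) Subject is full of 8-bit characters
"""

SUMMARY_RE = re.compile(r"^SPAM: Content analysis details:\s*"
                        r"\((-?[\d.]+) hits, (-?[\d.]+) required\)")
HIT_RE = re.compile(r"^SPAM: Hit! \((-?[\d.]+) points\)\s+(.*)$")


def parse_report(text):
    """Return (declared_total, required, [(points, description), ...])."""
    declared = required = None
    hits = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            declared, required = Decimal(m.group(1)), Decimal(m.group(2))
        else:
            m = HIT_RE.match(line)
            if m:
                hits.append((Decimal(m.group(1)), m.group(2).strip()))
    if declared is None:
        raise ValueError("no 'Content analysis details' line found")
    return declared, required, hits


def summarize(text):
    """Split the score into body tests and everything else (Decimal avoids float drift)."""
    declared, required, hits = parse_report(text)
    # Assumption: a description starting with "BODY:" marks a test on the message body.
    body = sum((p for p, d in hits if d.startswith("BODY:")), Decimal(0))
    rest = sum((p for p, d in hits if not d.startswith("BODY:")), Decimal(0))
    if body + rest != declared:
        raise ValueError("hit lines do not add up to the declared total")
    return {"total": declared, "without_body": rest,
            "still_spam_without_body": rest >= required}
```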