Anyone have a nice rule that will catch the attached? It got negative scores with fake In-Reply-To, Approved-By, and X-Authentication-Warning lines. Also, note the faked PGP signature with random words following it. Sure is a lot of trouble to go through just to get a piece of spam to my inbox.
-- Regards, Matt
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from valodata.com (unknown [203.15.67.220])
    by ns1.thoene.net (Postfix) with SMTP id 408955432E
    for <[EMAIL PROTECTED]>; Fri, 13 Jun 2003 19:55:17 -0700 (PDT)
Received: (qmail 12953 invoked by uid 501); 13 Jun 2003 23:59:07 -0000
Delivered-To: [EMAIL PROTECTED]
Date: 13 Jun 2003 23:59:07 -0000
Message-ID: <[EMAIL PROTECTED]>
From: "Ling Gloor" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: special delivery pfft.
X-Mailer: MSN Explorer 6.00.0010.0912
X-OriginalArrivalTime: FILETIME=[X:X]
X-Originating-Ip: [192.168.1.1]
Approved-By: RzneXznggRzneXerzrqlk.pbzRzneX
In-Reply-To: RzneXznggRzneXerzrqlk.pbzRzneX
X-Authentication-Warning: RzneXznggRzneXerzrqlk.pbzRzneX
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=-2.6 required=4.0
    tests=APPROVED_BY,HTML_50_60,HTML_IMAGE_ONLY_06,HTML_WEB_BUGS,
    IN_REP_TO,MIME_HTML_ONLY,PGP_SIGNATURE,
    RCVD_IN_OSIRUSOFT_COM,RCVD_IN_SBL,USER_AGENT_MSN,
    X_AUTH_WARNING
    autolearn=ham version=2.54
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.54 (1.174.2.17-2003-05-11-exp)
X-Spam-Report: This mail is probably spam. The original message has been attached
    along with this report, so you can recognize or block similar unwanted
    mail in future. See http://spamassassin.org/tag/ for more details.
    Content preview:
    URI:http://www.valodata.com/int/index.html?aa=intm5&ab=matt&ac=remedyx.com
    URI:http://www.valodata.com/int/int2.jpg?ba=intm5&bb=matt&bc=remedyx.com
    URI:http://www.valodata.com/nomore/search.html?ca=intm5&cb=matt&cc=remedyx.com
    URI:http://www.valodata.com/int/unk.gif?da=intm5&db=matt&dc=remedyx.com
    [...]
    Content analysis details: (-2.60 points, 4 required)
    IN_REP_TO (-0.4 points) Has a In-Reply-To header
    APPROVED_BY (-0.1 points) Has an Approved-By moderated list header
    X_AUTH_WARNING (-0.4 points) Has a X-Authentication-Warning header
    HTML_WEB_BUGS (0.1 points) BODY: Image tag with an ID code to identify you
    HTML_50_60 (0.1 points) BODY: Message is 50% to 60% HTML
    HTML_IMAGE_ONLY_06 (0.6 points) BODY: HTML has images with 400-600 bytes of words
    RCVD_IN_OSIRUSOFT_COM (0.9 points) RBL: Received via a relay in relays.osirusoft.com
        [RBL check: found 220.67.15.203.relays.osirusoft.com., type: 127.0.0.6]
    RCVD_IN_SBL (1.1 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
        [RBL check: found 220.67.15.203.sbl.spamhaus.org.]
    USER_AGENT_MSN (-2.3 points) Headers indicate valid mail from MSN
    PGP_SIGNATURE (-2.3 points) Contains a PGP-signed message
    MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts
X-UIDL: 3&d!!TWD"!RmO"!#Zk"!

<body bgcolor=white>
<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<a href="http://www.valodata.com/int/index.html?aa=intm5&ab=matt&ac=remedyx.com">
<img src="http://www.valodata.com/int/int2.jpg?ba=intm5&bb=matt&bc=remedyx.com" border=0>
</a></td>
</tr>
</table>
<Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
<Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
<Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
<Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
<Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
<Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
<p><font size="2"><br>
<a href="http://www.valodata.com/nomore/search.html?ca=intm5&cb=matt&cc=remedyx.com">
<img src="http://www.valodata.com/int/unk.gif?da=intm5&db=matt&dc=remedyx.com" border=0></a></font></p>
<br><br>
<p><font size="2" color=white>
-----BEGIN PGP SIGNATURE-----
i3A/A9UAPmf7ZbesiT+lEZdqEQJJ6QCeJcBgl19C3ErrfhM3h7z5Kg49xU89oKHG
L79MJrvpvQ0ofECdfGbuRfwe
=u41Z
-----END PGP SIGNATURE-----
<br>
horrendously munched launderings shooters prowess winker tutankhamon schweitzer blighted cogitated higher sneezes reoccur resisting alternates calamity waving boundlessness navigators anatole ethically descent serif tonio officio tumult amounting delegate penumbra stimulating evens garibaldi ascribes jaunt injuring sorters backwaters alcestis fiftieth pore RzneXznggRzneXerzrqlk.pbzRzneX directories ostrich drip crusts gastronomy alsatians imprecisely clara caches predominated
</font></p>
</div>
</body>
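
The checks a rule for this message could key on, as an added example that is not part of the original post and is Python rather than SpamAssassin rule syntax. The indicator names are hypothetical, and both sample messages are constructed (the spam one is modelled on the headers and body shown above).

```python
from email import message_from_string

SIG_ARMOR = "-----BEGIN PGP SIGNATURE-----"
SIGNED_ARMOR = "-----BEGIN PGP SIGNED MESSAGE-----"
TRUST_HEADERS = ("Approved-By", "In-Reply-To", "X-Authentication-Warning")

def indicators(raw):
    """Return hypothetical indicator names for forged trust markers in one message."""
    msg = message_from_string(raw)
    found = []
    values = [(msg.get(h) or "").strip() for h in TRUST_HEADERS]
    # One token pasted into three unrelated headers is not something a list
    # server, a mail client and an MTA would each produce on their own.
    if values[0] and len(set(values)) == 1:
        found.append("CLONED_TRUST_HEADERS")
    # A genuine In-Reply-To carries a message-id: <local@domain>.
    irt = values[1]
    if irt and not (irt.startswith("<") and irt.endswith(">") and "@" in irt):
        found.append("IN_REPLY_TO_NOT_MSGID")
    # Signature armor with no signed text in front of it, in a single-part mail.
    if not msg.is_multipart():
        body = msg.get_payload()
        if SIG_ARMOR in body and SIGNED_ARMOR not in body:
            found.append("PGP_SIG_WITHOUT_SIGNED_TEXT")
            if msg.get_content_type() == "text/html":
                found.append("PGP_SIG_IN_HTML_ONLY")
    return found

# Constructed sample modelled on the attached message.
SPAM = """\
Subject: RE: special delivery
Approved-By: RzneXznggRzneXerzrqlk.pbzRzneX
In-Reply-To: RzneXznggRzneXerzrqlk.pbzRzneX
X-Authentication-Warning: RzneXznggRzneXerzrqlk.pbzRzneX
Content-Type: text/html; charset="us-ascii"

<body><p><font size="2" color=white>
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
</font></p></body>
"""

# Constructed legitimate reply: real message-id, clearsigned plain text.
HAM = ("In-Reply-To: <20030613.1@example.invalid>\nContent-Type: text/plain\n\n"
       + SIGNED_ARMOR + "\n\nSee you at noon.\n" + SIG_ARMOR + "\n(placeholder)\n")
```

The sample spam trips all four indicators and the clearsigned reply trips none, so the negative scores for `IN_REP_TO`, `APPROVED_BY`, `X_AUTH_WARNING` and `PGP_SIGNATURE` could be offset when these conditions hold.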