I know this isn't a new thing necessarily in the internet world, but it's new for me. Lately in the past week I've gotten 3 or 4 bounces that came from spammers. Apparently they set it up so that a legit (or maybe not legit) mail server bounces back the full email to the recipients. This is getting by spamassassin quite easily (.1 hits). Do you guys have anything I can do?

The other thing this spammer did was encode their entire email so a simple content scan would not work...


Here's an example: (I took out boring header lines...)

Date: Sun, 29 Jun 2003 06:41:26 +0000
From: Mail Delivery System <[EMAIL PROTECTED]>
Subject: Mail delivery failed: returning message to sender
X-Failed-Recipients: [EMAIL PROTECTED]
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server3.serverbiz.net
X-AntiAbuse: Original Domain - infoave.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Resent-From: [EMAIL PROTECTED]
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL,MAILER_DAEMON,UPPERCASE_25_50 version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 [EMAIL PROTECTED]
   User 0 set for local_delivery transport is on the never_users list:
   retry timeout exceeded

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 111498 characters long; only the first
------ 106496 or so are included here.

Return-path: <[EMAIL PROTECTED]>
Received: from [217.39.72.206] (helo=JIMCARTER)
        by server3.serverbiz.net with esmtp (Exim 4.20)
        id 19VZ4R-0007WP-Ls
        for [EMAIL PROTECTED]; Thu, 26 Jun 2003 15:53:59 +0000
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: Movie
Date: Thu, 26 Jun 2003 16:53:33 +0100
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="CSmtpMsgPart123X456_000_0ED0AD2B"
Message-Id: <[EMAIL PROTECTED]>

This is a multipart message in MIME format

--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached zip file for details.
--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: application/octet-stream;
        name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="your_details.zip

UEsDBBQAAgAIALCG2i789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMLkzbrnl3r7Zt27Zt
27Ztd6+2jdW2bdu27V5tc55vv9/eM5nJzPyZZP48R1I5qq46U7mqUrJa8YBfAAAA5J/x8wMAtAH+
...more encoded trash here.....
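
An added example, not part of the original post: the bounce copies the original message inline after its marker line and cuts the body short, so the zip never has its end-of-archive directory, but the first local file header at the front of the base64 data still names the file inside. The function names and the `RISKY_EXT` list are assumptions made for this sketch.

```python
import base64
import email
import struct

COPY_MARKER = "------ This is a copy of the message"
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")  # assumed blocklist

# Constructed sample; only the base64 line is taken from the post above.
SAMPLE_BOUNCE = """\
Subject: Mail delivery failed: returning message to sender

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 111498 characters long; only the first
------ 106496 or so are included here.

Subject: Re: Movie
Content-Type: multipart/mixed; boundary="CSmtpMsgPart123X456_000_0ED0AD2B"

--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: application/octet-stream; name="your_details.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAgAIALCG2i789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMLkzbrnl3r7Zt27Zt
"""

def embedded_original(bounce):
    """Parse the copy that follows the marker and the next blank line."""
    _, found, rest = bounce.partition(COPY_MARKER)
    original = rest.partition("\n\n")[2]
    return email.message_from_string(original) if found else None

def first_zip_member(data):
    """Name from the first ZIP local file header; works on a cut-off archive."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    name_len = struct.unpack_from("<H", data, 26)[0]
    return data[30:30 + name_len].decode("cp437", "replace")

def scan_bounce(bounce):
    """Return (attachment, inner member, risky?) per base64 part."""
    msg, hits = embedded_original(bounce), []
    for part in (msg.walk() if msg is not None else []):
        if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
            b64 = "".join(part.get_payload().split())
            data = base64.b64decode(b64[:len(b64) // 4 * 4])  # drop cut-off tail
            inner = first_zip_member(data)
            hits.append((part.get_filename(), inner,
                         bool(inner) and inner.lower().endswith(RISKY_EXT)))
    return hits
```
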


