The email you included isn't spam, it's SOBIG.e.

Jerry
http://www.syslog.org
----- Original Message ----- 
From: "Michael Long" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 29, 2003 11:50 AM
Subject: [SAtalk] Spammers using bounces and encoding


I know this isn't a new thing necessarily in the internet world, but it's
new for me.  Lately in the past week I've gotten 3 or 4 bounces that came
from spammers. Apparently they set it up so that a legit (or maybe not
legit) mail server bounces back the full email to the recipients.  This is
getting by spamassassin quite easily (.1 hits).  Do you guys have anything
I can do?

The other thing this spammer did was encode their entire email so a simple
content scan would not work...


Here's an example:
(I took out boring header lines...)
Date: Sun, 29 Jun 2003 06:41:26 +0000
From: Mail Delivery System <[EMAIL PROTECTED]>
Subject: Mail delivery failed: returning message to sender
X-Failed-Recipients: [EMAIL PROTECTED]
X-AntiAbuse: This header was added to track abuse,
 please include it with any abuse report
X-AntiAbuse: Primary Hostname - server3.serverbiz.net
X-AntiAbuse: Original Domain - infoave.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Resent-From: [EMAIL PROTECTED]
X-Spam-Status: No, hits=0.1 required=5.0
tests=AWL,MAILER_DAEMON,UPPERCASE_25_50
version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [EMAIL PROTECTED]
    User 0 set for local_delivery transport is on the never_users list:
    retry timeout exceeded

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 111498 characters long; only the first
------ 106496 or so are included here.

Return-path: <[EMAIL PROTECTED]>
Received: from [217.39.72.206] (helo=JIMCARTER)
by server3.serverbiz.net with esmtp (Exim 4.20)
id 19VZ4R-0007WP-Ls
for [EMAIL PROTECTED]; Thu, 26 Jun 2003 15:53:59 +0000
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: Movie
Date: Thu, 26 Jun 2003 16:53:33 +0100
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_0ED0AD2B"
Message-Id: <[EMAIL PROTECTED]>

This is a multipart message in MIME format

--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached zip file for details.
--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: application/octet-stream;
name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="your_details.zip

UEsDBBQAAgAIALCG2i789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMLkzbrnl3r7Zt27Zt
27Ztd6+2jdW2bdu27V5tc55vv9/eM5nJzPyZZP48R1I5qq46U7mqUrJa8YBfAAAA5J/x8wMAtAH+
...more encoded trash here.....



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
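
An added example, not part of either post and not SpamAssassin code: a bounce like the one quoted above carries the original message as plain text, truncated, so the ZIP attachment cannot be opened as an archive, but its first local file header still names the file inside. The Python sketch below extracts that name from the returned copy and flags executable extensions; the function names and the extension list are assumptions made for illustration.

```python
import base64, email, re, struct

RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")  # illustrative list, not exhaustive
COPY_MARKER = re.compile(r"^-+ This is a copy of the message.*?\n\n", re.M | re.S)

def first_zip_member(data):
    """Name stored in the first ZIP local file header, or None if data is not a ZIP."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    (name_len,) = struct.unpack_from("<H", data, 26)  # 2-byte name length at offset 26
    return data[30:30 + name_len].decode("latin-1")

def risky_members_in_bounce(bounce_text):
    """Executable-looking names inside zipped attachments of the returned message."""
    m = COPY_MARKER.search(bounce_text)
    if not m:
        return []
    hits = []
    for part in email.message_from_string(bounce_text[m.end():]).walk():
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        # Only the start of the attachment is needed; the bounce truncates the rest.
        b64 = re.sub(r"[^A-Za-z0-9+/]", "", part.get_payload())[:400]
        name = first_zip_member(base64.b64decode(b64[:len(b64) // 4 * 4]))
        if name and name.lower().endswith(RISKY_EXT):
            hits.append(name)
    return hits

# Constructed bounce, cut down from the one quoted in the thread; the base64
# line is the first attachment line shown there.
SAMPLE = """\
------ This is a copy of the message, including all the headers. ------
------ The body of the message is 111498 characters long; only the first
------ 106496 or so are included here.

Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="CSmtpMsgPart123X456_000_0ED0AD2B"

--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: text/plain

Please see the attached zip file for details.
--CSmtpMsgPart123X456_000_0ED0AD2B
Content-Type: application/octet-stream; name="your_details.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAgAIALCG2i789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMLkzbrnl3r7Zt27Zt
"""
print(risky_members_in_bounce(SAMPLE))
```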


