> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 28, 2003 1:37 PM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] [RD] this is the spam I'm fighting, and why rules
> don't hit.
>
> Chris Santerre writes:
> > I finally got one of these boogers above a 7 so I had the raw in my trap.
> > Take a look at this raw mbox email and why SA rules don't hit. The MUA
> > decodes the email and shows the spam when read. After the ************* is
> > what the decoded base64 looks like. Headers don't matter. I've looked at
> > them all. No pattern, always different, either DSL or open relay. Don't tell
> > me to use an RBL or I'll send the tree ents after you!!! (Guess what movie I
> > watched last night?) ;)
>
> 2.60 sees it just fine:
>
> Spam detection software, running on the system "jalapeno", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or block
> similar future email. If you have any questions, see
> @@CONTACT_ADDRESS@@ for details.
>
> Content preview:
> URI:*http:/internet-generic-pharmacy.com/remove REMOVE ME NOW PLEASE
> URI:http://wWW.LibiDO-HeALTH.NET/af%66i%6C/n%6D/?i%644
> URI:http://ImG.lIBIDo-HEALtH.NEt/n%6D/%6E%6d%2D%69%6d%67.%6Ap%67 [...]
>
> Content analysis details: (8.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.5 REMOVE_REMOVAL_2WORD   BODY: List removal information
>  0.5 HTML_60_70             BODY: Message is 60% to 70% HTML
>  1.8 BAYES_60               BODY: Bayesian spam probability is 60 to 70%
>                             [score: 0.6314]
>  1.2 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
>  0.1 HTML_MESSAGE           BODY: HTML included in message
>  1.5 HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
>  1.0 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
>  1.0 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
>  0.5 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
>
> --j.

Is that from the email I sent to the list, or did you get this spam directly?
You mean without the HTML code decoded, SA 2.60 decoded it and checked it?
I just want to really clarify that, so I can stop working on it. If SA 2.60
decoded the base64 then checked it, then the devs are truly white wizards :P

--Chris Santerre of the shire.
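
The order of operations the report above implies (undo the base64 transfer encoding first, then inspect the decoded body and its URIs), as an added example that is not from the thread and is not SpamAssassin's code. The sample message, the function names, the result keys and the "any escape of an RFC 3986 unreserved character" heuristic are assumptions made for illustration.

```python
import base64
import re
import string
from email import message_from_string, policy

# Constructed sample (not the spam from the thread): an HTML body with no
# charset, hidden behind base64, linking to a URL with needless %-escapes.
HTML = '<a href="http://www.example.test/af%66i%6C/n%6D/?id=4">click</a>'
SAMPLE = (
    "From: sender@example.test\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(HTML.encode("ascii")).decode("ascii") + "\n"
)

URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ESC_RE = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 unreserved characters never need percent-encoding.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def unnecessary_escapes(uri):
    """Return the %XX escapes in uri that encode an unreserved character."""
    return [m.group(0) for m in ESC_RE.finditer(uri)
            if chr(int(m.group(1), 16)) in UNRESERVED]


def scan(raw):
    """Decode each text part, then inspect the decoded content."""
    result = {"base64_text": False, "html_no_charset": False, "escaped_uris": {}}
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        charset = part.get_content_charset()
        result["base64_text"] |= cte == "base64"
        result["html_no_charset"] |= (
            part.get_content_subtype() == "html" and charset is None)
        # decode=True undoes base64 / quoted-printable, as the MUA would.
        # latin-1 never fails to decode and is enough to find ASCII URIs.
        body = part.get_payload(decode=True).decode("latin-1")
        for uri in URI_RE.findall(body):
            escapes = unnecessary_escapes(uri)
            if escapes:
                result["escaped_uris"][uri] = escapes
    return result
```

Escapes such as `%20` or `%2F` encode characters that do need escaping, so they are not reported.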