> /My dog is very promiscuous\./
> 
> ...while enigmatic, this could very well hit quite a few porn spams!
> 
LOL!!

I looked thru some corpus and I have a bunch of these spams. They score from
8.5-24 points :)

Common points among the spams:
Sent from different IPs (What a surprise!)

All have a tracking header, but name changed:
Kel-Tracking: <Y3NhbnRlcnJlQG1lcmNoYW50c292ZXJzZWFzLmNvbQ==>
The key is that they ALL ended with "==>"

X-Mailer: PHP (or PHP2) in header.

All tried to use the To: Me From: Me trick.

All have a workstation name in the forged received header (except one)
Received: from computer [66.1.188.160] by munged.com with eSMTP; 
        Mon, 3 Nov 2003 19:10:40 -0700
And that workstation name shows up at the end of the message ID:
Message-ID: <[EMAIL PROTECTED]>

They all had HTML titles ;)

The latest ones had empty heads (pun intended!)
<head></head>

And more importantly they ALL had more numbers than letters in their OBFU.
Trying to get past a lot of OBFU rules. Looks like we need a little update
to those:
"4KO79TS427f64R6bc59687J81Sd6269Wx7TIo58wn3564V852B1y6996imIdec"

They all used period OBFU. 

So we have even more we can tag them on. Like I said, these were caught, and
never delivered even without looking for these things. 

--Chris
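
Added example, not part of the original post and not SpamAssassin's own code: a sketch that checks a raw message for five of the traits listed above (the "<...==>" tracking value, the PHP X-Mailer, To equal to From, an empty HTML head, and a long token with more digits than letters). The function names, trait labels, the 20-character minimum and the sample message are assumptions made for illustration; the body token is the one quoted in the post.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr

def digit_heavy_tokens(text, min_len=20):
    """Return long alphanumeric runs that hold more digits than letters."""
    hits = []
    for tok in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, text):
        digits = sum(c.isdigit() for c in tok)
        if digits > len(tok) - digits:
            hits.append(tok)
    return hits

def spam_traits(raw):
    """Return the set of traits from the post that a raw message shows."""
    msg = message_from_string(raw)
    # Join all leaf parts so multipart mail is covered (no transfer decoding).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    traits = set()
    # The header name changes between runs; the "<base64==>" value shape does not.
    if any(re.fullmatch(r"<[A-Za-z0-9+/]+==>", v.strip()) for _, v in msg.items()):
        traits.add("tracking_header")
    if (msg.get("X-Mailer") or "").strip().upper().startswith("PHP"):
        traits.add("php_mailer")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender and sender == parseaddr(msg.get("To", ""))[1].lower():
        traits.add("to_equals_from")
    if re.search(r"<head>\s*</head>", body, re.I):
        traits.add("empty_head")
    if digit_heavy_tokens(body):
        traits.add("digit_heavy_obfu")
    return traits

# Constructed sample: placeholder address, 16 bytes so the base64 pads with "==".
TRACK = base64.b64encode(b"user@example.com").decode()
SAMPLE = (
    "From: user@example.com\n"
    "To: user@example.com\n"
    "Kel-Tracking: <" + TRACK + ">\n"
    "X-Mailer: PHP\n"
    "Subject: constructed sample\n"
    "\n"
    "<html><head></head><body>"
    "4KO79TS427f64R6bc59687J81Sd6269Wx7TIo58wn3564V852B1y6996imIdec"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(sorted(spam_traits(SAMPLE)))
```

Each trait is weak on its own (plenty of legitimate mail comes from PHP scripts), so treat the result as input to a score rather than a verdict.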


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
