I've been getting a particular spam repeatedly that manages to slip through
SA virtually every time - I've posted most of it (edited for
inoffensiveness, and to munge the URLs so he doesn't get hits) here along
with the SA analysis:

(begin spam)
Received: (qmail 5167 invoked by alias); 14 Nov 2003 06:27:39 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 5164 invoked from network); 14 Nov 2003 06:27:38 -0000
Received: from el-4-mx-15.relia-network.net (HELO mail.ilinear.com)
(216.190.159.15)
  by booboo.janeshouse.com (192.168.0.6) with ESMTP; 14 Nov 2003 06:27:38
-0000
Received: by mail.ilinear.com; Thu, 13 Nov 2003 23:26:51 -0700
(envelope-from <[EMAIL PROTECTED]>)
Content-Type: multipart/alternative; boundary="----=_Y7ndKJ9s_pls8YRsc_D"
Subject: Tomorrow
MIME-Version: 1.0
From: "Mark" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Thu, 13 Nov 2003 23:26:51 -0700
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
    booboo.janeshouse.com
X-Spam-Status: No, hits=1.4 required=4.5 tests=HTML_FONTCOLOR_UNKNOWN,
    HTML_FONT_INVISIBLE,HTML_MESSAGE,MIME_HTML_NO_CHARSET autolearn=no
    version=2.60
X-Spam-Level: *


------=_Y7ndKJ9s_pls8YRsc_D
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

Exc1us1ve v1de0s of (-deleted-):
httx://el4.inumberone.com/m/c/368663/1007/1125

Push th1s to st0p your future newz:
httx://el4.inumberone.com/m/[EMAIL PROTECTED]

------=_Y7ndKJ9s_pls8YRsc_D
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<HTML>
<body><!-- magenta --><CENTER><!-- cappucino -->
<img src="httx://el4.inumberone.com/m/v/368663/1007/mustang.jpg">
<!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino --><!--
cappucino --><!-- cappucino --><a
href="httx://el4.inumberone.com/m/c/368663/1007/1125" target="_blank">
<!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino --><!--
cappucino -->
<center><img src="httx://el4.inumberone.com/tours/tb/bcws/bcws1.jpg"
width="641" height="435" border="0"></center>
<!-- cappucino --></a><!-- cappucino --><!-- cappucino -->
<p><!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino -->
<!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino -->
<!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino -->
<a href="httx://el4.inumberone.com/m/[EMAIL PROTECTED]">
<!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino -->
<!-- cappucino --><!-- cappucino --><!-- cappucino -->
<img src="httx://el4.inumberone.com/tours/rm4.gif" width="453" height="47"
border="0">
<!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino --><!--
cappucino --></a>
</p><!-- cappucino --><!-- cappucino --><!-- cappucino --><!-- cappucino
--><!-- cappucino -->
<FONT SIZE=1 COLOR="white">

(inserted here was a two-paragraph news story about the Beltway Sniper case)

</FONT>
</CENTER></body></HTML>

------=_Y7ndKJ9s_pls8YRsc_D--
(end spam)

Now, I'm a newbie when it comes to actually trying to figure out how to
make SA better, but I see at least one test that could be created/used here:
the username that the spammer uses is identical to the victim username, just
from a different domain.  That's rare enough that it would likely be a
spammer signature.  It also didn't pick up that my e-mail address is
embedded in the body.

I wouldn't rule out that I've done something wrong with SA for it to miss
these (I get about 2-3 similar ones per week), but it does capture the vast
bulk of my spam successfully.

-- 
-  Josh Turiel                                       [EMAIL PROTECTED]
I have an existentialist map.  It has "you are here" written all over it.
-Steven Wright



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
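
The two checks proposed in the post above (sender username equal to the recipient username under a different domain, and the recipient address embedded in a body URL), sketched as an added example that is not part of the original post and is not SpamAssassin code. The heuristic names, addresses and hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the message above; all addresses/hosts are placeholders.
SAMPLE = """\
From: "Mark" <jdoe@sender.example>
To: jdoe@victim.example
Subject: Tomorrow
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Stop future mail: http://host.example/m/u/jdoe@victim.example
--b1
Content-Type: text/html

<a href="http://host.example/m/u/jdoe%40victim.example">stop</a>
--b1--
"""

def split_addr(header_value):
    """Return (localpart, domain), lower-cased, from a From/To header value."""
    addr = parseaddr(header_value or "")[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain

def check_message(raw):
    """Return the set of (hypothetical) heuristic names that fire on a raw message."""
    msg = message_from_string(raw)
    from_local, from_dom = split_addr(msg["From"])
    to_local, to_dom = split_addr(msg["To"])
    hits = set()
    # Heuristic 1: sender reuses the recipient's username under another domain.
    if from_local and from_local == to_local and from_dom != to_dom:
        hits.add("FROM_LOCALPART_EQ_TO")
    # Heuristic 2: recipient address (raw or %40-encoded) inside a URL in a text part.
    if to_local and to_dom:
        rcpt = re.escape(to_local) + r"(?:@|%40)" + re.escape(to_dom)
        url_with_rcpt = re.compile(r"https?://[^\s\"'<>]*" + rcpt, re.I)
        for part in msg.walk():
            if part.get_content_maintype() == "text":
                body = part.get_payload(decode=True).decode("latin-1")
                if url_with_rcpt.search(body):
                    hits.add("RCPT_ADDR_IN_URL")
    return hits
```

Legitimate mail can trip either check on its own (a mailing list's per-subscriber unsubscribe link carries the recipient address, for instance), so they suit a small score contribution rather than an outright block.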
