Today, I've received a number of spams containing a domain that is listed on 
almost all the SURBL lists.  I've received around 10 of these today, and none 
of them have hit on any of the SURBLs despite the domain being listed.  Here 
is the message:

---  Begin Spam  ---

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (unknown [127.0.0.1])
        by smtp.example.com (Postfix) with ESMTP id 120A626109D1;
        Wed,  4 May 2005 19:56:58 -0600 (MDT)
Received: from smtp.example.com ([127.0.0.1])
 by localhost (smtp.example.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 10856-05; Wed,  4 May 2005 19:56:57 -0600 (MDT)
Received: from ?rediffmail.com (c911beed.bhz.virtua.com.br [201.17.190.237])
        by smtp.example.com (Postfix) with ESMTP id 8DBA526107D0;
        Wed,  4 May 2005 17:57:54 -0600 (MDT)
Reply-To: "Elizabeth" <[EMAIL PROTECTED]>
From: "Elizabeth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Find HOT girls in your area...
Date: Wed, 04 May 2005 19:58:01 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--09-5[5]-3237-7[3]-087[3]"
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by amavisd-new at example.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sa1.example.com
X-Spam-Status: No, score=1.7 required=7.0 tests=BAYES_50,MSGID_FROM_MTA_ID 
        autolearn=no version=3.0.2
X-Spam-Level: *


----09-5[5]-3237-7[3]-087[3]
Content-Type: ;text/plain;
Content-Transfer-Encoding: 7Bit

No playing games, get laid plain n simple.
All discreet , All the pleasure.
See it now below.

http://www.letmeseethelight.com/d/index.html





Nah
http://www.letmeseethelight.com/gone

----09-5[5]-3237-7[3]-087[3]--

--- End Spam ---

If you'll notice, the content type is shown as ";text/plain;".  It seems that 
the semicolons are causing SpamAssassin not to parse the mail properly.  If I 
run the message through SA as-is, it hits on no SURBLs.  However, if I remove 
the semicolons, and run it again, it hits on all the SURBLs.  Needless to say, 
it would seem some sneaky spammer has found another loophole...

Craig

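An added example (not part of the original post, and not SpamAssassin code): a Python check that flags MIME parts whose Content-Type value does not begin with a type/subtype token, as with the ";text/plain;" header above, and still pulls URLs out of those parts so they can reach a URI blocklist lookup. The sample message, its boundary and the example.test URL are constructed, and audit_parts is a hypothetical helper name.

```python
import email
import re

# RFC 2045 token characters; a valid value starts with "type/subtype".
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_VALID_CTYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}\s*(;|$)")
_URL = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample: same malformed part header as the message above,
# with a placeholder boundary and URL.
SAMPLE = (
    "From: sender@example.test\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: ;text/plain;\n"
    "Content-Transfer-Encoding: 7Bit\n"
    "\n"
    "See it now below.\n"
    "http://www.example.test/d/index.html\n"
    "\n"
    "--b1--\n"
)


def audit_parts(raw):
    """Return one record per leaf part: raw header, validity, URLs found."""
    msg = email.message_from_string(raw)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw_ctype = part.get("Content-Type")  # None when the header is absent
        malformed = raw_ctype is not None and not _VALID_CTYPE.match(raw_ctype)
        # Scan the body for URLs regardless of the declared type, so a broken
        # header cannot keep links away from the URI lookup stage.
        payload = part.get_payload(decode=True) or b""
        urls = _URL.findall(payload.decode("latin-1"))
        report.append(
            {"content_type": raw_ctype, "malformed": malformed, "urls": urls}
        )
    return report
```

A part reported with malformed set to True can be scored or logged on its own, independent of whether any of its URLs are listed.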