>>From [EMAIL PROTECTED] Wed May 4 21:21:27 2005
>...
>Date: Wed, 4 May 2005 22:21:11 -0600
>From: Craig Baird <[EMAIL PROTECTED]>
>To: users@spamassassin.apache.org
>Subject: Content type allowing spammers to evade URIBL
>...
>
>Today, I've received a number of spams containing a domain that is listed on
>almost all the SURBL lists. I've received around 10 of these today, and none
>of them have hit on any of the SURBLs despite the domain being listed. Here
>is the message:
>
>--- Begin Spam ---
>
>Return-Path: <[EMAIL PROTECTED]>
>X-Original-To: [EMAIL PROTECTED]
>Delivered-To: [EMAIL PROTECTED]
>Received: from localhost (unknown [127.0.0.1])
>        by smtp.example.com (Postfix) with ESMTP id 120A626109D1;
>        Wed, 4 May 2005 19:56:58 -0600 (MDT)
>Received: from smtp.example.com ([127.0.0.1])
>        by localhost (smtp.example.com [127.0.0.1]) (amavisd-new, port 10024)
>        with ESMTP id 10856-05; Wed, 4 May 2005 19:56:57 -0600 (MDT)
>Received: from ?rediffmail.com (c911beed.bhz.virtua.com.br [201.17.190.237])
>        by smtp.example.com (Postfix) with ESMTP id 8DBA526107D0;
>        Wed, 4 May 2005 17:57:54 -0600 (MDT)
>Reply-To: "Elizabeth" <[EMAIL PROTECTED]>
>From: "Elizabeth" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Find HOT girls in your area...
>Date: Wed, 04 May 2005 19:58:01 -0400
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>        boundary="--09-5[5]-3237-7[3]-087[3]"
>Message-Id: <[EMAIL PROTECTED]>
>X-Virus-Scanned: by amavisd-new at example.com
>X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sa1.example.com
>X-Spam-Status: No, score=1.7 required=7.0 tests=BAYES_50,MSGID_FROM_MTA_ID
>        autolearn=no version=3.0.2
>X-Spam-Level: *
>
>
>----09-5[5]-3237-7[3]-087[3]
>Content-Type: ;text/plain;
>Content-Transfer-Encoding: 7Bit
>
>No playing games, get laid plain n simple.
>All discreet , All the pleasure.
>See it now below.
>
>http://www.letmeseethelight.com/d/index.html
>
>
>
>
>
>Nah
>http://www.letmeseethelight.com/gone
>
>----09-5[5]-3237-7[3]-087[3]--
>
>--- End Spam ---
>
>If you'll notice, the content type is shown as ";text/plain;". It seems that
>the semicolons are causing SpamAssassin not to parse the mail properly. If I
>run the message through SA as-is, it hits on no SURBLs. However, if I remove
>the semicolons, and run it again, it hits on all the SURBLs. Needless to say,
>it would seem some sneaky spammer has found another loophole...
>
>Craig
>
For anyone keeping track, this is multitrade at a "new" address, but using
name servers they already have. Also an invalid registration (report it
to wdprs.internic.net); the telephone number for the registrant and contacts
is disconnected.

Multitrade has gotten quite good at "beating" both SpamCop and SA
recently! (non-matching boundary tags, invalid HTML, non-822 compliant content,
etc.).

Paul Shupak
[EMAIL PROTECTED]
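
An added example, not part of the thread and not SpamAssassin's code: it shows how a part headed `Content-Type: ;text/plain;` can drop out of URI scanning under a strict reading of the header, and how a tolerant reader still scans it and flags the header as malformed. `strict_type`, `tolerant_type`, `scan_part` and the sample part with its placeholder domain are constructed for illustration.

```python
import re

# Constructed sample modelled on the MIME part quoted in the thread;
# spamvertised.example is a placeholder domain.
SAMPLE_PART = (
    "Content-Type: ;text/plain;\r\n"
    "Content-Transfer-Encoding: 7Bit\r\n"
    "\r\n"
    "See it now below.\r\n"
    "http://spamvertised.example/d/index.html\r\n"
)

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TOKEN = r"[a-z0-9!#$&^_.+-]+"
TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}$", re.I)


def strict_type(value):
    """Hypothetical strict reader: the text before the first ';' is the type."""
    return value.split(";", 1)[0].strip().lower(), False


def tolerant_type(value):
    """Return (media_type, malformed). Empty segments are skipped, and anything
    unparseable falls back to text/plain, the RFC 2045 default."""
    segments = [s.strip().lower() for s in value.split(";")]
    malformed = segments[0] == ""            # e.g. the leading ';' seen here
    for seg in segments:
        if TYPE_RE.match(seg):
            return seg, malformed
    return "text/plain", True


def scan_part(part, type_reader):
    """Split one MIME part (no header folding) and collect body URIs when the
    reader classifies it as text/*. Returns (media_type, malformed, uris)."""
    head, _, body = part.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype, malformed = type_reader(headers.get("content-type", "text/plain"))
    uris = URI_RE.findall(body) if ctype.startswith("text/") else []
    return ctype, malformed, uris


if __name__ == "__main__":
    for reader in (strict_type, tolerant_type):
        print(reader.__name__, scan_part(SAMPLE_PART, reader))
```

The `malformed` flag is worth surfacing to the scoring layer as its own signal, since a stray leading semicolon in a Content-Type header is rare in legitimate mail.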