On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote: > Today, I've received a number of spams containing a domain that is listed on > almost all the SURBL lists. I've recieved around 10 of these today, and none > of them have hit on any of the SURBLs despite the domain being listed. Here > is the message:
> --- Begin Spam --- > Return-Path: <[EMAIL PROTECTED]> > X-Original-To: [EMAIL PROTECTED] > Delivered-To: [EMAIL PROTECTED] > Received: from localhost (unknown [127.0.0.1]) > by smtp.example.com (Postfix) with ESMTP id 120A626109D1; > Wed, 4 May 2005 19:56:58 -0600 (MDT) > Received: from smtp.example.com ([127.0.0.1]) > by localhost (smtp.example.com [127.0.0.1]) (amavisd-new, port 10024) > with ESMTP id 10856-05; Wed, 4 May 2005 19:56:57 -0600 (MDT) > Received: from ?rediffmail.com (c911beed.bhz.virtua.com.br [201.17.190.237]) > by smtp.example.com (Postfix) with ESMTP id 8DBA526107D0; > Wed, 4 May 2005 17:57:54 -0600 (MDT) > Reply-To: "Elizabeth" <[EMAIL PROTECTED]> > From: "Elizabeth" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Subject: Find HOT girls in your area... > Date: Wed, 04 May 2005 19:58:01 -0400 > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="--09-5[5]-3237-7[3]-087[3]" > Message-Id: <[EMAIL PROTECTED]> > X-Virus-Scanned: by amavisd-new at example.com > X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sa1.example.com > X-Spam-Status: No, score=1.7 required=7.0 tests=BAYES_50,MSGID_FROM_MTA_ID > autolearn=no version=3.0.2 > X-Spam-Level: * > ----09-5[5]-3237-7[3]-087[3] > Content-Type: ;text/plain; > Content-Transfer-Encoding: 7Bit > No playing games, get laid plain n simple. > All discreet , All the pleasure. > See it now below. > http://www.letmeseethelight.com/d/index.html > Nah > http://www.letmeseethelight.com/gone > ----09-5[5]-3237-7[3]-087[3]-- > --- End Spam --- > If you'll notice, the content type is shown as ";text/plain;". It seems that > the semicolons are causing Spamassassin not to parse the mail properly. If I > run the message through SA as-is, it hits on no SURBLs. However, if I remove > the semicolons, and run it again, it hits on all the SURBLs. Needless to > say, > it would seem some sneaky spammer has found another loophole... > Craig SA devs, should this get a bugzilla? Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
