My users have been getting particularly insidious emails containing a
Windows virus that purports to come from the system administrator.
One email header contains the following entry:
Received: from motorcityinteractive.com
    (pcp09017048pcs.watrfd01.mi.comcast.net [69.244.154.112])
    by mail.tqis.com (8.11.6/8.11.6) with ESMTP id j5AMQTR17538
    for <[EMAIL PROTECTED]>; Fri, 10 Jun 2005 18:26:29 -0400
The host name in this line (motorcityinteractive) is obviously forged, but
not detected by SpamAssassin. Here is SpamAssassin's report on the email:
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [69.244.154.112 listed in dnsbl.sorbs.net]
 0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
I would expect this test would be part of the distributed SpamAssassin
configuration files. Can anybody recommend an approach other than
reinventing the wheel?
-Jim
------- End of Forwarded Message -------
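
The check asked about above, comparing the client-supplied HELO name in a Received line with the reverse-DNS name the receiving server recorded, can be illustrated as follows. This is an added example, not part of the original post and not SpamAssassin code; the function names, the finding labels, and the two-label domain comparison are assumptions made for the illustration.

```python
import ipaddress
import re

# Sendmail-style trace field: from <HELO> (<rDNS> [<IP>]) by <host> ...
# <HELO> is whatever the client claimed; <rDNS> and <IP> were recorded by the receiver.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]")

# Header from the post above; the folding whitespace is restored here (constructed).
SAMPLE = (
    "Received: from motorcityinteractive.com\n"
    "\t(pcp09017048pcs.watrfd01.mi.comcast.net [69.244.154.112])\n"
    "\tby mail.tqis.com (8.11.6/8.11.6) with ESMTP id j5AMQTR17538\n"
    "\tfor <[EMAIL PROTECTED]>; Fri, 10 Jun 2005 18:26:29 -0400\n")

def parse_received(header):
    """Unfold the header and return its helo/rdns/ip fields, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    m = RECEIVED_RE.search(unfolded)
    return m.groupdict() if m else None

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False

def org_domain(name):
    # Assumption: the last two labels approximate the registered domain.
    # A production check would use the Public Suffix List instead.
    return ".".join(name.split(".")[-2:])

def helo_findings(header):
    """Return hypothetical finding labels for one Received header."""
    rec = parse_received(header)
    if rec is None:
        return ["unparsed"]
    findings = []
    helo = rec["helo"].lower().rstrip(".")
    rdns = (rec["rdns"] or "").lower().rstrip(".")
    if is_ip_literal(helo):
        findings.append("helo_is_ip_literal")
    elif "." not in helo:
        findings.append("helo_not_fqdn")
    if not rdns:
        findings.append("no_rdns")
    elif not is_ip_literal(helo) and org_domain(helo) != org_domain(rdns):
        findings.append("helo_rdns_mismatch")
    return findings
```

A HELO name that differs from the reverse-DNS name also occurs in legitimate mail, so a finding like this is better treated as one scoring input alongside the other rules in the report than as proof of forgery.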