>...
>
>I was surprised to get an email with a list of drugs that scored
>relatively little on SA.
>Apparently, the spammer cleverly divided all the words into pairs of
>letters and placed each pair in the proper table cell just so that the it
>all appear right (all the drug names next to their prices).
>
>I also run all the network checks, but 24 hours ago when that message
>arrived, the URL it referred to (inspectioflig.com) was only listed in
>one place (URIBL_WS_SURBL). I checked it now and it appears in others
>as well.
>It also scored from Razor2 but all in all it penetrated my SA well
>below my threshold.
>
>It would be very difficult to write rules that would detect spam
>disguised like this in an HTML table.
>Any comment?
>
>--
>Ilan Aisic
>Registered Linux User 8124 http://counter.li.org
>
inspectioflig. com == Leo Kuvayev
Registration is fraudulent - Orhan Holdings is an auto parts
manufacturer with a plant at the address in Turkey and the email account
is invalid.
Leo is good at analysing SA for loopholes - seemingly more than
half the time people complain about some "new" obfuscation trick, it is
him (e.g. various redirector tricks, characters that fooled the SA and
Spamcop parsers, obfuscations that avoid the standard and SARE rules, etc.).
Just look at the Spamhaus listings for him (and they are running
far behind, both many new listings haven't been moved to his page, and
he copies the style of other spammers, so often the wrong spammer is
blamed).
Paul Shupak
[EMAIL PROTECTED]
