>...
>At 05:40 PM 12/27/2005, Clay Irving wrote:
>>Here's one that has me a bit confused. I'm receiving mail from spammers
>>and the messages are being scored 30+, but they're also hitting on
>>USER_IN_WHITELIST which pushes the score positive.
>
>
>> Return-Path: <>
>> X-Original-To: [EMAIL PROTECTED]
>> Delivered-To: [EMAIL PROTECTED]
>> Received: by mail.mydomain.com (Postfix, from userid 2331)
>>         id 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
>> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>>         chatter.mydomain.com
>> X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
>>         DATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
>>         RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
>>         RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
>>         RCVD_IN_WHOIS_INVALID,SKX_TO_DBA,USER_IN_WHITELIST autolearn=no
>>         version=3.1.0
>> From: Jodi Santiago <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>>
>>The user isn't in a whitelist, at least that I can find.
>
>Well, finding it is what we need to do. I've never seen a USER_IN_WHITELIST
>FP before..
>...

These are the recent "Return-Path: <>" spams. Most are for male organ enlargement patches or ED drugs. They seem to be Leo or one of his cronies (Pavka/Yambo); very similar HTML pages can be found on many sites labeled "VP-RX". Almost all of the spam is in HTML directly - the past few days have had the domain, jerryfon.com-M as a common target, but others at the same and close IPs have been in use also. Mostly zombie delivery, but with an unusual twist - much of it is coming from Europe (most zombies seem to be, in order, US, Korea then Japan, with the EU behind these three).

Paul Shupak
[EMAIL PROTECTED]

P.S. Make sure you haven't white-listed DSNs - the "Return-Path:" header is forging a DSN.
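
A triage check for the symptom discussed in this thread, as an added example that is not part of the original posts: it parses a folded `X-Spam-Status` header, removes the USER_IN_WHITELIST contribution, and flags mail that would have been classed as spam without it. The function names, the abridged sample message and its placeholder addresses are constructed for illustration, and the -100 whitelist score is assumed to be the stock SpamAssassin value.

```python
import email
import re

# Assumption: stock SpamAssassin score for USER_IN_WHITELIST; a local
# "score" line can override it, so adjust to match your configuration.
WHITELIST_SCORE = -100.0

# Constructed sample, abridged from the headers quoted in the thread; the
# addresses are placeholders because the archive redacted the originals.
SAMPLE = """\
Return-Path: <>
Received: by mail.mydomain.com (Postfix, from userid 2331)
\tid 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
\tDATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RAZOR2_CHECK,
\tRCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_DUL,USER_IN_WHITELIST autolearn=no
\tversion=3.1.0
From: Jodi Santiago <sender@example.invalid>
To: user@example.invalid

body
"""

def parse_spam_status(value):
    """Return (score, required, tests) from an X-Spam-Status value."""
    flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    m = re.search(r"tests=(.*?)(?: autolearn=| version=|$)", flat)
    tests = [t for t in re.split(r"[,\s]+", m.group(1)) if t] if m else []
    return score, required, tests

def audit(raw_message):
    """Flag mail that only passed because USER_IN_WHITELIST fired."""
    msg = email.message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None  # message was never scanned
    score, required, tests = parse_spam_status(status)
    whitelisted = "USER_IN_WHITELIST" in tests
    unmasked = round(score - WHITELIST_SCORE, 1) if whitelisted else score
    return {
        "null_return_path": (msg.get("Return-Path") or "").strip() == "<>",
        "whitelisted": whitelisted,
        "score_without_whitelist": unmasked,
        "masked_spam": whitelisted and unmasked >= required,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Messages reported with both `masked_spam` and `null_return_path` set are the ones to compare against the whitelist entries in the local configuration.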