Hello.

From: "John Fleming" <[EMAIL PROTECTED]>
Subject: hey john spam
Date: Fri, 27 Jan 2006 19:48:03 -0500

> This is a new one for me.  Today I've received some mail with "hey john" in 
> the subject, and the mail otherwise appears blank.  It didn't contain a 
> virus, or it would've been discarded by ClamAV.
> 
> Are these familiar to you guys?  What's the point of them?  Headers of one 
> below:  Thanks!  - John
> 
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from ln (unknown [217.96.67.109])
>  by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
>  for <[EMAIL PROTECTED]>; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
> Message-ID: <[EMAIL PROTECTED]>
> From: "Medeiros Pablo" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: hey john
> Date:   Fri, 27 Jan 2006 22:58:47 -0800
> MIME-Version: 1.0
> Content-Type: multipart/related;
>  type="multipart/alternative";
>  boundary="----=_NextPart_000_000E_01C62395.3B540860"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> X-Virus-Status: No
> X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
> ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254
> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
> X-Spam-Level: **
> X-Spam-Status: No, score=2.3 required=5.0 
> tests=BAYES_60,DATE_IN_FUTURE_06_12
>  autolearn=no version=3.0.3
> Status:
> X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]
> 
> 

I received 2 similar spams.
Then I wrote the rules below:

#---
full MULTIPART_EMPTY /(\r|\n){2}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: multipart\/alternative\;(\r|\n)\tboundary=\"\-{4}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}\"(\r|\n){2,}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: text\/plain\;(\r|\n)\tcharset=\"Windows-1252\"(\r|\n)Content-Transfer-Encoding: quoted-printable(\r|\n){2,}/

meta MULTIEMPTY99 MULTIPART_EMPTY && BAYES_99
score MULTIEMPTY99 5.0

meta MULTIEMPTYFUTURE DATE_IN_FUTURE_06_12 && MULTIPART_EMPTY
score MULTIEMPTYFUTURE 3.5
#---
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
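
An added example, not part of the original post: a Python check of the `MULTIPART_EMPTY` pattern against constructed messages, showing that it keys on the part structure (it still hits when text follows the part headers) and that `\d{4}` does not match a boundary counter such as `000E`. The message builder, the function names and every boundary value other than the one in the quoted header are assumptions.

```python
import re

# Regex body of the MULTIPART_EMPTY rule from the post, joined onto one logical
# line. SpamAssassin compiles it as Perl; the same pattern is valid for re.
MULTIPART_EMPTY = re.compile(
    r'(\r|\n){2}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)'
    r'Content\-Type: multipart\/alternative\;(\r|\n)'
    r'\tboundary=\"\-{4}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}\"(\r|\n){2,}'
    r'\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)'
    r'Content\-Type: text\/plain\;(\r|\n)'
    r'\tcharset=\"Windows-1252\"(\r|\n)'
    r'Content-Transfer-Encoding: quoted-printable(\r|\n){2,}'
)

DIGITS_OUTER = "----=_NextPart_000_0001_01C62395.3B540860"  # constructed
HEX_OUTER = "----=_NextPart_000_000E_01C62395.3B540860"  # from the quoted header
INNER = "----=_NextPart_001_0002_01C62395.3B540860"  # constructed


def build_message(outer, inner=INNER, text=""):
    """Constructed Outlook-Express-style message with LF line endings."""
    return (
        "Subject: hey john\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/related;\n"
        '\ttype="multipart/alternative";\n'
        f'\tboundary="{outer}"\n'
        "\n"
        f"--{outer}\n"
        "Content-Type: multipart/alternative;\n"
        f'\tboundary="{inner}"\n'
        "\n"
        f"--{inner}\n"
        "Content-Type: text/plain;\n"
        '\tcharset="Windows-1252"\n'
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
        f"{text}\n"
        f"--{inner}--\n"
        "\n"
        f"--{outer}--\n"
    )


def rule_hits(raw):
    """True when the MULTIPART_EMPTY pattern matches the raw message."""
    return MULTIPART_EMPTY.search(raw) is not None
```
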
