From: Rich Shepard [mailto:[EMAIL PROTECTED]
>
> With your help the amount of spam getting past the various filters in my
> inbox (and that of my fiancee) has dropped dramatically. I appreciate
> learning from all of you.
>
> The past couple of days has seen the arrival of a new mutant species of
> spam: the empty message with a Windows .exe attachment that is base64
> encoded. SpamAssassin is giving them scores of 0.0. I have a postfix filter
> checking for exposed .exe attachments, but nothing seems to catch these
> guys. To add insult to injury, I have a postfix body check for '/Empty or
> malformed message/' that did nothing when the original message came in, but
> prevented me from sending it on to the list here. :-(
>
> Below are the headers from one example, with the uucoded part removed. If
> I tell pine to look at the attachments, and start to save it, the name comes
> up with a .exe extension. If anyone has suggestions on how to identify and
> reject this format, please share them with me.

Also, I get these rules fired by-passing amavisd's blocking functions:

 0.7 FH_HOST_EQ_D_D_D_D     Host starts with d-d-d-d
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 1.4 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [112.140.35.193 listed in combined-HIB.dnsiplists.completewhois.com]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [82.247.67.3 listed in combined.njabl.org]
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [82.247.67.3 listed in zen.spamhaus.org]
 2.0 FM_DDDD_TIMES_2        Dual helo + host eq d_d_d_d

Did you get the latest ruleset and network tests on?

Cheers,
Giampaolo

> Rich
>
> --
> Richard B. Shepard, Ph.D.              |    The Environmental Permitting
> Applied Ecosystem Services, Inc.       |            Accelerator(TM)
> <http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863
> ===========================================================================
>
> From [EMAIL PROTECTED] Sun Jan 28 04:31:09 2007
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: by salmo.appl-ecosys.com (Postfix, from userid 1006)
>         id E6FC7DE; Sun, 28 Jan 2007 04:31:08 -0800 (PST)
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
>         salmo.appl-ecosys.com
> X-Spam-Level:
> X-Spam-Status: No, score=0.0 required=4.0 tests=BAYES_50 autolearn=no
>         version=3.1.7
> Received: from abjn32.neoplus.adsl.tpnet.pl (abjn32.neoplus.adsl.tpnet.pl [83.7.155.32])
>         by salmo.appl-ecosys.com (Postfix) with SMTP id 210A258
>         for <[EMAIL PROTECTED]>; Sun, 28 Jan 2007 04:29:55 -0800 (PST)
> Received: from egvvx ([116.82.221.212])
>         by abjn32.neoplus.adsl.tpnet.pl (8.13.4/8.13.4) with SMTP id l0SCY7oD053228;
>         Sun, 28 Jan 2007 13:34:07 +0100
> Message-ID: <[EMAIL PROTECTED]>
> Date: Sun, 28 Jan 2007 13:29:22 +0100
> From: Dooley Dinah <[EMAIL PROTECTED]>
> User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
> MIME-Version: 1.0
> To: [EMAIL PROTECTED]
> Subject: Love at First Sight
> Content-Type: multipart/related;
>  boundary="------------010904090903010104020004"
>
>
> [ Empty or malformed message. Displaying raw text. ]
>
> --------------010904090903010104020004
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
>
> --------------010904090903010104020004
> Content-Type: application/x-msdownload;
>  name="flash postcard.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: inline;
>  filename="flash postcard.exe"
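An added illustration, not part of the thread and not code from Rich, Giampaolo or any of the tools named, of where a base64-encoded .exe can actually be caught: a body pattern sees only the encoded text, so the check has to look at the MIME part headers (the name= and filename= parameters of Content-Type and Content-Disposition, which is what Postfix's mime_header_checks table inspects) and, for a relabelled payload, at the decoded bytes. The sender and recipient addresses, the base64 payload and the extension/type lists are constructed stand-ins; the MIME layout and boundary are copied from the quoted spam.

```python
"""Flag MIME parts that carry a Windows executable, even when base64-encoded."""
import base64
import email
from email import policy

# Illustrative lists (an assumption, not a complete policy): extensions Windows
# runs directly and the MIME types mailers use to label them.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def classify_part(part):
    """Return (filename, reasons) for one leaf part; an empty list means clean."""
    reasons = []
    ctype = part.get_content_type()
    # get_filename() reads Content-Disposition filename=, then Content-Type name=
    filename = part.get_filename() or ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ctype in BLOCKED_MIME_TYPES:
        reasons.append("declared type " + ctype)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("filename extension ." + ext)
    # decode=True undoes base64/quoted-printable, so a content signature can be
    # checked on the real bytes rather than on the encoded text.
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(b"MZ"):
        reasons.append("decoded payload starts with MZ (PE/DOS header)")
    return filename, reasons


def find_executable_parts(raw_message):
    """Walk every leaf MIME part and collect the ones classify_part flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename, reasons = classify_part(part)
        if reasons:
            hits.append((filename, reasons))
    return hits


def verdict(raw_message):
    return "REJECT" if find_executable_parts(raw_message) else "OK"


def build_message(parts):
    """Assemble a multipart/related message from (header_lines, body) tuples,
    using the boundary string of the quoted spam; addresses are constructed."""
    boundary = "------------010904090903010104020004"
    lines = [
        "From: Dooley Dinah <sender@example.invalid>",
        "To: recipient@example.invalid",
        "Subject: Love at First Sight",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/related; boundary="{boundary}"',
        "",
    ]
    for headers, body in parts:
        lines.append("--" + boundary)
        lines.extend(headers)
        lines.append("")
        lines.append(body)
    lines.append("--" + boundary + "--")
    return "\n".join(lines) + "\n"


# Constructed stand-in for the attachment: 64 bytes beginning with the DOS "MZ"
# magic, base64-encoded just as the spam's Content-Transfer-Encoding says.
FAKE_EXE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode("ascii")

EMPTY_TEXT_PART = (
    ["Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
     "Content-Transfer-Encoding: 7bit"],
    "",
)

# 1. The layout quoted in the thread: empty text part plus an inline .exe.
POSTCARD_SPAM = build_message([
    EMPTY_TEXT_PART,
    (["Content-Type: application/x-msdownload;",
      ' name="flash postcard.exe"',
      "Content-Transfer-Encoding: base64",
      "Content-Disposition: inline;",
      ' filename="flash postcard.exe"'],
     FAKE_EXE_B64),
])

# 2. Same bytes relabelled with a harmless type and name: only the magic check fires.
DISGUISED = build_message([
    EMPTY_TEXT_PART,
    (["Content-Type: application/octet-stream;",
      ' name="postcard.txt"',
      "Content-Transfer-Encoding: base64"],
     FAKE_EXE_B64),
])

# 3. An ordinary base64 attachment that must pass.
BENIGN = build_message([
    (["Content-Type: text/plain; charset=ISO-8859-1",
      "Content-Transfer-Encoding: 7bit"],
     "Hello, report attached."),
    (["Content-Type: text/csv;",
      ' name="report.csv"',
      "Content-Transfer-Encoding: base64",
      'Content-Disposition: attachment; filename="report.csv"'],
     base64.b64encode(b"a,b\n1,2\n").decode("ascii")),
])

if __name__ == "__main__":
    for label, raw in (("postcard", POSTCARD_SPAM), ("disguised", DISGUISED), ("benign", BENIGN)):
        print(label, verdict(raw), find_executable_parts(raw))
```

The first two checks are what a Postfix mime_header_checks rule such as `/name=[^>]*\.(exe|scr|pif)/ REJECT` expresses; the third needs a content filter that decodes the part, which is the gap a plain body_checks pattern cannot close because it only ever sees the base64 text.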