* Loren Wilton wrote (08/02/07 19:46):
>> As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
>> is base-64 encoded text AND has a Date: header that's missing a proper
>> timezone. Apparently a batch of stock spam went out at some point with
>> both of these abnormal features. I have to admit, it's a pretty rare
>> combination.
>>
>>> Date: February 6, 2007 9:52:29 AM PST
>>
>> That should, properly, should read something like this:
>> Date: Wed, 06 Feb 2007 09:52:29 -0800
>
> Actually LW_STOCK_SPAM4 was written on 02/19/2006, and is looking for a
> Base64 encoded message that has a valid timezone that is specifically
> "\s\+0000", not an invalid time zone.
>
> Internally I have it scored at 5 points and haven't had a problem with it,
> but people don't send me messages from Blackberrys.
>
> I suppose a blackberry might not have a clock so send all messages as though
> they came from London regardless of where they are. That would somewhat
> surprise me, since cell phones certainly know where they are and what time
> it is. But if Verizon is involved then it is certainly possible that the
> software has been deliberately crippled in a number of ways, and creating a
> proper date header might be one of those deliberate malfunctions.
Just to confirm that this unmodified rule does hit some legit blackberry
e-mail, here's an example (apologies for the obfuscation, but I've only
messed with addresses. It's not my e-mail):
Return-path: <someone's address>
Envelope-to: <my wife>
Delivery-date: Wed, 07 Feb 2007 17:21:42 +0000
Received: from smtp02.bis.eu.blackberry.com ([216.9.253.49])
by mail.barcombe.net with esmtp (Exim 4.63)
(envelope-from <the sender>)
id 1HEqUG-0008Ku-IV
for my wife's address; Wed, 07 Feb 2007 17:21:41 +0000
Message-ID:
<[EMAIL PROTECTED]>
Content-Transfer-Encoding: base64
Reply-To: the sender
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Sensitivity: Normal
Importance: Normal
To: "My Wife" <Her address>
Subject: Re: 25th august
From: the sender
Date: Wed, 7 Feb 2007 17:22:58 +0000
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
X-AntiVirus: Clean
X-Spam-Score: 2.1
X-Spam-Level: ++
X-Spam-Report: Barcombe.net spam report: Score = 2.1.
Tests=BAYES_00=-2.599,LW_STOCK_SPAM4=1.66,MIME_BASE64_NO_NAME=0.224,MIME_BASE64_TEXT=1.885,NO_REAL_NAME=0.961
A bit of grepping suggests that LW_STOCK_SPAM4 has hit 5 ham and 3 spam
(all scoring 20+) on that server since about November. So its usefulness
is perhaps questionable. Normal disclaimer applies: this is only one
low-traffic server. I live in the UK which might make the +0000 timezone
more likely.
[Also see the thread "Blackberry email"]
Chris (whose mail from blackberries has all been received OK)
