15.10.2009 18:38, Jason Haar wrote:
I just received what appeared to be a standard "certain north american
country" pharma spam that went straight by rules I have that normally
catch it. Within Thunderbird (and any other HTML-capable MUA) it's
blatantly shouting its wares.  Clever usage of SPANs appears to enable it
to sneak straight by SA.

http://pastebin.com/m56d2db96

Is this something SA normally has components in place to catch/parse?



Spam detection software, running on the system
"wellington.fredriksson.dy.fi", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  All customers know that �Can cfl adia gp nPha
tgj rmacy�
   online dru kjw gstore is the cheapest place to buy me co dica iih
tions online.
   Now it is confirmed by the results of survey taken by the Independent He
  lxq alth Orga cqp nization. [...]

Content analysis details:   (20.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [79.163.117.156 listed in bb.barracudacentral.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.163.117.156 listed in zen.spamhaus.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [79.163.117.156 listed in hostkarma.junkemailfilter.com]
 0.0 PRICES_ARE_AFFORDABLE  BODY: Message says that prices aren't too
                            expensive
 0.3 KHOP_HELO_FCRDNS       Relay HELO differs from its IP's reverse DNS
 1.2 KHOP_2IPS_RCVD         Received: Relay identifies itself as wrong IP
 6.0 L_TAB_IN_FROM          L_TAB_IN_FROM
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=79.163.117.156,rdns=public30108.xdsl.centertel.pl,maildomain=ooshop.com,client,ipinhostname,clientwords]
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9231]
 1.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


--
http://www.iki.fi/jarif/
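
An added example, not part of the thread and not SpamAssassin's own code: it compares the text a plain tag stripper extracts from an HTML part with the text a rendering mail client displays, which is the gap the question describes. It assumes the filler letters sit in SPANs hidden by inline CSS (the thread does not say which properties were used); `TextViews`, `analyse` and `HIDDEN` are hypothetical names and the sample is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: filler text is hidden with inline CSS; the thread does not say which properties.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # elements with no closing tag

class TextViews(HTMLParser):
    """Collect body text as a tag stripper sees it and as a renderer displays it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hidden = []              # one flag per open element, inherited from the parent
        self.raw, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.hidden[-1] if self.hidden else False
        self.hidden.append(inherited or bool(HIDDEN.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden:
            self.hidden.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if not (self.hidden and self.hidden[-1]):
            self.visible.append(data)

def analyse(html):
    """Return (stripped text, rendered text, share of characters that are never displayed)."""
    p = TextViews()
    p.feed(html)
    p.close()
    raw = " ".join("".join(p.raw).split())
    visible = " ".join("".join(p.visible).split())
    ratio = 1 - len(visible) / len(raw) if raw else 0.0
    return raw, visible, ratio

# Constructed sample, not the message from the pastebin link.
SAMPLE = ('<p>che<span style="display:none"> kjw </span>ap on'
          '<span style="font-size:0px"> lxq </span>line st'
          '<span style="DISPLAY: none"> iih </span>ore</p>')

if __name__ == "__main__":
    raw, visible, ratio = analyse(SAMPLE)
    print("stripped:", raw)
    print("rendered:", visible)
    print("hidden share: %.0f%%" % (ratio * 100))
```

A keyword rule run against the stripped text misses words that only exist in the rendered text, and a high hidden share is itself a usable signal for a local rule.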
