Re: Rule Advice

2005-07-15 Thread dennis
On Jul 15, 2005, at 3:19 PM, Loren Wilton wrote:

> > If that username starts with six digits, it hits that rule, as shown in
> > Loren's example.
> >
> > Ah, here is the From header:
> >
> > From: 360° Skin Care <[EMAIL PROTECTED]>
> >
> > Not 6 digits, but maybe the degree symbol is contributing. I'll advise
> > not to start the username with 360°.
>
> No, you misunderstood again.  The part the rule is hitting on is the ""
> in the above example line.  Since the rule hit, I'm assuming this wasn't
> really "" in the original mail, but more like "10001monkeys" or the like.

Nope. It's a four letter name, like FRED. It didn't seem to be relevant to
include the real full email address. Please let me know if you need it.

This is also why I asked if you were referring to the Message-Id header
since that is the only address that starts with six digits.

I'm not sure what I keep misunderstanding. Can you elaborate?

Re: Fedora changed SpamAssassin default level to 7?

2005-07-15 Thread David Brodbeck
Kelson wrote:
> Ah, yes, the classic "I hate X, but I'd rather rant about it on my front
> porch than tell the people who can actually do something about it"
> stance.

Eh...I can sort of see both sides.  I hate projects that hide behind
Bugzilla, which has quite possibly the worst user interface I've ever
seen on a web-based application.  I have no experience with Fedora's
Bugzilla, but my experience with other projects is that Bugzilla also
seems to create a tendency to mark similar but unrelated bugs as
duplicates just to get rid of them.  "File it in Bugzilla" all too often
seems to be a quick way of saying "stop bugging us, we don't want to fix
it."


Re[2]: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Robert Menschel
Hello Matt, Dr. Young,

Friday, July 15, 2005, 10:40:03 AM, you wrote:

MK> Dr Robert Young wrote:
>> .
>> {whatever}

MK> Those should both trip  HTML_FONT_SIZE_TINY.
MK> Unfortunately, that's a low scoring rule due to some FPs and limited number of
MK> spam hits in the 3.0 corpus. The FPs may or may not be corpus pollution based.
MK> *shrug*

They also hit slightly different rules (also with low scores, because
of ham hits), in 70_sare_html3.cf

>> inserting "" in the middle of "key words"

MK> HTML tags are completely stripped before normal "body" rules are run, so this
MK> trick, or any other trick based on inserting tags, has no effect on SA at all.
MK> Only rawbody or full rules could be affected.

Except that SA does include some rawbody rules.  And here too, SARE
html rules will flag the match.

MK> The stripping doesn't work with the font-size trick, as SA's body rules will see
MK> "VIwhateverAGRA"  for "VAwhateverAGRA".

Bob Menschel





Re: I am NOT a spammer

2005-07-15 Thread David Brodbeck
Don Levey wrote:
> 1) Segregate dynamic IPs into one netblock, static IPs into another.

I think as we get closer and closer to running out of IPv4 addresses,
this is going to get less and less common.  A lot of places can no
longer afford to have IPs sitting around unused because of subnetting.


Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Loren Wilton
> Forcing the negative-scoring rules to run first causes SA to have to scan the
> whole body twice, (once for the negatives, then once for the positives) which
> nullifies the speed benefits. If SA did a pass-per-rule you could sort the
> passes and speed it up, but AFAIK SA does the body rules in parallel.

The first part isn't really true as worded/implied.  It has to scan as much
as it needs of the body for every rule, regardless of the order.

What SA is doing currently is wrapping each rule RE into a procedure and
emitting the equivalent of a file with all of those procedures and then
compiling it.  (Actually using a text string and an eval, of course).  After
all the rule procedures of a given type (body, rawbody, etc) it emits one
more procedure.  This procedure just consists of a bunch of lines to call
the other procedures.  Finally SA calls that one procedure, which runs all
of the rules.

Loren
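A toy model of the compile step Loren describes, added here as an example: one procedure is generated per rule, one driver procedure calls them all, and the whole thing is emitted as source text and then compiled. This is not SpamAssassin's code (SA does this in Perl with an eval); the rule table and the rule-name check are constructed for the example.

```python
import re

# Rule names become function names in the generated source, so they are
# validated before any code is emitted (constructed safeguard, not SA's).
NAME_RE = re.compile(r"^[A-Za-z_]\w*$")

# Constructed rule table: rule name -> regex source, standing in for the
# body rules SA would have read from its .cf files.
BODY_RULES = {
    "DRUG_VIAGRA": r"\bviagra\b",
    "URGENT_WORD": r"\burgent\b",
    "LONG_DIGITS": r"\d{9,}",
}


def generate_source(rules: dict) -> str:
    """Emit one procedure per rule, then a driver that calls each in turn."""
    lines = ["import re", ""]
    for name, pattern in rules.items():
        if not NAME_RE.match(name):
            raise ValueError(f"refusing to generate code for rule name {name!r}")
        lines += [
            f"_RE_{name} = re.compile({pattern!r}, re.I)",
            f"def rule_{name}(text):",
            f"    return _RE_{name}.search(text) is not None",
            "",
        ]
    # The "one more procedure": a list of calls to the per-rule procedures.
    lines.append("def run_body_rules(text):")
    lines.append("    hits = []")
    for name in rules:
        lines.append(f"    if rule_{name}(text):")
        lines.append(f"        hits.append({name!r})")
    lines.append("    return hits")
    return "\n".join(lines) + "\n"


def compile_rules(rules: dict):
    """Compile the generated source once and hand back the driver procedure."""
    namespace = {}
    exec(compile(generate_source(rules), "<generated-rules>", "exec"), namespace)
    return namespace["run_body_rules"]


if __name__ == "__main__":
    run_body_rules = compile_rules(BODY_RULES)
    print(run_body_rules("URGENT: buy viagra now"))
```

The generated driver is what gets called per message; the regex compilation cost is paid once at generation time, which is the point of Loren's description.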



Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Loren Wilton
> I have a " font size=+0" & "font size=1"  sample, and from what I can

"font size=+0" and "font size=0" are not the same thing.  The first one sets
a relative font size.  In this case it is an unchanged relative value, which
is pretty stupid and useless, but certainly not illegal.  The font would be
the same size as it was previously. The second one makes a very small font,
which should be caught.

Loren



Re: Rule Advice

2005-07-15 Thread Loren Wilton
> If that username starts with six digits, it hits that rule, as shown
> in Loren's example.
>
> Ah, here is the From header:
>
> From: 360° Skin Care <[EMAIL PROTECTED]>
>
> Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
> to start the username with 360°.

No, you misunderstood again.  The part the rule is hitting on is the ""
in the above example line.  Since the rule hit, I'm assuming this wasn't
really "" in the original mail, but more like "10001monkeys" or the
like.

Loren



Re: Penny stocks, microcaps, etc.

2005-07-15 Thread Loren Wilton
> The spams I've seen contain a LARGE disclaimer, with granted a FEW
> typos. Does any of this help anyones rules?

Yes, that is a good source for rules.  Some of the SARE rules for this are
based on some rules I wrote, and they were looking for interesting phrases
and spellings in that disclaimer.

Loren



Re: this receive line only in spam

2005-07-15 Thread Kai Schaetzl
Chris Santerre wrote on Fri, 15 Jul 2005 14:24:55 -0400:

> I played too much PSP and it has affected my brain pod :)

Well, have a nice weekend with or without the PSP :-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: rawbody or body

2005-07-15 Thread Matt Kettler

Tim Macrina wrote:

> Can anyone explain to me what the difference is between rawbody and
> body when writing spamassassin rules.



Theo, etc explained the difference between rawbody and body quite well. I won't 
re-iterate that.


> I am currently using body for
> most of my body rules but I did find one that was not working. I was
> looking for a specific html tag and it did not work but when I changed
> it to rawbody it worked. can I/should I change all my rules to use
> rawbody.

Theo also answered this, but I wanted to clarify a bit:

No you should not change all your rules to rawbody. They'll appear to work if 
you change them to rawbody, but any HTML tag insertion obfuscations will prevent 
your rules from matching their desired text. That's not a good thing as it's a 
popular trick for spammers. Things like: "VIAGRA" will not bother 
a body rule, but a rawbody rule will be tricked by the insertion.



Only use rawbody when you want to examine HTML tags or line-break placement.

Body is for general-purpose body text checks.

full is best left for advanced tricks (qp encoding checks, etc.)





Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Matt Kettler

Dr Robert Young wrote:
> I have a " font size=+0" & "font size=1"  sample, and from what I can
> tell in the report, this rule is not being hit. But I thought there were
> some "small font" rules included. Hence ( at least in part) my question.
>
> Being fairly new to SA, does it go through "each and every" rule and
> test listed , on each email?


Short of SA crashing, yes. All tests that are enabled are run, every time. No 
bailouts.


There's been some proposals to add the optional ability for a black or 
whitelisted message to bail out of the tests early, but AFAIK that's not been 
done yet, and even if it is it would be a "post 3.1.0" feature, possibly 3.2.0.



And before you or someone asks, as someone always does, no SA can't bail out as 
soon as it hits the spam tag threshold. SA supported that feature a LONG time 
ago (SA 2.20?) and it caused FPs because it bailed out before the 
negative-scoring rules ran.


Forcing the negative-scoring rules to run first causes SA to have to scan the 
whole body twice, (once for the negatives, then once for the positives) which 
nullifies the speed benefits. If SA did a pass-per-rule you could sort the 
passes and speed it up, but AFAIK SA does the body rules in parallel.


However, bailing out on a white/blacklist doesn't suffer from risk of FP/FNs.. 
you can work out the black/whitelists during the header pass and decide to bail 
before the body scan. The body rules are unlikely to overwhelm the 
black/whitelist, and if you are relying on that behavior you can always not use 
the bail-out.


Re: rawbody or body

2005-07-15 Thread Bill Landry
- Original Message - 
From: "Tim Macrina" <[EMAIL PROTECTED]>



> Can anyone explain to me what the difference is between rawbody and
> body when writing spamassassin rules. I am currently using body for
> most of my body rules but I did find one that was not working. I was
> looking for a specific html tag and it did not work but when I changed
> it to rawbody it worked. can I/should I change all my rules to use
> rawbody. Thank you


See: 
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings 
for a complete description of the two.


Bill 



Re: rawbody or body

2005-07-15 Thread Theo Van Dinter
On Fri, Jul 15, 2005 at 03:14:08PM -0400, Tim Macrina wrote:
> Can anyone explain to me what the difference is between rawbody and
> body when writing spamassassin rules. I am currently using body for

It's pretty well documented, but basically there's 3 states of message:

- pristine, used for full rules, exactly how the message looks when it comes in

- raw, used for rawbody rules, if there's encoding (quoted-printable or
  base64), the text parts are decoded and concatenated together.  you still
  get all the HTML bits and such.

- rendered, used for body rules, the raw data is taken and has html parts
  decoded.  you're left with text-only.


Basically, you always want to use rendered/body, unless you need to
see HTML tags which means use a rawbody, unless you really want to see
everything including encodings which needs full.  (and if you think you
need "full" for something, you're probably better off writing a plugin,
btw.)

-- 
Randomly Generated Tagline:
I'm used to seeing people promoted ahead of me -- friends, co-workers, 
 Tibor.  I never thought it'd be my own wife.
 
-- Homer Simpson
   Marge Gets A Job




rawbody or body

2005-07-15 Thread Tim Macrina
Can anyone explain to me what the difference is between rawbody and
body when writing spamassassin rules. I am currently using body for
most of my body rules but I did find one that was not working. I was
looking for a specific html tag and it did not work but when I changed
it to rawbody it worked. can I/should I change all my rules to use
rawbody. Thank you


Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Theo Van Dinter writes:
> On Fri, Jul 15, 2005 at 01:40:03PM -0400, Matt Kettler wrote:
> > Those should both trip  HTML_FONT_SIZE_TINY.
> > Unfortunately, that's a low scoring rule due to some FPs and limited number 
> > of spam hits in the 3.0 corpus. The FPs may or may not be corpus pollution 
> > based. *shrug*
> 
> Legit senders use tiny fonts.  Looking at some of my rule FPs: CNET,
> Hershey's, L.L. Bean, Adidas, etc.

yep, in my corpus it's not pollution either.  legit senders certainly
write some spammy-looking HTML, and there's nothing we can do about
that :(  

> Based on my last run, it's actually more of a ham rule apparently:
> 
> OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
>   93579    82015    11564    0.876   0.00    0.00  (all messages)
> 100.000  87.6425  12.3575    0.876   0.00    0.00  (all messages as %)
>   0.093   0.0805   0.1816    0.307   0.33    0.00  HTML_FONT_SIZE_TINY
> 
> > The stripping doesn't work with the font-size trick, as SA's body rules will 
> > see "VIwhateverAGRA"  for "VAwhateverAGRA".
> 
> FYI, There's a BZ ticket open about that.  Basically the code considers
> that stuff "invisible", but currently the body rules don't differentiate
> between visible vs invisible.

Bayes does, though, iirc.

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFC2An1MJF5cimLx9ARAktjAJ91gwBO0QM4QAkSJgT1qmUeIsKcXgCgmDCh
v7WinIyPhTTVbgpDhEloMA4=
=/XyE
-END PGP SIGNATURE-



Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Dr Robert Young
I have a " font size=+0" & "font size=1"  sample, and from what I can 
tell in the report, this rule is not being hit. But I thought there 
were some "small font" rules included. Hence ( at least in part) my 
question.


Being fairly new to SA, does it go through "each and every" rule and 
test listed , on each email?



On Jul 15, 2005, at 12:56 PM, Daryl C. W. O'Shea wrote:


> Dr Robert Young wrote:
>
>> .
>> {whatever}
>> inserting "" in the middle of "key words"
>
> When you pass an email through SpamAssassin with things like the above
> in it, do you see any tests hit?








Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803
USA

WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970 Fax:1-803-641-0345
Email: [EMAIL PROTECTED]
"Source of Rdb Controller, software for database analysis &  
performance tuning"




RE: this receive line only in spam

2005-07-15 Thread Chris Santerre


> -Original Message-
> From: Kai Schaetzl [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 15, 2005 1:15 PM
> To: users@spamassassin.apache.org
> Subject: Re: this receive line only in spam
> 
> 
> Chris Santerre wrote on Fri, 15 Jul 2005 11:59:33 -0400:
> 
> > That subnet is listed in spews. Block away!
> 
> Spews is not reliable at all, don't use it for blocking!

Yeah I got Spamcop and spews confused. I'm having a pretty bad day for
paying attention. I'm thinking of stepping away from the keyboard for a
while. I played too much PSP and it has affected my brain pod :) 

--Chris (O, O, Triangle, [], O, Triangle, ...)

 


Re: Net::DNS and Spamassassin

2005-07-15 Thread Matthias Fuhrmann
On Thu, 14 Jul 2005, Matthias Fuhrmann wrote:

> On Thu, 14 Jul 2005, Jose Hidalgo wrote:
>
> > OS: FreeBSD 4.9-RELEASE-p12
> >
> > p5-Mail-SpamAssassin-3.0.4
> > p5-Net-DNS-0.51
> > razor-agents-2.72
> > perl-5.8.7
> >
> > When trying to report a message it fails with the following error:
> >
> > razor2 report failed: No such file or directory Died at
> > /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Reporter.pm line
> > 148,  line 1. Use of inherited AUTOLOAD for non-method
> > Net::DNS::mx() is deprecated at
> > /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Reporter.pm line
> > 464. 1 message(s) examined. Can't locate auto/Net/DNS/mx.al in @INC
> > (@INC contains: lib /usr/local/lib/perl5/site_perl/5.8.7
> > /usr/local/lib/perl5/site_perl/5.8.7/mach /usr/local/lib/perl5/site_perl
> > /usr/local/lib/perl5/5.8.7/BSDPAN /usr/local/lib/perl5/5.8.7/mach
> > /usr/local/lib/perl5/5.8.7) at
> > /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Reporter.pm line
> > 464
>
> i found this:
> http://comments.gmane.org/gmane.mail.spam.spamassassin.general/68718
>
> they say, downgrading Net::DNS to 0.49 would fix that issue.

there is 0.52 of Net::DNS:

http://search.cpan.org/CPAN/authors/id/O/OL/OLAF/Net-DNS-0.52.tar.gz

regards,
Matthias


Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Theo Van Dinter
On Fri, Jul 15, 2005 at 01:40:03PM -0400, Matt Kettler wrote:
> Those should both trip  HTML_FONT_SIZE_TINY.
> Unfortunately, that's a low scoring rule due to some FPs and limited number 
> of spam hits in the 3.0 corpus. The FPs may or may not be corpus pollution 
> based. *shrug*

Legit senders use tiny fonts.  Looking at some of my rule FPs: CNET,
Hershey's, L.L. Bean, Adidas, etc.

Based on my last run, it's actually more of a ham rule apparently:

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  93579    82015    11564    0.876   0.00    0.00  (all messages)
100.000  87.6425  12.3575    0.876   0.00    0.00  (all messages as %)
  0.093   0.0805   0.1816    0.307   0.33    0.00  HTML_FONT_SIZE_TINY

> The stripping doesn't work with the font-size trick, as SA's body rules will 
> see "VIwhateverAGRA"  for "VAwhateverAGRA".

FYI, There's a BZ ticket open about that.  Basically the code considers
that stuff "invisible", but currently the body rules don't differentiate
between visible vs invisible.

-- 
Randomly Generated Tagline:
"Not a morning person" doesn't even begin to cover it.




Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Matt Kettler

Dr Robert Young wrote:

> .
> {whatever}


Those should both trip  HTML_FONT_SIZE_TINY.
Unfortunately, that's a low scoring rule due to some FPs and limited number of 
spam hits in the 3.0 corpus. The FPs may or may not be corpus pollution based. 
*shrug*



> inserting "" in the middle of "key words"


HTML tags are completely stripped before normal "body" rules are run, so this 
trick, or any other trick based on inserting tags, has no effect on SA at all. 
Only rawbody or full rules could be affected.


The stripping doesn't work with the font-size trick, as SA's body rules will see 
"VIwhateverAGRA"  for "VAwhateverAGRA".
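The three message states Theo lays out in the "rawbody or body" thread (full, rawbody, body) and the two obfuscation cases Matt describes just above (tag insertion, which the HTML stripping defeats, and the font-size trick, which it does not), worked through in Python as an added example. This is not SpamAssassin's code: the sample parts are constructed, the tag stripping is a deliberately naive approximation of SA's rendering, and body_visible() is an assumed heuristic standing in for the "invisible text" handling Theo mentions as an open ticket, not its actual implementation.

```python
import html
import quopri
import re

# Constructed sample HTML parts, quoted-printable encoded the way a MIME text
# part might arrive (=3D is the QP encoding of "=", =2E of "."). The first
# inserts an empty tag into the keyword; the second wraps filler text in a
# font-size=0 element so that stripping the tags leaves the filler behind.
SAMPLE_TAG_INSERT = b"<html><body>Buy VI<b></b>AGRA today=2E</body></html>\n"
SAMPLE_FONT_TRICK = (
    b"<html><body>Cheap VI<font size=3D0>whatever</font>AGRA here."
    b"</body></html>\n"
)

TAG_RE = re.compile(r"<[^>]+>")
# Assumption for this example: text inside a font element with size 0 or a
# negative size is treated as invisible and dropped before matching.
INVISIBLE_FONT_RE = re.compile(
    r'<font\b[^>]*\bsize="?(?:0|-\d+)"?[^>]*>.*?</font>', re.I | re.S)
# The body rule under test, the keyword the thread uses as its example.
KEYWORD_RE = re.compile(r"\bviagra\b", re.I)


def full_text(pristine: bytes) -> str:
    """'full' state: the part exactly as received, transfer encoding included."""
    return pristine.decode("latin-1")


def rawbody(pristine: bytes) -> str:
    """'rawbody' state: transfer encoding decoded, HTML left in place."""
    return quopri.decodestring(pristine).decode("utf-8", "replace")


def body(raw: str) -> str:
    """'body' state: tags stripped, entities decoded, whitespace collapsed."""
    text = html.unescape(TAG_RE.sub("", raw))
    return re.sub(r"\s+", " ", text).strip()


def body_visible(raw: str) -> str:
    """Assumed variant of body(): invisible font spans are removed first."""
    return body(INVISIBLE_FONT_RE.sub("", raw))


def evaluate(pristine: bytes) -> dict:
    """Whether KEYWORD_RE fires against each state of the same part."""
    raw = rawbody(pristine)
    return {
        "full": KEYWORD_RE.search(full_text(pristine)) is not None,
        "rawbody": KEYWORD_RE.search(raw) is not None,
        "body": KEYWORD_RE.search(body(raw)) is not None,
        "body_visible": KEYWORD_RE.search(body_visible(raw)) is not None,
    }


if __name__ == "__main__":
    for label, sample in (("tag insert", SAMPLE_TAG_INSERT),
                          ("font trick", SAMPLE_FONT_TRICK)):
        print(label, body(rawbody(sample)), evaluate(sample))
```

For the tag-insertion sample only the body state hits, which is Matt's point about rawbody rules being tricked; for the font-size sample even the body state misses, and only the visibility-aware variant recovers the keyword.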




Re: Rule Advice

2005-07-15 Thread Kai Schaetzl
 wrote on Fri, 15 Jul 2005 09:52:26 -0700:

> Not 6 digits, but maybe the degree symbol is contributing. I'll   
> advise not to start the username with 360°.

That degree sign isn't allowed unescaped in there anyway.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: Whitelisting for users on 3.0.4 and BSD in regards to 3.1.X

2005-07-15 Thread Kai Schaetzl
The Doctor wrote on Fri, 15 Jul 2005 10:03:10 -0600:

> 1)  I do have user-configs that have whitelists but it seems to have next to no
>     effect.  What could be wrong?

what about details?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: this receive line only in spam

2005-07-15 Thread Kai Schaetzl
Chris Santerre wrote on Fri, 15 Jul 2005 11:59:33 -0400:

> That subnet is listed in spews. Block away!

Spews is not reliable at all, don't use it for blocking!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: Distinguishing between mail that is "almost certainly" or "pr obably" spam

2005-07-15 Thread Richard Duran
On 7/12/05, Kang, Joseph S. <[EMAIL PROTECTED]> wrote:
> Richard, I didn't think this was possible either but I just tried it.
> 
> What I did was create a rule to look for "X-Spam-Level: " in
> the message headers.  I had some messages that had scored over 15 and one
> that was around 5.  I created a rule that looked for messages that had 14 *s
> and move them to the deleted items folder.  I ran it on my "Marked Spam"
> folder and, voila!, it moved the ones that scored over 14 *s to deleted
> items and left the one that had only scored 5 *s.
> 
> What you will probably want to do is specify the rule the greater number of
> "*"s first and then have it followed by the rule to handle the lesser number
> of "*"s.  Ordering of these rules will be EXTREMELY important.  Plus it's
> probably best to test it out yourself first to make sure the rules behave
> the way you want them too.
> 
> But, it apparently is possible.  Or it seems to be.  Your mileage may vary,
> etc.  ;-)

Thanks for trying this out Joe. This is actually pretty neat in that each
user can decide for themselves just how many stars they are willing to
tolerate. Thanks to everyone else for the feedback.

Regards,
-richard
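The star-counting filter Joe describes, with the ordering problem he warns about, as an added Python example (not part of the original mails). A client rule of the form "X-Spam-Level contains N stars" also matches any header with more than N stars, so the thresholds have to be tested highest first; the rule list and headers below are constructed.

```python
import re


def star_count(x_spam_level: str) -> int:
    """Number of leading '*' characters in an X-Spam-Level header value."""
    return len(re.match(r"\**", x_spam_level.strip()).group(0))


def route(x_spam_level: str, rules) -> str:
    """First matching (min_stars, folder) rule wins, as in a mail client."""
    stars = star_count(x_spam_level)
    for min_stars, folder in rules:
        if stars >= min_stars:
            return folder
    return "Inbox"


def ordered(rules):
    """Highest threshold first: the ordering the thread calls out as essential."""
    return sorted(rules, key=lambda rule: rule[0], reverse=True)


# Constructed rule list, entered in the order a user might naturally type them.
CLIENT_RULES = [(5, "Probably Spam"), (14, "Deleted Items")]

if __name__ == "__main__":
    print(route("*" * 15, CLIENT_RULES), route("*" * 15, ordered(CLIENT_RULES)))
```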


Re: Does SA 304 look for these HTML tricks?

2005-07-15 Thread Daryl C. W. O'Shea

Dr Robert Young wrote:

> .
> {whatever}
> inserting "" in the middle of "key words"


When you pass an email through SpamAssassin with things like the above 
in it, do you see any tests hit?




Re: Rule Advice

2005-07-15 Thread dennis
On Jul 14, 2005, at 6:05 PM, Robert Menschel wrote:

> header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i
>
> The email address used in the From header begins with 6 (or more) digits.
> It's not hitting on 360SkinCare.com, but on the user part of the email
> address (doesn't even look at the domain name).
>
> dsc> The From line didn't start with numbers (unless I'm missing
> dsc> your point). It was the username.
>
> Exactly -- the user part of the email address,
> "Firstname Lastname" <[EMAIL PROTECTED]>
> If that username starts with six digits, it hits that rule, as shown in
> Loren's example.

Ah, here is the From header:

From: 360° Skin Care <[EMAIL PROTECTED]>

Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
to start the username with 360°.
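The FROM_STARTS_WITH_NUMS rule from Bob's mail, checked in Python against From headers of the shape discussed in the thread, as an added example that is not part of the original mails or of SpamAssassin. The ":addr" modifier is approximated with email.utils.parseaddr, which is assumed to match SA's behaviour of feeding only the bare address to the regex; the addresses are constructed example.com stand-ins.

```python
import re
from email.utils import parseaddr

# The rule from the thread, translated from SA's /^\d{6,}\S+\@/i.
FROM_STARTS_WITH_NUMS = re.compile(r"^\d{6,}\S+@", re.I)


def from_addr(header_value: str) -> str:
    """What ':addr' feeds the regex: the bare address, display name removed."""
    return parseaddr(header_value)[1]


def rule_hits(header_value: str) -> bool:
    return FROM_STARTS_WITH_NUMS.search(from_addr(header_value)) is not None


def explain(header_value: str) -> str:
    """Show which part of the header the rule actually looks at."""
    addr = from_addr(header_value)
    local = addr.split("@", 1)[0]
    leading_digits = len(re.match(r"\d*", local).group(0))
    return f"addr={addr!r} local-part={local!r} leading-digits={leading_digits}"


if __name__ == "__main__":
    for header in ("360° Skin Care <fred@example.com>",
                   '"Firstname Lastname" <123456monkeys@example.com>'):
        print(rule_hits(header), explain(header))
```

The display name, the degree sign and the domain never reach the regex; only a local part starting with six or more digits (followed by at least one more non-space character before the "@") fires the rule.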

Does SA 304 look for these HTML tricks?

2005-07-15 Thread Dr Robert Young

.
{whatever}
inserting "" in the middle of "key words"




Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803
USA

WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970 Fax:1-803-641-0345
Email: [EMAIL PROTECTED]
"Source of Rdb Controller, software for database analysis &  
performance tuning"




Re: this receive line only in spam

2005-07-15 Thread List Mail User
>...
>
>FYI,
>I got another receive line here that occurs only in spam, with always the
>same ip-segment (not the ip-address that actually delivers the mail).
>First I tagged it with SA but now I block the mail in postfix, 15% less
>spam!.
>Maybe somebody recognizes these lines. It's the second receive line, and
>the envelope-sender ends at @punkass.com, @sexmagnet.com, @thoughguy.com
>etcetera.
>
>Regards
>Menno van Bennekom
>
>Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])
>Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
>Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])
>Received: from gamebox.net (mx2.gamebox.net [38.113.3.58])
>Received: from gamebox.net (mx3.gamebox.net [38.113.3.78])
>Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])
>Received: from hotpop.com (mx2.hotpop.com [38.113.3.72])
>Received: from hotpop.com (mx4.hotpop.com [38.113.3.72])
>Received: from phreaker.net (mx1.phreaker.net [38.113.3.57])
>Received: from phreaker.net (mx2.phreaker.net [38.113.3.57])
>Received: from phreaker.net (mx3.phreaker.net [38.113.3.77])
>Received: from punkass.com (mx1.punkass.com [38.113.3.63])
>Received: from punkass.com (mx2.punkass.com [38.113.3.63])
>Received: from punkass.com (mx3.punkass.com [38.113.3.53])
>Received: from sexmagnet.com (mx1.sexmagnet.com [38.113.3.64])
>Received: from toughguy.net (mx1.toughguy.net [38.113.3.56])
>Received: from toughguy.net (mx2.toughguy.net [38.113.3.56])
>
>
>
>
>> [orginal post snipped]

Those are all domain names a user can choose from hotpop.com,
a "free" mail provider whose accounts are both widely abused and forged.
Blocking them is probably not "a good thing".  They do have at least
tens of thousands of legitimate users (and I could easily be underestimating
by one or two orders of magnitude).

You can check them at http://www.hotpop.com

BTW.  hotpop is "white hat", so when it is abuse, not forgery
they do act (though like most companies, not as quick as I'd like).
Also, they even have a clause in their TOS which prohibits using them
for a "dropbox".


Paul Shupak
[EMAIL PROTECTED]


Re: Whitelisting for users on 3.0.4 and BSD in regards to 3.1.X

2005-07-15 Thread Matt Kettler

The Doctor wrote:

> 1)  I do have user-configs that have whitelists but it seems to have next to no
> effect.  What could be wrong?


Is your SA being *executed* as those users?

99% of site-wide configurations run as one user only, usually root, mail, or 
nobody.

SpamAssassin does not look at the To: header and setuid itself to that user. You 
must pass -u to spamc, or call spamc from a process already running as that user 
to get SA to use that particular userid for its configuration.





Whitelisting for users on 3.0.4 and BSD in regards to 3.1.X

2005-07-15 Thread The Doctor
1)  I do have user-configs that have whitelists but it seems to have next to no
effect.  What could be wrong?

2)  3.1.0 and BSDes.  The ruid problem, will that be addressed in 3.1.0 pre4?

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven that to Rule in Hell.


RE: this receive line only in spam

2005-07-15 Thread Chris Santerre


> -Original Message-
> From: Menno van Bennekom [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 15, 2005 10:41 AM
> To: users@spamassassin.apache.org
> Subject: Re: this receive line only in spam
> 
> 
> FYI,
> I got another receive line here that occurs only in spam, 
> with always the
> same ip-segment (not the ip-address that actually delivers the mail).
> First I tagged it with SA but now I block the mail in 
> postfix, 15% less
> spam!.
> Maybe somebody recognizes these lines. It's the second 
> receive line, and
> the envelope-sender ends at @punkass.com, @sexmagnet.com, 
> @thoughguy.com
> etcetera.
> 
> Regards
> Menno van Bennekom
> 
> Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])
> Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
> Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])
*snip*

That subnet is listed in spews. Block away!

http://spews.org/html/S2888.html

http://www.completewhois.com/cgi-bin/whois.cgi?query=38.113.3.57

This rings a bell for some reason:
Org-Name  Jerky Network Services
Street-AddressPO Box 552
City  Newton
State MA
Postal-Code   02460

Added to my watch list. 

--Chris 


RE: Penny stocks, microcaps, etc.

2005-07-15 Thread Chris Santerre


> -Original Message-
> From: Evan Platt [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 15, 2005 11:09 AM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: Penny stocks, microcaps, etc.
> 
> 
> At 10:04 PM 6/23/2005, you wrote:
> >Sare's obfuscation rule set is doing a pretty good job now 
> of catching
> >most of those that attempt obfuscation.  The other SARE rules (bml,
> >genlsubj, header, etc) do a decent job with the others. Won't catch
> >them all, but they catch better than 99% of them here.
> 
> I know I'm coming in late in this thread but most of the stock spams 
> I've seen lately should be pretty east to catch, but then again, 
> I couldn't write a rule if I had to.
> 
> The spams I've seen contain a LARGE disclaimer, with granted a FEW 
> typos. Does any of this help anyones rules?
> 
> Disclaimer:

*snip*

Well yes and no. SARE does have disclaimer rules. SARE tries to pick out
underlying key phrases that are NOT likely to change over time. This is very
tough. If you are using the SARE rulesets and these are still getting by,
then we may need to update the rules a little. 

I'll keep an eye out for spams that miss the ruleset. 

--Chris 


Re: GIF attachments

2005-07-15 Thread Matt Kettler

At 09:33 AM 7/15/2005, Dr Robert Young wrote:
> Is there a good way to handle spam where the bulk of the  "ad" is a image 
> file (jpg, gif, etc) that is attached to the email so that it "displays" 
> when the user opens the email?



See my reply under:
"Re: Tag all emails with gif, jpg, tif, or tiff?"

You could combine that with a rule that looks for an extremely short body 
text..


# at least 100 consecutive characters of rendered body text
body __L_BODY_100   /.{100}/
# short body combined with an embedded image (L_EMBEDDED_GFX from the other thread)
meta IMAGE_SHORT_BODY   !__L_BODY_100 && L_EMBEDDED_GFX

That might score do.. Maybe..


Otherwise razor/dcc are good options.. 
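The two-rule combination Matt sketches (no run of 100 body characters, plus an embedded image), reimplemented in Python as an added example; this is not SpamAssassin's code. L_EMBEDDED_GFX comes from Matt's other thread and is not quoted here, so it is assumed to mean "any image/* MIME part"; the rendered-body approximation and the test messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

TAG_RE = re.compile(r"<[^>]+>")
# __L_BODY_100: 100 consecutive characters of rendered body text.
L_BODY_100 = re.compile(r".{100}")


def rendered_text(msg: EmailMessage) -> str:
    """Approximates SA's rendered body: text parts only, HTML tags stripped."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text = part.get_content()
            if ctype == "text/html":
                text = TAG_RE.sub("", text)
            chunks.append(text)
    return re.sub(r"\s+", " ", " ".join(chunks)).strip()


def l_embedded_gfx(msg: EmailMessage) -> bool:
    """Assumed stand-in for L_EMBEDDED_GFX: any image/* part present."""
    return any(part.get_content_maintype() == "image" for part in msg.walk())


def image_short_body(msg: EmailMessage) -> bool:
    """IMAGE_SHORT_BODY: !__L_BODY_100 && L_EMBEDDED_GFX"""
    return L_BODY_100.search(rendered_text(msg)) is None and l_embedded_gfx(msg)


def build_sample(text: str, with_image: bool) -> EmailMessage:
    """Constructs a test message and re-parses it from bytes, as a filter sees it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    if with_image:
        # A few bytes with a GIF header stand in for the advertising image.
        msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                           subtype="gif", filename="ad.gif")
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    print(image_short_body(build_sample("See attached.", True)))
```

A message that is nothing but a short line and an image trips the combined rule; the same image with a hundred characters of real text, or the short line without an image, does not, which is what keeps the rule from firing on ordinary photo mail.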



Re: this receive line only in spam

2005-07-15 Thread Menno van Bennekom
FYI,
I got another receive line here that occurs only in spam, with always the
same ip-segment (not the ip-address that actually delivers the mail).
First I tagged it with SA but now I block the mail in postfix, 15% less
spam!.
Maybe somebody recognizes these lines. It's the second receive line, and
the envelope-sender ends at @punkass.com, @sexmagnet.com, @thoughguy.com
etcetera.

Regards
Menno van Bennekom

Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])
Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])
Received: from gamebox.net (mx2.gamebox.net [38.113.3.58])
Received: from gamebox.net (mx3.gamebox.net [38.113.3.78])
Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx2.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx4.hotpop.com [38.113.3.72])
Received: from phreaker.net (mx1.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx2.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx3.phreaker.net [38.113.3.77])
Received: from punkass.com (mx1.punkass.com [38.113.3.63])
Received: from punkass.com (mx2.punkass.com [38.113.3.63])
Received: from punkass.com (mx3.punkass.com [38.113.3.53])
Received: from sexmagnet.com (mx1.sexmagnet.com [38.113.3.64])
Received: from toughguy.net (mx1.toughguy.net [38.113.3.56])
Received: from toughguy.net (mx2.toughguy.net [38.113.3.56])




> FYI,
> Made a small rule for this and it gets hit every day sofar without any
> FP's.
> So if anyone is interested:
> header PORT_HELO Received =~ /from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)/
> describe PORT_HELO Header contains special port and helo
> score PORT_HELO 10.00
>
> Menno
>
>> I get a lot of med-spams lately that look the same, short, 2 lines with
>> one url, below that some text (from a book?).
>> Often it gets marked as spam because of the url, but not always because
>> bayes has no real grip on this mail.
>> Maybe there is a way to recognise them in the second receive-line
>> because
>> of the special helo and port text.
>> I want to block it with this at the MTA level because I couldn't find
>> HAM
>> with this text (port-number and special helo syntax).
>> But I'm not so sure yet so my question is do you know of any HAM that
>> uses
>> receive lines like this?
>>
>> Thanks
>> Menno van Bennekom
>>
>> Received: from [66.98.106.84] (port=4465 helo=[Batista])
>> Received: from [180.111.168.219] (port=4464 helo=[discharge])
>> Received: from [221.54.120.107] (port=4548 helo=[benchmark])
>> Received: from [240.232.66.156] (port=4015 helo=[infrared])
>> Received: from [123.120.113.68] (port=4426 helo=[chronograph])
>> Received: from [130.98.112.26] (port=4102 helo=[lash])
>> Received: from [50.188.174.87] (port=4590 helo=[simplifications])




RE: SPAMD dies

2005-07-15 Thread Chris Santerre
What user is spamd running as? I'm guessing it's a permissions problem. These always
seem to be permission based problems.

If we wait long enough, Matt will post a FAQ worthy answer ;)

--Chris

> -Original Message-
> From: Thomas Kinghorn [MTNNS -Rosebank] [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 15, 2005 1:27 AM
> To: users@spamassassin.apache.org
> Subject: SPAMD dies
>
> Good morning list.
>
> I am having issues with SPAMD just dying and no info being shown in the
> logs to help troubleshoot.
>
> This is what I have:
>
> Jul 15 01:01:04 jp-mx-1 spamd[16441]: identified spam (8.8/4.4) for xadmin:501 in 4.5 seconds, 5865 bytes.
> Jul 15 01:01:04 jp-mx-1 spamd[16441]: result: Y  8 - AWL,BAYES_99,J_CHICKENPOX_31,J_CHICKENPOX_41,J_CHICKENPOX_47,NO_REAL_NAME,PYZOR_CHECK scantime=4.5,size=5865,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=no
> Jul 15 01:03:11 jp-mx-1 spamc[17673]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
> Jul 15 01:03:12 jp-mx-1 spamc[17673]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
> Jul 15 01:03:13 jp-mx-1 spamc[17673]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
> Jul 15 01:03:14 jp-mx-1 spamc[17673]: connection attempt to spamd aborted after 3 retries
>
> The system is running Redhat 9, Latest versions of Exim & spamassassin.
> Spamassassin uses pyzor, razor & dcc.
>
> Many thanks
> Tom



Re: GIF attachments

2005-07-15 Thread JamesDR

Dr Robert Young wrote:
> Is there a good way to handle spam where the bulk of the "ad" is an
> image file (jpg, gif, etc) that is attached to the email so that it
> "displays" when the user opens the email?
>
> Dr. Robert Young
> ALI Database Consultants
> 1151 Williams Dr
> Aiken SC 29803
> USA

This was semi-answered in your "Tag all emails with gif, jpg, tif, or
tiff?" thread.


--
Thanks,
James



GIF attachments

2005-07-15 Thread Dr Robert Young
Is there a good way to handle spam where the bulk of the "ad" is an
image file (jpg, gif, etc) that is attached to the email so that it
"displays" when the user opens the email?

Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803
USA



RE: I am NOT a spammer

2005-07-15 Thread Geoff Manning
Loren Wilton wrote:
> Now, I grant IPV6 is a different problem.  But this particular case
> should be trivially solvable if anyone felt it was worth solving.
> 
> Loren

I agree that it wouldn't be a tough problem to solve if it were necessary to
do so. But that seems like too much overhead just to *manage* the data set
IP by IP. If the original OP's ISP had properly differentiated between the
static and dynamic pools of IP's then all of this would be unnecessary (and
overkill). 

Geoff


Re: How can I correct this FalsePositive?

2005-07-15 Thread Kai Schaetzl
Sander Holthaus - Orange XL wrote on Fri, 15 Jul 2005 13:13:19 +0200:

> because 
> their mail looks needlessly spammish.

Not from their point of view. It's an advertisement with some 
"value-added" stuff (the weather forecast).

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: Unsubscribing

2005-07-15 Thread Kai Schaetzl
Ron McKeating wrote on Fri, 15 Jul 2005 11:08:02 +0100:

> Is my suggestion of 
> having a "don't send me any traffic for x weeks" option viable ?

There are list managers which allow you to indefinitely suspend your 
subscription without unsubscribing, f.i. Mailman. I don't know if ezmlm (I 
think that's what ASF uses deducing from qmail as their mailer) supports 
it, but it doesn't look like it's offered, whether supported by the 
software or not. I would think that this would be a valuable addition. On 
the other hand, I doubt that many people will be aware of this option if 
it was offered.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: Unsubscribing

2005-07-15 Thread Duncan Hill
On Friday 15 July 2005 12:05, Loren Wilton typed:
> > Is there information somewhere else
> > that tells people how to unsubscribe from the list.
>
> Yes, its hidden in the headers of the messages from the list, where most
> rational people won't think to look.  I guess they did that as a test,
> since this list is supposed to be for mail admin (or at least spam admin)
> types. Rational lists put this sort of thing where people will think to
> look, rather than making it an easter egg hunt.

Several MUAs, including Squirrelmail, will check the headers for the RFC 2369 
entries (standards track since 1998) and update their display appropriately.  
Imo, it beats having footers mangled onto the bottom of every e-mail.  

*shrug*  Horses for courses I guess.


RE: How can I correct this FalsePositive?

2005-07-15 Thread Sander Holthaus - Orange XL
Kai Schaetzl wrote:
> Thomas Booms wrote on Fri, 15 Jul 2005 10:29:35 +0200:
> 
>> Content analysis details:   (2.2 points, 2.0 required)
> 
> Your problem is this setting. You should know by now from
> following the list that this is stupid. So, why do you do that and
> then ask for help? Set your spam threshold correctly and your FP
> problem is gone. 
> 
> Kai

2.0 is indeed low. However, I would also notify the sending party, because
their mail looks needlessly spammish. No plaintext content, no MIME-headers,
a webbug, bad html/css...

Using Bayes might help your problem and you can whitelist the sender. But
with a 2.0 point-level for spam, you're always gonna have some FPs.

Kind Regards,
Sander Holthaus



Re: How can I correct this FalsePositive?

2005-07-15 Thread Chris Lear
* Loren Wilton wrote (07/15/05 12:02):
>> X-Spam-Status: Yes, score=2.2 required=2.0
>> tests=HTML_BACKHAIR_8,HTML_MESSAGE,
>> HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4
> 
> The easiest way to eliminate this FP would be to take your spam threshold
> back to 5, or at least something close to that.  The rules that hit on this
> mail have nothing whatever to do with the site - they are related to the
> mail message formatting.
> 
> Since it only got 2.2 points, nobody should really notice this.  But since
> you have set your spam cutoff way too low, it FPs for you.

...and the cheapest way to fix the message formatting, as I see it, is
to get them to fix the message so it doesn't hit this rule:

1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

Which should also make the message more friendly to non-HTML mail
readers, which is worthwhile anyway. And it will take the score down to 1.0.

--
Chris
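
As an added example (my own code, not from either reply above), this shows the condition behind the MIME_HTML_ONLY hit that Chris and Sander both point at, and the fix they suggest to the sender: detect a message whose only body is text/html, and rebuild it as multipart/alternative with a text/plain part first. The sample message, its headers and addresses are constructed; the tag stripper is a deliberately crude helper, not a real HTML-to-text converter.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: an HTML-only newsletter with no text/plain part, which is
# the condition SpamAssassin's MIME_HTML_ONLY rule scores. Addresses are invented.
HTML_ONLY_RAW = b"""From: "Wetter.com" <newsletter@example.invalid>
To: reader@example.invalid
Subject: Wetterletter fuer Samstag
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<html><body><p>Wetterletter: Samstag <b>sonnig</b>, 28&deg;C.</p></body></html>
"""


def parse_message(raw):
    """Parse raw message bytes into an EmailMessage using the modern email policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def text_subtypes(msg):
    """Subtypes of every text/* leaf part, e.g. ['html'] or ['plain', 'html']."""
    return [p.get_content_subtype() for p in msg.walk()
            if p.get_content_maintype() == "text"]


def is_html_only(msg):
    """The MIME_HTML_ONLY condition: an HTML body and no text/plain part anywhere."""
    subtypes = text_subtypes(msg)
    return "html" in subtypes and "plain" not in subtypes


def html_to_text(html):
    """Crude tag stripper (constructed helper), enough to derive a plain-text alternative."""
    text = re.sub(r"<[^>]+>", "", html)
    text = text.replace("&deg;", "°").replace("&nbsp;", " ").replace("&amp;", "&")
    return re.sub(r"\s+", " ", text).strip()


def with_plain_alternative(msg):
    """Return a multipart/alternative copy: text/plain first, then the original HTML.
    Messages that already carry a text/plain part are returned unchanged."""
    if not is_html_only(msg):
        return msg
    html = msg.get_body(preferencelist=("html",)).get_content()
    fixed = EmailMessage()
    for name in ("From", "To", "Subject"):
        if msg[name] is not None:
            fixed[name] = str(msg[name])
    fixed.set_content(html_to_text(html))        # text/plain part for text-only readers
    fixed.add_alternative(html, subtype="html")  # keeps the HTML for capable clients
    return fixed


if __name__ == "__main__":
    original = parse_message(HTML_ONLY_RAW)
    print("html only:", is_html_only(original), text_subtypes(original))
    repaired = with_plain_alternative(original)
    print("html only:", is_html_only(repaired), text_subtypes(repaired))
```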


Re: Unsubscribing

2005-07-15 Thread Loren Wilton
> Is there information somewhere else
> that tells people how to unsubscribe from the list.

Yes, its hidden in the headers of the messages from the list, where most
rational people won't think to look.  I guess they did that as a test, since
this list is supposed to be for mail admin (or at least spam admin) types.
Rational lists put this sort of thing where people will think to look,
rather than making it an easter egg hunt.

Loren



Re: How can I correct this FalsePositive?

2005-07-15 Thread Loren Wilton
> X-Spam-Status: Yes, score=2.2 required=2.0
> tests=HTML_BACKHAIR_8,HTML_MESSAGE,
> HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4

The easiest way to eliminate this FP would be to take your spam threshold
back to 5, or at least something close to that.  The rules that hit on this
mail have nothing whatever to do with the site - they are related to the
mail message formatting.

Since it only got 2.2 points, nobody should really notice this.  But since
you have set your spam cutoff way too low, it FPs for you.

Loren



Re: How can I correct this FalsePositive?

2005-07-15 Thread Kai Schaetzl
Thomas Booms wrote on Fri, 15 Jul 2005 10:29:35 +0200:

> Content analysis details:   (2.2 points, 2.0 required)

Your problem is this setting. You should know by now from following the 
list that this is stupid. So, why do you do that and then ask for help? 
Set your spam threshold correctly and your FP problem is gone.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: Unsubscribing

2005-07-15 Thread Ron McKeating
On Fri, 2005-07-15 at 09:49 +, Duane Hill wrote:
> On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated:
> 
> > I am shortly to go on hols for 2 weeks and so was planning to
> > unsubscribe until I get back. I notice on the web page at
> > http://wiki.apache.org/spamassassin/MailingLists
> 
> > it tells you how to subscribe
> 
> And in the headers of all messages to the list state this:
> 
> list-help: 
> list-unsubscribe: 
> List-Post: 
> 

Doh! shows how often I use the "show full headers" option in Evolution.
OK going to unsubscribe now and be back in 2 weeks. Is my suggestion of
having a "don't send me any traffic for x weeks" option viable ?

Cheers all

Ron


> > Subscription: send mail to users-subscribe -at- spamassassin.apache.org
> 
> > but does not tell you how to unsubscribe, I would like to suggest that
> > unsubscribe details be added to the page. I also notice that I seem to
> > be subscribed to two spamassassin lists, not sure how that happened,
> > probably user stupidity knowing me. Is there information somewhere else
> > that tells people how to unsubscribe from the list. Or what would be
> > better would be a "don't send me any list traffic for 2 weeks" kind of
> > option.
> 
> > Well I shall be thinking of you all fighting the good fight as I lay on
> > the beach sipping brandy sours. Keep up the good work, never give a
> > spammer and even break I say.
> 
> ---
>  Duane Hill  |  Network Operations  - YourNetPlus.Com, Inc.
>  | E-mail Administrator - [EMAIL PROTECTED]
> ---
> "This message is made of 100% recycled electrons."
> 
-- 
Ron McKeating
Senior IT Services Specialist
Computing Services
Loughborough University
01509 222329



Re: Unsubscribing

2005-07-15 Thread Chris Lear
* Duane Hill wrote (07/15/05 10:49):
> On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated:
> 
>> I am shortly to go on hols for 2 weeks and so was planning to
>> unsubscribe until I get back. I notice on the web page at
>> http://wiki.apache.org/spamassassin/MailingLists
> 
>> it tells you how to subscribe
> 
> And in the headers of all messages to the list state this:
> 
> list-help: 
> list-unsubscribe: 
> List-Post: 

Which helps. The OP's suggestion was...

>> [...] I would like to suggest that
>> unsubscribe details be added to the page.

I think this is a reasonably sensible suggestion.

>> I also notice that I seem to
>> be subscribed to two spamassassin lists, not sure how that happened,

And you seem to have sent mail to both at once, resulting in a
duplicate. I think that spamassassin-users@incubator.apache.org is out
of date.

>> probably user stupidity knowing me. Is there information somewhere else
>> that tells people how to unsubscribe from the list.

See the headers (as mentioned above)

--
Chris


Re: Unsubscribing

2005-07-15 Thread Duane Hill

On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated:

> I am shortly to go on hols for 2 weeks and so was planning to
> unsubscribe until I get back. I notice on the web page at
> http://wiki.apache.org/spamassassin/MailingLists

> it tells you how to subscribe

And in the headers of all messages to the list state this:

list-help: 
list-unsubscribe: 
List-Post: 

> Subscription: send mail to users-subscribe -at- spamassassin.apache.org

> but does not tell you how to unsubscribe, I would like to suggest that
> unsubscribe details be added to the page. I also notice that I seem to
> be subscribed to two spamassassin lists, not sure how that happened,
> probably user stupidity knowing me. Is there information somewhere else
> that tells people how to unsubscribe from the list. Or what would be
> better would be a "don't send me any list traffic for 2 weeks" kind of
> option.

> Well I shall be thinking of you all fighting the good fight as I lay on
> the beach sipping brandy sours. Keep up the good work, never give a
> spammer and even break I say.

---
 Duane Hill  |  Network Operations  - YourNetPlus.Com, Inc.
 | E-mail Administrator - [EMAIL PROTECTED]
---
"This message is made of 100% recycled electrons."



Unsubscribing

2005-07-15 Thread Ron McKeating
I am shortly to go on hols for 2 weeks and so was planning to
unsubscribe until I get back. I notice on the web page at
http://wiki.apache.org/spamassassin/MailingLists

it tells you how to subscribe

Subscription: send mail to users-subscribe -at- spamassassin.apache.org

but does not tell you how to unsubscribe, I would like to suggest that
unsubscribe details be added to the page. I also notice that I seem to
be subscribed to two spamassassin lists, not sure how that happened,
probably user stupidity knowing me. Is there information somewhere else
that tells people how to unsubscribe from the list. Or what would be
better would be a "don't send me any list traffic for 2 weeks" kind of
option.

Well I shall be thinking of you all fighting the good fight as I lay on
the beach sipping brandy sours. Keep up the good work, never give a
spammer and even break I say.

Cheers all

Ron
-- 
Ron McKeating
Senior IT Services Specialist
Computing Services
Loughborough University
01509 222329



Re: Long Scanning Delays

2005-07-15 Thread Technical Department

Hi

Thank you for your and everyone's advice. I now have a decent set of 
rules and found that SURBL checks were being done twice (or possibly 
conflicting), and it seems to be running better since I upped the 
softlimit, so hopefully that should be sorted :)


Cheers,
John

Daryl C. W. O'Shea wrote:

> jdow wrote:
>
>> From: "Technical Department" <[EMAIL PROTECTED]>
>>
>>> We are running Qmail Scanner 1.25 + Spamassassin 3.04 + Clamd 1.86.1 on
>>> our dual 1.4Ghz P3 Linux mail server. We've been experiencing some
>>> problems with the server taking a long time to scan messages (In most
>>> cases they are taking between 60 and 80 seconds). I have the following
>>> rulesets installed:
>>
>> If softlimit does what I think it does the memory expansion won't help.
>> Spamd is taking about 63 megabytes of memory. So he may be starving it.
>> And he may be driving it into swapping. On the other paw 60 to 80
>> seconds end to end for one message is about right for 1.6 GHz. It's
>> maybe a bit low for so few rule sets. There is also a potential for
>> a bad DNS based rule in his batch.
>> {^_^}
>
> 60 to 80 seconds is normal?  Maybe a 15th of that would be considered
> normal.
>
> Try increasing the softlimit to 75MB and if that doesn't work definitely
> check in to things like slow/broken DNS or failing bayes expiry.
>
> Daryl


Re: How can I correct this FalsePositive? [Correction]

2005-07-15 Thread Thomas Booms
There was a mistake in my pasting of the whitelist entries. These are 
[EMAIL PROTECTED] and [EMAIL PROTECTED]


Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]



How can I correct this FalsePositive?

2005-07-15 Thread Thomas Booms

Hi all,

a customer has subscribed to a weather newsletter and spamassassin 
always tags it as spam. I've explicitly set some email addresses in the 
database driven whitelist:

Filter name     Setting             Last change          Function
WHITELIST_FROM  [EMAIL PROTECTED]   14.07.2005 10:00:53  Change / Delete
WHITELIST_FROM  [EMAIL PROTECTED]   14.07.2005 09:59:12  Change / Delete

Here's the *cut-down* mail source. If you want it complete, let me know:


From - Fri Jul 15 10:23:39 2005

X-UIDL: 1121409728.M235441P13835051114615035475.host1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 1000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: ***
Received: from localhost by ***
with SpamAssassin (version 3.0.4);
Fri, 15 Jul 2005 08:42:01 +0200
From: "Wetter.com" <[EMAIL PROTECTED]>
To: ***
Subject: ***SPAM*** Ihr persoenlicher Wetterletter fuer Samstag, den 16.07.2005
Date: Fri, 15 Jul 2005 08:41:56 +0200 (MEST)
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on ***
X-Spam-Level: **
X-Spam-Status: Yes, score=2.2 required=2.0 tests=HTML_BACKHAIR_8,HTML_MESSAGE,
HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_42D75AB9.1D5E14D2"

This is a multi-part message in MIME format.

----=_42D75AB9.1D5E14D2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "***", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
*** for details.

Content preview:  Wetterletter Abflughafen:
 beliebigNordSüdWestOstAltenburg-NobitzAmsterdam
 (NL)AugsburgBasel-Mulhouse
 (CH)Berlin-SchönefeldBerlin-TegelBerlin-TempelhofBern-Belp
 (CH)BremenBrüssel (B)DortmundDresdenDüsseldorfEnschede
 (NL)ErfurtFrankfurtFrankfurt-HahnFriedrichshafe! nGenf (CH)Graz
 (A)HamburgHannoverHof-PlauenInnsbruck (A)KarlsruheKasselKielKlagenfurt
 (A)Köln-BonnLeipzig-HalleLinz (A)LübeckLüttich (B)LuxemburgMaastricht
 (NL)MönchengladbachMünchenMünster-OsnabrückNiederrhein
 (Weeze)NürnbergPaderbornRostockSaarbrückenSalzburg!
 (A)SchwerinStrasbourg (F)StuttgartWeeze (Niederrhein)Wien (A)Zürich
 (CH)Zweibrücken Hinflug: (tt.mm.) Reisedauer: egal 3 Tage 7 Tage 10
 Tage 14 Tage 21 Tage Reiseziel:
 beliebigNahstreckeMittelstreckeFernstreckeMittelmeer
 (Gesamt)Spanien-PortugalGriechenland-Türkei-ZypernKanarische
 
InselnMallorca-Menorca-IbizaKaribik-Mexiko-Dom.Rep.Ägypten-Israel-VAEAsien-Thailand-MaledivenAfrika-Mauritius-SeychellenTunesien-MarokkoKroatien-BulgarienBesondere
 Tauchregionen Rückflug: (tt.mm.) Wetter-Schnellsuche Suchen Sie
 nach: - Ort (weltweit) - PLZ (D) [...] 


Content analysis details:   (2.2 points, 2.0 required)

pts rule name  description
 -- --
0.5 HTML_OBFUSCATE_05_10   BODY: Message is 5% to 10% HTML obfuscation
0.6 HTML_BACKHAIR_8BODY: HTML tags used to obfuscate words
0.0 HTML_MESSAGE   BODY: HTML included in message
1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


----=_42D75AB9.1D5E14D2
Content-Type: text/plain; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: (qmail 22094 invoked by uid 567); 15 Jul 2005 06:41:57 -
Received: from 193.28.192.167 by host1 (envelope-from <[EMAIL PROTECTED]>, uid 502) with qmail-scanner-1.25 
(clamdscan: 0.86.1/978. spamassassin: 3.0.4.  
Clear:RC:0(193.28.192.167):SA:0(2.2/5.0):. 
Processed in 0.360914 secs); 15 Jul 2005 06:41:57 -

X-Spam-Status: No, hits=2.2 required=5.0
X-Spam-Level: ++
Received: from unknown (HELO burgas.71im.de) (193.28.192.167)
 by 0 with SMTP; 15 Jul 2005 06:41:57 -
Received: from freiberg.dmz.prosiebensat1.net (freiberg.dmz.prosiebensat1.net 
[192.168.192.42])
by burgas.71im.de (8.12.11/8.12.11) with ESMTP id j6F6fuhJ000842
for <***>; Fri, 15 Jul 2005 08:41:57 +0200 (CEST)
Received: (from [EMAIL PROTECTED])
by freiberg.dmz.prosiebensat1.net (8.11.6+Sun/8.11.6) id j6F6fua

[ot?] themafia.us virus hosting.

2005-07-15 Thread Duncan Hill
Not sure where to post this, but this should reach a fair number of admins.

themafia.us, hosted on Yahoo! is kindly serving up 2 txt files of email 
addresses and a virus.

The mail that tries to get the gullible looks like 


  
 You have just 
received a virtual 
 greeting from a friend!
 .
 You can pick up 
your postcard 
 at the following web address:
 .
 http://themafia.us/a0190313376667.gif.exe";
target=_blank>http://www.postcards4u.com/?a0190313376667
 .
 If you can&apst 
click on the web 

I've emailed Yahoo!'s abuse department, but I don't have much faith in them.  
SURBL and URIBL both list the domain, but you may wish to configure web 
proxies etc to not allow the URL.