Re: new spam image with random body message

2009-06-19 Thread Paweł Tęcza
Randal, Phil writes:
> Anthony Peacock wrote:
>> Paweł Tęcza wrote:
>>> Anthony Peacock writes:
>>>> Hi,
>>>> 
>>>> Paweł Tęcza wrote:
>>>>> Hi Anthony,
>>>>> 
>>>>> Please show us your addition tests, of course :D
>>>> Unless you are a UK Higher Education organisation you won't be able
>>>> to use RCVD_IN_JANET_DUL.
>>> 
>>> What a pity. We are a Polish university :)
>> 
>> Yes, but this is just an academic feed of the MAPS RBL+
>> http://mail-abuse.com/index.html 
> 
> I've just had a quick look at our recent MAPS RBL+ hits and there are
> none which weren't already scoring highly.

It's good to know that we can live happily without that RBL :) Thanks!

> I'd recommend both the Botnet and iXhash SA plugins if you're not
> already using them.

Thank you for that recommendation! I'll try both plugins.

Best regards,

P.



RE: new spam image with random body message

2009-06-19 Thread Randal, Phil
Anthony Peacock wrote:
> Paweł Tęcza wrote:
>> Anthony Peacock writes:
>>> Hi,
>>> 
>>> Paweł Tęcza wrote:
>>>> Hi Anthony,
>>>> 
>>>> Please show us your addition tests, of course :D
>>> Unless you are a UK Higher Education organisation you won't be able
>>> to use RCVD_IN_JANET_DUL.
>> 
>> What a pity. We are a Polish university :)
> 
> Yes, but this is just an academic feed of the MAPS RBL+
> http://mail-abuse.com/index.html 

I've just had a quick look at our recent MAPS RBL+ hits and there are none 
which weren't already scoring highly.

I'd recommend both the Botnet and iXhash SA plugins if you're not already using 
them.

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council. 

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error
please contact the sender immediately and destroy all copies of it.


Re: new spam image with random body message

2009-06-19 Thread Anthony Peacock

Paweł Tęcza wrote:
> Anthony Peacock writes:
>> Hi,
>> 
>> Paweł Tęcza wrote:
>>> Hi Anthony,
>>> 
>>> Please show us your addition tests, of course :D
>> Unless you are a UK Higher Education organisation you won't be able to 
>> use RCVD_IN_JANET_DUL.
> 
> What a pity. We are a Polish university :)

Yes, but this is just an academic feed of the MAPS RBL+ 
http://mail-abuse.com/index.html



--
Anthony Peacock
CHIME, UCL Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/


Re: new spam image with random body message

2009-06-19 Thread Paweł Tęcza
Anthony Peacock writes:
> Hi,
> 
> Paweł Tęcza wrote:

>> Hi Anthony,
>> 
>> Please show us your addition tests, of course :D
> 
> Unless you are a UK Higher Education organisation you won't be able to 
> use RCVD_IN_JANET_DUL.

What a pity. We are a Polish university :)

> Other than that I think the only additional one is the BOTNET plugin by 
> John Rudd, which is available here:
> 
> http://people.ucsc.edu/~jrudd/spamassassin/
> 
> As far as I remember the rest are standard.

Thank you very much for the URL to BOTNET plugin!

Have a nice weekend,

P.



Re: new spam image with random body message

2009-06-19 Thread Anthony Peacock

Hi,

Paweł Tęcza wrote:
> Anthony Peacock writes:
>> Adam Cécile (Le_Vert) wrote:
>>> Hello,
>>> 
>>> Could you give us the line from your local.cf to enable such tests ?
>>> 
>>> Thanks in advance,
>> Which tests?  You quote the whole list, some are standard some are 
>> additions.
> 
> Hi Anthony,
> 
> Please show us your addition tests, of course :D

Unless you are a UK Higher Education organisation you won't be able to 
use RCVD_IN_JANET_DUL.

Other than that I think the only additional one is the BOTNET plugin by 
John Rudd, which is available here:

http://people.ucsc.edu/~jrudd/spamassassin/

As far as I remember the rest are standard.

--
Anthony Peacock
CHIME, UCL Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/


Re: new spam image with random body message

2009-06-19 Thread Paweł Tęcza
Anthony Peacock writes:
> Adam Cécile (Le_Vert) wrote:

>> Hello,
>> 
>> Could you give us the line from your local.cf to enable such tests ?
>> 
>> Thanks in advance,
> 
> Which tests?  You quote the whole list, some are standard some are 
> additions.

Hi Anthony,

Please show us your addition tests, of course :D

My best regards,

P.



Re: new spam image with random body message

2009-06-19 Thread Anthony Peacock

Adam Cécile (Le_Vert) wrote:
> Anthony Peacock wrote:
>> [..]
>> 
>>  0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>>                             [62.57.252.74 listed in zen.spamhaus.org]
>>  3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>>  2.0 RCVD_IN_JANET_DUL      RBL: Relay in JANET MAPS RBL+ DUL
>>                             [62.57.252.74 listed in rbl-plus.mail-abuse.ja.net]
>>  0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>>                             [62.57.252.74 listed in dnsbl.sorbs.net]
>>  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>>                             [Blocked - see ]
>>  0.1 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
>>                             [botnet_clientwords,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com]
>>  1.5 BOTNET                 Relay might be a spambot or virusbot
>>                             [botnet0.8,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com,client,ipinhostname,clientwords]
>>  0.1 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
>>                             [botnet_ipinhosntame,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com]
>>  0.1 BOTNET_CLIENT          Relay has a client-like hostname
>>                             [botnet_client,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com,ipinhostname,clientwords]
>>  0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
>> 
>> [...]
> 
> Hello,
> 
> Could you give us the line from your local.cf to enable such tests ?
> 
> Thanks in advance,

Which tests?  You quote the whole list, some are standard some are 
additions.


--
Anthony Peacock
CHIME, UCL Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/


Re: new spam image with random body message

2009-06-18 Thread Adam Cécile (Le_Vert)

Anthony Peacock wrote:
> [..]
> 
>  0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>                             [62.57.252.74 listed in zen.spamhaus.org]
>  3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>  2.0 RCVD_IN_JANET_DUL      RBL: Relay in JANET MAPS RBL+ DUL
>                             [62.57.252.74 listed in rbl-plus.mail-abuse.ja.net]
>  0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [62.57.252.74 listed in dnsbl.sorbs.net]
>  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see ]
>  0.1 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
>                             [botnet_clientwords,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com]
>  1.5 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com,client,ipinhostname,clientwords]
>  0.1 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
>                             [botnet_ipinhosntame,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com]
>  0.1 BOTNET_CLIENT          Relay has a client-like hostname
>                             [botnet_client,ip=62.57.252.74,rdns=62.57.252.74.dyn.user.ono.com,ipinhostname,clientwords]
>  0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
> 
> [...]

Hello,

Could you give us the line from your local.cf to enable such tests ?

Thanks in advance,

Adam.


Re: new spam image with random body message

2009-06-18 Thread Steve Freegard
Paweł Tęcza wrote:
> Steve Freegard writes:
>> Paweł Tęcza wrote:
>>> Also a lot of spams I received have good reverse IP address. We use
>>> greylisting for our mail system, but we still receive that spam.
>>>
>>> Maybe that IP address above has been noted on popular RBL lists, but the
>>> spammers still use new infected machines, so they can leave RBLed hosts.
>>> So I would like to find better solution for fighting that spam than only
>>> using RBLs.
>> I don't really agree with you; RBLs like the Spamhaus PBL and SORBS DUHL
>> list hosts dynamic/consumer IP ranges that should not be connecting
>> directly to port 25 and these are precisely the hosts that are sending
>> this spam; using the PBL myself and that kills 99.99% of these spams
>> cheaply without requiring the more expensive SA checks.
> 
> Hello Steve,
> 
> Probably you misunderstood me. I wanted to say that only RBL protection
> is not sufficient to kill all spam messages.
> 
> I use a lot of RBLs, below is a list of them:
> 
> bl.spamcop.net
> combined.njabl.org
> dnsbl.sorbs.net
> iadb.isipp.com
> list.dnswl.org
> plus.bondedsender.org
> sa-accredit.habeas.com
> sa-other.bondedsender.org
> sa-trusted.bondedsender.org
> zen.spamhaus.org
> 
> but I still get many spams.

Depending on how you call SA, it may or may not have enough
information to actually know the IP address of the host delivering the
message and be able to look up the offending IP in the DNSBLs.

Put zen.spamhaus.org and bl.spamcop.net into your MTA in addition to
SpamAssassin; then see how many you get...

> Thank you very much for these rules! :) I can try them.

The rule I posted isn't effective any more since I posted it here...
I'll send you another off-list...

Cheers,
Steve.



Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 18:02 +0300, Ibrahim Harrani wrote:

> http://pastebin.com/m6a027715
See if you can spot the keys;
1. Received: from unknown #if you don't know who you are goodbye.
2. (HELO .user.x) #mail servers don't tend to HELO/EHLO with
'user' 'dsl' 'ppp' as a rule.
3. (62.57.252.74)
62.57.252.74 listed in b.barracudacentral.org. 
62.57.252.74 listed in XBL NJABL 
62.57.252.74 listed in PBL (SPAMHAUS) 
62.57.252.74 listed in dul.dnsbl.sorbs.net 
62.57.252.74 listed in cbl.abuseat.org. 
62.57.252.74 listed in no-more-funn.moensted.dk. 
62.57.252.74 listed in ix.dnsbl.manitu.net.
4. Subject: Christian sex - What Are Goood Christian sex Pradctices?
#funny that attempts to mis-spell the wrong keywords here. sex x 2 would
be good enough for me, but that's with hindsight.


> http://pastebin.com/d2c94dba0
1. Received: from unknown #again if you don't know who you are
2. telecomitalia.it #do you ever get *anything* legitimate from them? 
3. 82.49.96.239 listed in PBL (ISP) 
82.49.96.239 listed in dul.dnsbl.sorbs.net 
82.49.96.239 listed in no-more-funn.moensted.dk.
4. PTR RECORD ADVERTISING DYNAMIC HOST:
host239-96-dynamic.49-82-r.retail.telecomitalia.it. 
HENCE: listed in PBL
5. Subject: How too Introduce Men to Your GG Spot Location
#useful keys but careful ones. Not so interested in the carnage that
could be 'how to. location', but 'G Spot' would be easy to pick out.
Again, useful hindsight.
> http://pastebin.com/m21c9df0
Skipping the unknowns (no more need for comedy effect)
86.110.151.117 listed in b.barracudacentral.org. 
86.110.151.117 listed in XBL NJABL 
86.110.151.117 listed in cbl.abuseat.org. 
86.110.151.117 listed in no-more-funn.moensted.dk. 
86.110.151.117 listed in ix.dnsbl.manitu.net. 
No PTR record.

> http://pastebin.com/m775253b7
Again unknown, again that same old ISP spam machine
88.52.177.53 listed in b.barracudacentral.org. 
88.52.177.53 listed in XBL NJABL 
88.52.177.53 listed in cbl.abuseat.org. 
88.52.177.53 listed in bl.spamcop.net. 
88.52.177.53 listed in ix.dnsbl.manitu.net. 
This one reports static in PTR:
host53-177-static.52-88-b.business.telecomitalia.it but 'unknown' would
have already had me drop it. My view, if you can't set your server up
properly with correct DNS and are not monitoring your logs for 5xx
errors, I don't really need your mail.

> http://pastebin.com/d2c94dba0
Again unknown, again that same old ISP spam machine
82.49.96.239 listed in PBL (ISP) 
82.49.96.239 listed in dul.dnsbl.sorbs.net 
82.49.96.239 listed in no-more-funn.moensted.dk. 
Subject with G Spot
PTR again dynamic (confirms PBL)
host239-96-dynamic.49-82-r.retail.telecomitalia.it

> http://pastebin.com/m21c9df0
Again unknown
86.110.151.117 listed in b.barracudacentral.org. 
86.110.151.117 listed in XBL NJABL 
86.110.151.117 listed in cbl.abuseat.org. 
86.110.151.117 listed in no-more-funn.moensted.dk. 
86.110.151.117 listed in ix.dnsbl.manitu.net. 
No PTR

> http://pastebin.com/m775253b7
already posted above - 3 back. 
> Let me know if these are not enough.
> 
> Thanks.
> 
Again, this could have all been easily blocked ahead of wasting the time of
Spamassassin. The tools and keys are already there, they just need to be
configured correctly. Even if they got as far as a correctly configured
SA, it would have had most of them on the similar rules. In the PBL,
keywords, DNS issues, Dynamic hosts. Spamassassin is expensive. Treat it
like a Lawyer, only make it work if you have to :-)
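The connection-level "keys" richard walks through above (an rDNS result of 'unknown', HELO and PTR names built from consumer labels such as user/dsl/ppp/dynamic, a PTR that spells out the host's own IP, no PTR at all), as an added example that is not code from the thread: a small Python classifier that parses the qmail-style Received: line quoted here and decides whether to reject at SMTP time or hand the message to SpamAssassin. The weights, the reject threshold, the receiving host name and the HELO strings of the second and third samples are assumptions; IPs and host names are the ones quoted in the thread.

```python
import re
from typing import Optional, Tuple

# Consumer-style labels named in the thread; "dyn" is taken from the rdns value the
# Botnet plugin printed for 62.57.252.74.
CLIENT_WORDS = ("user", "dsl", "ppp", "dyn", "dynamic")

# Assumed weights. RDNS_UNKNOWN and PTR_MISSING stay low on purpose: as noted in the
# thread, some receiving MTAs emit 'unknown' for legitimate hosts, so on their own
# they should never reach the reject threshold.
WEIGHTS = {
    "RDNS_UNKNOWN": 0.5,
    "HELO_CLIENTWORDS": 1.5,
    "PTR_CLIENTWORDS": 1.5,
    "PTR_MISSING": 0.5,
    "IP_IN_HOSTNAME": 1.0,
}
REJECT_THRESHOLD = 3.0  # assumption

# "Received: from <rdns> (HELO <helo>) (<ip>) ..." as quoted in the thread.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)",
    re.IGNORECASE,
)


def labels(name: str) -> list:
    """Split a host name into lower-cased labels on dots and dashes."""
    return [lab for lab in re.split(r"[.-]", name.lower()) if lab]


def has_client_words(name: str) -> bool:
    """True when any label of the name is one of the consumer-style words."""
    return any(word in CLIENT_WORDS for word in labels(name))


def ip_in_hostname(ip: str, name: str) -> bool:
    """True when every octet of ip appears as a digit run in name, which covers both
    62.57.252.74.dyn.user.ono.com and host239-96-dynamic.49-82-r.retail.telecomitalia.it."""
    return set(ip.split(".")) <= set(re.findall(r"\d+", name))


def classify(received: str, ptr: Optional[str]) -> Tuple[list, float, str]:
    """Return (sorted rule hits, total score, action) for one Received: header
    plus the PTR name the MTA resolved (None when there is no PTR record)."""
    m = RECEIVED_RE.match(received)
    if not m:
        raise ValueError("unrecognised Received: header format")
    rdns, helo, ip = m.group("rdns"), m.group("helo"), m.group("ip")
    hits = []
    if rdns.lower() == "unknown":
        hits.append("RDNS_UNKNOWN")
    if has_client_words(helo):
        hits.append("HELO_CLIENTWORDS")
    if ptr is None:
        hits.append("PTR_MISSING")
    else:
        if has_client_words(ptr):
            hits.append("PTR_CLIENTWORDS")
        if ip_in_hostname(ip, ptr):
            hits.append("IP_IN_HOSTNAME")
    total = sum(WEIGHTS[h] for h in hits)
    action = "reject" if total >= REJECT_THRESHOLD else "scan"  # "scan" = hand to SpamAssassin
    return sorted(hits), total, action


# Constructed samples: (Received: header as the MTA wrote it, PTR the MTA resolved).
SAMPLES = {
    "ono": ("Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74) by mx.example.invalid with SMTP",
            "62.57.252.74.dyn.user.ono.com"),
    "retail": ("Received: from unknown (HELO pc) (82.49.96.239) by mx.example.invalid with SMTP",
               "host239-96-dynamic.49-82-r.retail.telecomitalia.it"),
    "noptr": ("Received: from unknown (HELO pc) (86.110.151.117) by mx.example.invalid with SMTP",
              None),
    "legit": ("Received: from mail.example.invalid (HELO mail.example.invalid) (198.51.100.7) by mx.example.invalid with SMTP",
              "mail.example.invalid"),
}

if __name__ == "__main__":
    for name, (received, ptr) in SAMPLES.items():
        print(name, classify(received, ptr))
```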



Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 15:02 +0200, Matus UHLAR - fantomas wrote: 
> On 17.06.09 13:48, rich...@buzzhost.co.uk wrote:
> > But there are certain words you would never expect to see in the
> > subjects of legitimate mail none the less unless you often get mail with
> > words like 'Orgasms' in it :-) If you do, please *share* your friends
> > with us all!
> 
> The often cited point on spam filtering is, that words you usually don't see
> in mail may the others see often. For example, while you may not need
> viagra, a m.d. can use if very often. The same applies to words "orgasms"
> and many others - people may exchange anything in their private
> communication and you may not to know about it.
Indeed, but any reputable and legitimate vendor or contact would act with
discretion and not plaster 'Viagra' and 'Sex' or 'Orgasm' in the
subject lines. If they did, they would rightfully be blocked. I would
not go into my doctors surgery or pharmacy and expect anyone to shout
out, in the clear, RICHARD BUZZHOST - YOUR VIAGRA IS HERE. It's about
appropriate behaviour and knowing how professionals would behave.


> 
> That is why solutions like spamassassin exist and that is also why SA people
> don't like poison pill rules.
It's true to say that Forensic Science exists too, but I would rather
keep the crook out of the house in the first place, rather than have it
dusted for prints and examined afterwards. 
> 
> > Seriously, the RBL's would have killed this, the missing hostname, the
> > hint that it is a 'user' ip connecting (not a legit mail server), the
> > key words - all could have been used by the MTA to drop this message on
> > the floor without troubling SA to scan it. Looking at the content of the
> > mail is the last resort - if it's got that far in to your system, the
> > spammer wins
> 
> While connecting IP and its DNS name is known before the mail is received,
> the subject is only seen after the data phase.
Yes, but responsibility for the message is not handed over until the end
of the data phase. Specifically when the recipient server issues;

250 2.0.0 Ok: queued as ..

Up until that point it is free to drop with an SMTP error. It's just
SpamAssassin does not seem able to keep up with the speed of SMTP.
That's just an observation. If you set that against Postfix with some
simple and obvious header and body filters you can drop lots of rubbish
quickly without wasting the time to look at it. This lets Spamassassin
concentrate on those truly annoying messages that fall into the twilight
zone.





Re: new spam image with random body message

2009-06-17 Thread Andy Dorman

We have been looking at these also.

In most cases they are indeed being dropped by the MTA checks and our own 
internal BLs.


Most of what slips through is being forwarded from a couple of legit servers 
that have no filtering (and we are working on that).  So the MTA doesn't drop 
them since the forwarding servers are legit and hands them to Spamassassin.


It would be nice if anyone can spot a pattern that would allow SpamAssassin to 
catch these even if the MTA checks fail.  I have been looking and found nothing 
so far.


In case more examples will help...here are a few that were forwarded to me:

http://people.ironicdesign.com/adorman/spam1
http://people.ironicdesign.com/adorman/spam2
http://people.ironicdesign.com/adorman/spam3
http://people.ironicdesign.com/adorman/spam4
http://people.ironicdesign.com/adorman/spam5
http://people.ironicdesign.com/adorman/spam6

And no worries if this group can not find a pattern to check for.  Sometimes the 
ONLY way to catch a spam is to deal with it based on the MTA sender characteristics.


--
Andy Dorman
Ironic Design, Inc.
AnteSpam.com, HomeFreeMail.com, ComeHome.net


Re: new spam image with random body message

2009-06-17 Thread Martin Gregorie
On Wed, 2009-06-17 at 18:02 +0300, Ibrahim Harrani wrote:
> http://pastebin.com/m6a027715
> http://pastebin.com/d2c94dba0
> http://pastebin.com/m21c9df0
> http://pastebin.com/m775253b7

These all have three things in common:

- the MIME type of the image attachment doesn't match the attached image
  file. A rule for trapping that (image type mismatch) was published
  here recently.

- all three have deliberate misspellings on the subject and text body.
  A discussion about this (bad teens) has just ended here.

- one of the Received: headers says 'from unknown', but note that my
  domain host generates this, so it's not an infallible mark of spam 
  and should probably be scored low and used only as a component of
  meta rules

Personally, I'd use small to moderate (0.5 - 1.5) scores for rules
matching the first two points, add a meta rule to boost the score if
both these rules fire, and ignore the third point because IME it is not
a spam indicator, but of course ymmv.


Martin


 




Re: new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hi,

http://pastebin.com/m6a027715
http://pastebin.com/d2c94dba0
http://pastebin.com/m21c9df0
http://pastebin.com/m775253b7

Let me know if these are not enough.

Thanks.



On Wed, Jun 17, 2009 at 3:15 PM, Steeve McCauley wrote:
> Copy the full message (headers and body) to pastebin.com and
> send the link to the list.
>
> On Wed, Jun 17, 2009 at 01:51:02PM +0300, Ibrahim Harrani wrote:
>> Hi,
>>
>> Here is the full header.
>>
>> Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74) by 0
>> with SMTP; 16 Jun 2009 10:06:24 -
>> Message-ID: <643596679...@hirogin.co.jp>
>> MIME-Version: 1.0
>> Subject: Christian sex - What Are Goood Christian sex Pradctices?
>> Date: Tue, 16 Jun 2009 10:06:16 -0200 (WET)
>> From: "Igel" 
>> Content-Type: 
>> multipart/mixed;boundary="---ON36q632-Md30Wdyv7vW6e0a8_12451466544631"
>> To: u...@mydomain.com
>> X-Antivirus: avast! (VPS 090615-0, 15/06/2009), Outbound message
>> X-Antivirus-Status: Clean
>>
>>
>> -ON36q632-Md30Wdyv7vW6e0a8_12451466544631
>> Content-Type: text/plain; charset=UTF-8
>> Content-Transfer-Encoding: 7bit
>>
>> Blfack Holes Agre 'Green,' X-Ray Study Says
>> -ON36q632-Md30Wdyv7vW6e0a8_12451466544631
>> Content-Type: image/jpg; name=harbourage.jpg
>> Content-transfer-encoding: base64
>> Content-Disposition: attachment; filename=harbourage.jpg
>>
>> 2009/6/17 Paweł Tęcza :
>> > Ibrahim Harrani writes:
>> >> Do you have any solution about this kind of spams?
>> >
>> > Hello Ibrahim,
>> >
>> > Could you please show me the Content-* headers of image attachment?
>> > Did you send all headers of that spam in your previous post?
>> >
>> > I have some success with fighting that spam I called "BAD GOOD PENIS",
>> > but I can see that it evolves, so my rules should be improved too.
>> >
>> > My best regards,
>> >
>> > Pawel
>> >
>
> --
> Steeve McCauley                                      ste...@oneguycoding.com
> :wq                                                  http://oneguycoding.com
> "An intellectual is someone whose mind watches itself"
> - Albert Camus
>


Re: new spam image with random body message

2009-06-17 Thread Steve Freegard
Steve Freegard wrote:
> Normally I wouldn't post these rules here; but I'm interested to see how
> long before this rule gets rendered useless by the botmaster that's
> sending these.

/me waves at the botmaster; that *was* fast - but you still suck



Re: new spam image with random body message

2009-06-17 Thread Martin Gregorie
On Wed, 2009-06-17 at 14:50 +0200, Paweł Tęcza wrote:
> Sorry, but it's not academic, because we are not talking only about spam
> messages received by Ibrahim. It's discussion about "BAD GOOD PENIS"
> spam at all. I agree that Subject header for that spams often includes
> sex-related words, but it's not a rule. For example, I received the
> spams with the following subject:
> 
> Adultery: Probllems, People, and Pvain
> How to Esialy Find a 'Friend with Benefits'
> Boyfriend Hucnting: Where tjhe Men Are
> Kissjing Meets Your Pleasure Nseeds
> 
On the other hand those subjects ALL contain deliberately misspelt
words. In addition, the message Jeremy Morton just put in pastebin trips
the recently published IMAGE_MISMATCH rule (actual image type doesn't
match its MIME header type), so if you were running similar rules that
may have raised the score enough. I have these scored at 1.0 and 1.5
respectively.

Martin






Re: new spam image with random body message

2009-06-17 Thread Steve Freegard
Paweł Tęcza wrote:
> Also a lot of spams I received have good reverse IP address. We use
> greylisting for our mail system, but we still receive that spam.
> 
> Maybe that IP address above has been noted on popular RBL lists, but the
> spammers still use new infected machines, so they can leave RBLed hosts.
> So I would like to find better solution for fighting that spam than only
> using RBLs.

I don't really agree with you; RBLs like the Spamhaus PBL and SORBS DUHL
list hosts dynamic/consumer IP ranges that should not be connecting
directly to port 25 and these are precisely the hosts that are sending
this spam; using the PBL myself and that kills 99.99% of these spams
cheaply without requiring the more expensive SA checks.

And this rule kills any that get relayed or are from infected hosts not
listed in the PBL:

# Image spam
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader  __ANY_IMAGE_ATTACH  Content-Type =~ /image\/\w+/i
endif
header      __FSL_BOGUS_TZ      Date =~ /\s-0200\s\(\S+\)$/
meta        FSL_IMAGE_SPAM1     (__ANY_IMAGE_ATTACH && __FSL_BOGUS_TZ)
score       FSL_IMAGE_SPAM1     5.0

Note: requires that you have the MIMEHeader plug-in enabled.

Normally I wouldn't post these rules here; but I'm interested to see how
long before this rule gets rendered useless by the botmaster that's
sending these.

Regards,
Steve.
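Steve's FSL_IMAGE_SPAM1 meta rule above, together with the image-type mismatch check Martin Gregorie mentions earlier in the thread (declared Content-Type versus the bytes actually attached), re-implemented in Python as an added example so the logic can be exercised offline; this is not code from the thread or from SpamAssassin. The sub-rules use the same regexes as the local.cf snippet; the magic-byte table, the sample addresses and the shortened boundary string are assumptions, and the sample message headers follow the spam Ibrahim Harrani pasted in this thread.

```python
import base64
import email
import re
from email.message import Message

# Steve Freegard's two sub-rules, same patterns as the local.cf snippet.
IMAGE_CT_RE = re.compile(r"image/\w+", re.IGNORECASE)   # mimeheader __ANY_IMAGE_ATTACH
BOGUS_TZ_RE = re.compile(r"\s-0200\s\(\S+\)$")          # header __FSL_BOGUS_TZ
FSL_IMAGE_SPAM1_SCORE = 5.0
# Martin runs the mismatch rule at 1.5; the magic-byte table below is an assumption.
IMAGE_MISMATCH_SCORE = 1.5
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"GIF87a", "gif"), (b"GIF89a", "gif")]
SUBTYPE_ALIASES = {"jpg": "jpeg", "pjpeg": "jpeg"}


def sniff_image_type(data: bytes):
    """Identify an image by its leading bytes; None when no known magic matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def any_image_attach(msg: Message) -> bool:
    # mimeheader checks the Content-Type header of every MIME part, not only the top one.
    return any(IMAGE_CT_RE.search(part.get("Content-Type", "")) for part in msg.walk())


def bogus_tz(msg: Message) -> bool:
    # Date ending in "-0200 (WET)" style: a numeric offset followed by a bracketed zone name.
    return bool(BOGUS_TZ_RE.search(msg.get("Date", "")))


def image_mismatch(msg: Message) -> bool:
    """True when a part declares image/<x> but its decoded bytes carry another format's magic."""
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        declared = part.get_content_subtype().lower()
        declared = SUBTYPE_ALIASES.get(declared, declared)
        actual = sniff_image_type(part.get_payload(decode=True) or b"")
        if actual is not None and actual != declared:
            return True
    return False


def score_message(raw: bytes) -> dict:
    """Return {rule: score} for the rules that fire. The legacy (compat32) parser is used
    on purpose: it hands back the Date header verbatim, so the "(WET)" suffix survives."""
    msg = email.message_from_bytes(raw)
    hits = {}
    if any_image_attach(msg) and bogus_tz(msg):   # meta FSL_IMAGE_SPAM1
        hits["FSL_IMAGE_SPAM1"] = FSL_IMAGE_SPAM1_SCORE
    if image_mismatch(msg):
        hits["IMAGE_MISMATCH"] = IMAGE_MISMATCH_SCORE
    return hits


# Constructed sample data: the Date value is the one from the pasted spam, the "images"
# are just format magic bytes.
SPAM_DATE = "Tue, 16 Jun 2009 10:06:16 -0200 (WET)"
HAM_DATE = "Tue, 16 Jun 2009 12:06:16 +0000"
GIF_BYTES = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def build_sample(date: str, declared_type: str, image: bytes) -> bytes:
    """Build a two-part message shaped like the pasted spam (addresses and boundary replaced)."""
    b64 = base64.b64encode(image).decode("ascii")
    return (
        "Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74) by mx.example.invalid with SMTP\r\n"
        f"Date: {date}\r\n"
        "From: \"Igel\" <igel@example.invalid>\r\n"
        "To: user@example.invalid\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: multipart/mixed; boundary=\"ON36q632\"\r\n"
        "\r\n"
        "--ON36q632\r\n"
        "Content-Type: text/plain; charset=UTF-8\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "Blfack Holes Agre 'Green,' X-Ray Study Says\r\n"
        "--ON36q632\r\n"
        f"Content-Type: {declared_type}; name=harbourage.jpg\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Disposition: attachment; filename=harbourage.jpg\r\n"
        "\r\n"
        f"{b64}\r\n"
        "--ON36q632--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print("spam:", score_message(build_sample(SPAM_DATE, "image/jpg", GIF_BYTES)))
    print("ham: ", score_message(build_sample(HAM_DATE, "image/jpeg", JPEG_BYTES)))
```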



Re: new spam image with random body message

2009-06-17 Thread Matus UHLAR - fantomas
On 17.06.09 13:48, rich...@buzzhost.co.uk wrote:
> But there are certain words you would never expect to see in the
> subjects of legitimate mail none the less unless you often get mail with
> words like 'Orgasms' in it :-) If you do, please *share* your friends
> with us all!

The often cited point on spam filtering is, that words you usually don't see
in mail may the others see often. For example, while you may not need
viagra, a m.d. can use if very often. The same applies to words "orgasms"
and many others - people may exchange anything in their private
communication and you may not to know about it.

That is why solutions like spamassassin exist and that is also why SA people
don't like poison pill rules.

> Seriously, the RBL's would have killed this, the missing hostname, the
> hint that it is a 'user' ip connecting (not a legit mail server), the
> key words - all could have been used by the MTA to drop this message on
> the floor without troubling SA to scan it. Looking at the content of the
> mail is the last resort - if it's got that far in to your system, the
> spammer wins

While connecting IP and its DNS name is known before the mail is received,
the subject is only seen after the data phase. After the data phase,
virus and spam filters may look at the message as well as the MTA checking
the subject or the body.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory. 


Re: new spam image with random body message

2009-06-17 Thread Jeremy Morton
I'm getting a ton of these lately and they're fscking annoying.  If it 
helps at all, here's an example of one I got:

http://pastebin.com/m6670fab1

Got a positive score, but not high enough.  My SA only seems to be 
checking the Spamhaus PBL - how do I add the other blacklists to my 
scanning, that were mentioned by rich...@buzzhost?  Is there a good 
reason why a default cPanel install might not include these, like 
checking in them takes up significantly more resources?


Best regards,
Jeremy Morton (Jez)

Cory Hawkless wrote:
> The RBL is a good point, I'm only getting these when i turn off zen.spamhaus(For 
> testing)
> BUT the emails i got did NOT have sex in the subject, "How To Give Her strong Harder 
> Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More" is what i got
> 
> -Original Message-
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
> Sent: Wednesday, 17 June 2009 9:43 PM
> To: Paweł Tęcza
> Cc: users@spamassassin.apache.org
> Subject: Re: new spam image with random body message
> 
> On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
>> Ibrahim Harrani writes:
>>> Hi,
>>> 
>>> another header from another image spams.
>>> All images contain god, bad and a url with numbers.
>> 
>> The spammers are cunning... It seems that they have stopped sending spams
>> with X-Mailer: header containing something like "PHP v5.2.0" or
>> "PHP/4.4.5". Also they don't use only digits in attachment filenames.
>> So I'm afraid that my Spamassassin rules are not effective for that
>> kind of spam :(
>> 
>>> It seems that ocrad can't decode the strings in the images.
>>> FuzzyOcr version is 3.6.0
>> 
>> I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
>> file, but unfortunately FuzzyOcr didn't recognise them :(
>> 
>> Maybe someone has better idea how to fight that image spam?
>> 
>> Cheers,
>> 
>> P.
>> 
> But this is all totally academic; Why jump through all the hoops to
> block the image when the original connecting IP is showing 'unknown' in
> the hostname
> 
> Received: from unknown (HELO ognh.user.ono.com)
> 
> Is listed on piles of policy and RBL lists;
> 
> 62.57.252.74 listed in b.barracudacentral.org.
> 62.57.252.74 listed in PBL (SPAMHAUS)
> 62.57.252.74 listed in XBL NJABL
> 62.57.252.74 listed in dul.dnsbl.sorbs.net
> 62.57.252.74 listed in cbl.abuseat.org.
> 62.57.252.74 listed in bl.spamcop.net.
> 62.57.252.74 listed in no-more-funn.moensted.dk.
> 
> and has SEX twice in the subject.
> 
> Why would it ever get as far as blocking it on the content? What has
> gone so wrong it ever got that far?






RE: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 22:16 +0930, Cory Hawkless wrote: 
> The RBL is a good point, I'm only getting these when i turn off 
> zen.spamhaus(For testing)
> BUT the emails i got did NOT have sex in the subject, "How To Give Her strong 
> Harder Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More" is 
> what i got
> 
> -Original Message-
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk] 
> Sent: Wednesday, 17 June 2009 9:43 PM
> To: Paweł Tęcza
> Cc: users@spamassassin.apache.org
> Subject: Re: new spam image with random body message
> 
> On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
> > Ibrahim Harrani writes:
> > > Hi,
> > > 
> > > another header from another image spams.
> > > All images contain god, bad and a url with numbers.
> > 
> > The spammers are cunning... It seems that they have stopped sending spams
> > with X-Mailer: header containing something like "PHP v5.2.0" or
> > "PHP/4.4.5". Also they don't use only digits in attachment filenames.
> > So I'm afraid that my Spamassassin rules are not effective for that
> > kind of spam :(
> > 
> > > It seems that ocrad can't decode the strings in the images.
> > > FuzzyOcr version is 3.6.0
> > 
> > I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
> > file, but unfortunately FuzzyOcr didn't recognise them :(
> > 
> > Maybe someone has better idea how to fight that image spam?
> > 
> > Cheers,
> > 
> > P.
> > 
> But this is all totally academic; Why jump through all the hoops to
> block the image when the original connecting IP is showing 'unknown' in
> the hostname
> 
> Received: from unknown (HELO ognh.user.ono.com)
> 
> Is listed on piles of policy and RBL lists;
> 
> 62.57.252.74   listed in b.barracudacentral.org. 
> 62.57.252.74   listed in PBL (SPAMHAUS) 
> 62.57.252.74   listed in XBL NJABL 
> 62.57.252.74   listed in dul.dnsbl.sorbs.net 
> 62.57.252.74   listed in cbl.abuseat.org. 
> 62.57.252.74   listed in bl.spamcop.net. 
> 62.57.252.74   listed in no-more-funn.moensted.dk.
> 
> and has SEX twice in the subject.
> 
> Why would it ever get as far as blocking it on the content? What has
> gone so wrong it ever got that far?
> 
> 
> 
But there are certain words you would never expect to see in the
subjects of legitimate mail none the less unless you often get mail with
words like 'Orgasms' in it :-) If you do, please *share* your friends
with us all!

Seriously, the RBL's would have killed this, the missing hostname, the
hint that it is a 'user' ip connecting (not a legit mail server), the
key words - all could have been used by the MTA to drop this message on
the floor without troubling SA to scan it. Looking at the content of the
mail is the last resort - if it's got that far in to your system, the
spammer wins



RE: new spam image with random body message

2009-06-17 Thread Cory Hawkless
The RBL is a good point, I'm only getting these when i turn off zen.spamhaus(For 
testing)
BUT the emails i got did NOT have sex in the subject, "How To Give Her strong 
Harder Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More" is 
what i got

-Original Message-
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk] 
Sent: Wednesday, 17 June 2009 9:43 PM
To: Paweł Tęcza
Cc: users@spamassassin.apache.org
Subject: Re: new spam image with random body message

On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
> Ibrahim Harrani writes:
> > Hi,
> > 
> > another header from another image spams.
> > All images contain god, bad and a url with numbers.
> 
> The spammers are cunning... It seems that they have stopped sending spams
> with X-Mailer: header containing something like "PHP v5.2.0" or
> "PHP/4.4.5". Also they don't use only digits in attachment filenames.
> So I'm afraid that my Spamassassin rules are not effective for that
> kind of spam :(
> 
> > It seems that ocrad can't decode the strings in the images.
> > FuzzyOcr version is 3.6.0
> 
> I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
> file, but unfortunately FuzzyOcr didn't recognise them :(
> 
> Maybe someone has better idea how to fight that image spam?
> 
> Cheers,
> 
> P.
> 
But this is all totally academic; Why jump through all the hoops to
block the image when the original connecting IP is showing 'unknown' in
the hostname

Received: from unknown (HELO ognh.user.ono.com)

Is listed on piles of policy and RBL lists;

62.57.252.74 listed in b.barracudacentral.org. 
62.57.252.74 listed in PBL (SPAMHAUS) 
62.57.252.74 listed in XBL NJABL 
62.57.252.74 listed in dul.dnsbl.sorbs.net 
62.57.252.74 listed in cbl.abuseat.org. 
62.57.252.74 listed in bl.spamcop.net. 
62.57.252.74 listed in no-more-funn.moensted.dk.

and has SEX twice in the subject.

Why would it ever get as far as blocking it on the content? What has
gone so wrong it ever got that far?





Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
> Ibrahim Harrani wrote:
> > Hi,
> > 
> > another header from another image spam.
> > All images contain good, bad and a URL with numbers.
> 
> The spammers are cunning... It seems that they have stopped sending spam
> with an X-Mailer: header containing something like "PHP v5.2.0" or
> "PHP/4.4.5". Also they don't use only digits in attachment filenames.
> So I'm afraid that my SpamAssassin rules are not effective for that
> kind of spam :(
> 
> > It seems that ocrad can't decode the strings in the images.
> > FuzzyOcr version is 3.6.0
> 
> I've added "BAD", "GOOD" and an example domain name to my FuzzyOcr word
> file, but unfortunately FuzzyOcr didn't recognise them :(
> 
> Maybe someone has better idea how to fight that image spam?
> 
> Cheers,
> 
> P.
> 
But this is all totally academic; why jump through all the hoops to
block the image when the original connecting IP is showing 'unknown' in
the hostname

Received: from unknown (HELO ognh.user.ono.com)

Is listed on piles of policy and RBL lists;

62.57.252.74 listed in b.barracudacentral.org. 
62.57.252.74 listed in PBL (SPAMHAUS) 
62.57.252.74 listed in XBL NJABL 
62.57.252.74 listed in dul.dnsbl.sorbs.net 
62.57.252.74 listed in cbl.abuseat.org. 
62.57.252.74 listed in bl.spamcop.net. 
62.57.252.74 listed in no-more-funn.moensted.dk.

and has SEX twice in the subject.

Why would it ever get as far as blocking it on the content? What has
gone so wrong it ever got that far?
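As an added illustration of the point made above (this is not code from the thread, from SpamAssassin or from any MTA), the three pre-content signals named in the message, evaluated on the quoted Received line: no reverse DNS, a HELO that names an end-user host, and reversed-octet DNSBL lookups. The end-user hostname labels, the DNSBL answers and the two-signal policy are constructed assumptions, and the resolver is a dictionary standing in for real DNS so the block runs offline.

```python
import ipaddress
import re

# Constructed sample input: the Received line quoted in the thread, with the
# truncated timezone filled in as "-0000" only to make the sample complete.
RECEIVED_SPAM = ("Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74) "
                 "by 0 with SMTP; 16 Jun 2009 10:06:24 -0000")
# Constructed counter-example: rDNS and HELO agree, address listed nowhere.
RECEIVED_LEGIT = ("Received: from mail.example.org (HELO mail.example.org) "
                  "(192.0.2.10) by 0 with SMTP; 16 Jun 2009 10:07:00 -0000")

# Received format seen in the thread: "from <rdns-or-unknown> (HELO <helo>) (<ipv4>)"
RECEIVED_RE = re.compile(r"from (\S+) \(HELO (\S+)\) \((\d{1,3}(?:\.\d{1,3}){3})\)")

# Assumption: hostname labels a site treats as marking an end-user address;
# "user" mirrors the HELO seen in the thread.
DYNAMIC_LABELS = {"user", "dsl", "dyn", "dynamic", "pool", "ppp"}

# Zones named in the thread; which of them answer here is a constructed assumption.
ZONES = ("bl.spamcop.net", "cbl.abuseat.org", "dul.dnsbl.sorbs.net")
CONSTRUCTED_ANSWERS = {
    "74.252.57.62.bl.spamcop.net": "127.0.0.2",
    "74.252.57.62.cbl.abuseat.org": "127.0.0.2",
}

def parse_received(line):
    """Extract the rDNS result, HELO name and connecting IP from a Received line."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    rdns, helo, ip = m.groups()
    return {"rdns": rdns.lower(), "helo": helo.lower(), "ip": ip}

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 62.57.252.74 -> 74.252.57.62.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(conn, zones=ZONES, resolve=CONSTRUCTED_ANSWERS.get):
    """Return (reasons, reject). resolve(name) yields the A record or None;
    DNSBLs answer inside 127.0.0.0/8 when the address is listed."""
    reasons = []
    if conn["rdns"] == "unknown":
        reasons.append("no reverse DNS for connecting IP")
    if DYNAMIC_LABELS & set(conn["helo"].split(".")):
        reasons.append("HELO names an end-user host: " + conn["helo"])
    for zone in zones:
        answer = resolve(dnsbl_query_name(conn["ip"], zone))
        if answer and answer.startswith("127."):
            reasons.append("listed in " + zone)
    # Policy (assumption): two independent signals are enough to refuse the
    # message at SMTP time, so the content scanner never has to see it.
    return reasons, len(reasons) >= 2
```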




Re: new spam image with random body message

2009-06-17 Thread Paweł Tęcza
Ibrahim Harrani wrote:
> Hi,
> 
> another header from another image spam.
> All images contain good, bad and a URL with numbers.

The spammers are cunning... It seems that they have stopped sending spam
with an X-Mailer: header containing something like "PHP v5.2.0" or
"PHP/4.4.5". Also they don't use only digits in attachment filenames.
So I'm afraid that my SpamAssassin rules are not effective for that
kind of spam :(

> It seems that ocrad can't decode the strings in the images.
> FuzzyOcr version is 3.6.0

I've added "BAD", "GOOD" and an example domain name to my FuzzyOcr word
file, but unfortunately FuzzyOcr didn't recognise them :(

Maybe someone has better idea how to fight that image spam?

Cheers,

P.



Re: new spam image with random body message

2009-06-17 Thread Anthony Peacock

Hi,

Before someone else says it: it would be much better if you put a 
complete copy of these samples on a website (pastebin or somesuch) for 
people here to download. Snatches of headers and standalone images do 
not provide a proper example for people to run through their own setups. 
The full, unedited original email is the only usable example.


Ibrahim Harrani wrote:

Hi,

another header from another image spam.
All images contain good, bad and a URL with numbers.

spam header 1

Received: from unknown (HELO zkjg.proxad.net) (88.176.40.137) by 0
with SMTP; 16 Jun 2009 17:06:08 -
From: Mrkvicka Coutee 
Date: Tue, 16 Jun 2009 17:06:00 -0200 (G)
To: u...@mydomain.com
MIME-Version: 1.0
Subject: How too Give Her a Mind Blowwing Foreplay and Make Her
Achieve Multiple Orgasms Several Times
Message-ID: <23665e9707392e5f7bea0...@ghide.plus.com>
Content-Type: 
multipart/mixed;boundary="2F42CCE68412108733DC041115017579B"
X-Antivirus: avast! (VPS 090615-0, 15/06/2009), Outbound message
X-Antivirus-Status: Clean


--2F42CCE68412108733DC041115017579B
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Cloud Arrrt
--2F42CCE68412108733DC041115017579B
Content-Type: image/jpg; name=fermenting.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=fermenting.jpg


spam header 2


Received: from unknown (HELO vhnwrl.telecomitalia.it) (82.105.116.141)
by 0 with SMTP; 17 Jun 2009 03:25:14 -
Subject: Fellatio Poositions - 3 Fellatio Positions to Make Ylour Guy Goes Crazy
Date: Wed, 17 Jun 2009 03:23:45 -0200 (WDT)
To: us...@mydomain.com
Content-Type: multipart/mixed;boundary="QDmrufsRgxcrA4K13576430733h3xErY6Onu"
MIME-Version: 1.0
Message-ID: 
From: Kotrba


--QDmrufsRgxcrA4K13576430733h3xErY6Onu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

China busticng out off bras
--QDmrufsRgxcrA4K13576430733h3xErY6Onu
Content-Type: image/jpg; name=lieve.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=lieve.jpg

spam header 3:

Received: from unknown (HELO xbasrka.user.ono.com) (84.123.118.68) by
0 with SMTP; 16 Jun 2009 10:58:34 -
Subject: AA Gpood Relationship Starts With You
From: "Bruess Lindler" 
Content-Type: 
multipart/mixed;boundary="--5954_AvQXOLyDSVSPGNgxyhgz3xm"
To: i...@mydomain.com
Date: Tue, 16 Jun 2009 10:58:36 -0200 (HNP)
MIME-Version: 1.0
Message-ID: <3e1ffc6e6851394f_eide...@soboba.net>

5954_AvQXOLyDSVSPGNgxyhgz3xm
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Ben Franklin, Betsy Ross actors wced inn Philly
5954_AvQXOLyDSVSPGNgxyhgz3xm
Content-Type: image/jpg; name=detonators.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=detonators.jpg


It seems that ocrad can't decode the strings in the images.
FuzzyOcr version is 3.6.0


58] info: FuzzyOcr: Scanset Order: ocrad(0) ocrad-invert(0)
ocrad-decolorize-invert(0) ocrad-decolorize(0) gocr(0) gocr-180(0)
[69976] dbg: FuzzyOcr: Exec : /usr/local/bin/ocrad -s5
/tmp/.spamassassin699580vzBYdtmp/amdahl.jpg.pnm
[69958] dbg: FuzzyOcr: Saved pid: 69976
[69976] dbg: FuzzyOcr: Stdout:

/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad.out

[69976] dbg: FuzzyOcr: Stderr:

/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad.err

[69958] dbg: FuzzyOcr: Elapsed [69976]: 0.242362 sec.
(/usr/local/bin/ocrad: exit 0)
[69958] dbg: FuzzyOcr: ocrdata=>><<=end
[69958] dbg: FuzzyOcr: Not enough OCR Hits without space stripping,
doing second matching pass...
[69958] dbg: FuzzyOcr: Saved pid: 69977
[69977] dbg: FuzzyOcr: Exec : /usr/local/bin/ocrad -s5 -i
/tmp/.spamassassin699580vzBYdtmp/amdahl.jpg.pnm
[69977] dbg: FuzzyOcr: Stdout:

/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad-invert.out

[69977] dbg: FuzzyOcr: Stderr:

/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad-invert.err

[69958] dbg: FuzzyOcr: Elapsed [69977]: 0.333053 sec.
(/usr/local/bin/ocrad: exit 0)
[69958] dbg: FuzzyOcr: ocrdata=>>_ . /

Re: new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hi,

another header from another image spam.
All images contain good, bad and a URL with numbers.

spam header 1

Received: from unknown (HELO zkjg.proxad.net) (88.176.40.137) by 0
with SMTP; 16 Jun 2009 17:06:08 -
From: Mrkvicka Coutee 
Date: Tue, 16 Jun 2009 17:06:00 -0200 (G)
To: u...@mydomain.com
MIME-Version: 1.0
Subject: How too Give Her a Mind Blowwing Foreplay and Make Her
Achieve Multiple Orgasms Several Times
Message-ID: <23665e9707392e5f7bea0...@ghide.plus.com>
Content-Type: 
multipart/mixed;boundary="2F42CCE68412108733DC041115017579B"
X-Antivirus: avast! (VPS 090615-0, 15/06/2009), Outbound message
X-Antivirus-Status: Clean


--2F42CCE68412108733DC041115017579B
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Cloud Arrrt
--2F42CCE68412108733DC041115017579B
Content-Type: image/jpg; name=fermenting.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=fermenting.jpg


spam header 2


Received: from unknown (HELO vhnwrl.telecomitalia.it) (82.105.116.141)
by 0 with SMTP; 17 Jun 2009 03:25:14 -
Subject: Fellatio Poositions - 3 Fellatio Positions to Make Ylour Guy Goes Crazy
Date: Wed, 17 Jun 2009 03:23:45 -0200 (WDT)
To: us...@mydomain.com
Content-Type: multipart/mixed;boundary="QDmrufsRgxcrA4K13576430733h3xErY6Onu"
MIME-Version: 1.0
Message-ID: 
From: Kotrba


--QDmrufsRgxcrA4K13576430733h3xErY6Onu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

China busticng out off bras
--QDmrufsRgxcrA4K13576430733h3xErY6Onu
Content-Type: image/jpg; name=lieve.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=lieve.jpg

spam header 3:

Received: from unknown (HELO xbasrka.user.ono.com) (84.123.118.68) by
0 with SMTP; 16 Jun 2009 10:58:34 -
Subject: AA Gpood Relationship Starts With You
From: "Bruess Lindler" 
Content-Type: 
multipart/mixed;boundary="--5954_AvQXOLyDSVSPGNgxyhgz3xm"
To: i...@mydomain.com
Date: Tue, 16 Jun 2009 10:58:36 -0200 (HNP)
MIME-Version: 1.0
Message-ID: <3e1ffc6e6851394f_eide...@soboba.net>

5954_AvQXOLyDSVSPGNgxyhgz3xm
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Ben Franklin, Betsy Ross actors wced inn Philly
5954_AvQXOLyDSVSPGNgxyhgz3xm
Content-Type: image/jpg; name=detonators.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=detonators.jpg


It seems that ocrad can't decode the strings in the images.
FuzzyOcr version is 3.6.0


58] info: FuzzyOcr: Scanset Order: ocrad(0) ocrad-invert(0)
ocrad-decolorize-invert(0) ocrad-decolorize(0) gocr(0) gocr-180(0)
[69976] dbg: FuzzyOcr: Exec : /usr/local/bin/ocrad -s5
/tmp/.spamassassin699580vzBYdtmp/amdahl.jpg.pnm
[69958] dbg: FuzzyOcr: Saved pid: 69976
[69976] dbg: FuzzyOcr: Stdout:
>/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad.out
[69976] dbg: FuzzyOcr: Stderr:
>/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad.err
[69958] dbg: FuzzyOcr: Elapsed [69976]: 0.242362 sec.
(/usr/local/bin/ocrad: exit 0)
[69958] dbg: FuzzyOcr: ocrdata=>><<=end
[69958] dbg: FuzzyOcr: Not enough OCR Hits without space stripping,
doing second matching pass...
[69958] dbg: FuzzyOcr: Saved pid: 69977
[69977] dbg: FuzzyOcr: Exec : /usr/local/bin/ocrad -s5 -i
/tmp/.spamassassin699580vzBYdtmp/amdahl.jpg.pnm
[69977] dbg: FuzzyOcr: Stdout:
>/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad-invert.out
[69977] dbg: FuzzyOcr: Stderr:
>/tmp/.spamassassin699580vzBYdtmp/scanset.ocrad-invert.err
[69958] dbg: FuzzyOcr: Elapsed [69977]: 0.333053 sec.
(/usr/local/bin/ocrad: exit 0)
[69958] dbg: FuzzyOcr: ocrdata=>>_ . /

Re: new spam image with random body message

2009-06-17 Thread Ibrahim Harrani
Hi,

Here is the full header.

Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74) by 0
with SMTP; 16 Jun 2009 10:06:24 -
Message-ID: <643596679...@hirogin.co.jp>
MIME-Version: 1.0
Subject: Christian sex - What Are Goood Christian sex Pradctices?
Date: Tue, 16 Jun 2009 10:06:16 -0200 (WET)
From: "Igel" 
Content-Type: 
multipart/mixed;boundary="---ON36q632-Md30Wdyv7vW6e0a8_12451466544631"
To: u...@mydomain.com
X-Antivirus: avast! (VPS 090615-0, 15/06/2009), Outbound message
X-Antivirus-Status: Clean


-ON36q632-Md30Wdyv7vW6e0a8_12451466544631
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Blfack Holes Agre 'Green,' X-Ray Study Says
-ON36q632-Md30Wdyv7vW6e0a8_12451466544631
Content-Type: image/jpg; name=harbourage.jpg
Content-transfer-encoding: base64
Content-Disposition: attachment; filename=harbourage.jpg

2009/6/17 Paweł Tęcza :
> Ibrahim Harrani wrote:
>> Do you have any solution for this kind of spam?
>
> Hello Ibrahim,
>
> Could you please show me the Content-* headers of image attachment?
> Did you send all headers of that spam in your previous post?
>
> I have some success with fighting that spam I called "BAD GOOD PENIS",
> but I can see that it evolves, so my rules should be improved too.
>
> My best regards,
>
> Pawel
>


Re: new spam image with random body message

2009-06-17 Thread Paweł Tęcza
Ibrahim Harrani wrote:
> Do you have any solution for this kind of spam?

Hello Ibrahim,

Could you please show me the Content-* headers of image attachment?
Did you send all headers of that spam in your previous post?

I have some success with fighting that spam I called "BAD GOOD PENIS",
but I can see that it evolves, so my rules should be improved too.

My best regards,

Pawel


RE: new spam image with random body message

2009-06-17 Thread Cory Hawkless
I got the exact same results on a similar email last week; the image was
subtly different in that the penises were smaller and in the top right
corner of the image, suggesting that the sender is creating a number of
different images to avoid detection?
I'm reasonably new to this game; can any of you pros give any clues as to
how we can go about blocking such a campaign?


-Original Message-
From: Ibrahim Harrani [mailto:ibrahim.harr...@gmail.com] 
Sent: Wednesday, 17 June 2009 3:37 PM
To: users@spamassassin.apache.org
Subject: new spam image with random body message

Hello,

Recently I have been getting image spam like the following.
You can also find the spam image attached.

spamd gives a negative score for this kind of mail.
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.mydomain.com
X-Spam-Level:
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,
DCC_CHECK,RDNS_NONE autolearn=no version=3.2.4



From: Igel 
To: u...@mydomain.com
CC:
Date: Tuesday, June 16, 2009, 3:06:16 PM
Subject: Christian sex - What Are Goood Christian sex Pradctices?


Blfack Holes Agre 'Green,' X-Ray Study Says
---

Do you have any solution for this kind of spam?

Thanks.



new spam image with random body message

2009-06-16 Thread Ibrahim Harrani
Hello,

Recently I have been getting image spam like the following.
You can also find the spam image attached.

spamd gives a negative score for this kind of mail.
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mail.mydomain.com
X-Spam-Level:
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,
DCC_CHECK,RDNS_NONE autolearn=no version=3.2.4



From: Igel 
To: u...@mydomain.com
CC:
Date: Tuesday, June 16, 2009, 3:06:16 PM
Subject: Christian sex - What Are Goood Christian sex Pradctices?


Blfack Holes Agre 'Green,' X-Ray Study Says
---

Do you have any solution for this kind of spam?

Thanks.