I finally got one of these boogers above a 7, so I had the raw in my trap. Take a look at this raw mbox email and why SA rules don't hit. The MUA decodes the email and shows the spam when read. After the ************* is what the decoded base64 looks like. Headers don't matter; I've looked at them all. No pattern, always different, either DSL or open relay. Don't tell me to use an RBL or I'll send the tree ents after you!!! (Guess what movie I watched last night?) ;)
Message-ID: <[EMAIL PROTECTED]>
From: "Young Duncan" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: *****SPAM***** Is that you?
Date: Thu, 28 Aug 2003 15:05:22 +0000
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.0.6859.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0BDE_629EF834.8B0CC358"
X-Spam-Status: Yes, hits=6.8 required=5.0
	tests=BASE64_ENC_TEXT,MAY_BE_FORGED,MIME_HTML_NO_CHARSET,MY_DSL,
	MY_MESSAGEID,SPAM_PHRASE_02_03,UPPERCASE_25_50
	version=2.43
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
X-Spam-Report: 6.80 hits, 5 required;
	*  2.0 -- Contains likely dsl address in header
	*  0.6 -- Outlook header type used by spammer. Testing for Meta with BASE64.
	*  0.0 -- 'Received:' has 'may be forged' warning
	*  0.8 -- BODY: Spam phrases score is 02 to 03 (medium)
	          [score: 2]
	*  1.4 -- RAW: Message text disguised using base-64 encoding
	*  0.7 -- RAW: Message text in HTML without specified charset
	*  1.3 -- message body is 25-50% uppercase

This is a multi-part message in MIME format.

------=_NextPart_000_0BDE_629EF834.8B0CC358
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

------=_NextPart_000_0BDE_629EF834.8B0CC358
Content-Type: text/html
Content-Transfer-Encoding: base64

DQogIA0KIDxodG1sPgkJDQoJ
CTxLWkVOPjxwIGFsaWduPSJjZW50ZXIiPnJ1NTBvYzFqM2pwOHVyc2swcDEx
NmYzPGJyPg0KPGEgaHJlZj0iKmh0dHA6L2ludGVybmV0LWdlbmVyaWMtcGhh
cm1hY3kuY29tL3JlbW92ZSI+UkVNT1ZFDQpNRSBOT1cgUExFQVNFPC9hPjxi
cj4gDQo8YSBocmVmPSJodHRwOi8vd1dXLkxpYmlETy1IZUFMVEguTkVUL2Fm
JTY2aSU2Qy9uJTZELz9pJTY0PTM0Ij48Vz48WlVHPjxLSj48aW1nIHNyYz0i
aHR0cDovL0ltRy5sSUJJRG8tSEVBTHRILk5FdC9uJTZELyU2RSU2ZCUyRCU2
OSU2ZCU2Ny4lNkFwJTY3IiBib3JkZXI9MD48L2E+DQo8YnI+MGVjdjVodmQ0
NGoxPGJyPmZiYmQ3aTQ4amJuMTI8L3A+IA0KCQkJPC9CT0RZPjwvSFRNTD4J

------=_NextPart_000_0BDE_629EF834.8B0CC358--

***** Decoded base64 looks like: ************

<html>
<BODY BGCOLOR=#ffffff>
<KZEN><p align="center">ru50oc1j3jp8ursk0p116f3<br>
<a href="*http:/internet-generic-pharmacy.com/remove">REMOVE
ME NOW PLEASE</a><br>
<a href="http://wWW.LibiDO-HeALTH.NET/af%66i%6C/n%6D/?i%64=34"><W><ZUG><KJ><img src="http://ImG.lIBIDo-HEALtH.NEt/n%6D/%6E%6d%2D%69%6d%67.%6Ap%67" border=0></a>
<br>0ecv5hvd44j1<br>fbbd7i48jbn12</p>
</BODY></HTML>

But SA never sees that code. So now we have a good example. How do we fight it? The pic.gif spam is similar but different. :)

Any legit mailer send this way?

Please, if you have something similar, I really want to look at the raw code. I'm curious as to how the base64 code compares, particularly the very first line of the base64 code.

Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

"A little nonsense now and then, is relished by the wisest men." - Willy Wonka
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
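Added example (not from Chris's post and not SpamAssassin's own code): the point of the post is that the body rules in SA 2.43 only saw the raw base64 text, while the MUA decoded it and rendered the spam. The script below does what the MUA does and then inspects the result: it walks the MIME tree, undoes the Content-Transfer-Encoding of every text/html part, pulls out each href/src, and normalizes the three obfuscations visible in the decoded body (the stray leading `*` and single slash in the first href, the MiXeD-cAsE hostnames, and the `%XX`-encoded path and query characters), and it lists tag names that are not real HTML (`<KZEN>`, `<W>`, `<ZUG>`, `<KJ>`), which a browser ignores but which are a usable signal. Assumptions: the sample message is rebuilt here from the decoded HTML shown in the post (base64-encoded on the fly, not copied from the raw lines, so that transcription errors cannot break it), the addresses are placeholders because the post redacts them, and `KNOWN_TAGS` is a small allowlist made up for the example.

```python
import base64
import re
from email import message_from_bytes
from urllib.parse import unquote

# Decoded HTML body as shown in the post (constructed copy of that text).
SPAM_HTML = (
    '<html>\r\n<BODY BGCOLOR=#ffffff>\r\n'
    '<KZEN><p align="center">ru50oc1j3jp8ursk0p116f3<br>\r\n'
    '<a href="*http:/internet-generic-pharmacy.com/remove">REMOVE\r\n'
    'ME NOW PLEASE</a><br>\r\n'
    '<a href="http://wWW.LibiDO-HeALTH.NET/af%66i%6C/n%6D/?i%64=34"><W><ZUG><KJ>'
    '<img src="http://ImG.lIBIDo-HEALtH.NEt/n%6D/%6E%6d%2D%69%6d%67.%6Ap%67" border=0></a>\r\n'
    '<br>0ecv5hvd44j1<br>fbbd7i48jbn12</p>\r\n'
    '</BODY></HTML>'
)
BOUNDARY = "----=_NextPart_000_0BDE_629EF834.8B0CC358"


def build_sample_message() -> bytes:
    """Rebuild a multipart/alternative mail shaped like the one in the post:
    an empty 8bit text/plain part, then the HTML base64-encoded, no charset.
    Addresses are placeholders (the post redacts the real ones)."""
    b64 = base64.encodebytes(SPAM_HTML.encode("latin-1")).decode("ascii")
    return (
        'From: "Young Duncan" <sender@example.invalid>\r\n'
        "To: victim@example.invalid\r\n"
        "Subject: Is that you?\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\r\n'
        "\r\n"
        "This is a multi-part message in MIME format.\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/plain\r\n"
        "Content-Transfer-Encoding: 8bit\r\n"
        "\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/html\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{b64}"
        f"--{BOUNDARY}--\r\n"
    ).encode("ascii")


def decoded_html_parts(raw: bytes) -> list[str]:
    """Return every text/html body with its Content-Transfer-Encoding undone,
    i.e. what the MUA renders. This is the view SA's body rules never got."""
    msg = message_from_bytes(raw)
    bodies = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)  # base64/QP -> raw bytes
            bodies.append(payload.decode("latin-1"))  # no charset was declared
    return bodies


URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*([^"'\s>]+)""", re.I)
SCHEME_HOST_RE = re.compile(r"([a-z][a-z0-9+.-]*):/+([^/?#]*)(.*)", re.I | re.S)


def normalize_url(url: str) -> str:
    """Undo the obfuscations in the decoded body: leading '*', a single slash
    after the scheme, mixed-case hostnames and %XX-encoded path/query bytes."""
    url = url.lstrip("*")
    m = SCHEME_HOST_RE.match(url)
    if not m:
        return unquote(url)
    scheme, host, rest = m.groups()
    return f"{scheme.lower()}://{host.lower()}{unquote(rest)}"


def extract_urls(html: str) -> list[str]:
    """Every href/src in the decoded HTML, normalized, in document order."""
    return [normalize_url(u) for u in URL_RE.findall(html)]


# Made-up minimal allowlist; anything else is treated as a bogus noise tag.
KNOWN_TAGS = {"html", "head", "title", "body", "p", "br", "a", "img", "b", "i",
              "u", "font", "div", "span", "table", "tr", "td", "center", "hr"}
TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.I)


def unknown_tags(html: str) -> list[str]:
    """Tag names that are not real HTML; the post's body uses them to break
    up phrase matching, and a browser silently drops them."""
    return sorted({t.lower() for t in TAG_RE.findall(html)} - KNOWN_TAGS)


def analyze(raw: bytes) -> dict:
    """Decode-then-inspect pipeline over one raw message."""
    result = {"base64_html": False, "urls": [], "unknown_tags": []}
    for part in message_from_bytes(raw).walk():
        if (part.get_content_type() == "text/html"
                and part.get("Content-Transfer-Encoding", "").lower() == "base64"):
            result["base64_html"] = True
    for html in decoded_html_parts(raw):
        result["urls"].extend(extract_urls(html))
        result["unknown_tags"].extend(unknown_tags(html))
    return result


if __name__ == "__main__":
    for key, value in analyze(build_sample_message()).items():
        print(key, value)
```

After decoding, the two hidden hosts come out as `www.libido-health.net` and `img.libido-health.net`, which is the form a host-based rule or lookup would need to match on; the raw base64 line, by contrast, changes completely if the spammer shifts the body by a single byte, which is why comparing first base64 lines across samples is fragile.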