I finally got one of these boogers above a 7 so I had the raw in my trap.
Take a look at this raw mbox email and why SA rules don't hit. The MUA
decodes the email and shows the spam when read. After the ************* is
what the decoded base64 looks like. Headers don't matter. I've looked at
them all. No pattern, always different, either DSL or open relay. Don't tell
me to use an RBL or I'll send the tree ents after you!!! (Guess what movie I
watched last night?) ;)

Message-ID: <[EMAIL PROTECTED]>
From: "Young Duncan" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: *****SPAM***** Is that you?
Date: Thu, 28 Aug 2003 15:05:22 +0000
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.0.6859.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0BDE_629EF834.8B0CC358"
X-Spam-Status: Yes, hits=6.8 required=5.0
        tests=BASE64_ENC_TEXT,MAY_BE_FORGED,MIME_HTML_NO_CHARSET,MY_DSL,
              MY_MESSAGEID,SPAM_PHRASE_02_03,UPPERCASE_25_50
        version=2.43
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
X-Spam-Report:   6.80 hits, 5 required;
  *  2.0 -- Contains likely dsl address in header
  *  0.6 -- Outlook header type used by spammer. Testing for Meta with
BASE64.
  *  0.0 -- 'Received:' has 'may be forged' warning
  *  0.8 -- BODY: Spam phrases score is 02 to 03 (medium)
            [score: 2]
  *  1.4 -- RAW: Message text disguised using base-64 encoding
  *  0.7 -- RAW: Message text in HTML without specified charset
  *  1.3 -- message body is 25-50% uppercase

This is a multi-part message in MIME format.

------=_NextPart_000_0BDE_629EF834.8B0CC358
Content-Type: text/plain
Content-Transfer-Encoding: 8bit




------=_NextPart_000_0BDE_629EF834.8B0CC358
Content-Type: text/html
Content-Transfer-Encoding: base64
------=_NextPart_000_0BDE_629EF834.8B0CC358--




***** Decoded base64 looks like: ************


  
 <html>         
                <BODY BGCOLOR=#ffffff>  
                <KZEN><p align="center">ru50oc1j3jp8ursk0p116f3<br>
<a href="*http:/internet-generic-pharmacy.com/remove">REMOVE
ME NOW PLEASE</a><br> 
<a
href="http://wWW.LibiDO-HeALTH.NET/af%66i%6C/n%6D/?i%64=34";><W><ZUG><KJ><img
src="http://ImG.lIBIDo-HEALtH.NEt/n%6D/%6E%6d%2D%69%6d%67.%6Ap%67";
border=0></a>
<br>0ecv5hvd44j1<br>fbbd7i48jbn12</p> 
                        </BODY></HTML>  

But SA never sees that code. 
So now we have a good example. How do we fight it? The pic.gif spam is
similar but different. :) Any legit mailer send this way?

Please, if you have something similar, I really want to look at the raw
code. I'm curious as to how the base64 code compares.  Particularly the very
first line of the base64 code. 


Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk