You wrote: >There is no subject and the e-mail body contains all the headers with a random >single digit number at the top.
Actually all the "headers" in the body are faked, in particular the "Received" line. Note that it does not correspond to the Received line that your MTA added to the real header. I have seen hundreds of these, and the messages vary a bit, but all of them contain this text: All the medications You Will Ever Need so you can just make a BODY rule for this if they are getting past SA. Pierre Thomson BIC -----Original Message----- From: Brian Dial [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: new spam flood of broken messages Has anyone else been getting flooded with spam that is hardly readable because it almost looks like a malformed e-mail. They're coming from a endless number of domains and all start with a string of random characters like [EMAIL PROTECTED] There is no subject and the e-mail body contains all the headers with a random single digit number at the top. Here is an example. As you can see the headers that are put in the body of the e-mail are different from the actual headers. No matter how much I seem to feed these to bayes-learn it doesn't seem to score them, probably because they're virtually unreadable. Also in their "fake" headers they have things like X-Virus-Status: Scanned by norton. We don't use norton here. Is this an attempt to fool some mail clients by faking headers? I'm using mozilla-mail. >From - Tue Mar 23 22:27:58 2004 X-UIDL: LZ<"!8cn!!R%C!!OXX"! X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: <[EMAIL PROTECTED]> Received: from cpe-66-190-159-078.hky.nc.charter.com (cpe-66-190-159-078.hky.nc.charter.com [66.190.159.78]) by zeus.rkkengineers.com (8.12.10/8.12.10/SuSE Linux 0.7) with SMTP id i2O3Kwc2006597 for <[EMAIL PROTECTED]>; Tue, 23 Mar 2004 22:21:49 -0500 Date: Tue, 23 Mar 2004 22:20:58 -0500 From: [EMAIL PROTECTED] Message-Id: <[EMAIL PROTECTED]> To: undisclosed-recipients:; X-Virus-Scanned: by amavisd-new X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on zeus.rkkengineers.com X-Spam-Status: No, hits=2.5 required=7.0 tests=BAYES_30,BIZ_TLD,HTML_MESSAGE, MSGID_FROM_MTA_SHORT,NO_REAL_NAME autolearn=no version=2.63 X-Spam-Level: ** X-UIDL: LZ<"!8cn!!R%C!!OXX"! 8 X-Message-Info: 7hhlkktd1pKQ/ebAJgflKHqWscwUYV1DAAg Received: from YC70PE37 ([10.2.202.25]) by EHNT54.chuckwalla.videotron.ca with Microsoft SMTPSVC(5.0.2195.6713); Tue, 23 Mar 2004 19:20:26 -0500 From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> 7 Subject: Fwd: Confidential. Stocks available. V1'codin.V|@[EMAIL PROTECTED] Date: Wed, 24 Mar 2004 05:19:26 +0500 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--90489521205624851446" X-Mailer: Microsoft CDO for Windows 2000 Thread-Index: FiuTY2HuKU25fs55ISlEK+ZSGP31VU73cBV== Content-Class: jnk:content-classes:message X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Virus-Status: Scanned by norton ----90489521205624851446 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable <!DOCTYPE html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www= w3.org/TR/html4/loose.dtd"> <HTML> <HEAD> <TITLE>All the medications You Will Ever Need</TITLE> </HEAD> <BODY> <p> <a href=3D"http://www.prabhums.org/knowledgebase/pages/Web User Interface/= Javascripts/print_from_nested_frameset.htm">Priting from a nested frameset= </a><br> <p> <a href=3D"http://www.healthassist.biz";><img src=3D"http://www.healthassis= t.biz/viz/7.gif" border=3D"0"></a> <br><a href=3D"http://www.healthassist.biz";>healthassist.biz</a> <p> <a href=3D"http://www.prabhums.org/knowledgebase/pages/Microsoft Technolog= y/MS Office/Word/office2000_html_filter.htm">Office 2000 HTML Filter</a><b= r> <p> </BODY> </HTML> ----90489521205624851446--
